“…'s CVE entries linked above, Exchange 2010 is not affected by these. However, Exchange 2010 reached end of life back in October 2020 which means: "Microsoft will no longer [provide] security fixes for vulnerabilities that may make the server vulnerable to security breaches"…”
T1505.003 Web Shell (99%)
“a webshell) with a UNC path \\ that refers to a different machine. This could be considered "lateral movement," but considering the threat actor would already need to have the access to place a separate webshell there, it's just adding redundant persistence to another compromis…”
T1190 Exploit Public-Facing Application (99%)
“in the context of SYSTEM and write arbitrary files. Huntress is seeing attackers actively exploiting these vulnerabilities against vulnerable Exchange servers. Our team has sent over 100 incident reports related to this exploit in the last two days, August 17 and 18. What should…”
T1505.003 Web Shell (99%)
“CU23 + KB5004778 = v15.0.1497.23 - 20659e56c780cc96b4bca5e4bf48c812898c88cf134a84ac34033e41deee46e9 Indicators of Compromise So far, Huntress has found webshells written in subdirectories within the Exchange installation path. Typically, these files have a random filename, whi…”
T1190 Exploit Public-Facing Application (98%)
“Microsoft Exchange Servers Still Vulnerable to ProxyShell | Huntress Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that were patched earlier this year. Back in March, we saw multiple zer…”
T1505.003 Web Shell (96%)
“6 with file paths to monitor and remediation steps - Update #6 - 08/23/2021 @ 10:53am ET - Added intel regarding threat actors' ability to hide a webshell in uncommon/nonstandard locations outside of typically monitored ASP directories - Update #5 - 08/23/2021 @ 12…”
T1190 Exploit Public-Facing Application (96%)
“- 08/22/2021 @ 8:24pm ET Of the original ~1900 vulnerable Exchange servers from Friday night, we still see 1764 that are unpatched as of right now. This is fairly concerning since we are starting to see active post-exploitation behavior that includes coinminers and ranso…”
T1505.003 Web Shell (93%)
“\who - C:\Users\All Users\xyz - C:\Users\All Users\zoo - C:\Users\All Users\zing Update #7 - 08/23/2021 - 2:06pm ET Digging into the tradecraft we uncovered in Update #6, where the Exchange configuration file C:\Windows\System32\inetsrv\conf…”
T1204.002 Malicious File (93%)
“\aspnet_client\updateserver.aspx Note that these are not pure ASPX files. Examining the magic bytes and file header will explain this is instead a Microsoft Outlook email folder. Upon further inspection of this file (with simple strings or viewing in a hex editor), you wi…”
T1505.003 Web Shell (93%)
“for keeping up with our intel!), Huntress learned that some of the hidden webshells tucked away in the Exchange configuration file discussed previously in Update #7 and #8 have also been reported with modification times prior to August 2021. We have hunted across all of the 4,…”
T1505.003 Web Shell (90%)
“the LockFile ransomware, we uncovered a unique TTP that we had not seen before for ProxyShell activity. The configuration file for the Exchange internet service was modified to include a new "virtual directory," which practically redirects one URL endpoint to another location o…”
T1190 Exploit Public-Facing Application (86%)
“…hanslovan) August 21, 2021 Collaboration with industry security researchers Kevin Beaumont and Rich Warren have helped corroborate that the webshell and LockFile ransomware incidents we’re seeing within companies may be related: We’ll continue to keep the community update…”
T1505.003 Web Shell (82%)
“commands should be run from an administrator command prompt, with $directoryname replaced appropriately for your target directory. icacls $directoryname /grant administrator:f /t takeown /f $directoryname /r rd \\.\$directoryname /s /q Update #8 - 08/23/2021 -…”
T1505.003 Web Shell (41%)
“…shell timeline. We can’t say definitively, but it is reasonable to assume these are leftover remnants of ProxyLogon, back in March. Additionally, none of these “old” webshell paths use the subfolder names we had seen previously: who, xyz, zing, zoo, etc. Whether you are p…”
T1505.003 Web Shell (31%)
“…hanslovan) August 21, 2021 Collaboration with industry security researchers Kevin Beaumont and Rich Warren have helped corroborate that the webshell and LockFile ransomware incidents we’re seeing within companies may be related: We’ll continue to keep the community update…”
Summary
Attackers are scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Exchange vulnerabilities that were patched in early 2021.