Microsoft Exchange ProxyLogon Vulnerability Threat Intel Advisory

CloudSEK threat intelligence advisory on Exchange ProxyLogon flaws CVE-2021-26855/ 26857/ 26858/ 27065 exploited by ransomware gangs and nation-state actors.
Updated on
April 19, 2023
Published on
March 16, 2021
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.
Advisory Type
Vulnerability Intelligence
CVE Chain
CVE ID
CVSS Score
CVE-2021-26855 9.1
CVE-2021-26857 7.8
CVE-2021-26858 7.8
CVE-2021-27065 7.8
Threat Listing
Hafnium (Nation State Actor), UNC2639, UNC2640, and UNC2643 Cryptominers Unauthorized WebShells DearCry Ransomware
Affected System
(On-premise only) Microsoft Exchange Servers 2019, 2016, 2013
Platform 
Windows
 

Executive Summary

Proxylogon is a chain of vulnerabilities (CVE-26855/ 26857/ 26858/ 27065) that are actively exploited in the wild by ransomware gangs and nation-state actors. Their intention is to compromise internet-facing Exchange instances to gain foothold in the target network. The threat actor authenticates user access to the Exchange server by exploiting CVE-2021-26855. Followed by which, they write webshells/ malware to the vulnerable server, which allows the attacker to exploit any of the listed flaws, CVE-26857/ 26858/ 27065, leading to an RCE attack. 
Recent Hafnium campaigns
Based on the intelligence gathered from various sources, earlier this January, nation-state actor Hafnium targeted Exchange servers with zero-day exploit codes. Reportedly, the campaign is still active and it indicates Chinese involvement in espionage operations targeted at mostly North American states, specifically Government entities and technology companies. Hafnium along with other threat actors carried out a post-exploitation phase involving the following tools and tactics:
Tactics 
Procedure/Tools
Command Execution ASPX/PHP WebShells
Credential Dumping rundll32 C:\windows\system32\comsvcs.dll MiniDump lsass.dmp
Lateral Movement PsExec
Persistence  Domain Account UserAddition
Exfiltration WinRar Command Line Utility to archive data for exfiltration
 

Technical Details

Attackers connect to the Exchange servers via port 443, over the internet. Once the threat actor establishes contact with the target server, they leverage the proxylogon exploit chaining to compromise the system. CVE-2021-26855 (Pre- auth) is a server-side request forgery (SSRF) vulnerability in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate the Exchange server. CVE-2021-26857 (Post-auth) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Attackers can obtain SYSTEM privilege on the Exchange server which is equivalent to the root user on Linux machines. CVE-2021-26858 (Post-auth) arbitrary file writes vulnerability in Exchange. The attacker chains this flaw with CVE-2021-26855 SSRF vulnerability or compromises a legitimate admin’s credentials. CVE-2021-27065 (Post-auth) arbitrary file writes vulnerability in Exchange. Attacker chains it with CVE-2021-26855 SSRF vulnerability or compromises a legitimate admin’s credentials.  

Impact

  • Attackers can retrieve emails of any user via specially crafted SOAP XML requests sent to the server.
  • An attacker can gain administrative privilege on the server with RCE capabilities by chaining Proxylogon vulnerabilities. Thus, compromising full access to the system.
  • Attackers target Exchange servers to gain foothold in the target network to later deploy ransomware, cryptominers or for espionage purposes.
 

Indicators of Compromise

IP Addresses
103.77.192.219 104.140.114.110 104.250.191.110 108.61.246.56 149.28.14.163 157.230.221.198 167.99.168.251 185.250.151.72 192.81.208.169 203.160.69.66 211.56.98.146 5.254.43.18 80.92.205.81
Ransomware Hashes
feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6 10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
WebShell Hashes
b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
WebShell Indicators
\inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders) \<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx) \<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install) \<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\<any aspx file in this folder or subfolders> \<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\<any aspx file in this folder or subfolders>
HTTP POST Requests
/owa/auth/Current/themes/resources/logon.css /owa/auth/Current/themes/resources/owafont_ja.css /owa/auth/Current/themes/resources/lgnbotl.gif /owa/auth/Current/themes/resources/owafont_ko.css /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf /owa/auth/Current/themes/resources/lgnbotl.gif POST /owa/auth/Current/ POST /ecp/default.flt POST /ecp/main.css POST /ecp/<single char>.js
Exchange Control Panel [ECP] Logs for RCE
S:CMD=Set-OabVirtualDirectory.ExternalUrl='
Post Exploitation Tools
Procdump Nishang PowerCat
 

Mitigations

Microsoft has released patches for these vulnerabilities on 2nd March 2021: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations