Microsoft Exchange ProxyLogon Vulnerability Threat Intel Advisory
Published 16 March 2021
- ProxyLogon is a chain of vulnerabilities that is actively exploited in the wild
- Attackers compromise internet-facing Exchange instances to gain a foothold in the target network
| Threat actors | Hafnium (nation-state actor), UNC2639, UNC2640, and UNC2643 |
| Affected products | (On-premises only) Microsoft Exchange Server 2019, 2016, 2013 |
ProxyLogon is a chain of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) that are actively exploited in the wild by ransomware gangs and nation-state actors. Their intention is to compromise internet-facing Exchange instances to gain a foothold in the target network. The threat actor first authenticates to the Exchange server by exploiting CVE-2021-26855. They then write webshells or malware to the vulnerable server, which lets them exploit any of the remaining flaws (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) and achieve remote code execution (RCE).
Recent Hafnium campaigns
Based on intelligence gathered from various sources, earlier this January the nation-state actor Hafnium targeted Exchange servers with zero-day exploits. Reportedly, the campaign is still active and indicates Chinese involvement in espionage operations aimed mostly at North American targets, specifically government entities and technology companies. Hafnium, along with other threat actors, carried out a post-exploitation phase involving the following tools and tactics:
| Tactic | Tool / technique |
|---|---|
| Command execution | ASPX/PHP webshells |
| Credential dumping | rundll32 C:\windows\system32\comsvcs.dll |
| Persistence | Domain account user addition |
| Exfiltration | WinRAR command-line utility to archive data for exfiltration |
Attackers connect to the Exchange servers over the internet via port 443. Once the threat actor establishes contact with the target server, they leverage the ProxyLogon exploit chain to compromise the system.
CVE-2021-26855 (pre-auth) is a server-side request forgery (SSRF) vulnerability in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 (post-auth) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when untrusted, user-controllable data is deserialized by a program. Attackers can obtain SYSTEM privileges on the Exchange server, which is equivalent to the root user on Linux machines.
CVE-2021-26858 (post-auth) is an arbitrary file write vulnerability in Exchange. The attacker chains this flaw with the CVE-2021-26855 SSRF vulnerability or with compromised legitimate admin credentials.
CVE-2021-27065 (post-auth) is an arbitrary file write vulnerability in Exchange. The attacker chains it with the CVE-2021-26855 SSRF vulnerability or with compromised legitimate admin credentials.
- Attackers can retrieve the emails of any user via specially crafted SOAP XML requests sent to the server.
- By chaining the ProxyLogon vulnerabilities, an attacker can gain administrative privileges on the server with RCE capability, thereby obtaining full access to the system.
- Attackers target Exchange servers to gain a foothold in the target network and later deploy ransomware or cryptominers, or for espionage purposes.
Indicators of Compromise
Webshell file locations:
- \inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or its subfolders)
- \<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file, or modified file, that is not part of a standard install)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\ (any .aspx file in this folder or its subfolders)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\ (any .aspx file in this folder or its subfolders)
HTTP POST Requests
POST /ecp/<single char>.js
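The following added example (not part of the advisory) turns the two indicator sets above into checks a defender can run: one flags `POST /ecp/<single char>.js` requests in IIS W3C log lines, the other applies the webshell location rules to file paths. The log lines are constructed samples and the field layout is an assumed IIS W3C `#Fields:` header; the "not part of a standard install" rule for `owa\auth\` needs a baseline of known-good files and is not implemented here.

```python
import re

# Constructed sample IIS W3C log lines (assumed field order; not from the advisory).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-03-03 10:15:01 GET /owa/auth/logon.aspx - 443 203.0.113.5 200
2021-03-03 10:15:07 POST /ecp/y.js - 443 203.0.113.5 200
2021-03-03 10:15:09 POST /ecp/DDI/DDIService.svc/Action - 443 198.51.100.7 200
2021-03-03 10:16:12 POST /ecp/a.js - 443 198.51.100.7 200
"""

# The advisory's HTTP indicator: a POST to /ecp/<single char>.js
ECP_JS_RE = re.compile(r"^/ecp/[A-Za-z0-9]\.js$", re.IGNORECASE)


def suspicious_ecp_posts(log_text):
    """Return (time, client_ip, uri) for every POST to /ecp/<single char>.js."""
    hits, fields = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names from the W3C header
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-method") == "POST" and ECP_JS_RE.match(rec.get("cs-uri-stem", "")):
            hits.append((rec["time"], rec["c-ip"], rec["cs-uri-stem"]))
    return hits


def is_suspicious_path(path):
    """Apply the advisory's webshell location rules to a full Windows file path."""
    p = path.replace("/", "\\").lower()
    name = p.rsplit("\\", 1)[-1]
    # Any .aspx under \inetpub\wwwroot\aspnet_client\ (including subfolders)
    if "\\inetpub\\wwwroot\\aspnet_client\\" in p and name.endswith(".aspx"):
        return True
    # Anything in FrontEnd\HttpProxy\ecp\auth\ other than TimeoutLogoff.aspx
    if "\\frontend\\httpproxy\\ecp\\auth\\" in p and name != "timeoutlogoff.aspx":
        return True
    # Any .aspx below owa\auth\Current\ or owa\auth\<version number>\
    owa_auth = "\\frontend\\httpproxy\\owa\\auth\\"
    if owa_auth in p and name.endswith(".aspx"):
        tail = p.split(owa_auth, 1)[1]
        if tail.startswith("current\\") or re.match(r"\d+(\.\d+)*\\", tail):
            return True
    return False
```

Files directly under `owa\auth\` that are not flagged here still need comparison against a known-good install before they can be ruled out.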
Exchange Control Panel [ECP] Logs for RCE
Post Exploitation Tools
Microsoft released patches for these vulnerabilities on 2 March 2021: