Windows Outlook Vulnerability (ProxyLogon)

[Cross-posted from the Yet Another Security Blog by Craig Buchanan of Stillwater]

With the release of a proof-of-concept (PoC) for the ProxyLogon vulnerability in Exchange Server, attacks trying to use it continue to increase. This vulnerability is no longer being exploited only by Advanced Persistent Threats (APTs); many threat actors are now targeting the (as of March 14th) 69,548 vulnerable Exchange servers. Several sources report that you no longer have to go to the dark web to find the exploit: a simple Google search will turn up the information needed to use it. Check Point indicated that it saw 7,200 attacks on March 15th, a tenfold increase over the 700 seen on the 11th. The most targeted segment remains government, at 23%. To help, Microsoft released a one-click mitigation tool (linked below) for customers who are not comfortable hardening their configuration by hand until they can patch. Many experts, however, caution that if you went through the weekend unpatched, you should assume that you have been breached.

Researchers report that they have been observing, and learning from, the use of the China Chopper web shell on victim machines. Hafnium, for instance, has been found to use the JScript version of the web shell.

Also of note, the White House has formed a joint government-private sector task force on the ProxyLogon hack. The hope is that a rapid response will help to mitigate any nefarious activities. 

It also appears that the Western Australian Parliament was targeted by Chinese threat actors during its election. The Australian Cyber Security Centre (ACSC) used this as a cautionary tale that all Exchange servers need to be patched immediately. It should be noted that Assistant Defence Minister Andrew Hastie would neither confirm nor deny any compromise of government or private servers. He said, in essence, that cyber is a war domain (a battlefield) and that it was not prudent to discuss wins and losses during combat. This is some of the strongest wording yet from a government official on the gravity of the initial activities.

The Dutch National Cyber Security Centre indicated that at least 1200 Dutch servers have likely been affected by the breach.

Thursday night Microsoft announced that Microsoft Defender Antivirus and System Center Endpoint Protection will now mitigate CVE-2021-26855. This is one of the four ProxyLogon vulnerabilities that threat actors have been using to gain access to servers. Since CVE-2021-26855 is usually the first step that sets up the other three, blocking it in Defender and System Center means that many of the playbooks used by the threat actors will no longer work. Microsoft has pledged to share the information with other endpoint vendors so that everyone can be protected.

https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/

https://www.wsj.com/articles/microsoft-probing-whether-leak-played-role-in-suspected-chinese-hack-11615575793

https://www.scmagazine.com/home/security-news/vulnerabilities/white-house-forms-public-private-task-force-to-tackle-microsoft-exchange-hack/

https://www.scmagazine.com/home/security-news/vulnerabilities/the-microsoft-exchange-hack-the-risks-and-rewards-of-sharing-bug-intel/

https://www.scmagazine.com/home/patch-management/microsoft-releases-one-click-mitigation-tool-for-exchange-server/

https://thehill.com/policy/cybersecurity/543605-biden-administration-convenes-government-private-sector-groups-to?&web_view=true

https://www.abc.net.au/news/2021-03-17/wa-parliament-targeted-cyber-attack/13253926?&web_view=true

https://www.reuters.com/article/us-netherland-cyber-microsoft/microsoft-hack-fallout-substantial-for-dutch-servers-watchdog-says-idUSKBN2B82K4?&web_view=true

https://www.zdnet.com/article/microsoft-releases-one-click-mitigation-tool-for-exchange-server-hacks/?&web_view=true

https://www.securityweek.com/over-80000-exchange-servers-still-affected-actively-exploited-vulnerabilities?&web_view=true

https://www.infosecurity-magazine.com/news/exchange-exploit-attempts-sixfold/?&web_view=true

https://www.zdnet.com/article/hafniums-china-chopper-a-slick-and-tiny-web-shell-for-creating-server-backdoors/?&web_view=true

https://thehackernews.com/2021/03/mimecast-finds-solarwinds-hackers-stole.html

https://thehackernews.com/2021/03/use-this-one-click-mitigation-tool-from.html

https://www.binarydefense.com/threat_watch/finland-attributes-parliament-attack-to-apt31/

https://www.scmagazine.com/home/security-news/vulnerabilities/microsoft-antivirus-now-automatically-mitigates-hafnium-exchange-server-vulnerability/

https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/

https://www.helpnetsecurity.com/2021/03/19/iocs-solarwinds-attackers/


Microsoft Tools:

https://aka.ms/eomt - Microsoft One-Click-Mitigation tool

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download - Microsoft Safety Scanner 


Government links

https://us-cert.cisa.gov/remediating-apt-compromised-networks


For more information, or to comment on this topic, visit Yet Another Security Blog.