New wave of attacks on MS Exchange in Russia

Since August 2022, we have been recording a wave of attacks on dozens of Russian small and medium-sized businesses. The attackers write to victims demanding payment for a “security audit” and threaten to publish confidential data otherwise. In every case the point of entry is the SSRF vulnerability from the ProxyShell chain. Below we describe the general mechanism of the attacks and recommend basic measures to protect against the threat.

How the attack works

Letter from the “auditors”

Victim companies learn about the hack from an email sent by the attackers. Recipients are chosen by the attackers' own judgement of who would be most interested in news of the hack: cybersecurity specialists and their managers, IT specialists, or other people connected in some way with security in the company.

In the letter, the attackers state that they gained access to email and some internal resources of the victim company and downloaded gigabytes of confidential information: internal correspondence, correspondence with clients and partners, accounting documents, and credentials for internal resources. As proof, they attach relevant screenshots to the letter.

To prevent this information from becoming public, the attackers offer to be paid for their “security audit services” and even promise to send a report with recommendations for fixing vulnerabilities. The amount of the ransom varies; in the incidents we investigated, we encountered demands for 9-10 thousand dollars.

The “auditors” threaten to respond to a refusal in stages. First, they send a message about the hacking of the victim company to all its employees, as well as to customers and partners. Then, if the first stage does not convince the victim, they promise to publish the downloaded data in the public domain.

Incident investigations show that the perpetrators are not bluffing. In one of the cases, the scammers actually sent information about the attack to all company employees and offered to provide any confidential information (management pay slips, etc.). In several cases, clients and partners of the victim companies received a similar offer. It is noteworthy that in such mailings the recipients were listed openly, not in a blind copy.

At first, the attackers wrote from the mailboxes of their previous victims. At the same time, in the very first message, the scammers explained that they had no connection to the company from whose mailbox they were writing. Since November, they have switched to the anonymous email service Proton Mail: most of the letters come from the address security4real@proton.me.

Mail server hack

In all attacks known to us, attackers exploit the same vulnerability in Microsoft Exchange mail servers.

Analysis of MS Exchange access logs shows that the attackers use an open-source script, exchange_ssrf_attacks.py. It exploits a known MS Exchange SSRF vulnerability, CVE-2021-34473, which is part of the ProxyShell vulnerability chain. Using this tool, the attackers obtain a list of user mailboxes and a list of contacts, and download emails together with their attachments.

Having hacked the mail server and obtained the contents of the mailboxes, the attackers study the correspondence, in which they find credentials for the internal resources of the victim companies, including the corporate virtual private network (VPN), the Jira issue tracking system, the Confluence internal wiki platform, and so on.

To remain anonymous, the attackers use public VPN services. For example, all IP addresses associated with the scammers' activity in our investigations belong to the Mullvad service.

How to protect yourself from the threat

Attackers do not discriminate between vulnerable MS Exchange servers: dozens of small and medium-sized companies from various industries fell under the wave of attacks we observed.

If your organization uses MS Exchange and does not have a strict software update policy, it is at risk of becoming a victim of the group we are describing. Even though Microsoft released a patch for ProxyShell back in July 2021, practice shows that many companies have not yet updated their mail servers.

If, in addition to using MS Exchange, you receive an email demanding payment for an unsolicited “security audit”, especially from security4real@proton.me, then it is most likely time for you to respond to the incident. But don’t rush to transfer $10,000 just yet.

Below we give basic recommendations for protecting against the threat in both cases.

If you received a letter

Reasons for suspicion

With a high degree of probability, you fell under a wave of attacks under the following conditions:

  1. You received a letter demanding payment for an infrastructure security audit that you did not order (pay special attention to letters from the address security4real@proton.me).

  2. Your company is using Microsoft Exchange servers that have not been updated since May 2021.

  3. These servers are directly accessible from the internet.

First measures

If you have any of the above reasons for suspicion, you must urgently:

  1. Restrict access to your Microsoft Exchange server from the Internet.

  2. Install the latest security patches on this server.

Remember: under no circumstances pay the senders of the letter! You should not expect the attackers to provide the promised “audit” report: they did not carry out any such work, but simply exploited a specific vulnerability in a specific service. Bear in mind also that payment does not guarantee that your confidential information will not be published: there is no reason to rely on the honesty of scammers.

After completing the initial security measures, you can proceed to an express analysis of the MS Exchange server in order to confirm or rule out the suspected incident.

Express Analysis of MS Exchange Server

To determine whether the ProxyShell vulnerability chain has been exploited on your MS Exchange server, you will need to check two logs: the IIS event logs and the EWS logs.

If the analysis shows successful exploitation attempts, we recommend a full incident investigation. It will allow you to understand what the attackers did in the infrastructure and which resources, in addition to MS Exchange, they could have compromised. Cyber incident investigation is part of our “Cyber Incident Management” service.

Below we describe which artifacts in each log you should pay attention to during the express analysis.

IIS event logs

The Internet Information Services event logs store web server access events.

The logs can be found on the MS Exchange server in the directory C:\inetpub\logs\LogFiles.

The script used by the attackers, exchange_ssrf_attacks.py, leaves two specific artifacts in the IIS logs that point to successful exploitation of ProxyShell:

  1. POST requests like this:

    POST /autodiscover/autodiscover.json?a=a@edu.edu/ews/exchange.asmx

  2. The User-Agent field in the request with the following value:

    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36

When examining these POST requests, make sure they received a 200 response code, which indicates successful exploitation. Otherwise they are merely unsuccessful attempts, which any MS Exchange server accessible from the Internet routinely records several times a day; such requests are not worthy of attention.

Examples of entries from the IIS event log in which both artifacts are recorded are shown in Fig. 1.

Fig. 1. Fragment of the IIS log with artifacts of successful exploitation of ProxyShell (response code 200 is highlighted in red)

EWS logs

Exchange Web Services (EWS) is an API that gives various applications access to mailbox contents. The logs for this service record client interaction with it.

The logs can be found in the directory C:\Program Files\Microsoft\Exchange Server\<version number>\Logging\Ews, where <version number> is the version of Microsoft Exchange.

Among other things, these logs capture the source IP addresses of the request, the type of operation, the email address for which the operation is performed, and the User-Agent of the client.

As noted above, one of the artifacts of the exchange_ssrf_attacks.py script is a specific User-Agent value:

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36

Searching for it in the EWS logs, you can find the operations the scammers performed with their tool.

Among the operations, pay attention to those performed when downloading emails:

  • FindItem – finding items in the user’s mailbox;

  • GetItem – retrieving messages from the mailbox;

  • GetAttachment – extracting attachments from emails.

By analyzing these operations in the EWS logs, you can obtain the list of email addresses for which the attacker downloaded emails along with attachments.
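The EWS-side analysis described above, as an added example that is not part of the original article: it reads the CSV-style EWS log using its `#Fields:` header, keeps only FindItem, GetItem and GetAttachment requests carrying the tool's User-Agent, and returns which mailboxes were read and from which source addresses. The log lines are constructed, the reduced column set and the assumption that `AuthenticatedUser` carries the mailbox address are mine; check the `#Fields:` line of your own EWS log for the column that holds the mailbox.

```python
import csv
from collections import defaultdict
from io import StringIO

# User-Agent the article associates with exchange_ssrf_attacks.py
TOOL_UA = ("Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36")
# EWS operations performed when downloading mail together with attachments
EXFIL_OPS = {"FindItem", "GetItem", "GetAttachment"}

# Constructed sample, not from a real server. Only a few columns are shown and
# their names are assumed; real EWS logs carry many more, and the parser reads
# whatever the '#Fields:' line declares.
SAMPLE_EWS_LOG = f"""#Software: Microsoft Exchange Server
#Log-type: Ews Logs
#Fields: DateTime,AuthenticatedUser,UserAgent,ClientIpAddress,SoapAction,HttpStatus
2022-11-03T08:15:01.120Z,ivanov@example.com,"{TOOL_UA}",198.51.100.7,FindItem,200
2022-11-03T08:15:02.310Z,ivanov@example.com,"{TOOL_UA}",198.51.100.7,GetItem,200
2022-11-03T08:15:03.455Z,ivanov@example.com,"{TOOL_UA}",198.51.100.7,GetAttachment,200
2022-11-03T08:15:09.002Z,petrov@example.com,"{TOOL_UA}",198.51.100.7,FindItem,200
2022-11-03T08:16:00.777Z,sidorova@example.com,"Microsoft Office/16.0 (Microsoft Outlook 16.0)",10.0.0.31,GetItem,200
2022-11-03T08:16:30.001Z,sidorova@example.com,"{TOOL_UA}",198.51.100.7,GetFolder,200
"""


def parse_ews_log(text):
    """Yield one dict per record, naming columns from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = next(csv.reader(StringIO(line)))  # UserAgent is quoted (it contains commas)
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def mailboxes_read_by_tool(text):
    """Map each mailbox touched by the tool's User-Agent to the download
    operations seen for it, and collect the source IPs of those requests."""
    per_mailbox = defaultdict(set)
    source_ips = set()
    for rec in parse_ews_log(text):
        if rec["UserAgent"] != TOOL_UA or rec["SoapAction"] not in EXFIL_OPS:
            continue
        per_mailbox[rec["AuthenticatedUser"]].add(rec["SoapAction"])
        source_ips.add(rec["ClientIpAddress"])
    return dict(per_mailbox), source_ips
```

The resulting mailbox list is the scope of the data leak you then need to report on; the source IPs can be compared with the c-ip values found in the IIS log.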

A fragment of the EWS log with the relevant operations is shown in Fig. 2.

Fig. 2. Fragment of the EWS log showing the email download process (relevant operation types are highlighted in red)

If you have not received a letter

If the “auditors” have not written to you, but your company uses a Microsoft Exchange server accessible from the Internet, you should not relax.

MS Exchange is a popular product in the corporate segment, so cybersecurity researchers are paying more and more attention to it and actively discovering new vulnerabilities in it. Attackers, in turn, adopt these findings, which is why careless use of Microsoft Exchange inevitably becomes a danger to the infrastructure.

To minimize risks, we recommend the following measures:

  1. Update Microsoft Exchange regularly. Exploitation of MS Exchange vulnerabilities often becomes the primary vector of attacks on company infrastructures. It is important to install critical server updates on time so as not to become easy prey for attackers, including those using known vulnerabilities such as ProxyLogon and ProxyShell.

  2. Close access from the Internet to the mail server and other sensitive services. Even in the absence of known vulnerabilities, attackers can gain access to sensitive information stored on the mail server, for example by a brute-force attack. It is better to eliminate this possibility by providing access to such services through one of two intermediate nodes:

    • corporate VPN;

    • a proxy server that requires clients to present TLS certificates and verifies these certificates (connections via HTTP or without certificates should be prohibited in this case).
