Microsoft Exchange Hack IOCs Shared by Bank Regulator in Chile
To Aid Security Professionals and other Microsoft Exchange Administrators, the CMF has Released IOCs of Web Shells and a Batch File Found on Their Compromised Server.
At the beginning of the year, several cybersecurity companies were affected by attacks against on-premise Exchange servers in client environments using zero-day vulnerabilities.
On March 2nd, Microsoft disclosed that four Exchange Server zero-day vulnerabilities were being used in attacks against exposed Outlook on the web (OWA) servers. These vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.
These vulnerabilities known as ‘ProxyLogon’ are being used by Chinese state-sponsored threat actors and enable attackers to access victims’ Exchange Servers and gain control system access of a company’s network.
According to a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), adversaries could take advantage of these vulnerabilities to steal information, compromise networks, and encrypt data for ransom.
The Commission for the Financial Market (CMF) updates information on the operational incident recently reported, caused by vulnerabilities in the Microsoft Exchange email platform.
This week, Chile’s Comisión para el Mercado Financiero (CMF) has also disclosed that they have been compromised after threat actors exploited the recently disclosed ProxyLogon vulnerabilities in their Microsoft Exchange servers to install web shells and attempt to steal credentials.
The CMF operates under the Ministry of Finance and is the regulator and inspector for banks and financial institutions in Chile.
“The analyzes carried out by the information security and technology area of the CMF, together with external specialized support, have so far dismissed the presence of a ransomware and indicate that the incident would be limited to the Microsoft Exchange platform”
In support of other Microsoft Exchange administrators, CMF shares IOCs of their attack:
- 0b15c14d0f7c3986744e83c208429a78769587b5: error_page.aspx (China Chopper web shell)
- bcb42014b8dd9d9068f23c573887bf1d5c2fc00e: supp0rt.aspx (China Chopper web shell)
- 0aa3cda37ab80bbe30fa73a803c984b334d73894: test.bat (batch file to dump lsass.exe)
In many attacks, the file names have been identical whilst indicators of compromise (IOC) will have different file hashes for each victim.
Web shells using the names ‘error_page.asp’ and ‘supp0rt.aspx’ have been used in numerous ProxyLogon attacks, and for the most are part, are identical with only a few changes specific to the victim.
These files are Microsoft Exchange Offline Address Books (OAB), whose ExternalUrl setting has been changed to the China Chopper web shell.
This web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. It also allows threat actors to execute commands on the compromised Microsoft Exchange server remotely by visiting the URL configured in the ExternalURL setting.
The batch file, test.bat, is also commonly seen in ProxyLogon attacks and is used to dump the LSASS process’s memory to harvest Windows domain credentials. The batch file also exports a list of users on the Windows domain.
The command shown below will use the comsvcs.dll LOLBin to dump LSASS’ memory to a file in the IIS server’s wwwroot. It then uses dsquery to export a list of users in the Windows domain to a file.
These files are then zipped up in the wwwroot to be downloaded remotely by the threat actors.
While most Microsoft Exchange attacks have been deploying web shells, harvesting credentials, and stealing mailboxes, some attacks are also installing cryptominers, and more recently, the DearCry ransomware on exploited servers.
Microsoft releases script to check for ProxyLogin hacks
Microsoft provided a list of commands that Exchange administrators could use to check if a server was hacked. These commands would need to be executed manually to check for indicators of compromise (IOC) in Exchange HttpProxy logs, Exchange log files, and Windows Application event logs.
Recently, Microsoft released a PowerShell script on the Microsoft Exchange support engineer’s GitHub repository named Test-ProxyLogon.ps1 to automate these tasks for the administrator.
CMF further states that they are investigating the breach and have been in contact with the Computer Security Incident Response Team (CSIRT) of the Ministry of Finance.