Jump to content

This new Microsoft tool checks Exchange Servers for ProxyLogon hacks


itman

Recommended Posts

Quote

Microsoft has released a PowerShell script that admins can use to check whether the recently disclosed ProxyLogon vulnerabilities have hacked a Microsoft Exchange server.

Microsoft releases script to check for ProxyLogin hacks

When disclosing these vulnerabilities, Microsoft provided a list of commands that Exchange administrators could use to check if a server was hacked.

These commands would need to be executed manually to check for indicators of compromise (IOC) in Exchange HttpProxy logs, Exchange log files, and Windows Application event logs.

Yesterday, Microsoft released a PowerShell script on the Microsoft Exchange support engineer's GitHub repository named Test-ProxyLogon.ps1 to automate these tasks for the administrator.

https://www.bleepingcomputer.com/news/microsoft/this-new-microsoft-tool-checks-exchange-servers-for-proxylogon-hacks/

Edited by itman
Link to comment
Share on other sites

Eset just published an very detailed article on this vulnerability here: https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

Looks like Eset is detecting most of the known attack methods. The real issue is about the unknown ones. These servers need to be patched immediately or, Microsoft mitigations employed which again will only protect against known attack methods.

Link to comment
Share on other sites

Also of note is exploitation of this vulnerability possibly occurred as early as Nov., 2020:

Quote

China and beyond

Joe Slowik, senior security researcher at security firm DomainTools, published his own analysis on Wednesday and noted that three of the APTs that ESET saw exploiting the vulnerabilities ahead of the patches—Tick, Calypso, and Winnti—have previously been linked to hacking sponsored by the People’s Republic of China. Two other APTs that ESET saw exploiting the vulnerabilities a day after the patches—Tonto and Mikroceen—also have ties to the PRC, the researcher said.

Slowik produced the following timeline:

domain-tools-timeline-640x250.png

DomainTools

The timeline includes three exploitation clusters that security firm FireEye has said were exploiting the Exchange vulnerabilities since January. FireEye referred to the groups as UNC2639, UNC2640, and UNC2643 and didn’t tie the clusters to any known APTs or say where they were located.

Because different security firms use different names for the same threat actors, it's not clear if the groups identified by FireEye overlap with those seen by ESET. If they were distinct, the number of threat actors exploiting the Exchange vulnerabilities prior to a patch would be even higher.

https://arstechnica.com/gadgets/2021/03/security-unicorn-exchange-server-0-days-were-exploited-by-6-apts/

Edited by itman
Link to comment
Share on other sites

Updates on Microsoft Exchange Server Vulnerabilities

Quote

CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products.

https://us-cert.cisa.gov/ncas/current-activity/2021/03/13/updates-microsoft-exchange-server-vulnerabilities

Most of these newly identified webshells have a strange prefix. As such, should be fairly easy to stop them.

Link to comment
Share on other sites

If anyone  needs "additional encouragement" to patch their Exchange servers, read this:

New PoC for Microsoft Exchange bugs puts attacks in reach of anyone

https://www.bleepingcomputer.com/news/security/new-poc-for-microsoft-exchange-bugs-puts-attacks-in-reach-of-anyone/

Link to comment
Share on other sites

Quote

Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates.We have tested this tool across Exchange Server 2013, 2016, and 2019...

This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update...

[The tool] will automatically mitigate CVE-2021-26855 [Microsoft Exchange Server Remote Code Execution Vulnerability] on any Exchange server on which it is deployed...

http:// https://msrc-blog.microsoft.com/202...hange-on-premises-mitigation-tool-march-2021/

Link to comment
Share on other sites

This extensive current status article by bleepingcomputer.com confirms that exploitation use of this Exchange server vulnerability was occurring in early Jan., 2021:

Quote

APT groups had a two-month advantage

The same month, threat intelligence and incident response company Volexity detected ProxyLogon attacks aiming to compromise networks or to steal email data.

Closer examination determined that “cyber espionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021,” two days before DEVCORE submitted the report to Microsoft.

In January, multiple cybersecurity companies detected attacks against on-premise Exchange servers in client environments using zero-day vulnerabilities.

https://www.bleepingcomputer.com/news/security/the-microsoft-exchange-hacks-how-they-started-and-where-we-are/

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...