itman, Posted March 6, 2021 (edited March 6, 2021 by itman)

Quote:
Microsoft has released a PowerShell script that admins can use to check whether the recently disclosed ProxyLogon vulnerabilities have hacked a Microsoft Exchange server.

Microsoft releases script to check for ProxyLogon hacks

When disclosing these vulnerabilities, Microsoft provided a list of commands that Exchange administrators could use to check if a server was hacked. These commands would need to be executed manually to check for indicators of compromise (IOC) in Exchange HttpProxy logs, Exchange log files, and Windows Application event logs.

Yesterday, Microsoft released a PowerShell script on the Microsoft Exchange support engineer's GitHub repository named Test-ProxyLogon.ps1 to automate these tasks for the administrator.

https://www.bleepingcomputer.com/news/microsoft/this-new-microsoft-tool-checks-exchange-servers-for-proxylogon-hacks/
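The kind of HttpProxy log check that Test-ProxyLogon.ps1 automates, as an added Python example that is not code from this thread or from Microsoft's script: it parses the CSV-format HttpProxy log and flags rows matching the two indicator patterns Microsoft published for CVE-2021-26855 (AnchorMailbox like 'ServerInfo~*/*', BackEndCookie like 'Server~*/*~*'). Those two patterns come from Microsoft's published detection guidance, not from the posts above; the reduced column set, the log lines, the hostnames and the client addresses in the sample are constructed placeholders.

```python
"""Flag CVE-2021-26855 (ProxyLogon SSRF) indicators in Exchange HttpProxy logs.

Added example, not the forum thread's or Microsoft's code. The two wildcard
patterns are the ones Microsoft published for HttpProxy logs; the sample log
below is constructed with a reduced set of columns and placeholder
hosts/addresses.
"""
import csv
import fnmatch
import io
import os

# Microsoft's published HttpProxy indicators for CVE-2021-26855, written in
# PowerShell -like wildcard syntax (case-insensitive, '*' matches anything).
ANCHOR_MAILBOX_PATTERN = "ServerInfo~*/*"
BACKEND_COOKIE_PATTERN = "Server~*/*~*"

# Constructed sample: three requests, the second one carrying the indicator.
SAMPLE_LOG = (
    "DateTime,RequestId,Protocol,UrlHost,UrlStem,AuthenticationType,"
    "IsAuthenticated,AuthenticatedUser,AnchorMailbox,UserAgent,"
    "ClientIpAddress,HttpStatus,BackEndCookie\n"
    "2021-03-03T01:15:02.001Z,r1,Owa,mail.example.test,/owa/auth/logon.aspx,"
    "FormsAuthentication,true,EXAMPLE\\alice,Smtp~alice@example.test,"
    "Mozilla/5.0,198.51.100.7,200,Smtp~alice@example.test\n"
    "2021-03-03T01:15:03.114Z,r2,Ecp,mail.example.test,/ecp/y.js,,false,,"
    "ServerInfo~mail.example.test/autodiscover/autodiscover.xml,"
    "python-requests/2.25.1,203.0.113.9,200,"
    "Server~mail.example.test/autodiscover/autodiscover.xml~1941997543\n"
    "2021-03-03T01:15:04.220Z,r3,Autodiscover,mail.example.test,"
    "/autodiscover/autodiscover.xml,Basic,true,EXAMPLE\\bob,"
    "Smtp~bob@example.test,Outlook/16.0,198.51.100.8,200,Smtp~bob@example.test\n"
)


def _like(value, pattern):
    """Case-insensitive wildcard match in the spirit of PowerShell's -like."""
    return fnmatch.fnmatchcase((value or "").lower(), pattern.lower())


def parse_httpproxy_log(text):
    """Return the log as a list of dict rows, keyed by column name.

    HttpProxy logs are CSV with the column names on the first line. Lines
    starting with '#' (header comments used by other Exchange log types) are
    skipped so the same parser also copes with that layout.
    """
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def find_proxylogon_hits(rows):
    """Return the rows whose AnchorMailbox or BackEndCookie matches an
    indicator, each copied with a 'reasons' list naming the matching fields."""
    hits = []
    for row in rows:
        reasons = []
        if _like(row.get("AnchorMailbox"), ANCHOR_MAILBOX_PATTERN):
            reasons.append("AnchorMailbox")
        if _like(row.get("BackEndCookie"), BACKEND_COOKIE_PATTERN):
            reasons.append("BackEndCookie")
        if reasons:
            hit = dict(row)
            hit["reasons"] = reasons
            hits.append(hit)
    return hits


def scan_log_text(text):
    """Parse one log's text and return its indicator hits."""
    return find_proxylogon_hits(parse_httpproxy_log(text))


def scan_httpproxy_directory(root):
    """Walk a Logging/HttpProxy tree (pass your own path) and return
    (file, hit) pairs for every *.log file found. Files are decoded with
    errors='replace' so one odd byte does not abort the whole scan."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".log"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for hit in scan_log_text(fh.read()):
                    results.append((path, hit))
    return results


if __name__ == "__main__":
    for hit in scan_log_text(SAMPLE_LOG):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"],
              hit["reasons"])
```

A hit is a reason to pull the full HttpProxy row and pivot on ClientIpAddress and DateTime across the other log sources the post lists (the Exchange log files and the Application event log), not a confirmation on its own; an unauthenticated request with a ServerInfo~ anchor is the pattern the SSRF produces, and the follow-on activity is what establishes whether a web shell was dropped.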
itman, Posted March 11, 2021

Eset just published a very detailed article on this vulnerability here: https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ . Looks like Eset is detecting most of the known attack methods. The real issue is the unknown ones. These servers need to be patched immediately, or Microsoft's mitigations employed, which again will only protect against known attack methods.
itman, Posted March 13, 2021 (edited March 13, 2021 by itman)

Also of note is that exploitation of this vulnerability possibly occurred as early as Nov. 2020:

Quote:
China and beyond

Joe Slowik, senior security researcher at security firm DomainTools, published his own analysis on Wednesday and noted that three of the APTs that ESET saw exploiting the vulnerabilities ahead of the patches (Tick, Calypso, and Winnti) have previously been linked to hacking sponsored by the People's Republic of China. Two other APTs that ESET saw exploiting the vulnerabilities a day after the patches, Tonto and Mikroceen, also have ties to the PRC, the researcher said. Slowik produced the following timeline:

[Timeline image: DomainTools]

The timeline includes three exploitation clusters that security firm FireEye has said were exploiting the Exchange vulnerabilities since January. FireEye referred to the groups as UNC2639, UNC2640, and UNC2643 and didn't tie the clusters to any known APTs or say where they were located. Because different security firms use different names for the same threat actors, it's not clear if the groups identified by FireEye overlap with those seen by ESET. If they were distinct, the number of threat actors exploiting the Exchange vulnerabilities prior to a patch would be even higher.

https://arstechnica.com/gadgets/2021/03/security-unicorn-exchange-server-0-days-were-exploited-by-6-apts/
itman, Posted March 13, 2021

Updates on Microsoft Exchange Server Vulnerabilities

Quote:
CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products.

https://us-cert.cisa.gov/ncas/current-activity/2021/03/13/updates-microsoft-exchange-server-vulnerabilities

Most of these newly identified webshells have a strange prefix. As such, it should be fairly easy to stop them.
itman, Posted March 15, 2021

If anyone needs "additional encouragement" to patch their Exchange servers, read this:

New PoC for Microsoft Exchange bugs puts attacks in reach of anyone
https://www.bleepingcomputer.com/news/security/new-poc-for-microsoft-exchange-bugs-puts-attacks-in-reach-of-anyone/
itman, Posted March 16, 2021

Quote:
Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool, to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019... This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update... [The tool] will automatically mitigate CVE-2021-26855 [Microsoft Exchange Server Remote Code Execution Vulnerability] on any Exchange server on which it is deployed...

https://msrc-blog.microsoft.com/202...hange-on-premises-mitigation-tool-march-2021/
itman, Posted March 16, 2021 (edited March 16, 2021 by itman)

This extensive current-status article by bleepingcomputer.com confirms that exploitation of this Exchange server vulnerability was occurring in early Jan. 2021:

Quote:
APT groups had a two-month advantage

The same month, threat intelligence and incident response company Volexity detected ProxyLogon attacks aiming to compromise networks or to steal email data. Closer examination determined that "cyber espionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021," two days before DEVCORE submitted the report to Microsoft.

In January, multiple cybersecurity companies detected attacks against on-premise Exchange servers in client environments using zero-day vulnerabilities.

https://www.bleepingcomputer.com/news/security/the-microsoft-exchange-hacks-how-they-started-and-where-we-are/