Source: https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilitie...
MULTIPLE THREAT ACTORS, INCLUDING A RANSOMWARE GANG, EXPLOITING EXCHANGE
PROXYSHELL VULNERABILITIES

Kevin Beaumont
Aug 21 · 7 min read


For nearly a month, I have been watching mass in-the-wild exploitation of
ProxyShell, a set of vulnerabilities revealed by Orange Tsai at Black Hat.

These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities
revealed in March — they are more exploitable, and organisations largely haven’t
patched.

This post goes into why, how you can identify systems, how you can defend your
organisations and what threat actors are doing.


LOCKFILE RANSOMWARE

Over a week ago, BluePot/MailPot, my personal honeypot project, detected
exploitation from 209.14.0.234:



At the time, they dropped this webshell:



As you can see, static antivirus detection was poor (and as of the time of
writing, still is).

Yesterday a researcher alerted me to this blog from Symantec, fingering an
unknown Exchange vulnerability being used to deploy ransomware:

LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain
Controllers | Symantec Blogs (security.com)

You may notice the IP address I mentioned above:



In fact, the honeypot saw the actor return to the box and run this command 3
days later:




Afterwards, I can see the staging of artefacts related to LockFile, a new
ransomware.

So to be clear, the unknown Exchange vulnerabilities are ProxyShell.


REWIND

I have been watching multiple threat actors, including groups once again operating
from US internet service providers and deploying with methods similar to those
Hafnium used back in January to March.

The Exchange patches from April and May 2021 cover the ProxyShell
vulnerabilities, however Microsoft’s messaging of this has been knowingly awful.



Microsoft decided to downplay the importance of the patches and treat them as a
standard monthly Exchange patch, which have been going on for — obviously —
decades. You may remember how much negative publicity March’s Exchange patches
caused Microsoft, with headlines such as “Microsoft emails hacked”.


WHY THESE VULNERABILITIES MATTER

However, the vulnerabilities in question are extremely serious, and were reported
by the same researcher who reported ProxyLogon, aka March's Exchange
vulnerabilities.



They are pre-authenticated (no password required) remote code execution
vulnerabilities, which is as serious as they come. Additionally, during the
ProxyLogon attacks in January-March, attackers needed to know an Exchange
administrator mailbox, and hardcoded to administrator@ in proof of concept code.
This mailbox only existed if you installed Exchange as that account, and
accessed email, which is a minority situation — therefore most orgs got away
with it.

However, with ProxyShell this does not apply: you do not need to know the
identity of an Exchange administrator in advance.



Microsoft knew this would blow up in an international incident for customers. I
know this because I worked there, and told people.

You can read technical details of these vulnerabilities here:

Zero Day Initiative — From Pwn2Own 2021: A New Attack Surface on Microsoft
Exchange — ProxyShell!

— CVE-2021-34473 — Pre-auth Path Confusion leads to ACL Bypass
— CVE-2021-34523 — Elevation of Privilege on Exchange PowerShell Backend
— CVE-2021-31207 — Post-auth Arbitrary-File-Write leads to RCE

To make matters worse, Microsoft failed to allocate CVEs for these
vulnerabilities until July, four months after the patches were issued. Given that
many organisations drive vulnerability management by CVE, this created a
situation where Microsoft's customers were misinformed about the severity of one
of the most critical enterprise security bugs of the year.




MASS EXPLOITATION

I have been observing mass and increasing exploitation of these vulnerabilities
for weeks, and very publicly tweeting about it.

Microsoft Exchange servers are getting hacked via ProxyShell exploits
(bleepingcomputer.com)

Additionally, others have been talking about it:

Polite Warning: Please Patch the Newest Exchange Vuln : msp (reddit.com)



Meanwhile, over at Microsoft, we have one reference for ProxyShell on
Microsoft.com — a question from a customer:



Compare this with their coverage of ProxyLogon, which includes remediation
scripts, blogs, advice, threat intelligence etc:





IDENTIFYING SYSTEMS THAT NEED PATCHING

Since it is clear Microsoft are completely missing in action, I wrote an nmap
plugin, which can be used to identify unpatched systems:


scanning/http-vuln-exchange-proxyshell.nse at main · GossiTheDog/scanning
(github.com)



I worked with Shodan to get this detection into their product — for example, if
you use Shodan Monitor it will automatically inform you if you are vulnerable.



CERT in Austria has since taken the script and used it to scan assets in the
country, to inform organisations.



Insurance provider Coalition also smartly alerts customers to the
vulnerabilities:



The scale of the problem is large.



Many US government systems are unpatched. As of writing, there are still
hundreds of directly exploitable, internet facing systems with *.gov SSL
certificate hostnames within the US.



When Orange’s talk took place, Microsoft itself had not finished patching its
own on premise Exchange servers for these vulnerabilities:



To make matters worse, in terms of customer protection, Microsoft pays $0 — no
bounty at all — for on premise Exchange vulnerabilities to researchers (compared
to millions for Office 365 vulnerabilities).




DETECTION OF EXPLOITATION ACTIVITY

I have written various detections for Azure Sentinel; these need IIS log
collection enabled (it is not on by default).


POWERSHELL ABUSE VIA SSRF — 100% TRUE POSITIVES ON SUCCESSFUL EXPLOITATION

ThreatHunting/Exchange-Powershell-via-SSRF at master · GossiTheDog/ThreatHunting
(github.com)


PROXYSHELL RBAC EVENTS — REVIEW FOR ODD RBAC FAILURES (HAPPENS AT EXPLOITATION
STAGE DUE TO USING UNKNOWN USERS WITH POWERSHELL)

ThreatHunting/Exchange-ProxyShell-RBAC at master · GossiTheDog/ThreatHunting
(github.com)


LOOK FOR SSRF TO BACKEND INTERFACE — NEEDS TUNING TO ALLOWLIST LEGIT TRAFFIC IN
YOUR ENVIRONMENT.

ThreatHunting/Exchange-CVE-2021-34473-SSRF at master · GossiTheDog/ThreatHunting
(github.com)


PROXYSHELL SSRF — 100% TRUE POSITIVES OF ATTEMPTED EXPLOITATION

ThreatHunting/Exchange-ProxyShell-SSRF at master · GossiTheDog/ThreatHunting
(github.com)


ANTIVIRUS AND EDR EXCLUSIONS

Please remember that Microsoft’s own documentation tells system administrators
to exclude the processes and folders used in exploitation from security tool
scanning:




SCALE OF EXPLOITATION OF PROXYSHELL

In my honeypots, split between Azure Sentinel and moving to Splunk, I have
identified over a thousand exploitation attempts.

I have been tweeting some of them when bored:





I’ve seen everything from hands on keyboard attackers, ransomware staging to
email exfiltration using EWS.




EXAMPLE EXPLOITING IPS (ACTIONS ON TARGET)

45.76.151.211
84.17.46.174
209.14.0.234

I don’t want to release a full list of IOCs for all activity, as it may give
away the honeypot locations.

I suspect security vendors may be flying slightly blind here due to Exchange’s
recommended security tooling exclusions, and lack of prior vulnerability
information sharing by Microsoft.


SUMMARY

Actions you can take:

 * Make sure you patch these vulnerabilities as a matter of priority:
   CVE-2021-34473 CVE-2021-34523 CVE-2021-31207
 * Scan your network border with my nmap script, or use something like Shodan.io
   which can identify the vulnerabilities for you
 * Ask Microsoft to pay bug bounties for on-premise Exchange to researchers, as
   they do with Microsoft 365 (i.e. systems they manage).
 * Check the security tooling exclusions you have on Exchange servers. For
   internet facing Exchange servers, for example, it is incredibly risky to
   allowlist all activity from w3wp.exe (IIS), as Microsoft recommends — you are
   allowing attackers to go undetected.
 * Ask Microsoft to talk about threats against their own products, as they would
   with other vendors' products. During this period Microsoft have been openly
   detailing how to exploit vulnerabilities in other vendors' products
   (example), but have completely failed to deal with their own problems.


UPDATES


21ST AUGUST 2021

CISA have issued guidance to identify systems and patch:




A reminder that you can find vulnerable systems in your estate by searching for
vuln:cve-2021-34473 in Shodan.io, or grabbing the nmap checker above (or asking
your vulnerability management company for an unauthenticated checker).

Current count for ProxyLogon and ProxyShell vulnerable systems:



There are some additional IOCs for LockFile in this Twitter thread (link), if
that’s your thing:



