It feels a little bit like beating a dead horse, but the incident response team at FRSecure is still responding to incidents that originate with either the ProxyLogon or ProxyShell vulnerabilities in Microsoft Exchange that were patched in early-to-mid 2021, and ultimately lead to a ransomware attack.
CVEs of Note in Microsoft Exchange Vulnerability
Many of these incidents are a surprise to the victims as they have patched for these vulnerabilities and believed their systems to be safe. The issue is that these organizations patched, but then did not clean up the existing webshells dropped by attackers and did not threat hunt in their environments to see if lateral movement had occurred.
The typical pattern with these attacks is as follows:
- Attackers gain initial access utilizing the vulnerabilities resulting in webshells.
- These webshells provide highly privileged access on an already highly privileged server (Exchange).
- Attackers utilize these webshells for a variety of purposes including credential harvesting, reconnaissance, and most importantly lateral movement to establish further persistence.
- Attackers will often move to other systems in the environment to establish persistence mechanisms such as Cobalt Strike, a popular command-and-control (C2) framework.
- From here, the options are endless but most of these attacks will follow the normal kill chain that we often see:
- Further reconnaissance.
- Enumerating the domain, credential harvesting, finding critical assets, locating backups etc.
- Data exfiltration.
- Staging for additional attack objectives.
- Often preparing and distributing malware.
- Destruction of backups.
- Additional persistence mechanisms.
- Execution of final attack.
- Often ransomware.
- Waiting for profit.
- Victims may need to pay a ransom to recover data if backups are destroyed.
- Victims also may need to pay a ransom so that the attackers will destroy the data they exfiltrated.
- Some attack groups will apply additional pressure to the victim such as:
- Contacting clients/customers/etc. to let them know that their data was stolen from the victim.
- Denial-of-Service attacks to increase pressure.
- Further reconnaissance.
The idea behind this pattern is for the attacker to maximize their profit/destruction. It’s as simple as that. There are also instances where this initial access may be sold to other threat-actor groups for further exploitation.
So what should you do here?
If you haven’t already patched for these vulnerabilities, do so now. Stop reading, go do it, come back and find out what to do after that.
If you did patch you should still threat hunt in your environment. These vulnerabilities were exploited at an exceptionally fast pace, and there’s a very real possibility you were exploited before you even knew it was an issue.
Check Your Microsoft Exchange servers
Check your Exchange Servers for unexpected .aspx files—these are likely the webshells dropped by attackers. If you find these, you know that you were at least exploited by an initial threat actor. This is an indicator that you may have an active breach and should execute an organization-wide threat hunt immediately. Please do not overlook this point. If attackers have potentially had access to your environment since early-to-mid 2021, a quick response from your team is going to be crucial.
Even if you aren’t finding .aspx files now, it would be a great idea to still do a threat hunt in your organization. A threat hunt is never a bad thing. Additionally, someone in your organization could’ve cleaned those files up thinking that they were just unneeded or that this would fully resolve the compromise. In some cases, very early on, cleaning up those files may have been somewhat sufficient. This would only be the case if the attackers did not move laterally after gaining initial access.
What We Saw Last Year
During the initial period of exploit last year, FRSecure’s incident response team theorized that these threat actors may lay low after initial exploitation, only to come back to launch further attacks once the heat was off. Unfortunately, this has proven to be true.
Please, do what you need to do and don’t be another victim.
On a related note, you did the patch and threat hunt for Log4J… right?
This is an active exploit that is widespread among popular applications and software. Please do your due diligence in identifying vulnerable and/or compromised systems within your environment. And if you identify any indicators of compromise and need further assistance, please reach out at .
We will release updates if necessary as the situation progresses and we learn more.