Indiscriminate Exploitation of Microsoft Exchange Servers (CVE-2021-24085)


![Indiscriminate Exploitation of Microsoft Exchange Servers \(CVE-2021-24085\)](https://blog.rapid7.com/content/images/2021/03/Exchange-1.jpg) _The following blog post was co-authored by Andrew Christian and Brendan Watters._ Beginning Feb. 27, 2021, [Rapid7’s Managed Detection and Response (MDR)](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>) team has observed a notable increase in the automated exploitation of vulnerable Microsoft Exchange servers to upload a webshell granting attackers remote access. The suspected vulnerability being exploited is a [cross-site request forgery (CSRF) vulnerability](<https://www.rapid7.com/fundamentals/cross-site-request-forgery/>): The likeliest culprit is [CVE-2021-24085](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24085>), an Exchange Server spoofing vulnerability released as part of Microsoft’s February 2021 Patch Tuesday advisory, though other CVEs may also be at play (e.g., CVE-2021-26855, CVE-2021-26865, CVE-2021-26857). The following China Chopper command was observed multiple times beginning Feb. 27 using the same DigitalOcean source IP ( cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E] Exchange or other systems administrators who see this command—or any other China Chopper command in the near future—should look for the following in IIS logs: * (the source IP of the requests) * `/ecp/y.js` * `/ecp/DDI/DDIService.svc/GetList` Indicators of compromise (IOCs) from the attacks we have observed are consistent with IOCs for [publicly available exploit code targeting CVE-2021-24085](<https://github.com/sourceincite/CVE-2021-24085>) released by security researcher [Steven Seeley](<https://twitter.com/steventseeley>) last week, shortly before indiscriminate exploitation began. After initial exploitation, attackers drop an ASP eval webshell before (usually) executing `procdump` against `lsass.exe` in order to grab all the credentials from the box. It would also be possible to then clean some indicators of compromise from the affected machine[s]. We have included a section on CVE-2021-24085 exploitation at the end of this document. Exchange servers are frequent, [high-value attack targets](<https://attackerkb.com/search?q=exchange>) whose patch rates often [lag behind attacker capabilities](<https://blog.rapid7.com/2020/09/29/microsoft-exchange-2010-end-of-support-and-overall-patching-study/>). Rapid7 Labs has identified nearly 170,000 Exchange servers vulnerable to CVE-2021-24085 on the public internet: ![Indiscriminate Exploitation of Microsoft Exchange Servers \(CVE-2021-24085\)](https://lh6.googleusercontent.com/78_nHS9E83ZMCTmhVGtJvoieo_6tEcVLbmYeWB5jLPZNA0vkPN5MhTlUqvr_8o6IUw7WWG2K0IIsNDeJpvmkbBJHY3p_6_LH1ZnNb86cuOQJUZ_qdAyx3a0zpvFGF2l00c_vxVTg) **Rapid7 recommends that Exchange customers apply Microsoft’s February 2021 updates immediately.** InsightVM and Nexpose customers can [assess their exposure to CVE-2021-24085](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-24085/>) and other February Patch Tuesday CVEs with vulnerability checks. InsightIDR provides existing coverage for this vulnerability via our out-of-the-box China Chopper Webshell Executing Commands detection, and will alert you about any suspicious activity. [View this detection](<https://docs.rapid7.com/insightidr/windows-suspicious-process/#attacker-tool>) in the Attacker Tool section of the InsightIDR Detection Library. ## CVE-2021-24085 exploit chain As part of the [PoC](<https://github.com/sourceincite/CVE-2021-24085>) for CVE-2021-24085, the attacker will search for a specific token using a request to `/ecp/DDI/DDIService.svc/GetList`. If that request is successful, the PoC moves on to writing the desired token to the server’s filesystem with the request `/ecp/DDI/DDIService.svc/SetObject`. At that point, the token is available for downloading directly. The PoC uses a download request to `/ecp/poc.png` (though the name could be anything) and may be recorded in the IIS logs themselves attached to the IP of the initial attack. Indicators of compromise would include the requests to both `/ecp/DDI/DDIService.svc/GetList` and `/ecp/DDI/DDIService.svc/SetObject`, especially if those requests were associated with an odd user agent string like `python`. Because the PoC utilizes aSetObject to write the token o the server’s filesystem in a world-readable location, it would be beneficial for incident responders to examine any files that were created around the time of the requests, as one of those files could be the access token and should be removed or placed in a secure location. It is also possible that responders could discover the file name in question by checking to see if the original attacker’s IP downloaded any files. #### NEVER MISS A BLOG Get the latest stories, expertise, and news about security today. Subscribe