Microsoft Exchange Alert

Microsoft Exchange alert: users, check your environment for security breaches

By Paulo Trindade and Atila Abreu Altoe

The Microsoft Exchange alert addresses vulnerabilities detected in the Exchange Server platform. Microsoft has released patches to address these vulnerabilities.

But how do you know whether your environment has actually been breached?

In this alert, prepared by the ISH intelligence team, we share the best available techniques for finding out whether the vulnerabilities were actually exploited by attackers. In a successful attack, arbitrary code is executed on the vulnerable Exchange server, giving the criminal access to the platform, its files, the mailboxes on the server and stored credentials. The original alert was issued by CISA, the Cybersecurity and Infrastructure Security Agency (USA): Mitigate Microsoft Exchange Server Vulnerabilities, which has recently been updated with more information.

Microsoft has released patches to address these vulnerabilities in Microsoft Exchange Server, which are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services.

Below you will find the tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity. To protect against this threat, we recommend that organizations hunt for these TTPs and IOCs in their systems and logs.

Microsoft Exchange Alert: Technical details

Microsoft's April 2021 security update mitigates significant vulnerabilities affecting on-premises Exchange Server 2016 and 2019 and addresses four remote code execution vulnerabilities in Exchange Server (CVE-2021-28480 through CVE-2021-28483). The notable fixes in that month's release are:

CVE-2021-28310 - Win32k Elevation of Privilege Vulnerability

This is the only vulnerability in the April release listed as being actively exploited. The bug allows an attacker to escalate privileges by running a specially crafted program on a target Windows system, such as the host running Exchange. This means they first need to log on to the system or trick a legitimate user into running the code on their behalf. Given who is credited with discovering the bug, it is probably being used in malware. Bugs of this nature are often combined with other bugs, such as a browser bug or a PDF exploit, to take full control of a system.

CVE-2021-28480 and CVE-2021-28481 - Microsoft Exchange Server Remote Code Execution Vulnerability

Both CVEs carry a CVSS score of 9.8 (Critical) and have identical descriptions, so they are listed together. Both are unauthenticated code execution bugs that require no user interaction. As the attack vector is listed as "Network", these bugs are likely wormable, at least between Exchange servers. The CVSS score of these two bugs is actually higher than that of the Exchange bugs exploited earlier this year. Given who reported them, and considering that they also received Microsoft's highest Exploitability Index rating, assume that they will eventually be exploited.

CVE-2021-28329 et al. - Remote Procedure Call Runtime Remote Code Execution Vulnerability

Of the 27 RPC Runtime CVEs in this release, 12 are rated Critical and 15 are rated Important. For a typical RPC vulnerability, an attacker would need to send a specially crafted RPC request to an affected system; successful exploitation results in code execution in the context of another user. The Important-rated bugs probably differ in that the user context reached has lower privileges than in their Critical-rated counterparts. The Critical-rated CVEs in the April release are:

  • CVE-2021-28460
  • CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 (Exchange Server)
  • CVE-2021-28329 through CVE-2021-28339 and CVE-2021-28343 (RPC Runtime)
  • CVE-2021-27095
  • CVE-2021-28315

CVE-2021-28444 - Windows Hyper-V Security Feature Bypass Vulnerability

This security feature bypass could allow an attacker to bypass Router Guard settings in Hyper-V. Router Guard is designed to prevent guest operating systems from offering router services on the network. Many do not realize that Windows can be configured as a router: a physical or virtual system can then be used to redirect packets to an attacker-chosen destination (a man-in-the-middle position) or simply to black-hole traffic.

Exchange servers hold highly privileged permissions in Active Directory (AD), so an attacker who gains control of an Exchange server can pivot to AD and reach the data stored there.

Microsoft Security Intelligence reported on Twitter that DearCry ransomware (malware that encrypts files on a device and demands a ransom in exchange for decryption) was being deployed on compromised on-premises Exchange servers. Ransomware infections can have negative consequences for an affected organisation, including:

  • Temporary or permanent loss of confidential or proprietary information;
  • Interruption of regular operations;
  • Financial losses incurred to restore systems and files;
  • Potential damage to an organisation's reputation.

Tactics, techniques and procedures

The ransomware attempts to encrypt specific files, identified by file extension, on the target system using the Advanced Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA) algorithms. It embeds an RSA public key, which is used to protect the per-file AES keys as described below.

Figure 1: DearCry variant (hashes obtained)
Figure 2: identification by antivirus

At runtime, the ransomware loads the RSA public key embedded in its code. It then attempts to identify all drives attached to the system, from drive A: to drive Z:. For each drive found, the ransomware enumerates it and encrypts files with the following extensions:

.TIF .TIFF .PDF .XLS .XLSX .XLTM .PS .PPS .PPT .PPTX .DOC .DOCX .LOG .MSG .RTF .TEX .TXT .CAD .WPS .EML .INI .CSS .HTM .HTML .XHTML .JS .JSP .PHP .KEYCHAIN .PEM .SQL .APK .APP .BAT .CGI .ASPX .CER .CFM .C .CPP .GO .CONFIG .PL .PY .DWG .XML .JPG .BMP .PNG .EXE .DLL .CAD .AVI .H .CSV .DAT .ISO .PST .PGD .7Z .RAR .ZIP .ZIPX .TAR .PDB .BIN .DB .MDB .MDF .BAK .LOG .EDB .STM .DBF .ORA .GPG .EDB .MFS

After encrypting the files with the extensions listed above, the ransomware drops the ransom note "readme.txt" in the folders containing encrypted files on the target system. It contains the following message:

    If you want to decrypt, please contact us.

    konedieyp[@]airmail.cc or uenwonken[@]memail.com

    And please send me the following hash!

    638428e5021d4ae247b21acf9c0bf6f6

The ransomware then deletes the original copy of each file and replaces it with an encrypted copy, with the file extension changed to .CRYPT. Before actually deleting the original file, the malware overwrites it with the repeated byte value 0x41, making it impossible to recover the file with forensic undelete or carving tools.

Before encrypting each of the user's files, the malware assembles metadata about the file, including its full path and the AES key used to encrypt it (the same key is needed to decrypt it). This metadata is encrypted with the embedded RSA public key and prepended to the encrypted file. Note that the ransomware generates a new AES key for each file, so without the corresponding RSA private key none of the per-file keys can be recovered.

During execution, the ransomware runs as a service called "msupdate". After the encryption process and the ransom note drop, the "msupdate" service is removed.


Recommendations for dealing with DearCry

Users and administrators should adopt the following best practices to strengthen the security posture of their organization's systems. All configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unintended impact. The recommendations are:

  • Keep signatures and antivirus engines up to date;
  • Keep operating system patches up to date;
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication;
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless necessary;
  • Enforce a strong password policy and implement regular password changes;
  • Be careful when opening email attachments, even if the attachment is expected and the sender appears to be known;
  • Enable a personal firewall on workstations, configured to deny unsolicited connection requests;
  • Disable unnecessary services on workstations and servers;
  • Look for and remove suspicious email attachments; make sure that the scanned attachment is your "true file type" (i.e. the extension matches the file header);
  • Monitor users' web browsing habits; restrict access to sites with unfavourable content;
  • Be careful when using removable media (e.g. USB sticks, external drives, CDs etc);
  • Scan all software downloaded from the Internet before running it;
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Still on vulnerabilities

Approximately 10 webshells associated with this activity have been identified, but this is not a complete list. Organizations should therefore review the following Malware Analysis Reports (MARs) for a detailed analysis of the 10 webshells, along with their TTPs and IOCs. These MARs include YARA rules developed to aid timely detection and response.

  1. AR21-072A: MAR-10328877.r1.v1: China Chopper Webshell
  2. AR21-072B: MAR-10328923.r1.v1: China Chopper Webshell
  3. AR21-072C: MAR-10329107.r1.v1: China Chopper Webshell
  4. AR21-072D: MAR-10329297.r1.v1: China Chopper Webshell
  5. AR21-072E: MAR-10329298.r1.v1: China Chopper Webshell
  6. AR21-072F: MAR-10329301.r1.v1: China Chopper Webshell
  7. AR21-072G: MAR-10329494.r1.v1: China Chopper Webshell
  8. AR21-084A: MAR-10329496-1.v1: China Chopper Webshell
  9. AR21-084B: MAR-10329499-1.v1: China Chopper Webshell
  10. AR21-102A: MAR-10331466-1.v1: China Chopper Webshell

Webshells: what they are and what they are used for

A webshell is a script uploaded to a compromised web server, here a Microsoft Exchange Server, to allow remote administration of the machine. Webshells are used for the following purposes:

  • Collect and exfiltrate confidential data and credentials;
  • Upload additional malware, for example to turn the server into a watering hole for infecting and scanning further victims;
  • Act as a relay point to issue commands to hosts within the network that have no direct access to the Internet;
  • Serve as command and control infrastructure, potentially as a bot in a botnet (for example one used for DDoS attacks) or in support of compromising additional external networks. This is likely when the adversary intends to maintain long-term persistence.

Files found as targets of HTTP POST requests

They are:

  • /owa/auth/Current/themes/resources/logon.css
  • /owa/auth/Current/themes/resources/owafont_ja.css
  • /owa/auth/Current/themes/resources/lgnbotl.gif
  • /owa/auth/Current/themes/resources/owafont_ko.css
  • /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
  • /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf
  • /owa/auth/Current/themes/resources/lgnbotl.gif

Administrators should search the ECP server logs for the following string (or something similar):

S:CMD=Set-OabVirtualDirectory.ExternalUrl='

The logs can be found in <exchange install path>\Logging\ECP\Server\.

To determine possible webshell activity, administrators should search for aspx files in the following paths:

  • \inetpub\wwwroot\aspnet_client\ (any aspx file in this folder or subfolders)
  • \<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file other than TimeoutLogoff.aspx)
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file, or any modified file, that is not part of a default installation)
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\ (any aspx file in this folder or subfolders)
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\ (any aspx file in this folder or subfolders)
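
Both hunts above, the ECP server log search and the path rules for suspicious .aspx files, can be automated in one pass. The following Python script is an added example written for this article, not code from CISA or Microsoft: it applies the exact marker string and path rules listed above to ECP log lines and to a file listing (taken live from the server with os.walk, or from a collected triage image). The sample log lines and file paths are constructed; the install path C:\Program Files\Microsoft\Exchange Server\V15 is the assumed default; the "webshell tells" used to grade the ExternalUrl value are a heuristic of ours; and the owa\auth baseline is a name list you must take from a clean install of the same build, since the alert's rule there is "anything not part of a default installation".

```python
import os
import re
from pathlib import PureWindowsPath

# ECP server log marker from the alert. A legitimate admin changing the OAB
# virtual directory writes the same string, so the value after the marker is
# what decides whether the hit matters.
OAB_SET_MARKER = "S:CMD=Set-OabVirtualDirectory.ExternalUrl='"
OAB_VALUE_RE = re.compile(re.escape(OAB_SET_MARKER) + r"((?:[^']|'')*)'")
# Heuristic tells of server-side script in a URL value (assumption, not a full signature set).
WEBSHELL_TELLS = ("<script", "runat=", "eval(", "request[", "request.item")

# Constructed, abbreviated ECP server log lines (not a real Exchange log layout).
SAMPLE_ECP_LOG = [
    "2021-03-02T02:10:11Z,admin@example.local,S:CMD=Get-OabVirtualDirectory;S:Ret=OK",
    "2021-03-02T02:11:40Z,admin@example.local,S:CMD=Set-OabVirtualDirectory.ExternalUrl='https://mail.example.com/OAB';S:Ret=OK",
    "2021-03-03T04:12:09Z,EXCH01$,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://o/<script runat=\"server\">eval(Request[\"x\"])</script>';S:Ret=OK",
]

def find_oab_externalurl_sets(lines):
    """Return (line_no, external_url, looks_like_webshell) for each ExternalUrl write."""
    hits = []
    for n, line in enumerate(lines, 1):
        if OAB_SET_MARKER not in line:
            continue
        m = OAB_VALUE_RE.search(line)
        value = m.group(1) if m else line.split(OAB_SET_MARKER, 1)[1]
        hits.append((n, value, any(t in value.lower() for t in WEBSHELL_TELLS)))
    return hits

# Assumed default install path; take the real one from the server's registry or Get-ExchangeServer.
EXCHANGE_INSTALL_PATH = r"C:\Program Files\Microsoft\Exchange Server\V15"
VERSION_DIR_RE = re.compile(r"^\d+(\.\d+){1,3}$")  # e.g. owa\auth\15.2.792.3

def _parts(path):
    return tuple(p.lower() for p in PureWindowsPath(path).parts)

def _under(parts, base):
    return len(parts) > len(base) and parts[:len(base)] == base

def find_suspect_files(listing, exchange_install_path, inetpub_root=r"C:\inetpub",
                       owa_auth_baseline=()):
    """Apply the alert's path rules to a file listing. owa_auth_baseline holds the
    file names of owa\\auth from a clean install of the same build."""
    exch = _parts(exchange_install_path)
    aspnet_client = _parts(inetpub_root) + ("wwwroot", "aspnet_client")
    ecp_auth = exch + ("frontend", "httpproxy", "ecp", "auth")
    owa_auth = exch + ("frontend", "httpproxy", "owa", "auth")
    baseline = {b.lower() for b in owa_auth_baseline}
    findings = []
    for raw in listing:
        p = _parts(raw)
        name, is_aspx, reason = p[-1], p[-1].endswith(".aspx"), None
        if _under(p, aspnet_client) and is_aspx:
            reason = "aspx under aspnet_client"
        elif _under(p, ecp_auth) and name != "timeoutlogoff.aspx":
            reason = "file other than TimeoutLogoff.aspx under ecp\\auth"
        elif _under(p, owa_auth):
            rel = p[len(owa_auth):]
            if len(rel) == 1 and name not in baseline:
                reason = "file in owa\\auth not in the clean-install baseline"
            elif len(rel) > 1 and rel[0] == "current" and is_aspx:
                reason = "aspx under owa\\auth\\Current"
            elif len(rel) > 1 and VERSION_DIR_RE.match(rel[0]) and is_aspx:
                reason = "aspx under owa\\auth\\" + rel[0]
        if reason:
            findings.append((raw, reason))
    return findings

def walk_listing(root):
    """Build a listing from a live file system (run on the server or a mounted image)."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)

# Constructed file listing: three legitimate files and five that the rules flag.
_FE = EXCHANGE_INSTALL_PATH + r"\FrontEnd\HttpProxy"
SAMPLE_LISTING = [
    r"C:\inetpub\wwwroot\aspnet_client\system_web\default1.aspx",
    _FE + r"\ecp\auth\TimeoutLogoff.aspx",
    _FE + r"\ecp\auth\help.aspx",
    _FE + r"\owa\auth\logon.aspx",
    _FE + r"\owa\auth\logoff1.aspx",
    _FE + r"\owa\auth\Current\themes\resources\logon.css",
    _FE + r"\owa\auth\Current\themes\resources\supp0rt.aspx",
    _FE + r"\owa\auth\15.2.792.3\themes\resources\aaa.aspx",
]

if __name__ == "__main__":
    for n, url, shell in find_oab_externalurl_sets(SAMPLE_ECP_LOG):
        print(f"ECP log line {n}: ExternalUrl={url!r} webshell_tells={shell}")
    for path, why in find_suspect_files(SAMPLE_LISTING, EXCHANGE_INSTALL_PATH,
                                        owa_auth_baseline=("logon.aspx",)):
        print(f"SUSPECT {path} -> {why}")
```

On a live server, feed walk_listing(r"C:\inetpub") and walk_listing(EXCHANGE_INSTALL_PATH) to find_suspect_files instead of the sample list. The second ECP hit is graded as webshell-like only because its ExternalUrl contains script markers; the first hit is the string the alert tells you to search for, but it is an ordinary administrative change, which is why the value has to be read rather than the marker alone counted.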

Also search the web logs for requests to /owa/auth/Current made with the following non-standard user agents. These may help incident responders decide whether further investigation is required, but they should not be considered definitive IOCs:

  • DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)
  • facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)
  • Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
  • Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)
  • Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)
  • Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
  • Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)
  • Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)
  • Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36

User agents were also observed in conjunction with the exploitation of /ecp/ URLs:

  • ExchangeServicesClient/0.0.0.0
  • python-requests/2.19.1
  • python-requests/2.25.1

The following user agents were also observed in post-exploitation web shell access:

  • antSword/v2.1
  • Googlebot/2.1+(+http://www.googlebot.com/bot.html)
  • Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)

As with the non-standard user agents, responders can examine the Internet Information Services (IIS) logs of Exchange servers for the following request patterns to identify possible historical activity. These, too, should not be considered definitive IOCs:

  • POST /owa/auth/Current/
  • POST /ecp/default.flt
  • POST /ecp/main.css
  • POST /ecp/<single char>.js

The following IP addresses were used by the malicious actors. Although these belong to virtual private server (VPS) and VPN providers, responders should still look for them on their networks and act according to their internal policies:

  • 103.77.192[.]219
  • 104.140.114[.]110
  • 104.250.191[.]110
  • 108.61.246[.]56
  • 149.28.14[.]163
  • 157.230.221[.]198
  • 167.99.168[.]251
  • 185.250.151[.]72
  • 192.81.208[.]169
  • 203.160.69[.]66
  • 211.56.98[.]146
  • 5.254.43[.]18
  • 5.2.69[.]14
  • 80.92.205[.]81
  • 91.192.103[.]43

The webshell hashes provided by Microsoft are shown below:

  • b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  • 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
  • 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
  • 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
  • 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  • 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
  • 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
  • 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

This is not a complete list of indicators of compromise, and threat actors often use short-term leased IP addresses that change very frequently. Organizations that do not find any of the IOCs listed in this alert in their network traffic may nevertheless have been compromised. We recommend that your Microsoft Exchange administrators follow Microsoft's guidance.

Mitigation

According to Microsoft, the company is aware of threat actors using open source tools to scan vulnerable Microsoft Exchange servers. This specific type of attack can be scripted, allowing attackers to exploit vulnerabilities through automated mechanisms.

Security updates are available for the following Exchange versions; each requires the listed Cumulative Update (CU) or Rollup Update (RU) level to be installed first:
  • Exchange Server 2010 (upgrade requires SP3 or any SP3RU)
  • Exchange Server 2013 (upgrade requires CU 23)
  • Exchange Server 2016 (upgrade requires CU 19 or CU 18)
  • Exchange Server 2019 (upgrade requires CU 8 or CU 7)

All patches must be applied using administrator privileges.

If patching is not immediately possible, the following temporary measures are recommended, not as a replacement for patching. In particular, limit or block external access to Internet-facing Exchange servers as follows:

  • Restrict untrusted connections to port 443 or configure a VPN to separate Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already on your network;
  • Block external access to the local Exchange;
  • Restrict external access to the OWA URL: /owa/;
  • Restrict external access to the Exchange Admin Center (EAC) aka Exchange Control Panel (ECP) URL: /ecp/;
  • Disconnect vulnerable Exchange servers from the Internet until a patch can be applied;
  • Investigate exposed Exchange servers for compromise, regardless of current patch status;
  • Search for web shells using the guidance above and run a full AV scan using Microsoft's Exchange On-premises Mitigation Tool (EOMT);
  • Investigate local users and groups, even non-administrative users, for changes and ensure that all users require a password to log in. New user account creations (represented by event ID 4720) during the time the system was vulnerable may indicate the creation of a malicious user;
  • Reset and randomise local administrator passwords with a tool like LAPS if you are not already doing so;
  • Look for changes to the system's RDP, firewall, WMI subscription and Windows Remote Management (WinRM) configuration that the attacker may have made to maintain persistence;
  • Look for event ID 1102 to determine whether the attackers cleared the event logs, something attackers do to cover their tracks;
  • Look for new persistence mechanisms such as unexpected services, scheduled tasks and startup items;
  • Look for Shadow IT tools that attackers may have installed for persistence, such as non-Microsoft RDP and remote access clients;
  • Check your mailbox level mail forwarding settings (ForwardingAddress and ForwardingSMTPAddress attributes), check your mailbox inbox rules (which can be used to forward mail externally) and check Exchange Transport rules that you may not recognise.
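
The account and event-log checks in the list above can be run against an export of the Security event log (for example one collected with KAPE and exported to JSON or CSV). The Python below is an added example, not Microsoft's own guidance: it flags event ID 4720 records that fall inside the window in which the server was exposed, and every event ID 1102 record regardless of time. Event ID 4732 (member added to a security-enabled local group) is an added check for the "investigate local users and groups" item and is not named in the alert. The records, the exposure window and the account names are constructed; the creator account EXCH01$ in the sample illustrates a user created from the server's own SYSTEM context, which is how an account created through a web shell typically appears.

```python
from datetime import datetime, timezone

# Event IDs from the alert (4720, 1102) plus 4732 as an added local-group check.
EVENT_MEANING = {
    4720: "user account created",
    4732: "member added to a security-enabled local group",
    1102: "Security event log cleared",
}

# Exposure window: from when the server was reachable unpatched until it was
# patched or taken offline (constructed dates for this example).
EXPOSED_FROM = datetime(2021, 2, 26, tzinfo=timezone.utc)
EXPOSED_UNTIL = datetime(2021, 3, 4, tzinfo=timezone.utc)

# Constructed sample records in the shape of a Security log export
# (e.g. Get-WinEvent output converted to JSON, or an EvtxECmd CSV read as dicts).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2021-02-27T08:00:00+00:00",
     "TargetUserName": "svc-backup", "SubjectUserName": "-"},
    # Account created by the computer account itself (SYSTEM context), as a
    # web shell running under the Exchange IIS worker would do.
    {"EventID": 4720, "TimeCreated": "2021-03-03T03:41:12+00:00",
     "TargetUserName": "support", "SubjectUserName": "EXCH01$"},
    {"EventID": 4732, "TimeCreated": "2021-03-03T03:41:30+00:00",
     "TargetUserName": "Administrators", "MemberName": "support", "SubjectUserName": "EXCH01$"},
    {"EventID": 1102, "TimeCreated": "2021-03-03T03:55:02+00:00", "SubjectUserName": "support"},
    # Routine helpdesk account creation well before the exposure window: not reported.
    {"EventID": 4720, "TimeCreated": "2021-01-15T10:02:00+00:00",
     "TargetUserName": "jdoe", "SubjectUserName": "helpdesk"},
    # Log cleared long before the window: still reported, but marked out-of-window.
    {"EventID": 1102, "TimeCreated": "2020-12-01T07:30:00+00:00", "SubjectUserName": "itops"},
]

def triage_security_events(events, exposed_from, exposed_until):
    """Return account/group changes inside the exposure window and every log-clear event."""
    findings = []
    for ev in events:
        eid = int(ev["EventID"])
        if eid not in EVENT_MEANING:
            continue
        when = datetime.fromisoformat(ev["TimeCreated"])
        in_window = exposed_from <= when <= exposed_until
        if eid != 1102 and not in_window:
            continue
        findings.append({
            "time": when.isoformat(),
            "event_id": eid,
            "meaning": EVENT_MEANING[eid],
            "subject": ev.get("SubjectUserName", "?"),
            "target": ev.get("MemberName") or ev.get("TargetUserName", "?"),
            "in_exposure_window": in_window,
        })
    return findings

if __name__ == "__main__":
    for f in triage_security_events(SAMPLE_EVENTS, EXPOSED_FROM, EXPOSED_UNTIL):
        flag = "IN-WINDOW" if f["in_exposure_window"] else "out-of-window"
        print(f"{f['time']} {f['event_id']} {f['meaning']}: {f['target']} by {f['subject']} [{flag}]")
```

Set EXPOSED_FROM to the earliest date the unpatched server was reachable from the Internet (the alert's "time the system was vulnerable") and EXPOSED_UNTIL to the patch or isolation time. A 1102 event is reported even outside the window because a cleared log also erases the evidence you would otherwise be looking for.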

References

  • Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
  • Analysis Report: DearCry Ransomware
  • Eric Zimmerman: KAPE Documentation