Microsoft’s Defender ATP Research Team released guidance on how to defend against attacks targeting Exchange servers with the use of behavior-based detection.
Microsoft researchers analyzed multiple campaigns targeting Exchange servers in early April, which showed how the malicious actors deployed web shells on them.
There are two primary techniques to target Exchange servers; the most common scenario sees attackers launching social engineering or drive-by download attacks targeting endpoints to steal credentials and move laterally until they gain access to an Exchange server.
In a second scenario, attackers exploit a remote code execution vulnerability (i.e. CVE-2020-0688) affecting the underlying Internet Information Services (IIS) component of a target Exchange server.
In this case, if the server has misconfigured access levels, the attackers can achieve system privileges.
The CVE-2020-0688 flaw resides in the Exchange Control Panel (ECP) component; the root cause is that Exchange servers fail to create unique keys at install time. A remote, authenticated attacker could exploit CVE-2020-0688 to execute arbitrary code with SYSTEM privileges on the server and take full control of it.
“The data and techniques from this analysis make up an anatomy of Exchange server attacks. Notably, the attacks used multiple fileless techniques, adding another layer of complexity to detecting and resolving these threats, and demonstrating how behavior-based detections are key to protecting organizations.” reads the analysis published by Microsoft.
Microsoft warns that threat actors are increasingly focusing on the exploitation of unpatched Exchange servers.
Upon gaining access to the server, threat actors deploy a web shell into one of the many web-accessible paths on it.
The web shell can be deployed in different forms; in its investigation, Microsoft noticed that most of these attacks used the China Chopper web shell.
“In April, multiple Exchange-specific behavior-based detections picked up unusual activity. The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells.” continues Microsoft. “Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain. Common services, for example Outlook on the web (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC; formerly known as the Exchange Control Panel or ECP), executing net.exe, cmd.exe, and other known living-off-the-land binaries (LOLBins) like mshta.exe is very suspicious and should be further investigated.”
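The process chain Microsoft describes above, turned into detection logic as an added example (this is not code from Microsoft or the report): flag process-creation records where an IIS worker running the Exchange OWA or ECP application pool spawns net.exe, cmd.exe, mshta.exe or a similar LOLBin. The pipe-delimited record layout, field names and sample events are assumptions constructed for the example.

```python
"""Detection logic for the process chain the report describes: an Exchange web application
pool (w3wp.exe hosting OWA or ECP) spawning net.exe, cmd.exe, mshta.exe or similar LOLBins.
Record layout and sample events are constructed; pool names are the standard Exchange ones."""
import re

IIS_WORKER = "w3wp.exe"
# IIS application pools serving Outlook on the web and the Exchange admin center
EXCHANGE_WEB_POOLS = {"msexchangeowaapppool", "msexchangeecpapppool"}
# LOLBins the report names, plus close relatives
SUSPICIOUS_CHILDREN = {"net.exe", "net1.exe", "cmd.exe", "mshta.exe", "powershell.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def pool_from_cmdline(parent_cmdline: str):
    """IIS starts each worker as w3wp.exe -ap "<pool name>" ...; return that pool name."""
    m = re.search(r'-ap\s+"([^"]+)"', parent_cmdline)
    return m.group(1).lower() if m else None

def detect(records: list) -> list:
    """Return (timestamp, pool, child, cmdline) for each record where an Exchange web pool
    spawns a LOLBin; other w3wp.exe pools and non-IIS parents are ignored for precision."""
    findings = []
    for rec in records:
        fields = rec.split("|", 4)  # timestamp|parent_image|parent_cmdline|image|cmdline
        if len(fields) != 5:
            continue  # malformed record: skip instead of crashing the pipeline
        ts, parent_image, parent_cmdline, image, cmdline = fields
        pool = pool_from_cmdline(parent_cmdline)
        if (basename(parent_image) == IIS_WORKER and pool in EXCHANGE_WEB_POOLS
                and basename(image) in SUSPICIOUS_CHILDREN):
            findings.append((ts, pool, basename(image), cmdline))
    return findings

# Constructed sample telemetry: two web-shell-style chains, one child of a non-Exchange
# pool, one cmd.exe whose parent is not IIS, and one malformed line.
SAMPLE_EVENTS = [
    '2020-04-02T10:11:03Z|C:\\Windows\\System32\\inetsrv\\w3wp.exe|w3wp.exe -ap "MSExchangeOWAAppPool"|C:\\Windows\\System32\\net.exe|net user',
    '2020-04-02T10:12:41Z|C:\\Windows\\System32\\inetsrv\\w3wp.exe|w3wp.exe -ap "MSExchangeECPAppPool"|C:\\Windows\\System32\\cmd.exe|cmd.exe /c set',
    '2020-04-02T10:13:05Z|C:\\Windows\\System32\\inetsrv\\w3wp.exe|w3wp.exe -ap "DefaultAppPool"|C:\\Windows\\System32\\cmd.exe|cmd.exe /c set',
    '2020-04-02T10:14:22Z|C:\\Windows\\explorer.exe|explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe',
    'not a process event',
]

if __name__ == "__main__":
    for ts, pool, child, cmdline in detect(SAMPLE_EVENTS):
        print(f"{ts} {pool} spawned {child}: {cmdline}")
```

Only the two OWA/ECP pool records are reported; the DefaultAppPool child and the explorer.exe-spawned cmd.exe are deliberately left out so the rule stays specific to the Exchange web-shell chain.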
In April, a joint report published by the U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) warned of bad actors increasingly exploiting vulnerable web servers to deploy web shells.
Microsoft recommends that customers apply the latest Exchange server updates, use antimalware solutions, make sure that sensitive groups and roles are frequently reviewed for suspicious removals and additions, restrict access by applying the principle of least privilege, and immediately investigate suspicious activity alerts.
“Behavior-based blocking and containment capabilities in Microsoft Defender Advanced Threat Protection stop many of the malicious activities we described in this blog. Behavior-based blocking and containment stops advanced attacks in their tracks by detecting and halting malicious processes and behaviors.” concludes the report.
(SecurityAffairs – hacking, Exchange servers)