ProxyLogon continues to haunt both Public & Private Organizations
ProxyLogon is a Microsoft Exchange Server vulnerability that allows attackers to bypass authentication and impersonate administrators.
This vulnerability is covered by CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, which may be chained together to build a pre-authentication Remote Code Execution (RCE) vulnerability, allowing attackers to take control of servers without having any legitimate access. This gives attackers access to email conversations, the ability to exfiltrate data, and the ability to install a web shell for future exploitation within the victim environment.
An unauthenticated attacker can use an open 443 port to execute arbitrary instructions on a Microsoft Exchange Server.
ProxyLogon-type vulnerabilities have been frequently leveraged to implement simple yet extremely powerful persistent server access, such as the SessionManager backdoor, a malicious native-code module for Microsoft’s IIS web server software. This trend indicates that attackers are actively exploiting ProxyLogon vulnerabilities.
A China-based APT group recently exploited an MS Exchange vulnerability to deliver ShadowPad malware and infect one of the victim’s Building Automation Systems.
BAS infrastructure integrates operational aspects such as power, lighting, HVAC systems, fire alarms, and security cameras into a unified control panel.
Cyble Research Labs investigated the exposed Microsoft Exchange servers using online scanners to understand the scope of the issue.
At the time of investigation, it was found that there are more than 6,000 exposed MS Exchange servers that are vulnerable, as shown in the heatmap below.
Despite a lower incidence of exposed MS Exchange servers compared to last year, it should be noted that these servers are deployed in critical sectors like Energy, Finance, Manufacturing, Hospitals, and other public-private organizations (shown in Figure 2). This increases the risk of exploitation by threat actors as these sectors have a tangible impact on the national economy, infrastructure, defense, etc.
MS Exchange server Overview
MS Exchange employs a single building block design to deliver email services for deployments ranging from small businesses to huge multinational companies.
The Client Access services accept all forms of client connections on Exchange Mailbox servers. These connections are proxied by the Client Access (frontend) services to the backend services on the target Mailbox server (the local server or a remote Mailbox server that maintains an active copy of the user’s mailbox). Clients do not connect directly to the backend services. The figure below depicts this flow of traffic.
The key components of MS Exchange Server are:
Outlook Web Access (OWA) is a web-based interface for mailbox access and administration (read/send/delete email, update calendar, etc.).
Exchange ActiveSync (EAS) is a service that enables mobile device users to access and manage their email, calendar, contacts, tasks, etc., without needing an internet connection.
Exchange Web Services (EWS) is an API that allows different applications to access mailbox components.
Exchange Control Panel (ECP) is a web interface for managing Exchange components such as creating various mail traffic policies and mailboxes, connecting additional mail servers, etc.
Remote Procedure Call (RPC) is a client access service that operates on top of the RPC protocol.
Internet Message Access Protocol 4 (IMAP4) / Post Office Protocol 3 (POP3) are application layer protocols for email access.
As mentioned above, ProxyLogon is comprised of 4 vulnerabilities, which are described in the ProxyLogon Vulnerability Chain diagram below.
The CVE-2021-26855 (SSRF) vulnerability is known as “ProxyLogon,” allowing an external attacker to evade the MS Exchange authentication process and impersonate any user.
An attacker can make an arbitrary HTTP request that will be routed to another internal service on behalf of the mail server computer account by faking a server-side request. To exploit this flaw, the attacker must create a specific POST request for a static file in a directory that is accessible without the need for authentication.
CVE-2021-26857 is a post-authentication insecure deserialization vulnerability in a vulnerable Exchange Server’s Unified Messaging Service that allows commands to be performed with SYSTEM account capabilities.
The SYSTEM account is used by Windows and services and is assigned full control rights to all files by default. A hostile actor can exploit this vulnerability in conjunction with stolen credentials or the previously known SSRF vulnerability to execute arbitrary commands on a vulnerable Exchange Server in the SYSTEM security context.
CVE-2021-26858 and CVE-2021-27065 are both post-authentication arbitrary file write vulnerabilities that allow an authorized user to write files to any path on a vulnerable Exchange Server. A malicious actor might use the previously described CVE-2021-26855 SSRF vulnerability to gain admin access and write web shells to virtual folders (VDirs).
Attackers usually target Exchange Servers to gain a foothold into the company’s network to obtain access to sensitive information to deliver ransomware and malware.
During our routine threat hunting exercise, we observed that several cybercrime forums are still discussing the ProxyLogon vulnerability and threat actors’ access to vulnerable Exchange Servers, as shown in the figures below.
According to the Cybersecurity and Infrastructure Security Agency (CISA) “2021 Top Routinely Exploited Vulnerabilities” advisory, ProxyLogon is still an actively exploited vulnerability used by hackers and APT groups. The SessionManager backdoor and the targeting of BAS indicate that malicious hackers have been actively exploiting the ProxyLogon vulnerability.
- Update outdated servers with the latest patches released by Microsoft.
- Utilize Microsoft’s Exchange On-premises Mitigation Tool (EOMT.ps1), which can automate portions of both the detection and patching process.
- Configure a VPN to isolate the Exchange Server from external access.
- Look for modifications within the system’s RDP, firewall, WMI subscriptions, and Windows Remote Management (WinRM) setup that the attacker may have made to establish persistence.
- Examine mailbox-level email forwarding settings (including ForwardingAddress and ForwardingSMTPAddress attributes), mailbox inbox rules (which may be used to route emails externally), and Exchange Transport rules users may not be familiar with.
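The last two recommendations can be walked through in the Exchange Management Shell. The script below is an added example and not code from the Cyble post; it assumes an on-premises Exchange Management Shell session with at least View-Only Organization Management rights, and it flags forwarding targets whose domain is not one of the organization's accepted domains.

```powershell
# Added example (not part of the Cyble post): review mail-diversion settings and
# common persistence points named in the recommendations above.

# Accepted domains of the organization; forwarding outside them is flagged.
$internalDomains = Get-AcceptedDomain |
    ForEach-Object { $_.DomainName.ToString().ToLower() }

# Rule targets look like "Name [SMTP:user@example.org]" for external recipients
# and "Name [EX:/o=.../cn=Recipients/...]" for internal ones.
function Test-ExternalTarget {
    param([string]$Target)
    if ($Target -match 'smtp:([^\]\s>]+)') {
        $domain = ($Matches[1] -split '@')[-1].ToLower()
        return -not ($internalDomains -contains $domain)
    }
    return $false   # legacyDN (EX:) entries resolve to internal recipients
}

Write-Host "== Mailbox-level forwarding (ForwardingAddress / ForwardingSMTPAddress) =="
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Where-Object { $_.ForwardingAddress -or $_.ForwardingSMTPAddress } |
    Select-Object Name, ForwardingAddress, ForwardingSMTPAddress,
                  DeliverToMailboxAndForward | Format-Table -AutoSize

Write-Host "== Inbox rules that forward or redirect to external addresses =="
$mailboxes | ForEach-Object {
    $mbx = $_
    Get-InboxRule -Mailbox $mbx.Identity | ForEach-Object {
        $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
        $external = $targets | Where-Object { $_ -and (Test-ExternalTarget "$_") }
        if ($external) {
            [pscustomobject]@{ Mailbox = $mbx.Name; Rule = $_.Name; Enabled = $_.Enabled
                               External = ($external -join '; ') }
        }
    }
} | Format-Table -AutoSize

Write-Host "== Transport rules that copy or redirect mail =="
Get-TransportRule | Where-Object { $_.BlindCopyTo -or $_.RedirectMessageTo -or $_.CopyTo } |
    Select-Object Name, State, WhenChanged, BlindCopyTo, RedirectMessageTo, CopyTo |
    Format-List

Write-Host "== Persistence points on this server: WMI subscriptions, WinRM, RDP =="
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys | Format-Table -AutoSize
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' |
    Select-Object fDenyTSConnections   # 0 means RDP connections are allowed
```

Compare each listed rule, forwarding entry, WMI binding and listener against the change history in your ticketing system; anything nobody can account for is a candidate for the attacker-made modifications described above.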