Priya Nair — Digital Forensics Analyst
Key Takeaways
- The exploit chain against Microsoft Exchange Server leveraging ProxyLogon is a major vector for initial access.
- Our investigation identified multiple techniques employed by the actor, ranging from web shell deployment to asymmetric encryption for command and control communications.
- The persistence mechanisms were particularly concerning, revealing how the actor maintained footholds within compromised environments.
Executive Summary
The rise of cyberattacks leveraging the ProxyLogon vulnerabilities in Microsoft Exchange Server has highlighted a critical weak point in corporate defenses. During our investigation, we analyzed several instances of compromise stemming from this vulnerability, tracking the entire attack chain from initial access through to lateral movement and impact assessment. The examination of artifacts left by the threat actor revealed a sophisticated approach to exploitation, highlighting the need for enhanced detection methodologies and thorough incident response protocols.
Initial Access
Initial access was obtained through CVE-2021-26855 and the related Exchange Server CVEs that make up the ProxyLogon chain. CVE-2021-26855 is a server-side request forgery (SSRF) flaw in the Exchange Client Access front end: a crafted request is forwarded to the back end as if it came from the Exchange server itself, so the actor was treated as authenticated without holding any valid credentials. We observed several exploitation attempts that used specially crafted HTTP requests targeting the Exchange Autodiscover service. Once the front end accepted those requests, the actor chained them with the post-authentication arbitrary file write (CVE-2021-27065) to drop web shells on the compromised server.
Execution & Persistence
Upon successful exploitation, the actor deployed a web shell, typically with a generic name such as shell.aspx, in a web-accessible directory such as C:\inetpub\wwwroot\aspnet_client\ (for example C:\inetpub\wwwroot\aspnet_client\my_shell.aspx). The web shell gave the actor remote code execution: commands arrived in HTTP request parameters and were run on the server. The web shells used varying degrees of obfuscation to evade detection, including base64 encoding and URL encoding of the commands carried in the HTTP requests. For persistence, our analysis revealed that the actor often created scheduled tasks or modified existing application settings so that their implants ran again after a reboot.
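The encoded-command obfuscation described above is what makes naive string matching on web shell files miss. The scanner below is an added example written for this page, not tooling from the report or from Microsoft: it walks a web root, scans every server-side script file, and looks for request-driven execution indicators in the raw text, in its URL-decoded form, and inside any base64 strings it contains. The indicator patterns, the directory fixture and the three sample pages (one benign, one plain shell-like page, one that hides the same indicators behind base64 and URL encoding) are all constructed for the example.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Heuristic indicators of request-driven code execution in an ASP.NET page.
# These patterns were chosen for this example; they are not a complete signature set.
EXEC_RE = re.compile(
    r"System\.Diagnostics\.Process|Process\.Start|cmd\.exe|powershell"
    r"|Request\s*\[|Request\.Form|Request\.QueryString|eval\s*\(|Assembly\.Load",
    re.IGNORECASE,
)
# Base64 runs long enough to hide a keyword; shorter runs are mostly noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_layers(text: str) -> list[tuple[str, str]]:
    """Return (layer, view) pairs: the raw text, its URL-decoded form, and any
    base64 strings inside it decoded as UTF-8 and as UTF-16LE (the encoding
    PowerShell's -EncodedCommand expects)."""
    views = [("raw", text)]
    decoded_url = unquote(text)
    if decoded_url != text:
        views.append(("urldecoded", decoded_url))
    for candidate in B64_RE.findall(decoded_url):
        try:
            raw = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue  # not valid base64 (wrong length or padding)
        for codec in ("utf-8", "utf-16-le"):
            try:
                views.append(("base64", raw.decode(codec)))
            except UnicodeDecodeError:
                pass  # the wrong codec for this payload; try the other one
    return views


def scan_file(path: Path) -> dict:
    """Scan one script file; each hit records which decoding layer exposed it."""
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = [(layer, m.group(0)) for layer, view in decode_layers(text)
            for m in EXEC_RE.finditer(view)]
    return {"name": path.name, "path": str(path), "hits": hits, "suspicious": bool(hits)}


def scan_webroot(root: Path, exts=(".aspx", ".ashx", ".asmx")) -> list[dict]:
    """Walk a web root and scan every server-side script file, flagged files first."""
    results = [scan_file(p) for p in sorted(root.rglob("*")) if p.suffix.lower() in exts]
    return sorted(results, key=lambda r: not r["suspicious"])


def build_fixture() -> Path:
    """Create a constructed web root (example data, not files from a real case)."""
    root = Path(tempfile.mkdtemp(prefix="wwwroot_"))
    (root / "aspnet_client").mkdir()
    # Benign page: no request-driven execution.
    (root / "default.aspx").write_text(
        '<%@ Page Language="C#" %>\n<html><body><h1>Welcome</h1></body></html>\n')
    # Plain shell-like page: runs whatever arrives in a request parameter.
    (root / "aspnet_client" / "my_shell.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<script runat="server">void Page_Load(){'
        ' var p = new System.Diagnostics.Process();'
        ' p.StartInfo.FileName = "cmd.exe"; p.StartInfo.Arguments = "/c " + Request["c"];'
        ' }</script>\n')
    # Obfuscated variant: the same indicators hidden behind base64 and URL encoding.
    hidden = base64.b64encode(b'System.Diagnostics.Process.Start("cmd.exe")').decode()
    (root / "aspnet_client" / "style.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<script runat="server">void Page_Load(){'
        f' string s = "{hidden}";'
        ' var code = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(s));'
        ' Object o = Request%5B%22x%22%5D;'
        ' }</script>\n')
    return root


if __name__ == "__main__":
    for r in scan_webroot(build_fixture()):
        flag = "SUSPICIOUS" if r["suspicious"] else "clean"
        print(f"{flag:10} {r['path']}")
        for layer, indicator in r["hits"]:
            print(f"           [{layer}] {indicator}")
```

On a live Exchange server the same scan would be pointed at C:\inetpub\wwwroot and at the Exchange FrontEnd\HttpProxy directories; the point of the layered decoding is that the obfuscated page produces no hit at all in the raw layer and is only caught once the URL-encoded and base64 views are inspected.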
Command and Control
The command and control (C2) infrastructure used by the attackers was not straightforward to characterize. Traffic analysis during our investigations revealed heavy use of HTTPS for C2 communications, which hides the content of the traffic and lets the beaconing blend in with legitimate web traffic. We identified several domains and IP addresses used in these communications, including known malicious indicators. In addition, the actor used asymmetric encryption to protect data sent back to their C2 servers, a tactic that complicates interception and analysis even where TLS is terminated and inspected at the perimeter.
Lateral Movement & Discovery
Lateral movement was observed via T1080 – Taint Shared Content and T1550.002 – Use Alternate Authentication Material: Pass the Hash (formerly tracked as T1075). The threat actor harvested credentials cached on the compromised Microsoft Exchange Server, using tools such as Mimikatz to extract password hashes and tokens for further access into the network. We observed attempts to access Active Directory resources, evident in user enumeration and other reconnaissance commands executed from the web shell.
Impact & Objectives
The ultimate objectives of the attacks included data exfiltration and the installation of additional malware for future activity. We noted significant data transfers to external IP addresses, indicating attempts to siphon sensitive information, specifically financial data and personal employee data. The long-term impact also included disruption to services, with many organizations experiencing outages as a result of the initial compromises. Ransomware deployment was also evident: secondary payloads encrypted files once lateral movement had succeeded.
MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application: Exploitation of the Microsoft Exchange ProxyLogon vulnerabilities to gain initial access.
- T1505.003 – Server Software Component: Web Shell: Deployment of ASPX web shells under the Exchange web root for command execution.
- T1071 – Application Layer Protocol: Use of HTTPS for command and control communication.
- T1059.001 – Command and Scripting Interpreter: PowerShell (formerly tracked as T1086): Deployment and execution of scripts via the web shell for lateral movement.
Detection Opportunities
- Monitor HTTP traffic for anomalies related to the Exchange Autodiscover service, especially patterns consistent with exploitation attempts.
- Implement logging and alerting for creation or modification of files in the C:\inetpub\wwwroot directory, particularly looking for unusual file extensions or names.
- Deploy detection for known malicious IP addresses and domain names associated with ongoing C2 infrastructure or previously observed web shell activities.
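The first two detection opportunities can be exercised directly against IIS W3C logs. The script below is an added example for this page, not a detection from the report or from Microsoft: it parses the `#Fields:` header to map columns, then applies three heuristics chosen for the example. An anonymous request (cs-username of `-`) to /autodiscover/autodiscover.xml that returns 200 is flagged on the assumption that Autodiscover authenticates at the IIS layer, so an anonymous success is anomalous; any .aspx request under /aspnet_client/ is flagged because that directory normally holds only static client-side files; and a client that has already produced the Autodiscover finding and then touches any .aspx is escalated as an exploit-then-web-shell sequence. The log lines are constructed, the IP addresses are documentation ranges, and the logic assumes the file is in chronological order, as IIS writes it.

```python
AUTODISCOVER = "/autodiscover/autodiscover.xml"

# Constructed IIS W3C log excerpt (example data, not from a real incident).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-03 01:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 01:12:05 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.10 python-requests/2.25.1 - 401 0 0 15
2021-03-03 01:12:06 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CONTOSO\\jdoe 198.51.100.7 Microsoft+Office/16.0 - 200 0 0 120
2021-03-03 01:12:09 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.10 python-requests/2.25.1 - 200 0 0 310
2021-03-03 01:12:41 10.0.0.5 GET /aspnet_client/my_shell.aspx - 443 - 203.0.113.10 python-requests/2.25.1 - 200 0 0 33
2021-03-03 01:12:55 10.0.0.5 POST /aspnet_client/my_shell.aspx - 443 - 203.0.113.10 python-requests/2.25.1 - 200 0 0 842
2021-03-03 01:13:10 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa 443 - 192.0.2.33 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 21
"""


def parse_iis_w3c(text: str):
    """Yield (line_no, record) per entry, using the #Fields: header for column names.
    IIS escapes spaces inside values as '+', so whitespace splitting is safe."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log entry before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry; a real pipeline would report it
        yield line_no, dict(zip(fields, values))


def detect(text: str) -> list[dict]:
    """Apply the three heuristics in file order; one finding per matching line."""
    findings = []
    exploited_clients = set()  # c-ip values that got an anonymous 200 from Autodiscover
    for line_no, rec in parse_iis_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        client = rec["c-ip"]
        anonymous = rec["cs-username"] == "-"
        ok = rec["sc-status"] == "200"
        rule = None
        if stem.endswith(".aspx") and client in exploited_clients:
            rule = "exploit_then_webshell"       # same client, after the Autodiscover hit
        elif stem.endswith(".aspx") and stem.startswith("/aspnet_client/"):
            rule = "aspx_under_aspnet_client"    # no .aspx belongs in that directory
        elif stem == AUTODISCOVER and anonymous and ok:
            rule = "anonymous_autodiscover_200"  # success without IIS-level auth
            exploited_clients.add(client)
        if rule:
            findings.append({
                "line": line_no, "rule": rule, "client": client,
                "method": rec["cs-method"], "path": rec["cs-uri-stem"],
                "status": rec["sc-status"],
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"line {f['line']:>3}  {f['rule']:<28} {f['client']:<14} "
              f"{f['method']} {f['path']} -> {f['status']}")
```

Note what does not fire: the attacker's first Autodiscover request (401) and the authenticated user's request are left alone, and the anonymous GET of /owa/auth/logon.aspx from an unrelated client is not flagged because that client never produced the Autodiscover finding. Microsoft's own guidance for CVE-2021-26855 keys on the Exchange HttpProxy logs instead (entries with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~*/*); the IIS-side heuristics here complement rather than replace that check.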
Analyst Notes
As the threat landscape evolves, our findings reiterate the pressing need for robust patch management and immediate response protocols. Organizations should prioritize updating their Microsoft Exchange platforms, conduct regular security assessments, and ensure proactive monitoring of network traffic. Continuous education of security personnel regarding emerging threats will bolster defenses against such exploit techniques.
Source: Original Report