Detection and Response for ProxyShell Activity
Executive Summary
On August 21, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released an urgent notice related to the exploitation of ProxyShell vulnerabilities (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523). By chaining these vulnerabilities together, threat actors are compromising unpatched Microsoft Exchange servers and gaining footholds in enterprise networks. Security vendors and researchers are also observing post-exploitation behaviors such as deploying ransomware to victim environments. The Elastic Security Intelligence & Analytics team provides detection logic to identify this activity, as well as observations about exploitation in the wild.
Details
On August 21, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released an urgent notice related to the exploitation of ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). Microsoft has issued several patches for these vulnerabilities earlier in the year, however inconsistent adoption of those patches has left some infrastructure exposed. The threat of exploitation is more significant due to combining exploits for one or more vulnerabilities.
As reported by Symantec and other security service providers, adversaries exploit these vulnerabilities and attempt to install webshells - web content, served on-demand, that functions similarly to backdoors. Using these web shells, adversaries inherit the privilege level of the Exchange IIS web server to perform reconnaissance, harvest credentials, and pursue post-exploitation behavior such as installing ransomware.
Elastic observed unusual descendant processes (cmd.exe
and poweshell.exe
) of the Exchange IIS webserver process (w3wp.exe
) that involved notable remote network indicators to high-numbered ports (Figure 1).
Figure 1 - Process ancestry of Exchange server exploitation
Our observations have been independently corroborated by others in the community as malicious. While a complete understanding of served content is unknown, it appears that requests are being evaluated
Overview
The key takeaways of this analysis are as follows:
- Significant rise in exploitation of Exchange servers in recent weeks related to the ProxyShell exploit
- National Institute of Standards and Technology (NIST) assigned a critical CVSS score of 8.8 out of 10 based on remote code execution without authentication (CVE-2021-31207)
- National Institute of Standards and Technology (NIST) assigned a critical CVSS score of 10 out of 10 based on remote code execution without authentication (CVE-2021-34473)
- National Institute of Standards and Technology (NIST) assigned a critical CVSS score of 9.8 out of 10 based on remote code execution without authentication (CVE-2021-34523)
- These vulnerabilities affect on-premises Exchange servers which are self-managed
Timeline of Events
The events of this campaign were observed in the following order.
- May 11, 20212 - Microsoft released Exchange server patch (CVE-2021-31207)
- July 13, 2021 - Microsoft released additional Exchange server patches (CVE-2021-34473, CVE-2021-34523)
- August 6, 2021 - ProxyShell proof-of-concept (POC) code released
- August 13, 2021 - Large uptick in Exchange server compromises reported by community
- August 18, 2021 - Elastic first observes ProxyShell activity
Impact
Microsoft asserts that these vulnerabilities affect all on-premises Exchange servers (Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019). Exchange Online is not affected.
Notably, the initial attack requires on-premises Exchange servers to be accessible to the public Internet via port 443. Attackers with access to enterprises where Exchange servers are internally accessible may be able to exploit unpatched vulnerabilities related to this activity.
The ProxyShell exploit chain leverages multiple tactics and techniques categorized by the MITRE ATT&CK® framework:
- Tactics
- Techniques/Sub-Techniques
Detection
Elastic recommends leveraging the below logic to aid in the detection of adversary activity within your environment. Additionally, the provided defensive recommendations may be used to harden and defend vulnerable systems from the successful exploitation of this campaign.
Detection logic
On August 24, Elastic released guidance describing existing and new detection logic that can be used to identify this cluster of activity (ProxyShell):
- Existing logic:
- New logic:
Defensive Recommendations
- Review and ensure that you have deployed the latest Microsoft Security Updates for Exchange Server, consider other recommendations from Microsoft for Exchange hardening
- Leverage Auditbeat’s File Integrity Monitoring function to identify changes to the Exchange configuration file and Internet directories located at
C:\Windows\System32\inetsrv\Config\applicationHost.config
andC:\inetpub\wwwroot\
- Maintain backups of your critical systems to aid in quick recovery
- Perform routine vulnerability scans of your systems and patch identified vulnerabilities
- Review and implement the above detection logic within your environment using technology such as the Elastic Endpoint, Winlogbeat, Filebeat, Packetbeat, or Network Security Monitoring (NSM) platforms such as Zeek or Suricata
- Block network traffic from malicious IP addresses associated with ProxyShell activity
References
-
Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities
-
CVE-2021-31207 | Microsoft Server Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207
-
CVE-2021-34473 | Microsoft Server Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
-
CVE-2021-34523 | Microsoft Server Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523
-
LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
-
Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit
Indicators
Table 1 describes atomic indicators of compromise (IOCs) observed in this intrusion set. IOCs observed by Elastic have been included for the community, and don't represent all IOCs associated with ProxyShell or ProxyShell-inspired intrusions.
Artifact | Note |
---|---|
45.91.83[.]176 | Staging site, hosts payload file used in this activity cluster |
Table 1 - Indicators of Compromise