“Updated 06 March @ 0317am ET: added analysis leading to "Stage 6": Cobalt Strike & Mimikatz. On March 1, our team was notified about undisclosed Microsoft Exchange vulnerabilities successfully exploiting on-prem servers. After the tip from one of our MSP partners, we confir…”
T1059.001 PowerShell (99%)
“…ng, passing along the information gathered from this host. Requesting that URL with fake analysis data, we see a hefty 2 MB response which can yet again be decoded. For brevity we will not include that payload in this post but link to it here. The decoded payload is a whopping …”
T1190 Exploit Public-Facing Application (99%)
“Rapid Response: Mass Exploitation of On-Prem Exchange Servers | Huntress. Updated 14 April: Huntress is aware of the new Microsoft Exchange vulnerabilities disclosed in the Microsoft April security update. Our team has yet to detect exploits targeting these new vulnerabilities…”
T1190 Exploit Public-Facing Application (97%)
“Host -ForegroundColor Red "[!] Patch not installed successfully, this server must be patched." } else { Write-Host -ForegroundColor Green "[+] Exchange FileVersion is updated, the patch is in place." } Huntress is here to help. Update 05 March 1347pm ET: we are automat…”
T1190 Exploit Public-Facing Application (95%)
“depth info on these vulnerabilities? Watch our on-demand webinar or download the slides to hear about our research, new IOCs and more. What's happening? According to Microsoft's initial blog, they detected multiple zero-day exploits being used to plunder on-premises ver…”
T1190 Exploit Public-Facing Application (95%)
“other "less than sexy" mid-market businesses. We've also witnessed many city and county government victims, healthcare providers, banks/financial institutions, and several residential electricity providers. Among the vulnerable servers, we also found over 350 webshells - …”
T1059.001 PowerShell (93%)
“actors are using is known as the "China Chopper" one-liner. These are often in either the ASPX or PHP web language, and will execute code passed in as an HTTP argument included in the request. The one-liner is slipped into a file and has a syntax like so: http://f/up…”
T1505.003 Web Shell (90%)
“this off -- and we cannot allow our partners to do so either. Technical details: the vulnerabilities affect on-prem Microsoft Exchange Server. Exchange Online is not affected. The versions affected are: - Microsoft Exchange Server 2019 - Microsoft Exchange Server 2016 - Micros…”
T1505.003 Web Shell (84%)
“compromise are not persistence mechanisms. At the very start of this incident, practically all preventative security measures let this slip by -- however, now that the news broke, many are adding this capability into their detections. Our engineering team has worked overnight to …”
T1190 Exploit Public-Facing Application (82%)
“should MSPs do? If you use on-prem Microsoft Exchange servers, you might want to assume you've been hit. We recommend you not only patch immediately, but externally validate the patch and hunt for the presence of these webshells and other indicators of compromise (see the te…”
T1059.001 PowerShell (82%)
“) This domain is hosted on yet another Digital Ocean IP address, which we have reported. The response from this domain is a PowerShell download cradle, which seems to pull down a stager. Downloading the contents from this URL, we see: Invoke-Expression $(New-Object IO.Str…”
T1003.001 LSASS Memory (80%)
“, and we're left to tools like Ghidra/IDA/Hopper. There are breadcrumbs that indicate the use of SQLite, Mimikatz, dumping Google Chrome credentials and more. From the Stage 5 code, we can see that it does load these DLLs and invoke portions to literally run "powershell_…”
T1505.003 Web Shell (69%)
“actors are using is known as the "China Chopper" one-liner. These are often in either the ASPX or PHP web language, and will execute code passed in as an HTTP argument included in the request. The one-liner is slipped into a file and has a syntax like so: http://f/up…”
T1505.003 Web Shell (66%)
“Host -ForegroundColor Red "[!] Patch not installed successfully, this server must be patched." } else { Write-Host -ForegroundColor Green "[+] Exchange FileVersion is updated, the patch is in place." } Huntress is here to help. Update 05 March 1347pm ET: we are automat…”
T1059.001 PowerShell (66%)
“uses a humongous multiline format-string to reorder and rearrange the entirety of the file, and pipe it into iex or Invoke-Expression. It uses the typical $env:ComSpec indexing technique to "spell out" the iex alias. Removing the iex we can let it unravel itself and reve…”
T1505.003 Web Shell (52%)
“other "less than sexy" mid-market businesses. We've also witnessed many city and county government victims, healthcare providers, banks/financial institutions, and several residential electricity providers. Among the vulnerable servers, we also found over 350 webshells - …”
T1546.013 PowerShell Profile (44%)
“…ng, passing along the information gathered from this host. Requesting that URL with fake analysis data, we see a hefty 2 MB response which can yet again be decoded. For brevity we will not include that payload in this post but link to it here. The decoded payload is a whopping …”
T1059 Command and Scripting Interpreter (43%)
“intelligence community. Update 05 March @ 1904pm ET: if you consider yourself a command-line cowboy and would prefer to check the status of the patch via PowerShell, you can use this one-liner syntax. Simply copy-and-paste and slap it into your shell. Credit to cyberdrai…”
T1190 Exploit Public-Facing Application (41%)
“-life and should not be used in production. Verify that the full version of this Microsoft.Exchange.RpcClientAccess.Service.exe file and its SHA256 hash is present in this chart below. This information comes from the official Microsoft Knowledge Base documentation per each v…”
T1190 Exploit Public-Facing Application (36%)
“compromise are not persistence mechanisms. At the very start of this incident, practically all preventative security measures let this slip by -- however, now that the news broke, many are adding this capability into their detections. Our engineering team has worked overnight to …”
Summary
On-prem Microsoft Exchange Server vulnerabilities are being actively exploited in the wild. Read our blog for Huntress' most up-to-date research and IOCs.