Microsoft is warning users of increasing attacks on Exchange servers after picking up on a trend of advanced server compromise attacks in April.
The company is urging users and organizations to apply the latest security patches, keep antivirus and cybersecurity software enabled, review roles and groups to ensure no unauthorized accounts have been added or deleted, restrict access and vigilantly investigate alerts.
In April, multiple Exchange-specific behavior-based detections picked up unusual activity. The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells. Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain. Common services, for example Outlook on the web (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC; formerly known as the Exchange Control Panel or ECP), executing net.exe, cmd.exe, and other known living-off-the-land binaries (LOLBins) like mshta.exe is very suspicious and should be further investigated.
According to Microsoft, attackers started interacting with target Exchange servers via web shells they deployed.
The most common client access paths were:
- %ProgramFiles%\Microsoft\Exchange Server\<version>\ClientAccess
- %ProgramFiles%\Microsoft\Exchange Server\<version>\FrontEnd
Those directories provide various client access services like Outlook on the web, EAC, AutoDiscover and more. They are automatically configured during server installation and provide authentication and proxy services for internal and external client connections, according to Microsoft.
Microsoft says most of the attacks used the China Chopper web shell and tried to blend the web shell script file in with other .aspx files present on the system by using common file names.
“In many cases, hijacked servers used the ‘echo’ command to write the web shell. In other cases, certutil.exe or powershell.exe were used,” Microsoft says.
The attackers were also observed switching web shells or introducing two or more for various purposes. In one case, Microsoft observed attackers creating an .ashx version of a popular, publicly available .aspx web shell.
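Because the dropped web shells sit among legitimate .aspx files in the client access paths listed above, a periodic sweep of those directories for recently written script files is a practical check. The script below is an added example, not Microsoft's code; it assumes Exchange 2013/2016/2019 under the default V15 path and an elevated shell, and its content markers are a heuristic to tune against a clean install.

```powershell
# Added example, not Microsoft's code: list script files recently written under the
# Exchange client access paths and flag content that shipped Exchange pages rarely contain.
# Assumptions: Exchange 2013/2016/2019 under the default V15 path; run elevated.
param(
    [string]$ExchangeRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'),
    [int]$Days = 30   # lookback window, an arbitrary choice
)
$dirs   = 'ClientAccess', 'FrontEnd' | ForEach-Object { Join-Path $ExchangeRoot $_ }
$cutoff = (Get-Date).AddDays(-$Days)
# Heuristic markers of script execution or command invocation; tune against a clean install
$markers = 'eval\s*\(', 'Request\.Item\[', 'Request\[', 'Process\.Start', 'cmd\.exe', '"unsafe"'

# Web shells are dropped as .aspx/.ashx/.asmx so that they blend in with legitimate files
Get-ChildItem -Path $dirs -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff } |
    ForEach-Object {
        $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        $hits = @($markers | Where-Object { $content -match $_ })
        [pscustomobject]@{
            Path          = $_.FullName
            CreationTime  = $_.CreationTime
            LastWriteTime = $_.LastWriteTime
            SizeBytes     = $_.Length
            Markers       = ($hits -join ', ')
        }
    } | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

A file with a recent write time and no markers still deserves a look if it is not part of a known update; comparing hashes against a freshly installed server of the same build is the stronger version of this check.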
The attackers gained a treasure trove of information about the server and used it to add a new user account on servers where they gained the highest privileges, essentially making them a domain admin with unrestricted access.
They also accessed credentials, tampered with security tools like Microsoft Defender Antivirus and created a network architecture that allowed for remote access of machines.
Here are the steps Microsoft outlined to make sure your organization doesn’t become a victim of these advanced attacks:
1. Apply the latest security updates
Identify and remediate vulnerabilities or misconfigurations in Exchange servers. Deploy the latest security updates, especially for server components like Exchange, as soon as they become available. Specifically, check that the patch for CVE-2020-0688 is in place. Use threat and vulnerability management to audit these servers regularly for vulnerabilities, misconfigurations, and suspicious activity.
2. Keep antivirus and other protections enabled
It’s critical to protect Exchange servers with antivirus software and other security solutions like firewall protection and MFA. Turn on cloud-delivered protection and automatic sample submission to use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. Use attack surface reduction rules to automatically block behaviors like credential theft and suspicious use of PsExec and WMI. Turn on tamper protection features to prevent attackers from stopping security services.
If you are worried that these security controls will affect performance or disrupt operations, engage with IT pros to help determine the true impact of these settings. Security teams and IT pros should collaborate on applying mitigations and appropriate settings.
3. Review sensitive roles and groups
Review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Attackers add accounts to these groups to gain a foothold on a server. Regularly review these groups for suspicious additions or removals. To identify Exchange-specific anomalies, review the list of users in sensitive roles such as Mailbox Import Export and Organization Management using the Get-ManagementRoleAssignment cmdlet in Exchange PowerShell.
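Reviewing these groups "regularly" only works if you can tell what changed since last time. The script below, an added example and not Microsoft's code, snapshots the groups and roles named above and diffs them against a saved baseline; it assumes it runs in the Exchange Management Shell on a domain-joined server with the ActiveDirectory module, and the baseline path is a placeholder.

```powershell
# Added example, not Microsoft's code: snapshot the members of the sensitive local/AD groups
# and Exchange roles named above, then diff against a saved baseline to surface additions
# and removals. Assumptions: run in the Exchange Management Shell on a domain-joined
# server with the ActiveDirectory module; $BaselinePath is a placeholder of your choosing.
param(
    [string]$BaselinePath = 'C:\Audit\exchange-privilege-baseline.json',  # placeholder path
    [switch]$UpdateBaseline
)
function Get-PrivilegeSnapshot {
    $snap = @{}
    # Local server groups attackers add accounts to for a foothold
    foreach ($g in 'Administrators', 'Remote Desktop Users') {
        $snap["Local:$g"] = @(Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object Name)
    }
    # Domain-wide high-privilege group; -Recursive expands nested groups
    $snap['AD:Enterprise Admins'] = @(Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive |
        ForEach-Object SamAccountName)
    # Who can export mailboxes (a management role) and who manages the org (a role group)
    $snap['Role:Mailbox Import Export'] = @(Get-ManagementRoleAssignment -Role 'Mailbox Import Export' |
        ForEach-Object RoleAssigneeName | Sort-Object -Unique)
    $snap['RoleGroup:Organization Management'] = @(Get-RoleGroupMember -Identity 'Organization Management' |
        ForEach-Object Name)
    return $snap
}
$current = Get-PrivilegeSnapshot
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath; rerun later to compare."
    return
}
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
foreach ($scope in $current.Keys) {
    $old = @($baseline.$scope | Where-Object { $_ })   # tolerate a scope missing from the baseline
    $new = @($current[$scope]  | Where-Object { $_ })
    foreach ($d in (Compare-Object -ReferenceObject $old -DifferenceObject $new)) {
        $change = if ($d.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
        [pscustomobject]@{ Scope = $scope; Change = $change; Account = $d.InputObject }
    }
}
```

Run it once with -UpdateBaseline after you have confirmed the current membership is legitimate, then schedule the plain run; every row it prints is an account that appeared in or vanished from a sensitive scope since the baseline.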
4. Restrict access
Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong, randomized, just-in-time local administrator passwords and enable MFA. Use tools like LAPS.
Place access control list (ACL) restrictions on ECP and other virtual directories in IIS. Don’t expose the ECP directory to the web if it isn’t necessary, or to anyone in the company who doesn’t need to access it. Apply similar restrictions to other application pools.
5. Prioritize alerts
Pay attention to and immediately investigate alerts indicating suspicious activities on Exchange servers. Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Application pools like ‘MSExchangeOWAAppPool’ or ‘MSExchangeECPAppPool’ are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as net.exe, cmd.exe, and mshta.exe originating from these pools or w3wp.exe in general.
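The process chain described here (an Exchange application pool's w3wp.exe spawning net.exe, cmd.exe or mshta.exe) can be hunted for directly when you do not have an EDR alert to start from. The script below is an added example, not Microsoft's code; it checks running processes and, assuming Sysmon is installed and logging process creation, recent Sysmon events, since those record the parent's command line and therefore the -ap pool name.

```powershell
# Added example, not Microsoft's code: surface LOLBins spawned by the Exchange OWA/ECP
# application pools, live (parent/child from Win32_Process) and historically (Sysmon
# event ID 1, which records the parent's command line and thus the -ap pool name).
# Assumptions: Sysmon is installed and logging process creation; run elevated.
param([int]$Hours = 24)   # lookback for the Sysmon query, an arbitrary choice
$pools   = 'MSExchangeOWAAppPool', 'MSExchangeECPAppPool'
$lolbins = 'net.exe', 'net1.exe', 'cmd.exe', 'mshta.exe', 'powershell.exe', 'certutil.exe', 'whoami.exe'

# Returns the pool name when the parent is a w3wp.exe worker for a watched pool, else $null
function Get-WatchedPool([string]$ParentImage, [string]$ParentCmd) {
    if (-not $ParentImage -or [IO.Path]::GetFileName($ParentImage) -ne 'w3wp.exe') { return $null }
    foreach ($p in $pools) { if ($ParentCmd -like "*$p*") { return $p } }
    return $null
}
function New-Finding($Source, $Time, $Pool, $Image, $CommandLine) {
    [pscustomobject]@{ Source = $Source; Time = $Time; Pool = $Pool
                       Child = [IO.Path]::GetFileName($Image); CommandLine = $CommandLine }
}

# 1) Live view: running children of currently running Exchange workers
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    if (-not $parent -or $lolbins -notcontains $p.Name) { continue }
    $pool = Get-WatchedPool $parent.ExecutablePath $parent.CommandLine
    if ($pool) { New-Finding 'Live' $p.CreationDate $pool $p.Name $p.CommandLine }
}

# 2) Historical view: Sysmon process-creation events, parsed by field name
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
foreach ($e in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($lolbins -notcontains [IO.Path]::GetFileName($d.Image)) { continue }
    $pool = Get-WatchedPool $d.ParentImage $d.ParentCommandLine
    if ($pool) { New-Finding 'Sysmon' $e.TimeCreated $pool $d.Image $d.CommandLine }
}
```

Any row this prints is worth treating as an incident until proven otherwise: these application pools have no legitimate reason to launch a command shell, net.exe or mshta.exe.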