A whirlwind of Microsoft Exchange vulnerabilities shows lessons in how to ground network defense

In recent years, there have been several Microsoft Exchange exploits, including well-known vulnerabilities like ProxyLogon and ProxyShell, and new threats such as ProxyNotShell and the OWASSRF exploit. These exploits highlight the endless creativity of attackers and the challenge faced by security teams to keep up with a rapidly-evolving threat landscape, often resulting in a reactive approach to new threats. Defending against new cybersecurity vulnerabilities in a reactive state is a significant challenge because as technology evolves, new flaws and vulnerabilities will continue to emerge, making it difficult to stay ahead of the threats and leaving organizations in a perpetual state of reaction to new security risks. This reality puts into perspective our detection methodology and how we focus our detection efforts. Undoubtedly vulnerabilities are critical however, they are only a piece of a larger attack chain, a chain that maintains a level of consistency, namely threat behaviors. Adversarial behaviors don’t often change, as actions needed to reach their objectives will likely stay the same. So, why not shift our focus to understanding adversary tactics, techniques, and procedures (TTPs) to build a stable detection strategy? 

One of the most recent cases of a Microsoft Exchange compromise came on December 2nd, 2022, as Rackspace was engaged with CrowdStrike on a security breach affecting the cloud-computing company’s Hosted Exchange environment. Their investigation ultimately discovered the Play ransomware gang as the perpetrators of the attack, having exploited ProxyNotShell mitigations named OWASSRF by CrowdStrike. A detailed write-up by CrowdStrike explained in detail the OWASSRF exploit and provided defensive recommendations, as did many others in the security community. While we have new detections and mitigation strategies available, the more important pieces of intelligence came from observing post-exploitation activity to uncover the rest of the attack chain. "Defense strategies, however, should focus less on payloads but more on the chain of activities that lead to their deployment," as stated by Microsoft. This is a crucial aspect of threat detection at Anvilogic — to be able to find the sequencing of threat techniques to identify malicious activity. 

The first attack chain was reported by Huntress threat operations manager Dray Agha (Twitter: @Purp1eW0lf), involving the use of BitsAdmin to download the Screen Connect/ ConnectWise Control remote access tool followed by the deployment of Mimikatz for credential harvesting. A threat brief published by Unit42 expands the exploit revealing the deployment of a PowerShell backdoor tracked as ‘SilverArrow.’ PowerShell activity observed by Unit42 involved the creation of a new user account for persistence and use of the AnyDesk remote desktop application. Additional attack chains exploiting ProxyNotShell or OWASSRF exploits were reported by Bitdefender, echoing the use of BitsAdmin to drop malicious payloads as well as the misuse of the IIS process w3wp with living-off-the-land binaries (LOLBins) to drop remote access software. 

By piecing together these reported attack chains, we can create an attack flow to sequence the atomic-level indicators supported by the research gathered. This attack flow is based on the Attack flow research & development project from MITRE Engenuity Center for Threat-Informed Defense, which the Anvilogic Forge team modified to track threat campaigns. 

On the detection side, the sequenced activity can be chained together with the Anvilogic threat scenario builder. A sequence of atomic-level indicators mapped to MITRE techniques results in a high-fidelity alert capable of tracking post-exploitation activity based community reported research.

Adversary post-exploitation activity often follows a similar pattern of actions they execute to achieve their sought-after objective. By identifying these trends and understanding the common techniques and tactics that adversaries use, defenders can create effective and lasting detections that aren’t focused on an ever-changing access vector. This can improve the organization's overall security posture and reduce the impact of successful attacks.

About the Forge Author

Kevin Lo is a threat researcher for the Anvilogic Forge team, where he is responsible for threat research and intelligence. Prior to Anvilogic, Kevin was a cybersecurity analyst at a US financial institution serving roles in digital forensics, cybersecurity operations, and detection engineering. Kevin currently resides in Albany, NY. He holds a Bachelor's degree from Syracuse University in Information Management & Technology with a concentration in Information Security. Kevin holds several cybersecurity certifications with GIAC and MITRE ATT&CK.

Happy to connect with you on LinkedIn!

Reference

• Bitdefender: Technical Advisory: Proxy*Hell Exploit Chains in the Wild: https://businessinsights.bitdefender.com/technical-advisory-proxyhell-exploit-chains-in-the-wild 
• CrowdStrike: OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations: https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ 
• Dray Agha: Tweet: https://twitter.com/Purp1eW0lf/status/1602989967776808961?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1602989967776808961%7Ctwgr%5E729ab6f8c525fa3021edf16124b74081ba3b2881%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fowassrf-explained-analyzing-the-microsoft-exchange-rce-vulnerability 
• Microsoft: https://twitter.com/MsftSecIntel/status/1620474467083231234 
• Rackspace: Hosted Exchange Issues: https://status.apps.rackspace.com/index/viewincidents?group=2 
• Unit42: Threat Brief: OWASSRF Vulnerability Exploitation: https://unit42.paloaltonetworks.com/threat-brief-owassrf/