
Microsoft Defender ATP Research team has issued guidance on how to defend attack against Exchange servers using behavior-based detection

In April, there was a tremendous spike in attacks on Microsoft Exchange servers, and the investigation helped analyse how the attackers deployed web shells.

In February, Microsoft released patches for this vulnerability, tracked as CVE-2020-0688, and warned customers to install the fixes as soon as possible in anticipation of future attacks.

One of the most important things to do is safeguard Exchange servers in order to limit an organization's exposure to attacks. Because Exchange servers hold the most critical business data, an attacker who compromises one can gain access to the server and take control of the network. Attacks against them therefore tend to use highly evasive techniques and need to be treated as high priority.

“Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance,” says Microsoft.

Over the past decades, the email servers used identical cryptographic keys for the control panel's backend, which permitted remote attackers to run malware on them.

There are two primary ways in which Exchange servers are compromised. The first and most common scenario is attackers launching social-engineering or drive-by download attacks against endpoints to steal credentials.

The second scenario is attackers exploiting a remote code execution vulnerability affecting the Internet Information Service (IIS) component of a target Exchange server.

“This is an attacker’s dream: directly landing on a server and, if the server has misconfigured access levels, gain system privileges,” noted Microsoft Defender ATP Research Team.

In March, cybersecurity firm Volexity warned that nation-state actors were trying to exploit a vulnerability tracked as CVE-2020-0688, recently addressed in Microsoft Exchange.

“Drop everything and patch this vulnerability immediately,” Jonathan Cran, head of research at Kenna Security, warned at the time.

According to Microsoft, during the month of April multiple campaigns began to target Exchange servers.

Once they gain access, the attackers install web shells: malicious scripts uploaded to target systems that enable attackers to control the servers remotely. The attackers used multiple web shells, but the most widely used was the China Chopper web shell.

The hijacked application pool runs the command on behalf of the attacker and generates a distinctive process chain: common services, for example Outlook on the web (formerly known as Outlook Web App or OWA) or the Exchange admin center (EAC; formerly known as the Exchange Control Panel or ECP), executing net.exe, cmd.exe, and other known living-off-the-land binaries (LOLBins) like mshta.exe.
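The process chain just described is exactly the kind of behaviour a detection rule can key on. The following is an added example, not Microsoft's detection logic and not code from the article: it scans process-creation records (fields modelled on a Sysmon or EDR "process create" event) and flags any case where an IIS worker process (w3wp.exe) serving an Exchange application pool spawns a shell or another LOLBin. The application pool names, the `-ap` command-line convention, the record layout and the sample events are all assumptions constructed for this example.

```python
"""Behavior-based detection of the Exchange web shell process chain.

Added example (not Microsoft's code). Flags process-creation events where an
IIS worker process serving Outlook on the web (OWA) or the Exchange admin
center (ECP) spawns cmd.exe, net.exe, mshta.exe or a similar LOLBin.
"""
from dataclasses import dataclass
import re

# Child binaries named in the article (net.exe, cmd.exe, mshta.exe) plus a few
# other LOLBins commonly seen in the same chain (assumption).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "net.exe", "net1.exe", "mshta.exe",
    "powershell.exe", "whoami.exe", "certutil.exe",
}

# IIS application pools hosting OWA and ECP (names are an assumption here).
EXCHANGE_APP_POOLS = {"MSExchangeOWAAppPool", "MSExchangeECPAppPool"}

# Assumed worker-process command-line shape:  w3wp.exe -ap "<pool name>" ...
_APP_POOL_RE = re.compile(r'-ap\s+"([^"]+)"', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str     # full path of the parent process
    parent_cmdline: str   # command line of the parent process
    image: str            # full path of the newly created process
    cmdline: str          # command line of the new process
    user: str             # account the new process runs as


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exchange_app_pool(ev: ProcessEvent):
    """Return the Exchange app pool name if the parent is an IIS worker
    process (w3wp.exe) serving OWA or ECP, otherwise None."""
    if basename(ev.parent_image) != "w3wp.exe":
        return None
    m = _APP_POOL_RE.search(ev.parent_cmdline)
    if m and m.group(1) in EXCHANGE_APP_POOLS:
        return m.group(1)
    return None


def detect_web_shell_chains(events):
    """Return one alert per event matching: Exchange OWA/ECP worker -> LOLBin."""
    alerts = []
    for ev in events:
        pool = exchange_app_pool(ev)
        child = basename(ev.image)
        if pool is not None and child in SUSPICIOUS_CHILDREN:
            alerts.append({
                "app_pool": pool,
                "child": child,
                "cmdline": ev.cmdline,
                "user": ev.user,
            })
    return alerts


# Constructed sample telemetry (not real data).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    # 1: OWA worker process spawning cmd.exe to run a recon command -> alert
    ProcessEvent(W3WP, f'{W3WP} -ap "MSExchangeOWAAppPool" -v "v4.0"',
                 r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "net user"',
                 r"NT AUTHORITY\SYSTEM"),
    # 2: ECP worker process launching mshta.exe -> alert
    ProcessEvent(W3WP, f'{W3WP} -ap "MSExchangeECPAppPool" -v "v4.0"',
                 r"C:\Windows\System32\mshta.exe", "mshta.exe C:\\inetpub\\wwwroot\\x.hta",
                 r"NT AUTHORITY\SYSTEM"),
    # 3: OWA worker process spawning the error reporter -> not a LOLBin, ignored
    ProcessEvent(W3WP, f'{W3WP} -ap "MSExchangeOWAAppPool" -v "v4.0"',
                 r"C:\Windows\System32\WerFault.exe", "WerFault.exe -u -p 4242",
                 r"NT AUTHORITY\SYSTEM"),
    # 4: a non-Exchange app pool spawning cmd.exe -> outside this rule's scope
    ProcessEvent(W3WP, f'{W3WP} -ap "DefaultAppPool" -v "v4.0"',
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir",
                 r"IIS APPPOOL\DefaultAppPool"),
    # 5: an administrator opening a shell interactively -> benign
    ProcessEvent(r"C:\Windows\explorer.exe", "explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe",
                 r"CORP\admin"),
]


if __name__ == "__main__":
    for alert in detect_web_shell_chains(SAMPLE_EVENTS):
        print(f'[ALERT] {alert["app_pool"]} -> {alert["child"]} '
              f'as {alert["user"]}: {alert["cmdline"]}')
```

Run as-is, the script raises two alerts (events 1 and 2) and stays silent on the three benign records. The rule deliberately keys on the parent's application pool rather than on the child alone, because cmd.exe launched by an administrator is routine while cmd.exe launched by the OWA or ECP worker process almost never is; in production the same logic belongs in the EDR or SIEM query language, with the child list tuned to what the environment's Exchange servers legitimately spawn.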
