Microsoft encourages customers to keep their Exchange servers up to date and to take steps to harden their environment, such as enabling Windows Extended Protection and configuring certificate-based signing of the PowerShell serialization payload.
“Attackers will continue to exploit unpatched Exchange servers,” the tech giant’s Exchange team said in the post. “An unpatched on-premises Exchange environment has too many facets of value to bad actors looking to steal data or perform other malicious actions.”
Microsoft also stressed that the mitigations announced by the company are only temporary solutions and may “be insufficient to protect against all variations of attacks,” noting that users must install the necessary security updates to protect their servers.
Exchange Server: An Attractive Attack Vector

In recent years, many security flaws in the software have been weaponized as zero-days to break into systems.
In the last two years alone, several series of vulnerabilities have been discovered in Exchange Server, including ProxyLogon, ProxyOracle, ProxyShell, ProxyToken, ProxyNotShell, and the ProxyNotShell mitigation bypass known as OWASSRF. Some of them have been widely exploited in the wild.
In a technical advisory published this week, Bitdefender described Exchange as an “ideal target” while documenting several real-world attacks involving the ProxyNotShell / OWASSRF exploit chain since late November 2022.
“The complex network of front-end and back-end services [in Exchange] uses legacy code to provide backward compatibility,” said Martin Zugec of Bitdefender. “The back-end services trust requests from the front-end [Client Access Services] layer.”
Another reason is that several back-end services run as the Exchange Server itself, which holds SYSTEM privileges, so an exploit could give an attacker access to Remote PowerShell, effectively opening the way for malicious command execution.
To date, attacks armed with the ProxyNotShell and OWASSRF flaws have targeted the arts and entertainment, consulting, legal, manufacturing, real estate, and wholesale industries in Austria, Kuwait, Poland, Turkey, and the United States.
“These types of server-side request forgery (SSRF) attacks allow attackers to send crafted requests from a vulnerable server to other servers to gain access to resources and information that would otherwise not be directly accessible,” the Romanian cybersecurity firm said.
Most attacks are said to be opportunistic rather than focused and targeted. Infections have culminated in attempts to deploy web shells and remote monitoring and management (RMM) software such as ConnectWise Control and GoTo Resolve.
Web shells not only provide a persistent remote access mechanism, but also enable criminals to perform a variety of follow-on activities and even sell access to other hacker groups for profit.
In some cases, the staging servers used to host the payloads were themselves compromised Microsoft Exchange servers, suggesting that the same techniques were applied to scale up the attack.
Also observed was an unsuccessful attempt by the attackers to download Cobalt Strike, as well as a Go-based implant codenamed GoBackClient with the ability to gather system information and spawn a reverse shell.
Exploiting vulnerabilities in Microsoft Exchange is also a recurring tactic of UNC2596 (also known as Tropical Scorpius), the operators of the Cuba (aka COLDDRAW) ransomware, which leveraged the ProxyNotShell exploit sequence in one attack to drop the BUGHATCH downloader.
“Initial infection vectors continue to evolve, with attackers eager to capitalize on new opportunities, but post-exploitation activity is well known,” said Zugec. “The best protection against modern cyberattacks is a defense-in-depth architecture.”