Exchange ProxyShell being used for Babuk ransomware attacks

This year has been full of news of Microsoft Exchange vulnerabilities being used for multiple attacks. We’ve discussed it several times already (https://www.connectwise.com/resources/exchange-vulnerability-poc-released, https://www.connectwise.com/resources/its-not-yet-over-for-proxylogon, https://www.connectwise.com/resources/its-been-a-busy-week, https://perchsecurity.com/perch-news/more-exchange-vulnerabilities-and-a-confluence-rce/, https://perchsecurity.com/perch-news/multiple-mail-maladies-vulnerabilities-in-starttls-and-exchange/). News came out earlier this week of a threat actor, commonly referred to as Tortilla, exploiting the Exchange ProxyShell(https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis) vulnerability. According to intelligence released by Cisco Talos(https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html), Tortilla has been operating since July 2021. It mainly focuses on US businesses, though they have targeted a few organizations in the U.K., Germany, Ukraine, Finland, Brazil, Honduras, and Thailand.

Similar to the initial Hafnium attacks(https://www.connectwise.com/resources/its-been-a-busy-week) utilizing ProxyLogon back in March, Tortilla is using ProxyShell to deploy the China Chopper web shell on vulnerable Exchange servers. Once the web shell is installed, they download a modified EfsPotato exploit that targets ProxyShell and PetitPotam(https://isc.sans.edu/diary/Active%2BDirectory%2BCertificate%2BServices%2B%2528ADCS%2B-%2BPKI%2529%2Bdomain%2Badmin%2Bvulnerability/27668) vulnerabilities. ProxyShell is another Exchange exploit that takes advantage of the relationship between Microsoft Exchange and Microsoft Internet Information Services (IIS) in order to execute code remotely. PetitPotam is a vulnerability in Microsoft’s Active Directory Certificate Services (ADCS) that allows a user to completely take over a Windows domain that has the ADCS service running. From there, the attackers attempt to deploy a Babuk ransomware payload. Babuk is a ransomware operation that launched at the beginning of this year(https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/) and began using the common double-extortion method of ransoming data and also stealing data and threatening to leak it to the public unless an additional ransom was paid. The Babuk ransomware source code was leaked (https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/) in September, and as a result, we have seen other groups re-using much of their code. Babuk is notorious for not only encrypting data but also interrupting the backup process and deleting volume shadow copies.

The CRU has several SIEM alerts (Event Notifications in the Perch app) available in the ConnectWise CRU Collection within the Perch marketplace that will detect most of this behavior. We have detections for all of the known “Proxy” Exchange vulnerabilities as well as detection for Babuk behavior, such as deleting volume shadow copies. If you are also a Perch IDS customer, we have signatures that will detect attempts to exploit PetitPotam. Additionally, we have recently observed some new Exchange attacks against one of our own partners and added the following new signatures to the CRU Collection based on our observations. Thankfully, we were able to work together with our partner to stop this attack before any ransomware was deployed.

EN Name: [Windows][CRU] w3wp parent to powershell/cmd calling cmd/powershell
Perchybana query: winlog.event_data.ParentImage:"w3wp.exe" AND winlog.event_data.Image:("powershell.exe" OR "cmd.exe") AND NOT winlog.event_data.CommandLine:"System32"
EN Name: [Windows][CRU] File create by w3wp to an exe file in a temp directory
Perchybana query: winlog.event_data.Image:"w3wp.exe" AND winlog.event_data.TargetFilename:("Temp" AND "exe") AND winlog.event_id:"11"

The main focus of Exchange exploits discovered this year has been the relationship between Exchange and Microsoft Internet Information Services or IIS. We have been able to identify malicious activity by specifically looking for processes spawned by the IIS worker process (w3wp.exe). The two signatures above are specifically looking for PowerShell and cmd.exe commands being executed by w3wp.exe or working out of a temp directory. Both of these look for common techniques used by threat actors when compromising an Exchange server.

EN Name: [Windows][CRU] Windows Defender Exclusion Set on C Drive via powershell or cmd
Perchybana query: winlog.event_data.CommandLine:(("powershell.exe" OR "powershell" OR "cmd.exe" OR "cmd") AND "Add-MpPreference" AND "-ExclusionPath" AND "C:")
EN Name: [Windows][CRU] Real-Time disabled via commandline
Perchybana query: winlog.event_data.CommandLine:("reg" AND "add" AND "real-time" AND "DisableRealtimeMonitoring" AND "/d 1")

After compromising the server, we observed threat actors adding exclusions to Windows Defender and then disabling Defender’s real-time protection. These signatures will trigger on this activity.

EN Name: [Windows][CRU] Guest or default account set with remote or admin rights
Perchybana query: (winlog.event_data.ParentImage:("net.exe" OR "net") OR winlog.event_data.ParentCommandLine:("net.exe" OR "net")) AND winlog.event_data.CommandLine:("add" AND ("Guest" OR "DefaultAccount") AND ("Administrators" OR "Remote"))

Once a threat actor has gained access to a system, they need to establish persistence in order to maintain access. In this case we observed the threat actors adding the built-in “Guest” and “DefaultAccount” users to the “Administrators” and “Remote” groups, which were then used to remotely access the server for further malicious activity.

EN Name: [Windows][CRU] PowerShell Get-Process LSASS in ScriptBlock or CommandLine
Percybana query: (winlog.event_data.CommandLine:(“Get-Process lsass”)) OR (winlog.event_id: 4103 AND winlog.event_data.ScriptBlockText:(“Get-Process lsass”))

The Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. Threat actors often uses LSASS to dump passwords stored in memory. This signature is specifically looking for PowerShell scripts attempting to use LSASS.

If you are a ConnectWise partner who uses the Perch application, we strongly recommend you subscribe to the CRU Collection so you can get the benefits of the latest research by the CRU.

References

https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html

https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/

https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705

https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/

https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/