Exchange ProxyShell being used for Babuk ransomware attacks
This year has been full of news of Microsoft Exchange vulnerabilities being used in multiple attacks. We’ve discussed it several times already (https://www.connectwise.com/resources/exchange-vulnerability-poc-released, https://www.connectwise.com/resources/its-not-yet-over-for-proxylogon, https://www.connectwise.com/resources/its-been-a-busy-week, https://perchsecurity.com/perch-news/more-exchange-vulnerabilities-and-a-confluence-rce/, https://perchsecurity.com/perch-news/multiple-mail-maladies-vulnerabilities-in-starttls-and-exchange/). News came out earlier this week of a threat actor, commonly referred to as Tortilla, exploiting the Exchange ProxyShell (https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis) vulnerability. According to intelligence released by Cisco Talos (https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html), Tortilla has been operating since July 2021. It mainly focuses on US businesses, though it has also targeted a few organizations in the U.K., Germany, Ukraine, Finland, Brazil, Honduras, and Thailand.
Similar to the initial Hafnium attacks (https://www.connectwise.com/resources/its-been-a-busy-week) that used ProxyLogon back in March, Tortilla is using ProxyShell to deploy the China Chopper web shell on vulnerable Exchange servers. Once the web shell is installed, they download a modified EfsPotato exploit that targets the ProxyShell and PetitPotam (https://isc.sans.edu/diary/Active%2BDirectory%2BCertificate%2BServices%2B%2528ADCS%2B-%2BPKI%2529%2Bdomain%2Badmin%2Bvulnerability/27668) vulnerabilities. ProxyShell is another Exchange exploit that takes advantage of the relationship between Microsoft Exchange and Microsoft Internet Information Services (IIS) in order to execute code remotely. PetitPotam is a vulnerability in Microsoft’s Active Directory Certificate Services (ADCS) that allows a user to completely take over a Windows domain in which the ADCS service is running. From there, the attackers attempt to deploy a Babuk ransomware payload. Babuk is a ransomware operation that launched at the beginning of this year (https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/) and adopted the now-common double-extortion method: encrypting data for ransom while also stealing it and threatening to leak it publicly unless an additional ransom is paid. The Babuk ransomware source code was leaked (https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/) in September, and as a result, we have seen other groups re-using much of that code. Babuk is notorious for not only encrypting data but also interrupting the backup process and deleting volume shadow copies.
The CRU has several SIEM alerts (Event Notifications in the Perch app) available in the ConnectWise CRU Collection within the Perch marketplace that will detect most of this behavior. We have detections for all of the known “Proxy” Exchange vulnerabilities as well as detection for Babuk behavior, such as deleting volume shadow copies. If you are also a Perch IDS customer, we have signatures that will detect attempts to exploit PetitPotam. Additionally, we have recently observed some new Exchange attacks against one of our own partners and added the following new signatures to the CRU Collection based on our observations. Thankfully, we were able to work together with our partner to stop this attack before any ransomware was deployed.
EN Name: [Windows][CRU] w3wp parent to powershell/cmd calling cmd/powershell
Perchybana query: winlog.event_data.ParentImage:"w3wp.exe" AND winlog.event_data.Image:("powershell.exe" OR "cmd.exe") AND NOT winlog.event_data.CommandLine:"System32"

EN Name: [Windows][CRU] File create by w3wp to an exe file in a temp directory
Perchybana query: winlog.event_data.Image:"w3wp.exe" AND winlog.event_data.TargetFilename:("Temp" AND "exe") AND winlog.event_id:"11"
The main focus of the Exchange exploits discovered this year has been the relationship between Exchange and Microsoft Internet Information Services (IIS). We have been able to identify malicious activity by specifically looking for processes spawned by the IIS worker process (w3wp.exe). The two signatures above look for PowerShell and cmd.exe commands being executed by w3wp.exe, and for w3wp.exe writing an executable into a temp directory. Both are common techniques used by threat actors when compromising an Exchange server.
EN Name: [Windows][CRU] Windows Defender Exclusion Set on C Drive via powershell or cmd
Perchybana query: winlog.event_data.CommandLine:(("powershell.exe" OR "powershell" OR "cmd.exe" OR "cmd") AND "Add-MpPreference" AND "-ExclusionPath" AND "C:")

EN Name: [Windows][CRU] Real-Time disabled via commandline
Perchybana query: winlog.event_data.CommandLine:("reg" AND "add" AND "real-time" AND "DisableRealtimeMonitoring" AND "/d 1")
After compromising the server, we observed threat actors adding exclusions to Windows Defender and then disabling Defender’s real-time protection. These signatures will trigger on this activity.
EN Name: [Windows][CRU] Guest or default account set with remote or admin rights
Perchybana query: (winlog.event_data.ParentImage:("net.exe" OR "net") OR winlog.event_data.ParentCommandLine:("net.exe" OR "net")) AND winlog.event_data.CommandLine:("add" AND ("Guest" OR "DefaultAccount") AND ("Administrators" OR "Remote"))
Once a threat actor has gained access to a system, they need to establish persistence in order to maintain that access. In this case, we observed the threat actors adding the built-in “Guest” and “DefaultAccount” users to the “Administrators” and “Remote” groups; those accounts were then used to remotely access the server for further malicious activity.
EN Name: [Windows][CRU] PowerShell Get-Process LSASS in ScriptBlock or CommandLine
Perchybana query: (winlog.event_data.CommandLine:("Get-Process lsass")) OR (winlog.event_id: 4103 AND winlog.event_data.ScriptBlockText:("Get-Process lsass"))
The Local Security Authority Subsystem Service (LSASS) is the process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. Threat actors often target LSASS to dump the passwords stored in its memory. This signature specifically looks for PowerShell commands or script blocks that reference the LSASS process.
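To show how the Event Notifications quoted above actually fire, here is an added example (not Perch or ConnectWise code) that re-implements each Perchybana query as a plain Python predicate and runs them over a handful of constructed Sysmon and PowerShell events. The event dictionaries, field values and the extra shadow-copy rule at the end are all assumptions made for illustration: the keys mirror the winlog.event_data.* field names the queries use, and term matching on token boundaries is used to approximate Lucene's analyzed-term behaviour so that, for example, "net" does not match inside "inetsrv".

```python
import re

# Each event mimics the winlog.* fields the Perchybana queries reference:
# "event_id" is winlog.event_id, every other key is winlog.event_data.<key>.
Event = dict


def _term(value: str, needle: str) -> bool:
    """Case-insensitive match of needle inside value on token boundaries.

    Approximates the analyzed-term matching of a Lucene/Perchybana query;
    a plain substring test would let "net" match inside "inetsrv".
    """
    pattern = r"(?<![a-z0-9])" + re.escape(needle.lower()) + r"(?![a-z0-9])"
    return re.search(pattern, value.lower()) is not None


def _all(ev: Event, field: str, *needles: str) -> bool:
    return all(_term(str(ev.get(field, "")), n) for n in needles)


def _any(ev: Event, field: str, *needles: str) -> bool:
    return any(_term(str(ev.get(field, "")), n) for n in needles)


# --- the CRU Event Notifications quoted above, one predicate each ----------

def w3wp_spawns_shell(ev: Event) -> bool:
    """[Windows][CRU] w3wp parent to powershell/cmd calling cmd/powershell."""
    return (_all(ev, "ParentImage", "w3wp.exe")
            and _any(ev, "Image", "powershell.exe", "cmd.exe")
            and not _all(ev, "CommandLine", "System32"))


def w3wp_drops_exe_in_temp(ev: Event) -> bool:
    """[Windows][CRU] File create by w3wp to an exe file in a temp directory."""
    return (ev.get("event_id") == 11  # Sysmon FileCreate
            and _all(ev, "Image", "w3wp.exe")
            and _all(ev, "TargetFilename", "Temp", "exe"))


def defender_exclusion_on_c(ev: Event) -> bool:
    """[Windows][CRU] Windows Defender Exclusion Set on C Drive via powershell or cmd."""
    return (_any(ev, "CommandLine", "powershell.exe", "powershell", "cmd.exe", "cmd")
            and _all(ev, "CommandLine", "Add-MpPreference", "-ExclusionPath", "C:"))


def realtime_disabled(ev: Event) -> bool:
    """[Windows][CRU] Real-Time disabled via commandline."""
    return _all(ev, "CommandLine", "reg", "add", "real-time",
                "DisableRealtimeMonitoring", "/d 1")


def builtin_account_elevated(ev: Event) -> bool:
    """[Windows][CRU] Guest or default account set with remote or admin rights."""
    from_net = (_any(ev, "ParentImage", "net.exe", "net")
                or _any(ev, "ParentCommandLine", "net.exe", "net"))
    return (from_net
            and _all(ev, "CommandLine", "add")
            and _any(ev, "CommandLine", "Guest", "DefaultAccount")
            and _any(ev, "CommandLine", "Administrators", "Remote"))


def lsass_via_powershell(ev: Event) -> bool:
    """[Windows][CRU] PowerShell Get-Process LSASS in ScriptBlock or CommandLine."""
    return (_all(ev, "CommandLine", "Get-Process lsass")
            or (ev.get("event_id") == 4103
                and _all(ev, "ScriptBlockText", "Get-Process lsass")))


def shadow_copies_deleted(ev: Event) -> bool:
    """Constructed rule (not quoted on the page) for the Babuk behaviour the
    text mentions: deleting volume shadow copies before encryption."""
    return _all(ev, "CommandLine", "vssadmin", "delete", "shadows")


RULES = [w3wp_spawns_shell, w3wp_drops_exe_in_temp, defender_exclusion_on_c,
         realtime_disabled, builtin_account_elevated, lsass_via_powershell,
         shadow_copies_deleted]

# Constructed sample events (Sysmon EID 1 = process create, 11 = file create,
# PowerShell 4103 as the query above uses it); none of this is real log data.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},                          # 0: web shell
    {"event_id": 1, "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c dir"},        # 1: excluded by NOT System32
    {"event_id": 11, "Image": W3WP,
     "TargetFilename": r"C:\Windows\Temp\upd.exe"},                # 2: dropped executable
    {"event_id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe Add-MpPreference -ExclusionPath "C:\\"'},  # 3
    {"event_id": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'
                    r'\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},  # 4
    {"event_id": 1, "ParentImage": r"C:\Windows\System32\net.exe",
     "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 localgroup Administrators Guest /add"},  # 5: persistence
    {"event_id": 4103, "ScriptBlockText": "$p = Get-Process lsass"},  # 6
    {"event_id": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},    # 7: Babuk-style
    {"event_id": 1, "ParentImage": r"C:\Windows\System32\net.exe",
     "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 user"},                                  # 8: benign admin
]


def run_rules(events):
    """Return (event_index, rule_name) for every rule that fires."""
    return [(i, rule.__name__) for i, ev in enumerate(events)
            for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, name in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Events 1 and 8 are there to show the negative side of the logic: the NOT "System32" clause keeps the w3wp rule quiet for a cmd.exe launched by its full path, and a plain `net1 user` listing does not trip the account rule even though net.exe is the parent. The token-boundary matcher is a simplification of how the SIEM tokenizes fields; if you port these predicates to another tool, check how that tool handles terms such as "/d 1" and "real-time" before trusting the results.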
If you are a ConnectWise partner who uses the Perch application, we strongly recommend you subscribe to the CRU Collection so you can get the benefits of the latest research by the CRU.