Attackers have been exploiting a known set of Microsoft Exchange Server flaws, ProxyLogon and ProxyShell, in order to hijack email threads and convince victims to click on malicious links. Both sets of vulnerabilities, which were patched by Microsoft earlier this year, continue to be leveraged by cybercriminals in a variety of ways as seen in this recent incident, said researchers with Trend Micro in a Friday analysis.
ProxyLogon, which received a fix in March, is a set of Microsoft Exchange vulnerabilities, the most serious of which is a server-side request forgery issue (CVE-2021-26855) that attackers can use to gain initial access to Exchange servers. In April and May, Microsoft fixed three further flaws known collectively as ProxyShell: a security feature bypass (CVE-2021-31207), an elevation of privilege (CVE-2021-34523), and a remote code execution bug (CVE-2021-34473).
As part of a number of intrusions in the Middle East, attackers exploited CVE-2021-26855 with a publicly available exploit to obtain users’ security identifiers and emails, and chained CVE-2021-34473 with CVE-2021-34523 to reach a PowerShell remoting feature that can be used to read and send emails. Attackers used this access to hijack email chains and, posing as the legitimate senders, sent malicious emails as replies to others within the targeted organizations.
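As an added illustration of what the chain described above looks like to a defender (this is not code from the article or from Trend Micro): a small Python scanner over constructed IIS W3C log lines that flags the ProxyShell path-confusion request shape, in which an Autodiscover URL is abused to reach the back-end NSPI and PowerShell endpoints. The field order and the sample entries are assumptions made for the example.

```python
from urllib.parse import unquote

# Constructed sample lines in IIS W3C format (assumed field order:
# date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status).
# Made up for illustration; not logs from the incident described in the article.
SAMPLE_LOG = """\
2021-11-19 08:01:12 GET /owa/auth/logon.aspx - 203.0.113.5 Mozilla/5.0 200
2021-11-19 08:02:40 POST /autodiscover/autodiscover.json @example.invalid/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.invalid 198.51.100.7 python-requests/2.25 200
2021-11-19 08:02:41 POST /autodiscover/autodiscover.json @example.invalid/powershell/?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3F@example.invalid 198.51.100.7 python-requests/2.25 200
2021-11-19 08:05:03 GET /autodiscover/autodiscover.json - 10.0.0.12 Microsoft%20Office/16.0 401
"""

# Back-end endpoints reached through the front end in a ProxyShell chain: NSPI (user/SID lookups)
# and the PowerShell remoting endpoint the article says was used to read and send mail.
BACKENDS = ("/powershell", "/mapi/nspi", "/ews")

def parse_line(line):
    """Split one W3C line into a dict; returns None for malformed lines."""
    parts = line.split(" ", 7)
    if len(parts) != 8:
        return None
    date, time, method, stem, query, ip, ua, status = parts
    return {"ts": f"{date} {time}", "method": method, "stem": stem,
            "query": unquote(query), "ip": ip, "status": status}

def find_proxyshell_requests(log_text):
    """Return one finding per request matching the ProxyShell path-confusion shape:
    an autodiscover.json stem whose query starts with '@' and carries the
    Email=autodiscover/autodiscover.json?@... marker used to reach a back end."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["stem"].lower().endswith("/autodiscover/autodiscover.json"):
            continue
        q = rec["query"].lower()
        if not q.startswith("@") or "email=autodiscover/autodiscover.json" not in q:
            continue  # ordinary Autodiscover traffic (e.g. Outlook) does not look like this
        backend = next((b for b in BACKENDS if b in q), "unknown")
        findings.append({"ts": rec["ts"], "ip": rec["ip"], "backend": backend, "status": rec["status"]})
    return findings

if __name__ == "__main__":
    for f in find_proxyshell_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} -> {f['backend']} (HTTP {f['status']})")
```

A hit on the PowerShell back end from an unexpected client, followed by a 200, is the point at which the mailbox read/send activity the article describes becomes possible and deserves mailbox-audit review.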
“True account names from the victim’s domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets,” said Mohamed Fahmy, Sherif Magdy and Abdelrhman Sharshar with Trend Micro. “The attacker also did not drop or use tools for lateral movement after gaining access to the vulnerable Exchange servers, so that no suspicious network activities will be detected.”
The emails included links to Microsoft Excel or Word files with malicious macros. Once the macros were enabled, a script was executed that downloaded a DLL loader. This loader then connected to a command-and-control (C2) server that researchers linked to SquirrelWaffle, a loader analyzed in October by researchers with Cisco Talos. The loader gives attackers an initial foothold in victims’ network environments, which can then be used to deliver additional malware families; it has been observed alongside installations of the Qakbot banking trojan and the Cobalt Strike penetration-testing tool following the initial compromise of the endpoint.
“[SquirrelWaffle] is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim’s guard against malicious activities,” said researchers.
The attack demonstrates how attackers continue to exploit Exchange servers vulnerable to the ProxyLogon and ProxyShell flaws months after Microsoft released patches. In March, researchers said that the number of servers vulnerable to the ProxyLogon flaw was continuing to drop, but that nearly 30,000 unpatched servers remained online, many of them appearing to have multiple webshells installed by attackers. The ProxyShell flaws likewise continue to pose problems for companies that still have not patched, including in early November, when researchers assessed with “moderate confidence” that attackers were targeting vulnerable Exchange servers and attempting to exploit ProxyShell in order to deploy Babuk. Researchers with Mandiant recently said that they have responded to compromises originating from the ProxyShell flaws as recently as November, and estimated that up to 30,000 internet-facing vulnerable servers still exist.
“It is important to ensure that patches for Microsoft Exchange Server vulnerabilities, specifically ProxyShell and ProxyLogon… have already been applied,” said the Trend Micro researchers. “Microsoft reiterated that those who have applied their patch for ProxyLogon in March are not protected from ProxyShell vulnerabilities, and should install more recent... security updates.”