In August 2021, Mandiant Managed Defense identified and responded to the exploitation of a chain of vulnerabilities known as ProxyShell. The ProxyShell vulnerabilities consist of three CVEs (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting the following versions of on-premises Microsoft Exchange Servers.

• Exchange Server 2013 (Cumulative Update 23 and below)
• Exchange Server 2016 (Cumulative Update 20 and below)
• Exchange Server 2019 (Cumulative Update 9 and below)

The vulnerabilities are being tracked in the following CVEs:

Table 1: List of May & July 2021 Microsoft Exchange CVEs and FireEye Intel Summaries

Overview

Microsoft Exchange Server provides email and supporting services for organizations. This solution is used globally, both on-premises and in the cloud. This chain of vulnerabilities exists in unpatched on-premises editions of Microsoft Exchange Server only and is being actively exploited on those servers accessible on the Internet.

Mandiant responded to multiple intrusions impacting a wide variety of industries including Education, Government, Business services, and Telecommunications. These organizations are based in the United States, Europe, and Middle East. However, targeting is almost certainly broader than directly observed.

One specific targeted attack observed by Mandiant, detailed in this post, was against a US-based university where UNC2980 exploited ProxyShell vulnerabilities to gain access to the environment.

The Exploit Chain Explained

ProxyShell refers to a chain of attacks that exploit three different vulnerabilities affecting on-premises Microsoft Exchange servers to achieve pre-authenticated remote code execution (RCE). The exploitation chain was discovered and published by Orange Tsai (@orange_8361) from the DEVCORE Research Team.

Delivering the Payload

In order to later create a web shell on a Microsoft Exchange server by exporting from a mailbox, an attacker first needs to create an email item within a mailbox. In the Metasploit implementation of the attack, the Autodiscover service is abused to leak a known user’s distinguished name (DN), which is an address format used internally within Microsoft Exchange. The Messaging Application Programming Interface (MAPI) is then leveraged to leak the user's security identifier (SID), by passing the previously leaked DN as a request. The SID is then used to forge an access token to communicate with Exchange Web Services (EWS).

With the attacker able to successfully impersonate the target user with a valid access token, they can perform EWS operations. To continue with the ProxyShell attack, the operation  ‘CreateItem’ is used, which allows the remote creation of email messages in the impersonated user’s mailbox. While responding, Mandiant has seen draft emails with attached web shells, encoded in such a way that they become decoded upon export to PST later in the attack (specifically with permutative encoding).

Emails may also be placed in targeted users' mailboxes via SMTP, as was suggested in Orange Tsai’s documentation of the attack.

CVE-2021-34473 — Pre-auth Path Confusion Leads to ACL Bypass

Microsoft Exchange has a feature called ‘Explicit Logon’, which legitimately allows users to open another user's mailbox or calendar in a new browser window by providing the mailbox address in the URL. The feature was designed to only provide access where ‘Full Access’ is granted to the user, and the target mailbox or calendar is configured to publish. Exchange is designed to normalize the specified mailbox address in the URL to identify the target.

The vulnerability exists in passing the string Autodiscover/Autodiscover.json to the email field in the URL. By passing that string, Exchange does not perform sufficient checks on the address, and through its normalization process, this leads to arbitrary access to backend URLs as NT AUTHORITY/SYSTEM.

Figure 1: Requests showing how an attacker can abuse the normalization process of the Explicit Logon feature

CVE-2021-34523 — Elevation of Privilege on Exchange PowerShell Backend

The Exchange PowerShell Remoting feature, natively built into Microsoft Exchange, was designed to assist with administrative activities via the command line. The previous exploit allowed an attacker to interface with arbitrary backend URLs as NT AUTHORITY/SYSTEM, however since that user does not have a mailbox, the attacker cannot directly interface with the PowerShell backend (/Powershell) at that privilege level.

The PowerShell backend checks for the X-CommonAccessToken header in incoming requests. If the header does not exist, another method is used to get a CommonAccessToken. This method checks for the X-Rps-CAT parameter in the incoming request, and if present, deserializes this to a valid CommonAccessToken. With the previously collected information on the target mailbox or default information from built-in mailboxes, passing of a valid X-Rps-CAT value is trivial.

By passing this value to the PowerShell backend with the previously successful access token, an attacker can downgrade from the NT AUTHORITY/SYSTEM account to the target user. This user must have local administrative privileges in order to execute arbitrary Exchange PowerShell commands.

Figure 2: This request uses the parameter X-Rps-CAT, which allows valid user impersonation

CVE-2021-31207 — Post-auth Arbitrary-File-Write Leads to RCE

Once the two previous vulnerabilities are exploited successfully, the vulnerability CVE-2021-31207 allows the attacker to write files. As soon as the attacker is able to execute arbitrary PowerShell commands, and the required ‘Import Export Mailbox’ role is assigned to the impersonated user (which can be achieved by execution of the New-ManagementRoleAssignment cmdlet), the cmdlet New-MailboxExportRequest can be used to export a user’s mailbox to a specific desired path e.g.

Figure 3: New-MailBoxExportRequest can be used to export payloads

The use of New-MailboxExportRequest allows the attacker to export target mailboxes where previously created emails with encoded web shells were created. The attacker can export the mailbox to a PST file format with a web file extension, such as ASPX, which allows the attacker to drop a functional web shell, since the encoded attachments in the email are decoded upon write to the PST file format. This is due to the PST file format using permutative encoding, by attaching a pre-encoded payload, upon export the decoded payload is actually written.

Observations From Investigations

Mandiant responded to intrusions involving ProxyShell exploitation across a range of customers and industries. Examples of proof-of-concept (PoC) exploits developed and released publicly by security researchers could be leveraged by any threat group, leading to adoption by threat groups with varying levels of sophistication. Mandiant has observed the exploit chain resulting in post-exploitation activities, including the deployment of web shells, backdoors, and tunneling utilities to further compromise victim organizations. As of the release of this blog post, Mandiant tracks eight UNC groups exploiting the ProxyShell vulnerabilities.  Mandiant anticipates more clusters will be formed as different threat actors adopt working exploits.

Exploitation

Mandiant has observed the exploitation of Proxyshell starting with the abuse of Autodiscover services to leak known users distinguished name (DN) to then leverage it to leak the administrator security identifier (SID).

By using the leaked DN and SID, the attacker can create a mailbox that contains a draft email with a malicious payload as an attachment. Afterwards, the mailbox and the contained payload are exported to a web-accessible directory or another directory on the host.

Attempted exploitation of ProxyShell appears to be mostly automated. In some cases, Mandiant observed only partial attacker success, such as the creation of items in mailboxes remotely, but not the exporting of mailboxes and their contained payloads to another directory on the host.

Mandiant has observed a wide range of source IP addresses and user agents attempting HTTP requests consistent with the first stage of the ProxyShell exploit chain.

Post-Exploitation

Upon successful exploitation of the vulnerabilities, Mandiant observed multiple payloads to gain a foothold in the network including CHINACHOP and BLUEBEAM web shells (see Malware Definitions section). Follow-on actions include execution of internal reconnaissance commands on servers, and deployment of tunneler utilities.

Figure 4: BLUEBEAM ASP web shell that was embedded into a PST payload

Threat Actor Spotlight: UNC2980

In August 2021, Mandiant Managed Defense responded to an intrusion leveraging the ProxyShell vulnerability at a US-based university. Mandiant tracks this threat actor as UNC2980.

UNC2980 is a cluster of threat activity tracked since August 2021 and believed to be conducting cyber espionage operations. Mandiant suspects this group to be operating from China currently assessed at low confidence. UNC2980 has been observed exploiting CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, publicly referred to as "ProxyShell", to upload web shells for initial access. The group relies on multiple publicly available tools including EARTHWORM, HTRAN, MIMIKATZ, and WMIEXEC post compromise.

UNC2980 in Action

Upon gaining access through the exploitation of ProxyShell and deploying a web shell, UNC2980 dropped multiple tools into the victim environment. The following publicly available tools were observed on the initial compromised host: HTRAN, EARTHWORM, and several MIMIKATZ variants.

Figure 5: Web shell embedded in PST payload used by UNC2980

Approximately 11 hours and 44 minutes after the ProxyShell exploitation, Mandiant observed post-exploitation activity beginning with multiple Event ID 4648 (A logon was attempted using explicit credentials) events initiated by the process C:\root\mimikatz.exe on the initial compromised host. All Event ID 4648 events were associated with two different domain controllers within the environment.

The group then utilized the utility WMIEXEC to conduct post-exploitation activity. This was primarily observed through the default redirection of command output used by WMIEXEC.

Figure 6: Reconnaissance commands executed via WMICEXEC

UNC2980 was observed utilizing several techniques for credential theft once access to a host was established. In one instance, after performing reconnaissance, UNC2980 deployed multiple variants of MIMIKATZ. In another instance, UNC2980 utilized multiple batch files which executed ntdsutil to enumerate snapshots of volumes and were then used to copy ntds.dit and the System hive.

Figure 7: Executed Batch commands

Monitoring and Investigating

Mandiant recommends monitoring or investigating for compromise on presently or previously vulnerable Exchange servers.

Remote Creation of Items in Mailboxes

• Monitor or investigate irregular Exchange EWS logs to identify CreateItem requests, indicating the remote creation of items.
  • Mandiant has observed draft emails created, containing attached encoded web shells, though other items may also be created.
  • Examine logs under ‘Program Files\Microsoft\Exchange Server\V15\Logging\Ews\*’ where:
    • AuthenticatedUser is SYSTEM or a system account
    • SoapAction is CreateItem
    • HttpStatus is 200 (indicating success)
• Monitor or identify draft emails with encoded attachments.
  • Mandiant has observed draft emails containing .TXT file attachments with encoded content.

Remote Unauthenticated PowerShell

• Monitor IIS logs for successful POST requests containing "/autodiscover/autodiscover.json" & "Powershell".
• Monitor or investigate the execution of the PowerShell cmdlets ‘New-ManagementRoleAssignment’ or ‘New-MailboxExportRequest’.
  • Mandiant has observed ‘New-ManagementRoleAssignment’ being used to assign mailbox import and export permissions to target mailboxes, followed by ‘New-MailboxExportRequest’ to export the drafts folder containing emails with encoded web shells attached.
  • Examine PowerShell ScriptBlock, transcription, and module logging where enabled.
  • Examine logs under ‘Program Files\Microsoft\Exchange Server\V15\Logging\CmdletInfra\Powershell-Proxy\Cmdlet\*’, especially the cmdlet parameters where:
    • AuthenticatedUser is the name of impersonated mailbox user
    • ProcessName contains w3wp
    • Cmdlet is ‘New-ManagementRoleAssignment’ or ‘New-MailboxExportRequest’
  • Mandiant has observed the ‘CmdletInfra\Powershell-Proxy\Cmdlet’ logs recording remote cmdlets and their parameters even when regular PowerShell ScriptBlock/transcription/module logging is not enabled.
  • Mandiant recommends review of these logs on presently or previously vulnerable servers even in cases where no web shell is identified, since attackers may execute any PowerShell cmdlet, utilizing only part of the exploit chain.
• Examine the ‘Data’ field in the Audit logs stored under ‘\Program Files\Microsoft\Exchange Server\V15\Logging\LocalQueue\Exchange\*’. This field contains JSON data with the Operation Key value containing the executed PowerShell cmdlets.

Creation or Use of Web Shells

• Monitor or identify .ASPX files created under the path inetpub\wwwroot\aspnet_client written by SYSTEM.
• Monitor or identify PST files (by header ‘!BDN’ / 0x2142444E) with web file extensions (commonly .ASPX). These files may be written by MSMailboxReplication.exe or w3wp.exe (the latter can be the result of replication events due to the exploitation of a different Exchange server in the same cluster).
• Monitor or identify files created by MSMailboxReplication.exe with extensions other than .PST (this binary is used by the New-MailboxExportRequest PowerShell cmdlet).
• Monitor or identify arbitrary commands spawned by the process w3wp.exe.
• Monitor or investigate the ‘MSExchange Management’ Event logs (EID: 1 and EID: 6) to identify ‘New-MailboxExportRequest’ requests with .ASPX extensions, indicative of a web shell creation attempt.

Additional attempted or successful exploitation may be identified by analyzing network and IIS logs looking for HTTP requests matching some of the patterns described in this report.

• Requests against /autodiscover/autodiscover.json containing ‘powershell’, ‘mapi/nspi’, ‘mapi/emsmdb’, ‘/EWS’ or ‘X-Rps-CAT'.
• Status codes 200, 301, or 302 indicating successful exploitation.
• Status codes 400, 401, or 404 indicating attempted exploitation.

Prevention and Remediation

Mandiant advises all organizations to apply patches KB5003435 (CVE-2021-31207) and KB5001779 (CVE-2021-34473 and CVE-2021-34523) to vulnerable on-premises Microsoft Exchange servers to mitigate these vulnerabilities being exploited. To verify the current version of on-premises Microsoft Exchange running within an organization, reference this Microsoft resource.

If an organization is not able to immediately apply the patches, inbound TCP/80 and TCP/443 traffic to on-premises Exchange servers should be explicitly blocked from the Internet.

Additionally, Mandiant recommends organizations review their detection and response capabilities, especially on public-facing infrastructure, including:

• Deploying and configuring a File Integrity Monitoring solution to monitor and/or prevent the creation of files, especially on web servers outside of maintenance windows
• Deploying, configuring, and monitoring an Endpoint Detection and Response solution to alert to and respond to malicious activity effectively
• Enabling enhanced logging and implementing sufficient log retention periods to support investigations, including:
  • Microsoft Systems Monitor (Sysmon) on Windows Servers
  • PowerShell Module, Script Block, and Transcription Logging

Detecting the Techniques

Mandiant Security Validation Action

Organizations can validate their security controls using the following actions with Mandiant Security Validation.

Malware Definitions

BLUEBEAM

BLUEBEAM (aka. Godzilla) is a publicly available web shell management tool written in JAVA. BLUEBEAM can generate web shell payloads in JSP, ASP[.]NET, and PHP, it also supports AES encryption.

BLUEBEAM contains 20 built-in modules that provide features such as loading additional web shells into memory, shell execution, mimikatz, meterpreter, file compression, and privilege escalation.

HTRAN

HTRAN is a publicly available tunneler written in C/C++ that serves as a proxy between two endpoints specified via command line arguments.

EARTHWORM

EARTHWORM is a publicly available tunneler utility. It is capable of establishing a tunnel to a SOCKS v5 server and is supported on the following operating systems: Linux, MacOS, and Arm-Linux.

CHINACHOP

The CHOPPER web shell is a simple code injection web shell that is capable of executing Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with webserver account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.

For more detailed analysis, see our blog post on the China Chopper web shell.

Acknowledgements

Alex Pennino, Andrew Rector, Harris Ansari and Yash Gupta