DearCry - Leveraging the ProxyLogon Vulnerability - What it Means for You

Let us discuss the issue of DearCry, a new strain of ransomware that several threat actor groups are deploying to attack vulnerable Exchange servers.


Is Your Exchange Vulnerable to a DearCry Attack?

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server itself, and access to connected devices on the same network. Attackers typically install a backdoor, in the form of a web shell, that gives them full access to impacted servers even if the server is later updated so that it is no longer vulnerable to the original exploits.


As a refresher, the Microsoft Exchange attacks using the ‘ProxyLogon’ vulnerability, previously associated with the dropping of malicious web shells, are taking on a ransomware twist. Until now, the main aim of the attacks has been initial compromise to enable data exfiltration, with a bit of cryptomining on the side.


ProxyLogon is the name given to CVE-2021-26855, a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate an administrator. We have also chained this bug with another post-authentication arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default! A view of the ProxyLogon can be watched in the

As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server with only port 443 exposed!

What DearCry delivers is an additional attack vector: anybody can now download the DearCry exploit and use it against a vulnerable Exchange server. This has changed the picture significantly within the past week. Activity that was previously conducted mainly at the nation-state level is now potentially being undertaken by ‘script kiddies’ against corporate Exchange environments.


The danger of this pivot to ransomware is the sheer number of potential targets. Needless to say, it is essential that you install the Exchange updates required to keep your systems safe from harm. Taking the attack one stage further, cyber criminals are actively looking to feed off the Exchange bugs: ransomware attackers spreading a strain called DearCry are attempting to install the malware after compromising Exchange servers, according to Microsoft.


"We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry," Microsoft warned in a tweet. Ransom:Win32/DoejoCrypt.A is the name under which Microsoft's Defender antivirus will detect the new threat.


What is a Webshell?

A web shell is a malicious web-based, shell-like interface that enables remote access to and control of a web server by allowing execution of arbitrary commands. Previously, this type of backdoor has been seen in payment card environments, where attackers gained access to compromised e-commerce servers and exfiltrated information using tools and techniques run through the web shell as the enabling capability.


Do You Know What a Webshell is?

So, why do the attackers do this? It saves effort: they leverage servers already compromised with HAFNIUM web shells and use them as a foothold into networks. It is a lot easier to scan the internet (reconnaissance), find one of the thousands of exposed Exchange servers, gain access to the web shell, then move to a hands-on-keyboard attack to move laterally within the environment, exfiltrate sensitive data, and deploy ransomware. This is a much faster path to profit as it saves the first step: the initial compromise of the victim.



What can we do to prevent, detect, and react to DearCry?

Prevention requires patching and removing any web shells from your Exchange servers. A number of scripts exist to find them, but we recommend the script below. Note that Defender has also been seen detecting this tool itself as a web shell.


https://github.com/cert-lv/exchange_webshell_detection


Detection “should” be taken care of by your endpoint security tool, but not all are up to scratch, and if the threat actors raise their level of sophistication they may incorporate AV bypass techniques or, more likely, simply disable detection tooling! To prevent this in environments where Microsoft Defender is deployed, we strongly recommend enabling Tamper Protection.


Leveraging the power of Azure Sentinel and Microsoft Defender, we can create custom rules to detect the initial stages of DearCry deployment by monitoring for creation of the “msupdate” service. The following is a rough and quick custom detection that can be seen as a “back stop” or “last chance” detection.


In theory, Microsoft Defender detects DearCry as “Ransom:Win32/DoejoCrypt.A – ‘DearCry’”, but if the threat actors change their variant so that it bypasses detection, we can still detect based on their techniques instead. Alternatively, if you do not have Tamper Protection enabled, it is possible the threat actor may disable your anti-virus entirely. We also realise techniques could change, so this rule should be seen as a short-term detection to give visibility until you are able to patch.
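As an added example (not Forint's Sentinel rule), here is the same “msupdate” service-creation back stop applied in Python to constructed Windows System-log records (Event ID 7045, “A service was installed in the system”), so the logic can be tested offline before being ported to a Sentinel or Defender query. Hostnames, image paths and the list of expected service locations are assumptions for the demo.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample System-log records in Windows Event XML form (7045 = "A service
# was installed in the system"); hostnames and paths are made up for the demo.
SAMPLE_EVENTS = [
    f'<Event xmlns="{NS}"><System><EventID>7045</EventID><Computer>EXCH01.corp.example</Computer></System>'
    '<EventData><Data Name="ServiceName">msupdate</Data>'
    '<Data Name="ImagePath">C:\\Windows\\Temp\\msupdate.exe</Data></EventData></Event>',
    f'<Event xmlns="{NS}"><System><EventID>7045</EventID><Computer>EXCH02.corp.example</Computer></System>'
    '<EventData><Data Name="ServiceName">WdNisSvc</Data>'
    '<Data Name="ImagePath">"C:\\Program Files\\Windows Defender\\NisSrv.exe"</Data></EventData></Event>',
    f'<Event xmlns="{NS}"><System><EventID>7036</EventID><Computer>EXCH02.corp.example</Computer></System>'
    '<EventData><Data Name="param1">msupdate</Data></EventData></Event>',
]

SUSPECT_SERVICE_NAMES = {"msupdate"}   # service name reported for DearCry on this page
EXPECTED_IMAGE_PREFIXES = (            # assumption: where legitimate service binaries live; tune per estate
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files", "%systemroot%\\system32\\", "system32\\")

def parse_event(xml_text):
    # Flatten one event: EventID/Computer from <System>, each <Data Name=...> from <EventData>.
    ev = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]           # strip the XML namespace
        key = el.get("Name") if tag == "Data" else tag if tag in ("EventID", "Computer") else None
        if key:
            ev[key] = (el.text or "").strip()
    ev["EventID"] = int(ev.get("EventID", 0))
    return ev

def evaluate(ev):
    # Return the reasons a service-install event should alert; [] means no alert.
    if ev["EventID"] != 7045:
        return []
    reasons = []
    name = ev.get("ServiceName", "").lower()
    if name in SUSPECT_SERVICE_NAMES:
        reasons.append(f"service name '{name}' matches DearCry indicator")
    path = ev.get("ImagePath", "").strip('"').lower()
    if path and not path.startswith(EXPECTED_IMAGE_PREFIXES):
        reasons.append(f"image path outside expected locations: {path}")
    return reasons

def hunt(xml_events):
    # Apply the rule to a batch; returns (computer, service name, reasons) for each hit.
    evs = [parse_event(x) for x in xml_events]
    return [(e.get("Computer"), e.get("ServiceName"), r) for e in evs if (r := evaluate(e))]
```

The image-path check is a second, name-independent signal so a renamed service dropped in a temp directory still surfaces; review its prefix list against your own build standard before relying on it.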


Summary and IOC

If you haven’t already patched your systems, please do so right away and search your systems for signs of compromise.

Patch Your Exchange Now!

Malwarebytes detects web shells planted on compromised Exchange servers as Backdoor.Hafnium. When the ransomware was still unknown, DearCry attacks would have been detected proactively as Malware.Ransom.Agent.Generic.


Indicators of Compromise (IOCs):

The following IOCs are provided to assist your response in ascertaining whether your Exchange environment has been compromised:

  • feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede

  • e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6

  • 10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da

  • 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff

If you need help with any deployment, investigation, or immediate incident response services please do get in touch with us to discuss this matter.


FORINT


©2020 by Forint Limited. Forint Ltd is a registered company in England and Wales (12215794) and is registered at 320 Firecrest Court, Centre Park, Warrington, Cheshire, United Kingdom, WA1 1RG