{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-exchange-server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2021-26858"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Exchange Server"],"_cs_severities":["medium"],"_cs_tags":["exchange","webshell","cve-2021-26858","initial-access"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying suspicious file creation events triggered by the Microsoft Exchange Server Unified Messaging (UM) service, specifically \u003ccode\u003eUMWorkerProcess.exe\u003c/code\u003e and \u003ccode\u003eumservice.exe\u003c/code\u003e. The activity is linked to potential exploitation of CVE-2021-26858, a server-side request forgery (SSRF) vulnerability. The rule targets the creation of files with web-related extensions such as \u003ccode\u003ephp\u003c/code\u003e, \u003ccode\u003ejsp\u003c/code\u003e, \u003ccode\u003ejs\u003c/code\u003e, \u003ccode\u003easpx\u003c/code\u003e, \u003ccode\u003easmx\u003c/code\u003e, \u003ccode\u003easax\u003c/code\u003e, \u003ccode\u003ecfm\u003c/code\u003e, and \u003ccode\u003eshtml\u003c/code\u003e within specific Microsoft Exchange Server directories. Successful exploitation allows attackers to establish a web shell, gaining unauthorized access, enabling lateral movement, and achieving persistence within the compromised environment. This activity was observed beginning in early 2021, with widespread targeting of Exchange servers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker exploits CVE-2021-26858 or similar vulnerability in Exchange Server, gaining the ability to write arbitrary files.\u003c/li\u003e\n\u003cli\u003eThe Exchange UM service (\u003ccode\u003eUMWorkerProcess.exe\u003c/code\u003e or \u003ccode\u003eumservice.exe\u003c/code\u003e) is leveraged to write malicious files.\u003c/li\u003e\n\u003cli\u003eA web shell file (e.g., \u003ccode\u003emalware.aspx\u003c/code\u003e, \u003ccode\u003ebackdoor.php\u003c/code\u003e) is created in a directory accessible via HTTP, such as \u003ccode\u003e\\inetpub\\wwwroot\\aspnet_client\\\u003c/code\u003e, \u003ccode\u003e*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\\u003c/code\u003e, or \u003ccode\u003e*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\ecp\\auth\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the web shell via a web browser, sending HTTP requests to the created file.\u003c/li\u003e\n\u003cli\u003eThe web shell executes commands on the Exchange server, allowing the attacker to gather information, move laterally within the network, or establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the Exchange server, potentially compromising sensitive data and services.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised Exchange server to access other systems within the network, expanding their reach.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Microsoft Exchange servers can lead to the exposure of sensitive email communications, user credentials, and confidential business data. Successful exploitation and web shell deployment can grant attackers persistent access to the internal network, enabling lateral movement to other critical systems. The potential consequences include data theft, ransomware deployment, disruption of email services, and reputational damage. While the number of directly affected organizations is not specified in this brief, the broad adoption of Microsoft Exchange makes this a widespread concern.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Microsoft Exchange Server UM Writing Suspicious Files\u0026quot; to your SIEM and tune for your environment to detect web shell creation (see below).\u003c/li\u003e\n\u003cli\u003ePrioritize patching CVE-2021-26858 on all internet-facing Exchange servers immediately to prevent initial exploitation.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, comparing suspicious file creations against established Microsoft baselines (see References).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging with the appropriate event ID to ensure adequate telemetry for the Sigma rules to function.\u003c/li\u003e\n\u003cli\u003eConsult Microsoft's Exchange support repository for additional tools and guidance on detecting and mitigating Exchange vulnerabilities (see References).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:12:00Z","date_published":"2024-01-03T18:12:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-exchange-um-webshell/","summary":"This rule detects suspicious file creations by the Microsoft Exchange Server Unified Messaging service, potentially indicative of exploitation of CVE-2021-26858, leading to web shell deployment for initial access, lateral movement, and persistence.","title":"Suspicious File Creation by Microsoft Exchange Unified Messaging Service","url":"https://feed.craftedsignal.io/briefs/2024-01-03-exchange-um-webshell/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Exchange Server"],"_cs_severities":["medium"],"_cs_tags":["exchange","powershell","activesync","persistence"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly targeting Exchange servers to gain access to sensitive email data. This activity involves the use of PowerShell to modify mailbox settings, specifically to add new ActiveSync allowed devices. The addition of rogue devices allows the attacker to maintain persistent access, bypassing typical authentication controls. This technique has been observed in intrusions following initial compromise via vulnerabilities like the SolarWinds supply chain attack. This can lead to long-term access to sensitive information, facilitating data exfiltration or further exploitation within the compromised organization. Defenders must monitor PowerShell activity related to Exchange management and validate any changes to ActiveSync configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained to a compromised host, potentially through exploitation of a vulnerability or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to interact with the Exchange Management Shell (EMS).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSet-CASMailbox\u003c/code\u003e cmdlet is invoked with the \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eA new, unauthorized device ID is added to the list of allowed devices for a target mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly authorized device to synchronize with the target mailbox via the ActiveSync protocol.\u003c/li\u003e\n\u003cli\u003eEmail data, including sensitive information, is accessed and potentially exfiltrated from the mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the mailbox through the authorized device, even if the user changes their password.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack allows adversaries to maintain persistent access to targeted mailboxes, enabling the collection of sensitive information. This can lead to financial losses, reputational damage, and exposure of confidential data. The number of victims can vary depending on the scope of the attacker's objectives. The technique has been observed in attacks targeting organizations across various sectors. If successful, attackers can exfiltrate sensitive data, compromise internal communications, and potentially gain further access to the organization's network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for PowerShell commands containing \u003ccode\u003eSet-CASMailbox\u003c/code\u003e and \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e to detect suspicious activity (see Sigma rule \u0026quot;Detect Suspicious ActiveSync Mailbox Modification via PowerShell\u0026quot;).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line arguments to capture PowerShell activity (reference Sigma rule logsource).\u003c/li\u003e\n\u003cli\u003eReview Exchange audit logs for modifications to \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e attribute to identify unauthorized device additions.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to mitigate the risk of credential compromise (reference: MITRE ATT\u0026amp;CK T1114).\u003c/li\u003e\n\u003cli\u003eRegularly audit ActiveSync device configurations for unauthorized devices (reference: description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-activesync-mailbox-modification/","summary":"An adversary may use the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device, potentially gaining persistent access to a user's email and sensitive information.","title":"Exchange PowerShell Used to Add New ActiveSync Allowed Device","url":"https://feed.craftedsignal.io/briefs/2024-01-activesync-mailbox-modification/"}],"language":"en","title":"CraftedSignal Threat Feed - Microsoft Exchange Server","version":"https://jsonfeed.org/version/1.1"}