<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Microsoft Exchange Server - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/microsoft-exchange-server/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 18:12:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/microsoft-exchange-server/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious File Creation by Microsoft Exchange Unified Messaging Service</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-exchange-um-webshell/</link><pubDate>Wed, 03 Jan 2024 18:12:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-exchange-um-webshell/</guid><description>This rule detects suspicious file creations by the Microsoft Exchange Server Unified Messaging service, potentially indicative of exploitation of CVE-2021-26858, leading to web shell deployment for initial access, lateral movement, and persistence.</description><content:encoded><![CDATA[<p>This detection focuses on identifying suspicious file creation events triggered by the Microsoft Exchange Server Unified Messaging (UM) service, specifically <code>UMWorkerProcess.exe</code> and <code>umservice.exe</code>. The activity is linked to potential exploitation of CVE-2021-26858, a server-side request forgery (SSRF) vulnerability. The rule targets the creation of files with web-related extensions such as <code>php</code>, <code>jsp</code>, <code>js</code>, <code>aspx</code>, <code>asmx</code>, <code>asax</code>, <code>cfm</code>, and <code>shtml</code> within specific Microsoft Exchange Server directories. Successful exploitation allows attackers to establish a web shell, gaining unauthorized access, enabling lateral movement, and achieving persistence within the compromised environment. This activity was observed beginning in early 2021, with widespread targeting of Exchange servers.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker exploits CVE-2021-26858 or similar vulnerability in Exchange Server, gaining the ability to write arbitrary files.</li>
<li>The Exchange UM service (<code>UMWorkerProcess.exe</code> or <code>umservice.exe</code>) is leveraged to write malicious files.</li>
<li>A web shell file (e.g., <code>malware.aspx</code>, <code>backdoor.php</code>) is created in a directory accessible via HTTP, such as <code>\inetpub\wwwroot\aspnet_client\</code>, <code>*\Microsoft\Exchange Server*\FrontEnd\HttpProxy\owa\auth\</code>, or <code>*\Microsoft\Exchange Server*\FrontEnd\HttpProxy\ecp\auth\</code>.</li>
<li>The attacker accesses the web shell via a web browser, sending HTTP requests to the created file.</li>
<li>The web shell executes commands on the Exchange server, allowing the attacker to gather information, move laterally within the network, or establish persistence.</li>
<li>The attacker gains control over the Exchange server, potentially compromising sensitive data and services.</li>
<li>The attacker may use the compromised Exchange server to access other systems within the network, expanding their reach.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised Microsoft Exchange servers can lead to the exposure of sensitive email communications, user credentials, and confidential business data. Successful exploitation and web shell deployment can grant attackers persistent access to the internal network, enabling lateral movement to other critical systems. The potential consequences include data theft, ransomware deployment, disruption of email services, and reputational damage. While the number of directly affected organizations is not specified in this brief, the broad adoption of Microsoft Exchange makes this a widespread concern.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Microsoft Exchange Server UM Writing Suspicious Files&quot; to your SIEM and tune for your environment to detect web shell creation (see below).</li>
<li>Prioritize patching CVE-2021-26858 on all internet-facing Exchange servers immediately to prevent initial exploitation.</li>
<li>Investigate any alerts generated by the Sigma rule, comparing suspicious file creations against established Microsoft baselines (see References).</li>
<li>Enable Sysmon file creation logging with the appropriate event ID to ensure adequate telemetry for the Sigma rules to function.</li>
<li>Consult Microsoft's Exchange support repository for additional tools and guidance on detecting and mitigating Exchange vulnerabilities (see References).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>exchange</category><category>webshell</category><category>cve-2021-26858</category><category>initial-access</category></item><item><title>Exchange PowerShell Used to Add New ActiveSync Allowed Device</title><link>https://feed.craftedsignal.io/briefs/2024-01-activesync-mailbox-modification/</link><pubDate>Tue, 02 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-activesync-mailbox-modification/</guid><description>An adversary may use the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device, potentially gaining persistent access to a user's email and sensitive information.</description><content:encoded><![CDATA[<p>Attackers are increasingly targeting Exchange servers to gain access to sensitive email data. This activity involves the use of PowerShell to modify mailbox settings, specifically to add new ActiveSync allowed devices. The addition of rogue devices allows the attacker to maintain persistent access, bypassing typical authentication controls. This technique has been observed in intrusions following initial compromise via vulnerabilities like the SolarWinds supply chain attack. This can lead to long-term access to sensitive information, facilitating data exfiltration or further exploitation within the compromised organization. Defenders must monitor PowerShell activity related to Exchange management and validate any changes to ActiveSync configurations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access is gained to a compromised host, potentially through exploitation of a vulnerability or stolen credentials.</li>
<li>The attacker uses PowerShell to interact with the Exchange Management Shell (EMS).</li>
<li>The <code>Set-CASMailbox</code> cmdlet is invoked with the <code>ActiveSyncAllowedDeviceIDs</code> parameter.</li>
<li>A new, unauthorized device ID is added to the list of allowed devices for a target mailbox.</li>
<li>The attacker uses the newly authorized device to synchronize with the target mailbox via the ActiveSync protocol.</li>
<li>Email data, including sensitive information, is accessed and potentially exfiltrated from the mailbox.</li>
<li>The attacker maintains persistent access to the mailbox through the authorized device, even if the user changes their password.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of this attack allows adversaries to maintain persistent access to targeted mailboxes, enabling the collection of sensitive information. This can lead to financial losses, reputational damage, and exposure of confidential data. The number of victims can vary depending on the scope of the attacker's objectives. The technique has been observed in attacks targeting organizations across various sectors. If successful, attackers can exfiltrate sensitive data, compromise internal communications, and potentially gain further access to the organization's network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process execution for PowerShell commands containing <code>Set-CASMailbox</code> and <code>ActiveSyncAllowedDeviceIDs</code> to detect suspicious activity (see Sigma rule &quot;Detect Suspicious ActiveSync Mailbox Modification via PowerShell&quot;).</li>
<li>Enable Sysmon process creation logging with command line arguments to capture PowerShell activity (reference Sigma rule logsource).</li>
<li>Review Exchange audit logs for modifications to <code>ActiveSyncAllowedDeviceIDs</code> attribute to identify unauthorized device additions.</li>
<li>Implement multi-factor authentication (MFA) to mitigate the risk of credential compromise (reference: MITRE ATT&amp;CK T1114).</li>
<li>Regularly audit ActiveSync device configurations for unauthorized devices (reference: description).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>exchange</category><category>powershell</category><category>activesync</category><category>persistence</category></item></channel></rss>