{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2021-26858/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2021-26858"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Exchange Server"],"_cs_severities":["medium"],"_cs_tags":["exchange","webshell","cve-2021-26858","initial-access"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying suspicious file creation events triggered by the Microsoft Exchange Server Unified Messaging (UM) service, specifically \u003ccode\u003eUMWorkerProcess.exe\u003c/code\u003e and \u003ccode\u003eumservice.exe\u003c/code\u003e. The activity is linked to potential exploitation of CVE-2021-26858, a server-side request forgery (SSRF) vulnerability. The rule targets the creation of files with web-related extensions such as \u003ccode\u003ephp\u003c/code\u003e, \u003ccode\u003ejsp\u003c/code\u003e, \u003ccode\u003ejs\u003c/code\u003e, \u003ccode\u003easpx\u003c/code\u003e, \u003ccode\u003easmx\u003c/code\u003e, \u003ccode\u003easax\u003c/code\u003e, \u003ccode\u003ecfm\u003c/code\u003e, and \u003ccode\u003eshtml\u003c/code\u003e within specific Microsoft Exchange Server directories. Successful exploitation allows attackers to establish a web shell, gaining unauthorized access, enabling lateral movement, and achieving persistence within the compromised environment. This activity was observed beginning in early 2021, with widespread targeting of Exchange servers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker exploits CVE-2021-26858 or similar vulnerability in Exchange Server, gaining the ability to write arbitrary files.\u003c/li\u003e\n\u003cli\u003eThe Exchange UM service (\u003ccode\u003eUMWorkerProcess.exe\u003c/code\u003e or \u003ccode\u003eumservice.exe\u003c/code\u003e) is leveraged to write malicious files.\u003c/li\u003e\n\u003cli\u003eA web shell file (e.g., \u003ccode\u003emalware.aspx\u003c/code\u003e, \u003ccode\u003ebackdoor.php\u003c/code\u003e) is created in a directory accessible via HTTP, such as \u003ccode\u003e\\inetpub\\wwwroot\\aspnet_client\\\u003c/code\u003e, \u003ccode\u003e*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\\u003c/code\u003e, or \u003ccode\u003e*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\ecp\\auth\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the web shell via a web browser, sending HTTP requests to the created file.\u003c/li\u003e\n\u003cli\u003eThe web shell executes commands on the Exchange server, allowing the attacker to gather information, move laterally within the network, or establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the Exchange server, potentially compromising sensitive data and services.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised Exchange server to access other systems within the network, expanding their reach.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Microsoft Exchange servers can lead to the exposure of sensitive email communications, user credentials, and confidential business data. Successful exploitation and web shell deployment can grant attackers persistent access to the internal network, enabling lateral movement to other critical systems. The potential consequences include data theft, ransomware deployment, disruption of email services, and reputational damage. While the number of directly affected organizations is not specified in this brief, the broad adoption of Microsoft Exchange makes this a widespread concern.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Microsoft Exchange Server UM Writing Suspicious Files\u0026quot; to your SIEM and tune for your environment to detect web shell creation (see below).\u003c/li\u003e\n\u003cli\u003ePrioritize patching CVE-2021-26858 on all internet-facing Exchange servers immediately to prevent initial exploitation.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, comparing suspicious file creations against established Microsoft baselines (see References).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging with the appropriate event ID to ensure adequate telemetry for the Sigma rules to function.\u003c/li\u003e\n\u003cli\u003eConsult Microsoft's Exchange support repository for additional tools and guidance on detecting and mitigating Exchange vulnerabilities (see References).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:12:00Z","date_published":"2024-01-03T18:12:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-exchange-um-webshell/","summary":"This rule detects suspicious file creations by the Microsoft Exchange Server Unified Messaging service, potentially indicative of exploitation of CVE-2021-26858, leading to web shell deployment for initial access, lateral movement, and persistence.","title":"Suspicious File Creation by Microsoft Exchange Unified Messaging Service","url":"https://feed.craftedsignal.io/briefs/2024-01-03-exchange-um-webshell/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2021-26858","version":"https://jsonfeed.org/version/1.1"}