By David Liebenberg and Caitlin Huey.
While the security community made a great effort to warn users of the exploitation of several Microsoft Exchange Server zero-day vulnerabilities, it was still the biggest threat Cisco Talos Incident Response (CTIR) saw this past quarter. These vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, comprised around 35 percent of all incidents investigated.
This shows that when a vulnerability is recently disclosed, severe, and widespread, CTIR will often see a corresponding rise in engagements in which the vulnerabilities in question are involved. Thankfully, the majority of these incidents involved scanning and not post-compromise behavior, such as file encryption or evidence of exfiltration.
While CTIR’s focus was largely on the Microsoft Exchange Server vulnerabilities this quarter, ransomware continued to be a persistent and growing problem. This quarter featured several ransomware families that we have not previously encountered in CTIR engagements, including MountLocker, Zeppelin and Avaddon. These families fit the ransomware-as-a-service (RaaS) model and are typically deployed with Cobalt Strike and are delivered by an initial commodity trojan loader. These ransomware families also engage in double extortion, threatening to publish victim data if the ransom demand is not met. Looking forward, Q4 saw a relative rise in Dridex infections beginning in late March, which has also borne out in our telemetry, as well. This could be related to the takedown and uninstallation of Emotet coordinated by global law enforcement partners earlier this year.
Targeting
Actors targeted a broad range of verticals, including biotechnology, government, distribution, education, energy/utilities, food and agriculture, health, IT services, legal, machinery, manufacturing, non-profit, real estate, retail, technology, telecommunications and transportation. Attackers targeted the health care sector most often, with nearly four times as many incidents as the next most targeted verticals education and technology. This is a continuation of a trend from last quarter. There are many reasons why actors are continuing to target the health care industry, including the COVID-19 pandemic incentivizing victims to pay to restore services as quickly as possible.
Threats
The exploitation of Microsoft Exchange Server zero-day vulnerabilities comprised a huge portion of threats CTIR observed.
Beginning in early March, CTIR responded to a growing number of cases involving threat activity related to these vulnerabilities. During these engagements, CTIR observed multiple instances of threat actors leveraging both invalid and legitimate administrator email addresses to attempt to exploit the Microsoft zero-days. For the majority of these incidents, we saw indications of scanning attempts and HTTP POST requests but did not see evidence of post-exploitation activity.
In several incident response engagements, CTIR observed attackers using invalid administrator email addresses to attempt to exploit the vulnerabilities. The invalid accounts, which the adversaries created, have a seemingly legitimate username, followed by the target entity’s email domain, such as "administrator@domainname". Successful exploitation of CVE-2021-26855 requires that the attacker provide a valid email address, and since the accounts did not actually exist on the target organization’s email server, the response in the Microsoft Internet Information Server (IIS) logs was: “The email address can't be found.”
The examples outlined above contrast those associated with legitimate administrator account usage. In cases where we saw valid admin email addresses being used, we observed multiple instances of probable post-exploitation activity, including the creation and writing of web shells, use of utilities such as ProcDump associated with possible credential harvesting, and compressing and archiving data with utilities such as MakeCab (makecab.exe) or WinRAR to stage for potential exfiltration.
The lack of post-exploitation activity associated with invalid administrator account usage sheds light on several potential explanations of threat actor behavior. The attackers likely understood that a patch for these vulnerabilities would soon be released and acted quickly and in an indiscriminate manner to obtain access to as many victim networks as possible while these exploits remained viable. This notion is supported in part by their apparent failure to conduct relatively simple follow-on actions that would have helped them achieve victim compromise.
In at least one engagement affecting a U.S. municipal government, we saw actors incorporate invalid and valid administrator accounts into their operations. CTIR observed the actors making three attempts to exploit CVE-2021-26855 within an eight-hour window. The first two failed attempts involved the use of an invalid administrator email address, with the final successful attempt leveraging a legitimate administrator account address that resulted in post-compromise activity. We could not determine how the actors obtained the valid account email address, but this further suggests that a variety of actors are attempting to exploit the Microsoft zero-days, resulting in the variety of observed tactics, techniques, and procedures (TTPs). In this particular engagement, the adversaries also successfully exploited CVE-2021-27065, which was observed within the IIS log for HTTP POST requests and continued with the execution of variants of the China Chopper web shells. In this same engagement, we also noticed some of these China Chopper web shells being created and/or accessed using “notepad.exe” or “Wordpad.exe.” An example can be seen in the following command: C:\Program Files\Windows NT\Accessories\WORDPAD.EXE C:\ASPX\lMAxnJTv.aspx.
In one engagement affecting a Canadian health care organization, CTIR observed the exploitation of one additional Microsoft Exchange Server vulnerability, CVE-2021-24085. After successful exploitation, the adversary created a web shell at “c:\programdata\a.aspx”. Analysis shows that after “a.aspx” was created, it was dropped to four of the customer’s Exchange Servers at the following directory: “Program Files\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\owa\auth\current\themes\Style.ExchangeTheme.aspx”. After the vulnerability was released on Feb. 9, a proof of concept (PoC) exploit was released shortly after in mid-February 2021, suggesting that threat actors were already working on actively exploiting it in the wild.
Beyond Microsoft Exchange, other targeted vulnerabilities included the Telerik UI vulnerability CVE-2019-18935 and the F5 vulnerability CVE-2020-5902, both of which have been observed in previous quarters. Affected industry verticals included telecoms, health care, government, real estate, technology and education.
Initial vectors
This quarter, CTIR’s primary focus was on Microsoft Exchange servers. Correspondingly, for the first time since compiling these reports, phishing/email was not the top infection vector. Instead, vulnerable internet-facing applications and software were the top vector. However, it is important to note that for the vast majority of engagements, the initial vector remains unknown, usually due to insufficient logging and/or lack of security instrumentation.
CTIR encourages all organizations to save their logs to make any potential incident response engagements more efficient and effective.
Top-observed MITRE ATT&CK techniques
Below is a list of the most common MITRE ATT&CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple categories, we grouped them under the most relevant category in which they were leveraged. This represents what CTIR observed most frequently and is not intended to be exhaustive.
Key findings from the MITRE ATT&CK appendix include:
- Exploiting public-facing applications was a large initial access vector this quarter as CTIR engaged a number of customers following Microsoft’s disclosure of the Exchange Server zero-days. We also observed more web shells being created and dropped after exploitation attempts were successful.
- Remote desktop protocol (RDP) usage slightly increased this quarter. We rarely observed RDP connections made in isolation. For example, where we observed accounts leveraged to remotely connect from compromised hosts via RDP and deploy/execute malware, we also observed compromised accounts remotely connecting to various systems using multiple command-line utilities such as Windows Management Instrumentation (WMI) and PSExec.
- In several Ryuk engagements that closed out this quarter, we observed WMI, RDP, PowerShell base64-encoded commands, and Cobalt Strike beacons all used across the attack chain.
Initial Access (TA0027): T1190 Exploit Public-Facing Application — Exploit vulnerabilities in internet-facing Microsoft Exchange Servers. Persistence (TA0028): T1505.003 Server Software Component Web Shell — Used a variant of China Chopper web shells to place on compromised Exchange Servers. Execution (TA0041): T1059.001 Command and Scripting Interpreter PowerShell — Executes PowerShell code to retrieve information about the client's Active Directory environment. Discovery (TA0007): T1046 Network Service Scanning — Attacker IPs scanning over FTP and NBT. Credential Access (TA0006): T1003 OS Credential Dumping — Use tools such as Mimikatz to compromise credentials in the environment. Privilege Escalation (TA0029): T1543.003 Create or Modify System Process: Windows Service — Malicious services were found to install the schedule task, “Sync.” Lateral Movement (TA0008): T1021.001 Remote Desktop Protocol — Malicious PowerShell script enables Restricted Admin mode for RDP. Collection (TA0035): T1560.001 Archive Collected Data: Archive via Utility — One binary was capable of extracting system information and files that are subsequently placed within a tar archive, which is compressed with bzip2. Defense Evasion (TA0030) T1027: Obfuscated Files or Information — Use base64-encoded payloads. Command and Control (TA0011) T1132.001: Data Encoding: Standard Encoding — Use Base64 to encode C2 communication. Impact (TA0034) T1486: Data Encrypted for Impact — Deploy Ryuk ransomware. Software: Cobalt Strike — Execution of “Invoke-DACheck,” a Cobalt Strike Aggressor Script to check if the current user is a domain administrator.