- Months after a massive campaign against Microsoft Exchange Servers, tens of thousands of organizations have failed to patch their systems, allowing threat actors to deploy new tactics and create highly privileged mailboxes, according to research from Mandiant released Wednesday.
- Threat actors are now writing web shells by exporting Exchange certificate requests instead of mailbox exports, according to Mandiant. They obtain Remote PowerShell access by exploiting the first two vulnerabilities, according to Mandiant's blog post. After creating new mailboxes, the attackers then assign those mailboxes privileged access to other mailboxes.
- Researchers have detected up to 30,000 vulnerable servers that are visible on the internet, despite disclosures being issued in April and patches released in April and May.
The Cybersecurity and Infrastructure Security Agency (CISA) warned in August about three ProxyShell vulnerabilities, CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, which could allow an attacker to execute arbitrary code on unprotected systems. Microsoft issued updated guidance in late August, alerting customers that security updates from May or July would protect their systems.
However, by September, researchers at Sophos warned that Conti affiliates were using ProxyShell exploits to target organizations during ransomware attacks. Mandiant researchers reported web shell uploads linked to threat actor UNC2980 against a U.S.-based university in August.
Now, Mandiant researchers say they have observed threat actors using new methods after some of their earlier attack methods were blocked by those security updates.
"For example, in the case of exporting web shells, various antivirus solutions have detected web shells exported from mailboxes when they were written to disk via inspection and blocking of web files written with mailbox (PST) file headers," Josh Goddard, a consultant with Mandiant's Incident Response Group, told Cybersecurity Dive via email. "However, web shells exported from the certificate store did not contain these headers, so in some cases, these were not detected and the attack was therefore successful."
In other situations, threat actors created their own mailboxes and accessed them via Outlook Web Access (OWA), in a move that targets the email service directly, rather than targeting the operating system of the email servers, according to Goddard.
CISA, the FBI, the U.K. National Cyber Security Centre and the Australian Cyber Security Centre earlier this week issued a joint advisory about advanced persistent threat activity from actors sponsored by Iran. That warning covered exploitation of Fortinet FortiOS vulnerabilities and the Microsoft Exchange vulnerability CVE-2021-34473 to target various critical infrastructure facilities.
The Fortinet vulnerabilities were used to target a U.S. children's hospital in June and a municipal government in May.
"Joint advisories exemplify our commitment to working with international and interagency partners to share timely and actionable information so we can build collective resilience against cyberthreats," said Matt Hartman, deputy executive assistant director for cybersecurity at CISA. "This alert provides a comprehensive view into Iranian government sponsored threat-actor activity, their tactics and techniques and steps organizations should take to detect, mitigate, and reduce their risk of compromise."
When asked about the Iranian attacks, Goddard said, "they may have been using some of these new tactics, but we don't have sufficient data to link them up."