The following blog post was co-authored by Andrew Christian and Brendan Watters.
Beginning Feb. 27, 2021, Rapid7’s Managed Detection and Response (MDR) team has observed a notable increase in the automated exploitation of vulnerable Microsoft Exchange servers to upload a webshell granting attackers remote access. The suspected vulnerability being exploited is a cross-site request forgery (CSRF) vulnerability: The likeliest culprit is CVE-2021-24085, an Exchange Server spoofing vulnerability released as part of Microsoft’s February 2021 Patch Tuesday advisory, though other CVEs may also be at play (e.g., CVE-2021-26855, CVE-2021-26865, CVE-2021-26857).
The following China Chopper command was observed multiple times beginning Feb. 27 using the same DigitalOcean source IP (165.232.154.116):
cmd /c cd /d C:inetpubwwwrootaspnet_clientsystem_web&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E]
Exchange or other systems administrators who see this command—or any other China Chopper command in the near future—should look for the following in IIS logs:
165.232.154.116 (the source IP of the requests)
/ecp/y.js
/ecp/DDI/DDIService.svc/GetList
Indicators of compromise (IOCs) from the attacks we have observed are consistent with IOCs for publicly available exploit code targeting CVE-2021-24085 released by security researcher Steven Seeley last week, shortly before indiscriminate exploitation began. After initial exploitation, attackers drop an ASP eval webshell before (usually) executing procdump against lsass.exe in order to grab all the credentials from the box. It would also be possible to then clean some indicators of compromi ..
Support the originator by clicking the read the rest link below.
){kind=link}