Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange 0-day

Starting February 27, 2021, Rapid7 has observed a notable increase in the exploitation of Microsoft Exchange through existing detections in InsightIDR’s Attacker Behavior Analytics (ABA).  The Managed Detection and Response (MDR) identified multiple, related compromises in the past 72 hours. In most cases, the attacker is uploading an “eval” webshell, commonly referred to as a “chopper” or “China chopper”. With this foothold, the attacker would then upload and execute tools, often for the purpose of stealing credentials. Further investigative efforts have identified overlap in attacker techniques and infrastructure.


Summary


At close to midnight UTC on February  27, 2021, Managed Detection and Response SOC analysts began observing alerts for the following ABA detections in InsightIDR:


Attacker Tool - China Chopper Webshell Executing Commands
Attacker Technique - ProcDump Used Against LSASS

Upon further inspection of Enhanced Endpoint Telemetry data produced by InsightAgent, Rapid7 analysts identified that attackers had successfully compromised several systems and noted that they were all on-premise Microsoft Exchange servers with web services accessible to the public Internet. Exposing web services to the public internet is a common practice for customers with on-premise instances of Microsoft Exchange to provide their users with email services over the web through Outlook Web Access (OWA).


Using Project Sonar, Rapid7's Labs team was able to identify how target-rich an environment attackers have to work with: Nearly 170,000 servers vulnerable to a different recent Exchange CVE (for which proof-of-concept exploit code is readily available) were exposed to the public internet.


With the compromise identified, our team of Customer Advisors alerted our customers to this activity.  Meanwhile, our analysts quickly began performing deeper ..