
Exchange Server 2013 Cumulative Update 24

Cumulative Update 20 for Microsoft Exchange Server 2013 was released on March 20, 2018. This cumulative update includes fixes for nonsecurity issues and all previously released fixes for security and nonsecurity issues. These fixes will also be included in later cumulative updates for Exchange Server 2013.


If you are using Microsoft Exchange server: this exposure has led to widespread exploitation by threat actors who are commonly deploying web shells to remotely execute arbitrary code on compromised devices, similar to that seen in the HAFNIUM attack. What should you do? Watch the video above as Mat Gangwer, head of the Sophos Managed Threat Response (MTR) team, shares details about the threat and offers advice about how to respond. Backup Exchange IIS/Server logs and ensure you have applied the July 2021 security updates for Microsoft Exchange.


If you have already been breached, the software patches do not address post-exploit behavior by a threat actor:
Identify and investigate your exposure windows for adversarial activity
Identify and delete web shells and malicious binaries (for non Sophos MTR customers)
Review process activity for instances of w3wp.exe
Identify and remove any persistence established by an actor

Sophos customers are protected by multiple detections for the exploitation of these vulnerabilities. Verify that all protections have been enabled and your exclusions are kept to a minimum.

LockFile is a new ransomware family that appears to exploit the ProxyShell vulnerabilities to breach targets with unpatched, on premises Microsoft Exchange servers. SophosLabs has released additional behavior-based protection for LockFile provided by the Mem/LockFile-A detection for Windows devices running Sophos endpoint and server protection managed through Sophos Central. Further detections:
Troj/ASPDoor-Y (detects malicious PST files)
CXmal/WebAgnt-A (detects malicious PST files in the context of customers' environments)
Troj/Agent-BHQD (detects the binary component of LockFile ransomware)
SophosLabs has also published IPS signatures for the ProxyShell CVEs. In addition, on August 24th, SophosLabs released a new, more generic signature 2305979 to detect attempted vulnerability exploit in Microsoft Exchange server.

Determining impact with Sophos XDR

1. Investigate exposure

Verifying current Microsoft Exchange version
To determine whether you are running an unpatched version of Exchange or not, the below XDR query for live Windows devices will produce a table of Exchange servers, their current version, and guidance whether they need patching or not. The version numbers identified in the below query were gathered from this Microsoft article. They can be used by threat hunters to perform searches in their own environments.

Recommend also updating with recent July Patch.'
WHEN '.23' THEN 'Exchange 2013 CU23 Jul21 patched against ProxyShell.'
WHEN '.18' THEN 'Exchange 2013 CU23 May21 patched against ProxyShell. Recommend also updating with recent July Patch.'
WHEN '.14' THEN 'Exchange 2016 CU19 May21 patched against ProxyShell. Recommend also updating with recent July Patch.'
WHEN '.12' THEN 'Exchange 2016 CU21 Jul21 patched against ProxyShell.'
WHEN '.10' THEN 'Exchange 2016 CU20 May21 patched against ProxyShell. Recommend also updating with recent July Patch.'
WHEN '.14' THEN 'Exchange 2016 CU21 Jul21 patched against ProxyShell'
WHEN '.8' THEN 'Exchange 2016 CU21 patched against ProxyShell. Recommend also updating with recent July Patch.'
WHEN '15.2.858.15' THEN 'Exchange 2019 CU9 Jul21 patched against ProxyShell'
WHEN '15.2.858.12' THEN 'Exchange 2019 CU9 May21 patched against ProxyShell.'
WHEN '15.2.922.13' THEN 'Exchange 2019 CU10 Jul21 patched against ProxyShell'
WHEN '15.2.922.7' THEN 'Exchange 2019 CU10 patched against ProxyShell.'
ELSE 'Manually verify build number from MS documentation.'

Windows Events for New-MailboxExportRequest abuse
CVE-2021-31207 enables a threat actor to write files to disk by abusing a feature of the Exchange PowerShell backend, specifically the New-MailboxExportRequest cmdlet. This cmdlet enables an email to be written to disk, using a UNC path, that contains an arbitrary email attachment.

IIS logs
By default, IIS logs are written to C:\inetpub\logs\LogFiles\. HTTP requests inbound to the IIS server will be detailed including the request type and path. A common artifact seen in these logs for abuse of CVE-2021-34473 is the presence of &Email=autodiscover/autodiscover.json in the request path to confuse the Exchange proxy to erroneously strip the wrong part from the URL. E.g. GET /autodiscover/autodiscover.json

The below XDR query for live Windows devices will query the IIS logs on disk for any lines that contain the string 'autodiscover.json'. Please note that this query can be slow depending on the volume of logs it needs to parse. Should you later identify web shells, this same query can be repurposed to query for the web shell file name to reveal requests made to the web shell: simply change 'autodiscover.json' to 'webshell_name.aspx'.

SELECT grep.*
FROM file
CROSS JOIN grep ON (grep.path = file.path)
WHERE file.path LIKE 'C:\inetpub\logs\LogFiles\W3SVC%\u_ex210%'
AND grep.pattern = 'autodiscover.json'


Identifying web shells
The web shell query looks for .aspx files (sf.path) in the following locations:

sf.path LIKE 'C:\inetpub\
OR sf.path LIKE 'C:\inetpub\
OR sf.path LIKE 'C:\inetpub\
OR sf.path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\%.aspx'
OR sf.path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\%.aspx'
OR sf.path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\current\%.aspx'
OR sf.path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\current\themes\%.aspx'
OR sf.path LIKE 'C:\ProgramData\%\%.aspx'

With the results, you can pivot from the path column of a suspected web shell by clicking the (…) button and selecting "File access history" to query and identify what processes have interacted with the file and which process created the file. Instances of w3wp.exe should be investigated to reveal further actions the adversary may have taken by pivoting from the sophosPID of the process, clicking the (…) button next to the sophosPID, and selecting the "Process activity history" query.
