Last Updated: 2021-03-03 03:22:36 UTC
by Johannes Ullrich (Version: 1)
Microsoft today released an emergency patch for Microsoft Exchange Server. The patch fixes seven different vulnerabilities. Four of these vulnerabilities are currently being used in targeted attacks.
Quick Summary / What you need to do:
- Verify that you are not already compromised. Microsoft has some indicators here.
- Patch. But currently, the patch is only available if you applied recent updates. So you may have to apply them first if you are behind. See the first table below for details.
- Review your Exchange Server configuration. Microsoft has tips here.
The attacks gain access via a Server Side Request Forgery (SSRF) vulnerability. Exploiting this vulnerability requires access to port 443. This vulnerability can be used to trick the Exchange server to send requests essentially to itself, bypassing authentication. This will give access to an insecure deserialization vulnerability that can be leveraged to execute arbitrary code as SYSTEM. Finally, two file upload vulnerabilities are used to upload files to the system.
Microsoft observed the attackers uploading web shells for persistent access and exfiltrating credentials and email from affected servers.
Microsoft currently only makes patches available for the exact versions listed below in the "Patch Available For" column. You will first need to apply the respective RU/CU before applying today's patch.
|Version||Vulnerable||Patch Available For|
|Exchange Server 2010||no||2010 RU 31 for SP 3 (defense-in-depth update)
|Exchange Server 2013||yes||2013 CU 23 (KB5000871)|
|Exchange Server 2016||yes||2016 CU 19 CU 18 (KB5000871)|
|Exchange Server 2019||yes||CU 8 CU 7 (KB5000871)|
March 2, 2021 Exchange Emergency Patch Summary.
|CVE||Disclosed||Exploited||Exploitability (old versions)||current version||Severity||CVSS Base (AVG)||CVSS Temporal (AVG)|
|Microsoft Exchange Server Remote Code Execution Vulnerability|
|CVE-2021-26412||No||No||Less Likely||Less Likely||Critical||9.1||8.2|
|CVE-2021-26854||No||No||Less Likely||Less Likely||Important||6.6||5.8|
|CVE-2021-27078||No||No||Less Likely||Less Likely||Important||9.1||8.2|
Related Microsoft Posts:
HAFNIUM targeting Exchange Servers with 0-day exploits
Multiple Security Updates Released for Exchange Server
Released: March 2021 Exchange Server Security Updates
Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)
Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: March 2, 2021 (KB5000978)
Last Updated: 2021-03-03 00:01:13 UTC
by Brad Duncan (Version: 1)
On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity. I've seen Cobalt Strike from Qakbot infections before. Below are two that I documented in December 2020.
I haven't documented one for the ISC yet, so today's diary reviews my Qakbot infection with Cobalt Strike seen on Tuesday 2021-03-02.
Indicators of Compromise (IOCs)
Malware from the infected Windows host:
- File size: 87,552 bytes
- File name: document-1955896638.xls
- File description: Excel spreadsheet with macro for Qakbot (Qbot)
- Any.Run analysis: https://app.any.run/tasks/713d7a1f-6905-4ddd-92e4-84c0bbc97f89
- Cape analysis: https://capesandbox.com/analysis/121176/
- Triage analysis: https://tria.ge/210302-1lphqmv2px
- File size: 434,744 bytes
- File location: hxxp://kfzhm28pwzrlk02bmjy[.]com/mrch.gif
- File location: C:\Users\[username]\IEUDLK.CJF
- File description: Initial DLL for Qakbot (Qbot) retrieved by Excel macro
- Any.Run analysis: https://app.any.run/tasks/957a9919-b411-4724-b49f-8c9a1a4c95ab
- Cape analysis: https://capesandbox.com/analysis/120925/
- Triage analysis: https://tria.ge/210302-y9rqfzcq5x
Traffic to retrieve the initial Qakbot DLL:
- 8.209.64[.]96 port 80 - kfzhm28pwzrlk02bmjy[.]com - GET /mrch.gif
Qakbot C2 traffic:
- 207.246.77[.]75 port 995 - HTTPS traffic
Cobalt Strike traffic:
- 45.144.29[.]185 port 443 - HTTPS traffic
- 45.144.29[.]185 port 443 - logon.securewindows[.]xyz - HTTPS traffic
- 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /WjSH
- 45.144.29[.]185 port 8080 - logon.securewindows[.]xyz:8080 - GET /cx
- 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /en_US/all.js
- 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - POST /submit.php?id=248927919
A pcap of the infection traffic and the associated malware can be found here.
brad [at] malware-traffic-analysis.net