
Tenable Blog


How to Identify Compromised Microsoft Exchange Server Assets Using Tenable

As organizations continue to respond to a flurry of attacks by HAFNIUM and other threat actors leveraging ProxyLogon (CVE-2021-26855) and related vulnerabilities (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), Tenable has released a plugin to help you identify potentially compromised assets.

Background

Microsoft published an out-of-band advisory for four zero-day vulnerabilities in Microsoft Exchange Server on March 2 in response to in-the-wild exploitation of these flaws by a nation-state threat actor known as HAFNIUM as well as several other threat actors. Initial reports suggested that over 30,000 organizations may have been compromised as a result, but that number has since been revised to over 60,000.

On March 9, Microsoft found more than 100,000 publicly accessible Exchange servers were still vulnerable. On March 12, Microsoft said that number had decreased to 82,000, which shows that while efforts to patch have been successful, there are still many Exchange servers exposed, leaving them vulnerable to attacks.

On March 11, Michael Gillespie, founder of the ID Ransomware service, discovered a new ransomware family called DearCry targeting vulnerable Exchange servers. This was subsequently confirmed by Microsoft Security Intelligence.

As more and more organizations focus their efforts on patching these flaws, it is increasingly important for them to take the time to look for signs of existing compromise in the process.

Exchange Server Plugins

Tenable has released four plugins since the March 2 out-of-band advisory: two version check plugins, a direct check plugin and an indicator of compromise (IOC) plugin.

| Plugin | Plugin Type | Description |
| --- | --- | --- |
| Security Update for Microsoft Exchange Server 2010 SP 3 (March 2021) | Version Check | Identify vulnerable Exchange Server 2010 systems. |
| Security Updates for Microsoft Exchange Server (March 2021) | Version Check | Identify vulnerable Exchange Server 2013, 2016 and 2019 systems. |
| Microsoft Exchange Server Authentication Bypass | Direct Check | Directly identify vulnerable Exchange Server systems uncredentialed. |
| Potential exposure to Hafnium Microsoft Exchange targeting | Local Check | Identify potential web shells in selected directories for further analysis. |

The IOC plugin, identified as plugin ID 147193, can be used by organizations scanning for vulnerable Exchange servers in their environment to collect IOCs. The results from this plugin can aid defenders in determining if attackers successfully compromised their systems.

Examining the output from the IOC plugin

The IOC plugin will flag files in select Exchange Server directories where attackers are known to have implanted webshells. These details can be seen in the output section of the scan results:

In the example above, three files were discovered in these selected directories.

Comparing files from the plugin output against known IOCs

Knowing which files are in these directories is just the first step. The next step is to compare these results against publicly available indicators of compromise associated with these attacks. Fortunately, Microsoft has published a list of IOCs in both CSV and JSON format that list files known to be malicious.

The image above is a section within Microsoft’s list of IOCs. When comparing this list with the output for the IOC plugin, we see that one file, discover.aspx, is a direct match, including the path. This is a strong indication that the attackers implanted a webshell on a vulnerable Exchange Server.

In addition to Microsoft’s list of IOCs, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory about the Exchange Server attacks and included a list of File Path Indicators to examine for potential compromise.

For example, the FBI/CISA advisory calls out the presence of files within the \inetpub\wwwroot\aspnet_client\\system_web\ path as well as any file or modified file not part of the standard Exchange Server Install for a number of file paths, including \\FrontEnd\HttpProxy\owa\auth\.

When we review the output from our IOC plugin, we see there is an aspx file under the system_web path called 1302992a.aspx, as well as a file, HttpProxy.aspx, under the \\FrontEnd\HttpProxy\owa\auth\ path. The presence of these files does not definitively confirm additional compromise, but warrants further exploration as they may also be associated with these attacks.

It is important to note that with more and more threat actors targeting vulnerable Exchange servers, the list of known bad filenames and hashes will continue to grow. We highly recommend reviewing all files within the paths provided by the FBI/CISA and Microsoft.
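The comparison described in this section can be scripted. The following is an added example, not Tenable's or Microsoft's code: it labels each flagged file as a direct match against an IOC list or as an unlisted file in a watched path that still needs review. The CSV column names, the drive letters, the Exchange install directory and the `triage` and `load_iocs` helpers are assumptions, and the sample data is constructed.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed stand-in for a published IOC list. Column names are assumed;
# adjust them to the real feed's schema.
SAMPLE_IOC_CSV = r"""path,filename
C:\inetpub\wwwroot\aspnet_client,discover.aspx
"""

# Directory fragments from the FBI/CISA paths quoted in the article,
# lower-cased, with a trailing separator so sibling directories do not match.
WATCHED_FRAGMENTS = (
    "\\inetpub\\wwwroot\\aspnet_client\\",
    "\\frontend\\httpproxy\\owa\\auth\\",
)

# Constructed findings: file names come from the article, drive letters and
# the Exchange install directory are assumed.
SAMPLE_FINDINGS = [
    r"C:\inetpub\wwwroot\aspnet_client\discover.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\1302992a.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\HttpProxy.aspx",
]


def norm(path):
    """Windows paths are case-insensitive: normalise separators and case."""
    return str(PureWindowsPath(path)).lower()


def load_iocs(csv_text):
    """Return the set of normalised full paths listed in the IOC CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {norm(PureWindowsPath(r["path"]) / r["filename"]) for r in rows}


def triage(findings, iocs):
    """Label each flagged file: known-ioc, review, or outside-watched-paths."""
    labels = {}
    for finding in findings:
        n = norm(finding)
        if n in iocs:
            labels[finding] = "known-ioc"   # direct match, path included
        elif any(fragment in n for fragment in WATCHED_FRAGMENTS):
            labels[finding] = "review"      # not listed, but in a watched path
        else:
            labels[finding] = "outside-watched-paths"
    return labels


if __name__ == "__main__":
    for path, label in triage(SAMPLE_FINDINGS, load_iocs(SAMPLE_IOC_CSV)).items():
        print(f"{label:22} {path}")
```

A "review" label is not a clean result: it marks a file that no published list names yet but that sits in a directory the advisories say to inspect.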

Solution

Webshells give attackers an effective way to maintain persistent access to a victim’s systems. Once webshells associated with these Exchange Server vulnerabilities have been identified in your environment, it is important to immediately activate incident response processes to remove the webshells and determine the scope of these attacks. Removing the webshells is not just a step to prevent the threat actors who implanted them from maintaining persistence, but to prevent other threat actors from “piggybacking” by scanning for and using them as well, as was recently confirmed by security researcher Marcus Hutchins.

Frequently Asked Questions

Q: Why didn’t the IOC plugin trigger for all of my Exchange servers?

A: The IOC plugin will only trigger on Exchange Servers where potential IOCs have been found within the identified Exchange Server paths.

Q: How do I know the IOC plugin ran?

A: When reviewing the output for plugin ID 147193, there are two expected results:

| Status | Expected Output Results |
| --- | --- |
| Potential Compromise Detected | The following .aspx files have been found in directories linked to the Hafnium attack: - |
| Potential Compromise Not Detected | The remote host is not affected as no potential IOCs were found. Note that this does not mean the target is not vulnerable to the Hafnium CVEs. See vendor advisory |

If the plugin runs successfully, you will see one of the two expected outputs above. If you do not see these results after completing a scan, you can refer to this troubleshooting article.

Q: I patched my Exchange servers but the IOC plugin is still triggering?

A: Patching Exchange Servers addresses the underlying vulnerabilities. It does not remediate potential web shells that may have been implanted on those servers through the exploitation of these flaws, which is why the IOC plugin will still trigger even after patches have been applied. If potential compromise is detected, it is important to follow our recommendations to remediate by activating incident response processes to remove any web shells and investigate for further compromise.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
