Update, September 30, 2022:
What's Old Is New Again: ProxyNotShell in Exchange
On September 29, Microsoft announced that they are investigating two zero-day vulnerabilities in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082. The first, CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability, while the second, CVE-2022-41082, allows for remote code execution (RCE) through Microsoft PowerShell.
The recently disclosed vulnerabilities, known as ProxyNotShell, appear to be closely related to the cluster of vulnerabilities known as ProxyShell disclosed in March of 2021 that also enabled SSRF and RCE attacks. According to Microsoft, the most recent vulnerabilities are being actively exploited in targeted, but limited attacks. At the time of writing, Microsoft has not released a patch for either vulnerability.
The ExtraHop Threat Research Team is actively monitoring for exploit attempts and is confident that the existing detectors and Threat Briefing for ProxyShell are effective against the ProxyNotShell vulnerabilities. We have updated the Threat Briefing with new information about the attack, and will continue to provide updates as necessary.
Exchange Server Vulnerabilities and Attacks
The news of active exploitation of the Microsoft Exchange Server vulnerabilities has highlighted the importance of network visibility in securing critical server infrastructure. Microsoft has quickly patched vulnerabilities, but there remain important points to note.
First, the general class of server-side request forgery (SSRF) attacks that were used against Microsoft Exchange Server in this case can also target other public-facing services, possibly turning servers into new threat vectors that bypass your perimeter defenses. That makes clear that network visibility and decryption are central to securing public-facing infrastructure. Second, monitoring and securing Microsoft Exchange Server has its own set of unique challenges that administrators and security analysts need to be aware of.
A note: the Microsoft Exchange Server vulnerabilities are also being referred to as the ProxyLogon vulnerabilities. ProxyLogon is technically the name given specifically to CVE-2021-26855, but the name is being used in some cases to refer to a cluster of four vulnerabilities in MS Exchange Server.
Microsoft Exchange ProxyShell Vulnerabilities
CVE-2021-34473 is one of a cluster of Exchange ProxyShell vulnerabilities. It can enable remote code execution (RCE), allowing attackers to bypass access control to execute commands as if they were a user. The flaw is part of the Autodiscover service, which helps automate and simplify Exchange Server configuration.
Hackers have actively exploited this in combination with the other ProxyShell vulnerabilities (CVE-2021-34523 and CVE-2021-31207) to access Exchange Server, launch Lockfile ransomware attacks, and execute PetitPotam attacks.
ExtraHop Reveal(x) network detection and response automatically detects exploitation of CVE-2021-34473 to stop attacks.
In an SSRF attack, a malicious client sends a request to a server. That request triggers the server to send another request; often a malicious request made to internal resources behind your network perimeter. When combined with other exploits, SSRF enables attackers to very quickly escalate privileges and move laterally within the network.
In many SSRF attacks, including this most recent MS Exchange Server attack, the malicious traffic is encrypted. The ability to decrypt traffic to the Microsoft Exchange Server is critical to detect and track this SSRF attack's activity.
SSRF attacks are only the latest example of the global trend towards attackers leveraging encryption to circumvent detection. Multiple sources estimate that approximately 70% of all malicious traffic in 2020 was encrypted. Some of the most common types of attacks use encryption, including:
- Suspicious authentication activity (if LDAP is encrypted, a best practice for enterprises)
- Database access attempts & exfiltration
- Command and control communications
- Cross-site scripting (XSS) attacks
- SQL injection attacks
In the Microsoft Exchange Server SSRF attack and the attack scenarios listed above, decryption is the only way to detect and investigate the malicious activity. While many network security vendors claim to detect encrypted attacks using Encrypted Traffic Analytics (ETA) which analyzes network traffic telemetry, including the volume, frequency, and pattern of communications, this type of analysis works best for detecting known and derivative types of malware. However, ETA cannot detect the SSRF-style attacks used by cybercriminals in the Microsoft Exchange Server exploits.
ExtraHop Reveal(x) 360 goes far beyond telemetry analysis and signatures, performing line-rate decryption of SSL/TLS 1.0 to 1.3-encrypted traffic, including cipher suites that support perfect forward secrecy (PFS). This decryption can scale to 64,000 SSL transactions per second (TPS) using 2048-bit keys. For encrypted, high-traffic-volume attacks, this level of visibility into encrypted sessions is a critical detection, investigation and response capability for security operations teams.
Decryption is complex and computationally expensive. This is why many vendors don't do it, especially those whose products are in-line. Providing visibility into encrypted traffic, while also protecting sensitive customer data, requires an approach that intentionally unites security and privacy—one that we at ExtraHop have worked very hard to achieve.
As the growing volume of encrypted malicious traffic illustrates, attackers will continue to leverage this trend to hide malicious traffic in plain sight. Don't let them. Detecting threats in malicious traffic isn't as simple as shaking the wrapped box and guessing. When it comes to your business, you need to know.
Preventing Lateral Movement with Network-Based Behavioral Analysis
In the days after Microsoft patched the four zero-day bugs in Microsoft Exchange Server, multiple APT groups are thought to have joined in with attacks exploiting the vulnerabilities. The result was at least 30,000 victim organizations in the US alone, and many more worldwide. One report claimed that exploit attempts rose ten-fold over just five days.
Scenarios like this make rapid, effective network-based detection and response critical.
Why Exchange Is So Security-Relevant
Microsoft Exchange Server is an attractive target for attackers. Not only does it contain sensitive business data in its own right, but it can also be exploited to move laterally to other high value systems. As Microsoft says: "If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance."
These so-called "living-off-the-land" techniques are increasingly popular among threat actors today. Because they leverage legitimate Microsoft tools like PSExec and Windows Management Instrumentation rather than malicious code, they're also less likely to be detected by legacy security controls. In the case of the recent Exchange attacks, threat actors have been stealing (dumping) passwords from the compromised servers, allowing them to move laterally across networks without being noticed.
This route could theoretically enable attackers to find and access customer databases for large-scale information theft, or to move through the network, deploying ransomware at strategic points for maximum impact, for example. This is why network-based behavioral detection is critical.
Behavior-Based Detection for Zero-Day Vulnerabilities
Network detection and response (NDR) is your best option for finding threat actors that have already breached the perimeter. Unlike log or endpoint data, which can be turned off, evaded or modified, network traffic offers continuous visibility into the activity of adversaries. Monitoring network behaviors is also more effective than alternative approaches, as there are just a handful of ways to exfiltrate stolen data across the network. These can be used to detect attacker TTPs across the MITRE ATT&CK Framework. Finally, the network offers greater depth and visibility into the behavior and attributes of any attached devices.
Given the bad guys are using legitimate tools or credentials to stay hidden, you must monitor for abnormal behavior at this network layer. This is where machine learning comes in. It's a more effective way to detect malicious activity, with a much lower false-positive rate than legacy, signature-based intrusion detection systems (IDS). This fact is due to its ability to learn what normal looks like, and then spot anomalies in the behavior of individual devices as well as groups of peer devices. When a device deviates from known normal behavior, or starts to exhibit behaviors that resemble known attack techniques, the system will raise an alarm.
Advanced machine learning allows NDR to detect threats other tools miss. However, the truth is that not all machine-learning-powered behavioral analysis is created equal. Critical visibility into encrypted traffic can access crucial Layer 7 application details that allow defenders to detect attackers that are leveraging encrypted protocols to hide their actions.
NDR for a New Threat Landscape
The new reality is that determined attackers are increasingly capable of breaching your perimeter—whether they have zero-day vulnerabilities to exploit, leverage a supply chain attack, or use one of any number of techniques. That's why effective NDR featuring machine learning-powered behavioral analysis should be table stakes for today's CISOs. The strategic challenge going forward is finding a provider that doesn't merely tick the boxes on machine learning, but has a deep set of powerful capabilities to support enhanced detection and response.
These exploits are another in a string of high profile attacks which bring home the importance of monitoring attack behaviors that can be detected regardless of whether someone got in using a known vulnerability or a zero-day exploit.