
Sophos: How timely intervention stopped a ProxyLogon attack

A recent incident at an undisclosed customer sheds new light on how malicious actors exploit unpatched Microsoft Exchange servers

Cyber security researchers at Sophos have been sharing details of how they were able to cut off an ongoing cyber attack on one of their customers, which exploited the dangerous ProxyLogon vulnerabilities in on-premise instances of Microsoft Exchange Server.

The customer, whose identity has not been revealed, is a large North American organisation with about 15,000 endpoints in play. It was initially compromised on 16 March 2021, a couple of weeks after the ProxyLogon zero-days were disclosed, via CVE-2021-26855 and CVE-2021-27065, which were leveraged to execute a malicious PowerShell command on the vulnerable server.

“The target told their Sophos team that they thought they had patched the Exchange server correctly, and then had tested whether the server was compromised using some scripts provided by Microsoft,” said Andrew Brandt, principal researcher at Sophos, in a blog detailing the incident.

“Unfortunately, they relied too heavily on those scripts, which Microsoft had subsequently revised. The initial tests showed the server had not been compromised, but the follow-up tests using the revised scripts revealed that the server had, in fact, been taken over.

“While it was a useful exercise to run the ‘Have I Been Compromised’ scripts, it also serves as a cautionary tale that organisations should not rely on a test script alone to give themselves peace of mind.”

Within 90 minutes, the attacker had discovered the organisation’s domain admin accounts, dumped the credentials from memory in order to work on cracking their passwords offline, and modified a registry key to clear stored credentials from memory – which would force any legitimate users to retype their password the next time they logged on.

Two days later, they returned and began to move through the target network, establishing footholds on other machines, grabbing other credentials and setting up a backdoor into the network. They also used their access to install a commercial IT helpdesk access tool called Remote Utilities, signed with a legitimate Sectigo-issued certificate.

They then went silent until 27 March, when they came back and tried to execute a Cobalt Strike beacon in memory – Sophos’ tools prevented this, as well as a second attempt on 31 March.

On 1 April, the attacker started to use the Remote Utilities tool to open a connection from a computer with a Paris IP address to one of the targeted internal servers, and through it delivered the Mimikatz credential-dumping tool and a new PowerShell script, and created new users with admin rights. A day later, the target enlisted Sophos’ Managed Threat Response (MTR) team.


The attack was likely a precursor to a full-blown ransomware attack, and its evasive, slow-burn nature meant it probably would have been successful had the target not approached its security partner for help. In many instances when malicious actors see their tooling is being blocked by security products, they rapidly escalate to deploy ransomware, so it is likely that the victim acted in the nick of time.

“Quick action by Labs and MTR ensured that the attackers’ actions were countered by reactions that prevented them from doing more damage,” wrote Brandt. “The greatest harm they caused resulted in the organisation requiring all employees to change their passwords.”

Dan Schiappa, chief product officer at Sophos, added: “As explained in the research report, the attackers returned repeatedly, sometimes with different tools and other times to deploy the same tool, such as Cobalt Strike, on different machines. They used a commercial remote access utility rather than the more standard RDP that threat hunters would more typically look for.

“This report explains the complex nature of human-operated cyber attacks and how multi-stage, multi-vector incidents are difficult for IT security teams to track and contain. The target simply couldn’t keep up with the attack activity taking place across all parts of the estate. Based on Sophos’ 2021 State of ransomware report, this issue is more widespread than this one incident. More than 54% of IT managers surveyed said cyber attacks are too advanced for their IT teams to handle on their own.”

Sophos is today launching a new extended detection and response (XDR) product that synchronises native endpoint, firewall and email security to provide a “holistic view” of an organisation’s environment with rich datasets and deep analysis for better threat detection, investigation and response.
