Microsoft Releases Exchange Emergency Patch to Fix Actively Exploited Vulnerability

Published: 2021-03-03
Last Updated: 2021-03-05 12:29:30 UTC
by Johannes Ullrich (Version: 1)

Microsoft today released an emergency patch for Microsoft Exchange Server. The patch fixes seven different vulnerabilities. Four of these vulnerabilities are currently being used in targeted attacks.

Quick Summary / What you need to do:

  1. Verify that you are not already compromised. Microsoft has some indicators here.
  2. Patch. But currently, the patch is only available if you applied recent updates. So you may have to apply them first if you are behind. See the first table below for details.
  3. Review your Exchange Server configuration. Microsoft has tips here.

The attacks gain access via a Server-Side Request Forgery (SSRF) vulnerability. Exploiting this vulnerability requires access to port 443. The vulnerability can be used to trick the Exchange server into sending requests essentially to itself, bypassing authentication. This gives access to an insecure deserialization vulnerability that can be leveraged to execute arbitrary code as SYSTEM. Finally, two file upload vulnerabilities are used to upload files to the system.

Microsoft observed the attackers uploading web shells for persistent access and exfiltrating credentials and email from affected servers.

Microsoft currently only makes patches available for the exact versions listed below in the "Patch Available For" column. You will first need to apply the respective RU/CU before applying today's patch.

| Version | Vulnerable | Patch Available For |
|---|---|---|
| Exchange Server 2010 | no | 2010 RU 31 for SP 3 (defense-in-depth update), KB5000978 |
| Exchange Server 2013 | yes | 2013 CU 23 (KB5000871) |
| Exchange Server 2016 | yes | 2016 CU 19, CU 18 (KB5000871) |
| Exchange Server 2019 | yes | CU 8, CU 7 (KB5000871) |

 

March 2, 2021 Exchange Emergency Patch Summary.

Description: Microsoft Exchange Server Remote Code Execution Vulnerability

| CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|
| CVE-2021-26412 | No | No | Less Likely | Less Likely | Critical | 9.1 | 8.2 |
| CVE-2021-26854 | No | No | Less Likely | Less Likely | Important | 6.6 | 5.8 |
| CVE-2021-26855 | No | Yes | Detected | Detected | Critical | 9.1 | 8.4 |
| CVE-2021-26857 | No | Yes | More Likely | Detected | Critical | 7.8 | 7.2 |
| CVE-2021-26858 | No | Yes | Detected | Detected | Important | 7.8 | 7.2 |
| CVE-2021-27065 | No | Yes | Detected | Detected | Critical | 7.8 | 7.2 |
| CVE-2021-27078 | No | No | Less Likely | Less Likely | Important | 9.1 | 8.2 |

Related Microsoft Posts:

HAFNIUM targeting Exchange Servers with 0-day exploits
Multiple Security Updates Released for Exchange Server
Released: March 2021 Exchange Server Security Updates
Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)
Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: March 2, 2021 (KB5000978)

 

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

ISC Stormcast For Wednesday, March 3rd, 2021 https://isc.sans.edu/podcastdetail.html?id=7396

Qakbot infection with Cobalt Strike

Published: 2021-03-03
Last Updated: 2021-03-03 00:01:13 UTC
by Brad Duncan (Version: 1)

Introduction

On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity.  I've seen Cobalt Strike from Qakbot infections before.  Below are two that I documented in December 2020.

I haven't documented one for the ISC yet, so today's diary reviews my Qakbot infection with Cobalt Strike seen on Tuesday 2021-03-02.


Shown above:  Flow chart for the Qakbot infection with Cobalt Strike from Tuesday 2021-03-02.

Images


Shown above:  Spreadsheet extracted from a zip archive attached to malspam pushing Qakbot.


Shown above:  Traffic from the infection filtered in Wireshark (image 1 of 3).


Shown above:  Traffic from the infection filtered in Wireshark (image 2 of 3).


Shown above:  Traffic from the infection filtered in Wireshark (image 3 of 3).


Shown above:  Initial DLL saved to the victim's Windows host.


Shown above:  Artifact saved to disk during the Qakbot infection.


Shown above:  Registry updates caused by Qakbot.

Indicators of Compromise (IOCs)

Malware from the infected Windows host:

SHA256 hash: 16a0c2f741a14c423b7abe293e26f711fdb984fc52064982d874bf310c520b12

SHA256 hash: 24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44

Traffic to retrieve the initial Qakbot DLL:

  • 8.209.64[.]96 port 80 - kfzhm28pwzrlk02bmjy[.]com - GET /mrch.gif

Qakbot C2 traffic:

  • 207.246.77[.]75 port 995 - HTTPS traffic

Cobalt Strike traffic:

  • 45.144.29[.]185 port 443 - HTTPS traffic
  • 45.144.29[.]185 port 443 - logon.securewindows[.]xyz - HTTPS traffic
  • 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /WjSH
  • 45.144.29[.]185 port 8080 - logon.securewindows[.]xyz:8080 - GET /cx
  • 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /en_US/all.js
  • 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - POST /submit.php?id=248927919
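
One way to put the traffic indicators above to work, as an added example that is not part of the original diary: parse the defanged lines into structured indicators and grade proxy or flow log entries by how closely they match. The log layout (time, source, destination, port, method, host, URI) is an assumption, and the sample log is constructed: its times, the 10.3.2.101 client and the 203.0.113.9 / 198.51.100.7 addresses are made up.

```python
import re
from collections import namedtuple
Indicator = namedtuple("Indicator", "ip port host method path")
# Indicator lines as published in the diary (still defanged).
DIARY_IOCS = """\
8.209.64[.]96 port 80 - kfzhm28pwzrlk02bmjy[.]com - GET /mrch.gif
207.246.77[.]75 port 995 - HTTPS traffic
45.144.29[.]185 port 443 - HTTPS traffic
45.144.29[.]185 port 443 - logon.securewindows[.]xyz - HTTPS traffic
45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /WjSH
45.144.29[.]185 port 8080 - logon.securewindows[.]xyz:8080 - GET /cx
45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /en_US/all.js
45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - POST /submit.php?id=248927919
"""
# Constructed log, not from the diary; assumed fields: time src dst dport method host uri.
SAMPLE_LOG = """\
2021-03-02T17:02:11Z 10.3.2.101 8.209.64[.]96 80 GET kfzhm28pwzrlk02bmjy[.]com /mrch.gif
2021-03-02T17:05:40Z 10.3.2.101 207.246.77[.]75 995 - - -
2021-03-02T17:40:19Z 10.3.2.101 203.0.113.9 443 - logon.securewindows[.]xyz -
2021-03-02T17:41:00Z 10.3.2.101 198.51.100.7 443 GET example.com /en_US/all.js
"""
IOC_RE = re.compile(r"^(\S+) port (\d+)(?: - (\S+))? - (?:(GET|POST) (\S+)|HTTPS traffic)$")
RANK = {None: 0, "host-only": 1, "endpoint": 2, "request": 3}

def refang(text):
    return text.replace("[.]", ".")

def parse_iocs(text):
    rows = (IOC_RE.match(l.strip()).groups() for l in refang(text).strip().splitlines())
    return [Indicator(ip, int(port), host and host.split(":")[0], m, p) for ip, port, host, m, p in rows]

def classify(log_line, iocs):
    """Strongest match for one log line: request > endpoint > host-only > None."""
    _ts, _src, dst, dport, method, host, uri = refang(log_line).split()
    best = None
    for i in iocs:
        hit = None
        if (dst, int(dport)) == (i.ip, i.port):
            hit = "request" if i.path and (method, uri) == (i.method, i.path) else "endpoint"
        elif i.host and host.split(":")[0] == i.host:
            hit = "host-only"  # indicator name seen on a different address
        best = max(best, hit, key=RANK.get)
    return best

def scan(log_text, iocs):
    return [classify(line, iocs) for line in log_text.strip().splitlines()]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, parse_iocs(DIARY_IOCS)))
```

A URI is only compared once the destination address and port already match, so a common path such as /en_US/all.js on an unrelated server is not flagged. The host-only grade catches an indicator hostname that resolves to a different address than the one recorded in the diary.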

Final words

A pcap of the infection traffic and the associated malware can be found here.

---

Brad Duncan
brad [at] malware-traffic-analysis.net
