August 2021 Microsoft Exchange Data Breach Analysis

In early 2021, Orange Tsai of the DEVCORE research team uncovered three vulnerabilities in the on-premises version of Microsoft Exchange. The exploit chain became known simply as "ProxyShell." ProxyShell consisted of three separate vulnerabilities that, when used in tandem, could remotely control an email server. They were related to the vulnerabilities previously exploited by Hafnium in March of the same year. The three were named: CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass, CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend, and CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE. Unlike the similar vulnerability identified a few months prior, what made this exploit particularly dangerous was its ability not only to bypass password authentication but also to bypass Exchange administrator identification, allowing an attacker to execute arbitrary commands without knowing the identity of an Exchange administrator.

In the exploit chain, the malicious payload is first delivered to the target mailbox via SMTP. Second, a proxy server is used to intercept the PowerShell connection and modify the traffic. Rewriting the URL path to EwsAutodiscoverProxyRequestHandler then triggers a path confusion bug, providing access to the PowerShell backend. Inserting the X-Rps-CAT parameter then allows the impersonation of users, including admin users, which grants admin privileges. Lastly, PowerShell commands are run to execute the malicious code.
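From a defender's side, the two request shapes named in the chain above (the Autodiscover path confusion and the injected X-Rps-CAT parameter) both land in the Exchange front-end IIS logs. The following is an added example, not code from the original post or from DEVCORE or Microsoft, that hunts for those shapes; the log lines are constructed, and the reduced six-field W3C layout (date time method uri-stem uri-query status) is an assumption.

```python
import re
from collections import namedtuple

# Constructed IIS log lines (not from any real server) in a reduced W3C layout:
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2021-08-13 10:01:02 GET /owa/auth/logon.aspx url=%2fowa%2f 200
2021-08-13 10:01:09 POST /autodiscover/autodiscover.json @example.test/mapi/nspi/ 200
2021-08-13 10:01:15 POST /autodiscover/autodiscover.json @example.test/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 200
2021-08-13 10:02:30 GET /autodiscover/autodiscover.json Email=user@example.test&Protocol=ActiveSync 200
2021-08-13 10:03:00 POST /ecp/default.aspx - 302
"""

Entry = namedtuple("Entry", "ts method stem query status")

def parse_line(line):
    """Split one reduced-layout log line into an Entry, or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    return Entry(parts[0] + " " + parts[1], parts[2], parts[3], parts[4], parts[5])

# Backend virtual directories that legitimately never appear inside an Autodiscover query.
BACKEND_PATHS = re.compile(r"/(powershell|mapi|ews|ecp)/", re.IGNORECASE)

def classify(e):
    """Return the list of detection reasons for an entry (empty when benign)."""
    reasons = []
    if e.stem.lower().endswith("/autodiscover/autodiscover.json"):
        # Path confusion: a query beginning with '@' that embeds a backend path means the
        # front end resolves a different backend URL than the stem suggests.
        if e.query.startswith("@") and BACKEND_PATHS.search(e.query):
            reasons.append("autodiscover path confusion (CVE-2021-34473 pattern)")
    if "x-rps-cat" in e.query.lower():
        # Attacker-supplied access token aimed at the PowerShell backend (CVE-2021-34523).
        reasons.append("X-Rps-CAT token in query (PowerShell backend impersonation)")
    return reasons

def hunt(log_text):
    """Return (timestamp, reasons) for every suspicious line in the log text."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e and (reasons := classify(e)):
            findings.append((e.ts, reasons))
    return findings

if __name__ == "__main__":
    for ts, reasons in hunt(SAMPLE_LOG):
        print(ts, "->", "; ".join(reasons))
```

Only the two constructed lines carrying a backend path behind the '@' are flagged; the ordinary Autodiscover request with a user address in its query is not.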

Although Microsoft quickly identified and patched the vulnerabilities, the patches were not pushed to Exchange users as a priority and were instead included in a monthly patch cycle. Additionally, Microsoft did not allocate CVEs (Common Vulnerabilities and Exposures identifiers) for these vulnerabilities until months after they were identified. As a result, most organizations were not made aware of the severity of the vulnerabilities and did not push the patches to their systems.

This vulnerability was exploited by the LockFile ransomware to access and attack numerous Exchange servers, including many used by the US government. As a result of these attacks, tens of thousands of Microsoft email accounts were compromised; emails were stolen from these accounts, and the intruding party was able to surveil them. Microsoft attributed the hack to China, and the Chinese government responded negatively to the accusation, with spokesperson Wang Wenbin stating "China has reiterated on multiple occasions that given the virtual nature of cyberspace and the fact that there are all kinds of online actors who are difficult to trace, tracing the source of cyberattacks is a complex technical issue. It is also a highly sensitive political issue to pin the label of cyberattack to a certain government." Clearly, this attack had not only technological and social implications, but diplomatic implications as well.

Several measures could have been taken to help mitigate abuse of this vulnerability. To start, Microsoft should have assigned CVEs to the vulnerabilities earlier than it did. Many organizations manage vulnerabilities solely through CVEs, and as a result they were slow to apply the fixes. Microsoft also failed to publicly disclose the severity of the vulnerabilities, so entities were slow to patch, which increased the risk of attack. Lastly, according to Kevin Beaumont in Exploiting Exchange ProxyShell vulnerabilities, "To make matters worse, in terms of customer protection, Microsoft pays $0 — no bounty at all — for on premise Exchange vulnerabilities to researchers (compared to millions for Office 365 vulnerabilities)." Because there was no financial incentive for researchers to locate these vulnerabilities before malicious parties did, risk increased while researchers focused their efforts on Office 365 vulnerabilities. Had Microsoft offered bounties for on-premises Exchange vulnerabilities, the likelihood of identifying and patching them before they could be exploited would have increased drastically.

There is much to be learned from this incident, and Microsoft has already implemented some of these fixes. For example, Microsoft now pays bounties for on-premises Exchange vulnerabilities. Although these vulnerabilities are still considered ongoing, steps continue to be taken to mitigate their impact on the Exchange user base.

References
Beaumont, K. (2021, August 21). Multiple threat actors, including a ransomware gang, exploiting Exchange ProxyShell vulnerabilities. DoublePulsar. Retrieved January 22, 2023, from https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c
Conger, K., & Frenkel, S. (2021, March 6). Thousands of Microsoft customers may have been victims of hack tied to China. The New York Times. Retrieved January 22, 2023, from https://www.nytimes.com/2021/03/06/technology/microsoft-hack-china.html
Gatlan, S. (2022, April 14). Microsoft increases awards for high-impact Microsoft 365 bugs. BleepingComputer. Retrieved January 22, 2023, from https://www.bleepingcomputer.com/news/security/microsoft-increases-awards-for-high-impact-microsoft-365-bugs/
Tsai, O. (2021, August 18). From Pwn2Own 2021: A new attack surface on Microsoft Exchange – ProxyShell! Zero Day Initiative. Retrieved January 22, 2023, from https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
