Enemy At The Gates

Surely by now you’ve heard about the attacks on Exchange architectures this week. The news largely broke with a couple of posts by Microsoft and Volexity on March 2, 2021.

March 3rd, the chickens came home to roost. So. Many. Chickens.

I’ll share some of my findings and provide some IOCs I have observed during the past week.

I won’t bore you with a rehash of what is already available; instead, I will provide links to some excellent resources and tools I used while working with clients in response to this.

CISA also has a great deal of info that is constantly being updated.

Rapid Assessment

Using the IOCs and TTPs published by Microsoft and Volexity, I was able to use Graylog queries to rapidly sift through proxy and NSM logs to identify suspicious traffic and further correlate those findings with Event logs.

Microsoft and Volexity did a great job of releasing enough information for incident responders to start their processes without leaking dangerous details that additional attackers could make use of. Kudos to those teams.

Mitigations

If for whatever reason you are unable to patch right away, Microsoft also published a list of mitigations to counter the chain of CVEs used in this attack.

Some of the evidence I witnessed leads me to believe that a reverse proxy, or a decoupled Exchange 2010-type architecture where the CAS/Hub servers are separated from the DAG, might provide some level of counter-measure. However, at this time it is just a theory.

Tools

This is the first time I used CyberTriage to pull artifacts from a suspect machine. It seems like a capable and time-saving tool and is worth your time to check out if you are an incident responder. Other than that, I spent a bunch of time in SIEMs. Folks, centralizing your logs is such a huge benefit in times like these. I also made good use of NetFlow to help rule out data exfiltration and other suspect activities.

IOCs

IP Addresses

85.220.100.242
66.230.230.230
91.192.103.25
195.176.3.24
23.129.64.216

URI Requests

/owa/auth/errorFE.aspx?httpCode=500
/owa/auth/errorFE.aspx?httpCode=404
/owa/auth/Current/themes/resources/logonin.aspx
/owa/auth/Current/themes/resources/owaauth.aspx
/owa/auth/Current/themes/resources/owafont_vo.aspx
/owa/auth/errorEE.aspx
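To make the rapid-assessment step above concrete, here is an added example (my own illustration, not code from the original post or from Microsoft/Volexity) that runs the IP and URI IOCs listed above against IIS W3C extended log lines pulled from an Exchange server. The log lines are constructed for the example. It matches the IOCs exactly (case-insensitively, since IIS paths are case-insensitive, and with the cs-uri-query field rejoined to the stem so `errorFE.aspx?httpCode=500` can be compared whole), and it adds one heuristic that is my assumption rather than a published IOC: the `themes/resources` directory should only serve static assets, so any `.aspx` requested there is flagged even if its filename is not in the list.

```python
"""Triage IIS W3C logs from an Exchange CAS against the IOCs in this post.

Added example: the IOCs are the ones listed above; the log lines below are
constructed for illustration; the themes/resources heuristic is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# IOCs copied from the list above (compared lower-cased).
IOC_IPS = {
    "85.220.100.242",
    "66.230.230.230",
    "91.192.103.25",
    "195.176.3.24",
    "23.129.64.216",
}
IOC_URIS = {u.lower() for u in (
    "/owa/auth/errorFE.aspx?httpCode=500",
    "/owa/auth/errorFE.aspx?httpCode=404",
    "/owa/auth/Current/themes/resources/logonin.aspx",
    "/owa/auth/Current/themes/resources/owaauth.aspx",
    "/owa/auth/Current/themes/resources/owafont_vo.aspx",
    "/owa/auth/errorEE.aspx",
)}
# Assumption (not an IOC from the post): this directory holds static OWA
# assets, so a request for an .aspx page there is suspicious regardless of name.
SUSPICIOUS_DIR = "/owa/auth/current/themes/resources/"

# Constructed sample log, IIS W3C extended format with a #Fields header.
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 04:12:09 10.0.0.5 POST /owa/auth/Current/themes/resources/logonin.aspx - 443 - 85.220.100.242 python-requests/2.25.1 200
2021-03-03 04:12:15 10.0.0.5 GET /owa/auth/errorFE.aspx httpCode=500 443 - 91.192.103.25 Mozilla/5.0 200
2021-03-03 04:13:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2021-03-03 04:13:30 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx - 443 - 198.51.100.9 Mozilla/5.0 200
"""


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    uri: str
    status: str
    reasons: List[str]


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, using the #Fields header for column names."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # blank line or other directive
        if fields is None:
            raise ValueError("log has no #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than mis-align columns
        yield dict(zip(fields, values))


def triage(lines: Iterable[str]) -> List[Hit]:
    """Return every request matching an IOC IP, an IOC URI, or the heuristic."""
    hits: List[Hit] = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        uri = stem if query == "-" else f"{stem}?{query}"
        ip = row.get("c-ip", "")
        reasons: List[str] = []
        if ip in IOC_IPS:
            reasons.append("client IP in IOC list")
        if uri.lower() in IOC_URIS:
            reasons.append("URI in IOC list")
        elif stem.lower().startswith(SUSPICIOUS_DIR) and stem.lower().endswith(".aspx"):
            reasons.append("aspx under themes/resources (heuristic)")
        if reasons:
            hits.append(Hit(f"{row.get('date')} {row.get('time')}", ip, uri,
                            row.get("sc-status", ""), reasons))
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG.splitlines()):
        print(h.timestamp, h.client_ip, h.status, h.uri, "|", "; ".join(h.reasons))
```

Point `triage()` at the real `u_ex*.log` files under the IIS `LogFiles\W3SVC1` directory and every hit is a request worth pivoting on in the SIEM: the client IP for other sessions, and the timestamp for the corresponding Exchange and Windows Event log entries. Remember that a hit on the heuristic alone is a lead, not a confirmed IOC.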