Fortinet: No more ProxyShell? Web shells lead to ZeroLogon and application impersonation attacks
FortiGuard Labs Threat Research Report
Platforms concerned: Microsoft Exchange
Parties concerned: Exchange mailboxes
Impact: Gives unauthorized users the ability to access and send emails from any user within the organization
Degree of severity: Review
Special thanks to Angelo Cris Deveraturda, Wilson Agad, Lallum Victoria, Wil Vidal, Jared Betts and Ken Evans
FortiGuard Labs recently discovered an unidentified threat actor using ProxyShell exploits together with techniques that had not yet been reported. Several FortiEDR instances had detected malicious DLLs in memory, and we discovered these new techniques while visiting one of the organizations that had been compromised through ProxyShell. Through active threat hunting, we were then able to determine that other organizations had been compromised as well.
The DLLs, previously unknown based on their SHA256 file hashes, were used to perform active discovery, obtain hashed passwords through Zerologon, and perform pass-the-hash authentication to establish persistence by borrowing the Exchange application identity. This blog provides an analysis of these DLLs. We documented the malicious activity associated with them by recreating the incidents in a lab environment. The goal is to help the public and current and future customers determine whether related activity is present in their environment and take appropriate action.
Overview of ProxyShell incidents
These events started around the time that ProxyShell hit the headlines. At first, they seemed to match what most organizations were already reporting: the operational details, from the directories used to the types of web shells deployed, matched almost verbatim. The difference came when the web shells performed post-exploitation activity through DLLs loaded into memory, which triggered events within FortiEDR.
FortiEDR detected these DLLs because they were loaded into the memory space of vbc.exe, the Visual Basic compiler for .NET applications, and were loaded from the w3wp.exe process, which runs the Microsoft Exchange Outlook web application. This behaviour, combined with FortiEDR’s machine learning algorithm, led to the files being classified as likely malicious.
The figure below shows w3wp.exe injecting a thread into the vbc.exe process and accessing services on the Exchange server.
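The process relationship the report describes, w3wp.exe creating a thread in vbc.exe, is something defenders can look for in their own telemetry. The following is an added example, not Fortinet's code or FortiEDR logic: it scans constructed Sysmon-style records (Event ID 8 CreateRemoteThread and Event ID 1 ProcessCreate are real Sysmon event IDs; the sample lines and field layout are constructed here) and flags the w3wp.exe to vbc.exe thread injection, treating w3wp.exe merely spawning vbc.exe as low-severity context because ASP.NET page compilation does that legitimately.

```python
# Added example (not from the report): flag w3wp.exe -> vbc.exe remote thread creation
# in Sysmon-style records. The records below are constructed sample data, not incident logs.

# Constructed Sysmon-like events: key=value tokens, one event per line.
SAMPLE_EVENTS = r"""
EventID=1 Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe ParentImage=C:\Windows\System32\inetsrv\w3wp.exe
EventID=8 SourceImage=C:\Windows\System32\inetsrv\w3wp.exe TargetImage=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
EventID=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\explorer.exe
EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\explorer.exe
"""


def parse_events(text):
    """Turn 'Key=Value Key=Value' lines into a list of dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def basename(path):
    """Lower-cased file name of a Windows path (C:\\a\\b\\w3wp.exe -> w3wp.exe)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (severity, description) findings for the w3wp.exe / vbc.exe relationship.

    Event ID 8 (CreateRemoteThread) from the IIS/Exchange worker into the VB compiler
    is the behaviour described in the report and is rated high. Event ID 1 (ProcessCreate)
    of vbc.exe by w3wp.exe is expected during ASP.NET compilation, so it is context only.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "8" and basename(ev.get("SourceImage", "")) == "w3wp.exe" \
                and basename(ev.get("TargetImage", "")) == "vbc.exe":
            findings.append(("high", "w3wp.exe created a remote thread in vbc.exe"))
        elif eid == "1" and basename(ev.get("ParentImage", "")) == "w3wp.exe" \
                and basename(ev.get("Image", "")) == "vbc.exe":
            findings.append(("low", "w3wp.exe spawned vbc.exe (normal for ASP.NET compilation)"))
    return findings


if __name__ == "__main__":
    for severity, msg in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{severity}] {msg}")
```

Against a real Sysmon export the same two checks apply; the high-severity hit is the one that warrants pulling the DLLs loaded into vbc.exe for analysis.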
Fortinet inc. published this content on September 14, 2021 and is solely responsible for the information it contains. Distributed by Public, unedited and unmodified, on September 14, 2021 07:31:06 PM UTC.