Ongoing campaign leveraging Exchange vulnerability potentially linked to Iran

Secureworks incident responders investigated a long-running intrusion that involved compromises of SharePoint and Exchange servers and multiple web shells with links to Iranian threat groups.

by Mike McLellan, Secureworks® Counter Threat Unit™ (CTU) research team
Monday, July 19th, 2021

In March and November 2020, third-party researchers reported on a campaign where threat actors targeted organizations using CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server. Secureworks® Counter Threat Unit™ (CTU) researchers observed a continuation of this activity through to at least April 2021, and potentially ongoing as of June 2021.

Discovering historic and current intrusion activity

During a recent threat hunt, Secureworks incident responders identified web shells on multiple hosts in a customer’s environment, as well as other evidence of post-exploitation activity. Subsequent analysis suggested that since 2019 at least two threat groups accessed the compromised environment by exploiting vulnerabilities on internet-facing SharePoint and Exchange servers. The second threat group was observed moving laterally within the network and stealing credentials, possibly to enable ongoing access to the environment.

Historic compromise of SharePoint servers

Secureworks incident responders determined that around April 2019, a threat actor compromised several SharePoint servers in the customer’s environment by exploiting SharePoint remote code execution vulnerability CVE-2019-0604. This compromise led to the creation of multiple web shells, including simple China Chopper web shells (see Figure 1). Some of these web shells used the same filename as their hard-coded parameter (e.g., t.aspx).

Figure 1
Figure 1. China Chopper web shells dropped onto compromised SharePoint servers. (Source: Secureworks)

CTU™ researchers previously linked the IP addresses and filenames used by the attackers to widespread and opportunistic exploitation of CVE-2019-0604 in the April 2019 timeframe. Third-party reporting linked some of the exploitation activity to the China-based BRONZE UNION threat group (also known as Emissary Panda and APT27).

From June 2019 to June 2020, several C# web shells were installed on the same SharePoint servers, written to the same directories as the China Chopper web shells. These web shells take a key and a Base64-encoded buffer as input, use the key to decrypt the buffer to a byte array, and load the array into memory via the System.Reflection.Assembly.Load method (see Figure 2).

Figure 2
Figure 2. Formatted C# web shell that loads decoded data into memory. (Source: Secureworks)

Other than being installed on the same compromised servers in the same locations, there is no evidence to link this second set of web shells to the earlier China Chopper deployment. By June 2019, the SharePoint vulnerability was widely known and multiple threat actors were opportunistically exploiting it.

Ongoing campaign leveraging compromised Exchange Servers

Further analysis by Secureworks incident responders revealed that a basic file upload and command execution web shell (owafont.aspx) was installed on an Exchange Server within the customer’s environment in late 2020. Initial access was likely achieved by exploiting CVE-2020-0688. An attacker possessing valid user credentials can leverage this vulnerability to execute arbitrary code.

In early 2021, the same web shell was installed on other Exchange Servers within the environment, likely using the same compromised administrator account. CTU researchers identified a hostname for the threat actor’s system (WIN-P6LP3KP4SQ6) in associated Windows authentication events.

Approximately three months later, the attacker re-entered the environment using the same hostname and the same compromised credentials to upload the TransportClient.dll web shell. According to third-party analysis of this small C# web shell, it can execute commands directly via cmd.exe or can send commands to the ‘splsvc’ named pipe. CTU researchers observed that the attacker used a Base64-encoded PowerShell script to create the named pipe (see Figure 3). This script potentially leveraged open-source code available from GitHub.

Figure 3
Figure 3. Extract of decoded PowerShell script that creates the splsvc named pipe. (Source: Secureworks)

CTU researchers identified a second variant of this script in the environment as well. In addition to creating the named pipe, this variant creates a scheduled task called ‘Google Updater’ (see Figure 4).

Figure 4
Figure 4. Decoded PowerShell script that creates splsvc named pipe and ‘Google Updater’ scheduled task. (Source: Secureworks)

TransportClient.dll contains a PDB string (see Figure 5) that is also present in other identified copies of the web shell. Elements in the string led CTU researchers to name this web shell ‘SheepTransportShell’.

Figure 5
Figure 5. PDB string in SheepTransportShell sample. (Source: Secureworks)

Figure 6 shows how the threat actor used the Appcmd.exe Internet Information Services (IIS) utility to install SheepTransportShell. Multiple threat groups have used this technique, including the Iranian COBALT LYCEUM threat group. Appcmd.exe could reportedly be used to install the RGDoor IIS backdoor used by COBALT LYCEUM and COBALT GYPSY. COBALT GYPSY and COBALT LYCEUM are subsets of the threat group described in open source as APT34.

Figure 6
Figure 6. Installing SheepTransportShell on host. (Source: Secureworks)

By investigating the combination of the hostname and the compromised accounts, Secureworks incident responders identified additional intrusion activity in the customer’s environment. The attacker accessed a critical business server to deploy a web shell named service.aspx. Service.aspx provides file upload, file download, and remote code execution capabilities.

A second web shell with a slightly different filename (services.aspx) was uploaded to the same server. Services.aspx appears to borrow code (see Figure 7) from the HighShell and HyperShell web shells. These tools are associated with COBALT GYPSY but were posted online in 2019 as part of the 'Lab Dookhtegan' leaks. As a result, they cannot be considered exclusive to this threat group.

Figure 7
Figure 7. Code overlap between services.aspx (top) and publicly available HighShell web shell (bottom). (Source: Secureworks, GitHub)

The threat actor uploaded an s.aspx web shell to the same SharePoint servers that were previously exploited in April 2019. This web shell has the same functionality as services.aspx. The attacker then used PowerShell to modify the file metadata timestamps (see Figure 8) to match those of srchrss.aspx, a legitimate file that builds an RSS feed based on a search query. This modification was likely an effort to make the web shell blend in with legitimate files. The s.aspx and services.aspx web shells are nearly identical, suggesting that the same threat actor deployed both of them.

Figure 8
Figure 8. Modifying s.aspx web shell timestamps to match those of an existing legitimate file. (Source: Secureworks)

As part of the same intrusion activity, the threat actor dumped and exfiltrated credentials from the organization’s certificate authority server and from a domain controller. After a dropped Mimikatz credential harvester binary (6.exe) was blocked by antivirus software, the threat actor used native system tools. Ntdsutil.exe was used on the domain controller to dump the credentials, which were then exfiltrated as a compressed file (a.zip) via one of the compromised Exchange Servers. Approximately one week later, a threat actor exploited a different administrator account to view the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ subdirectories for ASPX files. Endpoint telemetry captured the attacker viewing the file contents of the t.aspx China Chopper web shell (see Figure 9). It is likely that these actions were performed by the same threat actor, although CTU researchers do not have evidence to confirm this.

Figure 9
Figure 9. Threat actor viewing contents of a China Chopper web shell deployed in April 2019. (Source: Secureworks)

Attribution

CTU researchers assess with low confidence that an Iranian threat group, possibly COBALT GYPSY, was responsible for the activity that started with the compromise of the Exchange Servers:

Conclusion

Iranian threat groups continue to pose a significant threat. These and other threat actors actively search for vulnerabilities that they can weaponize. After gaining access to a compromised network, they attempt to establish multiple entry points and steal legitimate user credentials to maintain access even after vulnerabilities have been patched. In addition to patching, organizations must gain visibility on their endpoints, particularly internet-facing and business-critical servers. This visibility lets network defenders detect and rapidly respond to network intrusions.

Threat indicators

The threat indicators in Table 1 can be used to detect activity related to this threat.

Indicator Type Context
7e63f43d61fa5ec8fbbafbe3dfc6d417 MD5 hash SheepTransportShell web shell likely associated with Iranian threat actors
25378e5370d63c0835a92cc53b400d3a82999b0b SHA1 hash SheepTransportShell web shell likely associated with Iranian threat actors
d4a9200bcc10945b92685298dcbcbee1b66fd0bd874e9b2bdcc40654c3092404 SHA256 hash SheepTransportShell web shell likely associated with Iranian threat actors
ddb1eaf4b3b27f7c120a261d512d7d74 MD5 hash Mimikatz binary (6.exe) likely associated with Iranian threat actors
fa2204f491844732a1942d07fd9f37c7cd4a7f4d SHA1 hash Mimikatz binary (6.exe) likely associated with Iranian threat actors
1a80ccdb125d754ae4f7c84f168ba225fa161500e2012c6dbdfc2c3eb25d056a SHA256 hash Mimikatz binary (6.exe) likely associated with Iranian threat actors
WIN-P6LP3KP4SQ6 Hostname Associated with likely Iranian threat actor’s system
bd020bcf23a934d0651d13103af6daa6 MD5 hash Web shell with file upload and execute capability (owafont.aspx) likely associated with Iranian threat actors
6c7526ca14bf1f98f5181ce378fce50d9fdd530a SHA1 hash Web shell with file upload and execute capability (owafont.aspx) likely associated with Iranian threat actors
e6c96d0a9da0ca2018e5e7c719ba04f1940a2499927cdfee3417091a96068833 SHA256 hash Web shell with file upload and execute capability (owafont.aspx) likely associated with Iranian threat actors
e10fbb596869b19accc16625e3e2166a MD5 hash Web shell with file upload and execute capability (service.aspx) likely associated with Iranian threat actors
9df006e1896d426469993b60d22079a5d5c93c69 SHA1 hash Web shell with file upload and execute capability (service.aspx) likely associated with Iranian threat actors
fd4a8684392664d180751246c088142be4d2bec8d77d4fedd5f18c480a938c90 SHA256 hash Web shell with file upload and execute capability (service.aspx) likely associated with Iranian threat actors
4bd64522dd13357b705b7456a5b4c473 MD5 hash Web shell similar to COBALT GYPSY web shells (services.aspx) likely associated with Iranian threat actors
0ce91e5fa9268007a1d409744916d16217ba7869 SHA1 hash Web shell similar to COBALT GYPSY web shells (services.aspx) likely associated with Iranian threat actors
84ac4199817b3944c9970862826523703d54c156fa10c5bd9fce2640e74ed003 SHA256 hash Web shell similar to COBALT GYPSY web shells (services.aspx) likely associated with Iranian threat actors
Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36 User-Agent Observed in web shell C2 traffic likely associated with Iranian threat actors
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 User-Agent Observed in web shell C2 traffic likely associated with Iranian threat actors
a92c8f626cf0298e145e49d2c3ffdacf MD5 hash Web shell similar to COBALT GYPSY web shells (s.aspx) likely associated with Iranian threat actors
9200e78e00200321d65a4213fbfea4ab171eb1b0 SHA1 hash Web shell similar to COBALT GYPSY web shells (s.aspx) likely associated with Iranian threat actors
68a4b8524bc6d4ceb107cb651dd7b31144095e25663d935ffb91491e72a774bd SHA256 hash Web shell similar to COBALT GYPSY web shells (s.aspx) likely associated with Iranian threat actors
8f241aaed1d6aebbee979796bd48fbca MD5 hash Web shell deployed via SharePoint exploit CVE-2019-0604 (cmd.aspx)
782c9d0453bbd9a216b754381c50b4f6fbc0fe66 SHA1 hash Web shell deployed via SharePoint exploit CVE-2019-0604 (cmd.aspx)
bb8213417bb5b58ed98cc9948853cd64b6cc0387f414122c946c4212b6c7a82d SHA256 hash Web shell deployed via SharePoint exploit CVE-2019-0604 (cmd.aspx)
b34883fb1630db43e06a38cebfa0bce2 MD5 hash Web shell deployed via SharePoint exploit CVE-2019-0604 (Layout1.aspx)
b871e9afd7da87ee818ed7349a1579f3b31e104f SHA1 hash Web shell deployed via SharePoint exploit CVE-2019-0604 (Layout1.aspx)
596b2a90c1590eaf704295a2d95aae5d2fec136e9613e059fd37de4b02fd03bb SHA256 hash Web shell deployed via SharePoint exploit CVE-2019-0604 (Layout1.aspx)
480e7039da17306a7eec814571f2b9bd MD5 hash China Chopper web shell (t.aspx)
995239a00a5220fae691199692aea70967f6cc14 SHA1 hash China Chopper web shell (t.aspx)
e47e339aab48bb54ab370311aecc990d6558047eb015f73615aa0c6ae1a7bfdf SHA256 hash China Chopper web shell (t.aspx)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0 User-Agent Observed in web shell C2 traffic likely associated with Iranian threat actors
90e20124e5d150321c02f3da95a90a49 MD5 hash Web shell deployed via Exchange exploit CVE-2020-0688 (owafont_vn.aspx) likely associated with Iranian threat actors
9f2b532d3d81453dfd8e96ab1de235d15ce3f815 SHA1 hash Web shell deployed via Exchange exploit CVE-2020-0688 (owafont_vn.aspx) likely associated with Iranian threat actors
7ccb39775dda1fa8207ec17b827d947e7cd436acad98fd4caf812e7c6f081651 SHA256 hash Web shell deployed via Exchange exploit CVE-2020-0688 (owafont_vn.aspx) likely associated with Iranian threat actors
c7678bfc5bcaec659b487db4408ee756 MD5 hash Web shell used to load secondary web shell payload (cmd.txt) likely associated with Iranian threat actors
48201b4c9e9300cd9605b8e5cd2bc4cc73ab95f4 SHA1 hash Web shell used to load secondary web shell payload (cmd.txt) likely associated with Iranian threat actors
3f30c8a795235290c5249cae99610063e32ff78947e7d46879672a0d72c748c7 SHA256 hash Web shell used to load secondary web shell payload (cmd.txt) likely associated with Iranian threat actors
splsvc Named pipe Used to execute commands passed to SheepTransportShell web shell likely associated with Iranian threat actors