Secureworks incident responders investigated a long-running intrusion that involved compromises of SharePoint and Exchange servers and multiple web shells with links to Iranian threat groups.
by Mike McLellan, Secureworks® Counter Threat Unit™ (CTU) research team
Monday, July 19th, 2021
In March and November 2020, third-party researchers reported on a campaign where threat actors targeted organizations using CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server. Secureworks® Counter Threat Unit™ (CTU) researchers observed a continuation of this activity through to at least April 2021, and potentially ongoing as of June 2021.
During a recent threat hunt, Secureworks incident responders identified web shells on multiple hosts in a customer’s environment, as well as other evidence of post-exploitation activity. Subsequent analysis suggested that since 2019 at least two threat groups accessed the compromised environment by exploiting vulnerabilities on internet-facing SharePoint and Exchange servers. The second threat group was observed moving laterally within the network and stealing credentials, possibly to enable ongoing access to the environment.
Secureworks incident responders determined that around April 2019, a threat actor compromised several SharePoint servers in the customer’s environment by exploiting SharePoint remote code execution vulnerability CVE-2019-0604. This compromise led to the creation of multiple web shells, including simple China Chopper web shells (see Figure 1). Some of these web shells used the same filename as their hard-coded parameter (e.g., t.aspx).
CTU™ researchers previously linked the IP addresses and filenames used by the attackers to widespread and opportunistic exploitation of CVE-2019-0604 in the April 2019 timeframe. Third-party reporting linked some of the exploitation activity to the China-based BRONZE UNION threat group (also known as Emissary Panda and APT27).
From June 2019 to June 2020, several C# web shells were installed on the same SharePoint servers, written to the same directories as the China Chopper web shells. These web shells take a key and a Base64-encoded buffer as input, use the key to decrypt the buffer to a byte array, and load the array into memory via the System.Reflection.Assembly.Load method (see Figure 2).
Other than being installed on the same compromised servers in the same locations, there is no evidence to link this second set of web shells to the earlier China Chopper deployment. By June 2019, the SharePoint vulnerability was widely known and multiple threat actors were opportunistically exploiting it.
Further analysis by Secureworks incident responders revealed that a basic file upload and command execution web shell (owafont.aspx) was installed on an Exchange Server within the customer’s environment in late 2020. Initial access was likely achieved by exploiting CVE-2020-0688. An attacker possessing valid user credentials can leverage this vulnerability to execute arbitrary code.
In early 2021, the same web shell was installed on other Exchange Servers within the environment, likely using the same compromised administrator account. CTU researchers identified a hostname for the threat actor’s system (WIN-P6LP3KP4SQ6) in associated Windows authentication events.
Approximately three months later, the attacker re-entered the environment using the same hostname and the same compromised credentials to upload the TransportClient.dll web shell. According to third-party analysis of this small C# web shell, it can execute commands directly via cmd.exe or can send commands to the ‘splsvc’ named pipe. CTU researchers observed that the attacker used a Base64-encoded PowerShell script to create the named pipe (see Figure 3). This script potentially leveraged open-source code available from GitHub.
CTU researchers identified a second variant of this script in the environment as well. In addition to creating the named pipe, this variant creates a scheduled task called ‘Google Updater’ (see Figure 4).
TransportClient.dll contains a PDB string (see Figure 5) that is also present in other identified copies of the web shell. Elements in the string led CTU researchers to name this web shell ‘SheepTransportShell’.
Figure 6 shows how the threat actor used the Appcmd.exe Internet Information Services (IIS) utility to install SheepTransportShell. Multiple threat groups have used this technique, including the Iranian COBALT LYCEUM threat group. Appcmd.exe could reportedly be used to install the RGDoor IIS backdoor used by COBALT LYCEUM and COBALT GYPSY. COBALT GYPSY and COBALT LYCEUM are subsets of the threat group described in open source as APT34.
By investigating the combination of the hostname and the compromised accounts, Secureworks incident responders identified additional intrusion activity in the customer’s environment. The attacker accessed a critical business server to deploy a web shell named service.aspx. Service.aspx provides file upload, file download, and remote code execution capabilities.
A second web shell with a slightly different filename (services.aspx) was uploaded to the same server. Services.aspx appears to borrow code (see Figure 7) from the HighShell and HyperShell web shells. These tools are associated with COBALT GYPSY but were posted online in 2019 as part of the 'Lab Dookhtegan' leaks. As a result, they cannot be considered exclusive to this threat group.
The threat actor uploaded an s.aspx web shell to the same SharePoint servers that were previously exploited in April 2019. This web shell has the same functionality as services.aspx. The attacker then used PowerShell to modify the file metadata timestamps (see Figure 8) to match those of srchrss.aspx, a legitimate file that builds an RSS feed based on a search query. This modification was likely an effort to make the web shell blend in with legitimate files. The s.aspx and services.aspx web shells are nearly identical, suggesting that the same threat actor deployed both of them.
As part of the same intrusion activity, the threat actor dumped and exfiltrated credentials from the organization’s certificate authority server and from a domain controller. After a dropped Mimikatz credential harvester binary (6.exe) was blocked by antivirus software, the threat actor used native system tools. Ntdsutil.exe was used on the domain controller to dump the credentials, which were then exfiltrated as a compressed file (a.zip) via one of the compromised Exchange Servers. Approximately one week later, a threat actor exploited a different administrator account to view the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ subdirectories for ASPX files. Endpoint telemetry captured the attacker viewing the file contents of the t.aspx China Chopper web shell (see Figure 9). It is likely that these actions were performed by the same threat actor, although CTU researchers do not have evidence to confirm this.
CTU researchers assess with low confidence that an Iranian threat group, possibly COBALT GYPSY, was responsible for the activity that started with the compromise of the Exchange Servers:
Iranian threat groups continue to pose a significant threat. These and other threat actors actively search for vulnerabilities that they can weaponize. After gaining access to a compromised network, they attempt to establish multiple entry points and steal legitimate user credentials to maintain access even after vulnerabilities have been patched. In addition to patching, organizations must gain visibility on their endpoints, particularly internet-facing and business-critical servers. This visibility lets network defenders detect and rapidly respond to network intrusions.
The threat indicators in Table 1 can be used to detect activity related to this threat.
Indicator | Type | Context |
---|---|---|
7e63f43d61fa5ec8fbbafbe3dfc6d417 | MD5 hash | SheepTransportShell web shell likely associated with Iranian threat actors |
25378e5370d63c0835a92cc53b400d3a82999b0b | SHA1 hash | SheepTransportShell web shell likely associated with Iranian threat actors |
d4a9200bcc10945b92685298dcbcbee1b66fd0bd874e9b2bdcc40654c3092404 | SHA256 hash | SheepTransportShell web shell likely associated with Iranian threat actors |
ddb1eaf4b3b27f7c120a261d512d7d74 | MD5 hash | Mimikatz binary (6.exe) likely associated with Iranian threat actors |
fa2204f491844732a1942d07fd9f37c7cd4a7f4d | SHA1 hash | Mimikatz binary (6.exe) likely associated with Iranian threat actors |
1a80ccdb125d754ae4f7c84f168ba225fa161500e2012c6dbdfc2c3eb25d056a | SHA256 hash | Mimikatz binary (6.exe) likely associated with Iranian threat actors |
WIN-P6LP3KP4SQ6 | Hostname | Associated with likely Iranian threat actor’s system |
bd020bcf23a934d0651d13103af6daa6 | MD5 hash | Web shell with file upload and execute capability (owafont.aspx) likely associated with Iranian threat actors |
6c7526ca14bf1f98f5181ce378fce50d9fdd530a | SHA1 hash | Web shell with file upload and execute capability (owafont.aspx) likely associated with Iranian threat actors |
e6c96d0a9da0ca2018e5e7c719ba04f1940a2499927cdfee3417091a96068833 | SHA256 hash | Web shell with file upload and execute capability (owafont.aspx) likely associated with Iranian threat actors |
e10fbb596869b19accc16625e3e2166a | MD5 hash | Web shell with file upload and execute capability (service.aspx) likely associated with Iranian threat actors |
9df006e1896d426469993b60d22079a5d5c93c69 | SHA1 hash | Web shell with file upload and execute capability (service.aspx) likely associated with Iranian threat actors |
fd4a8684392664d180751246c088142be4d2bec8d77d4fedd5f18c480a938c90 | SHA256 hash | Web shell with file upload and execute capability (service.aspx) likely associated with Iranian threat actors |
4bd64522dd13357b705b7456a5b4c473 | MD5 hash | Web shell similar to COBALT GYPSY web shells (services.aspx) likely associated with Iranian threat actors |
0ce91e5fa9268007a1d409744916d16217ba7869 | SHA1 hash | Web shell similar to COBALT GYPSY web shells (services.aspx) likely associated with Iranian threat actors |
84ac4199817b3944c9970862826523703d54c156fa10c5bd9fce2640e74ed003 | SHA256 hash | Web shell similar to COBALT GYPSY web shells (services.aspx) likely associated with Iranian threat actors |
Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36 | User-Agent | Observed in web shell C2 traffic likely associated with Iranian threat actors |
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 | User-Agent | Observed in web shell C2 traffic likely associated with Iranian threat actors |
a92c8f626cf0298e145e49d2c3ffdacf | MD5 hash | Web shell similar to COBALT GYPSY web shells (s.aspx) likely associated with Iranian threat actors |
9200e78e00200321d65a4213fbfea4ab171eb1b0 | SHA1 hash | Web shell similar to COBALT GYPSY web shells (s.aspx) likely associated with Iranian threat actors |
68a4b8524bc6d4ceb107cb651dd7b31144095e25663d935ffb91491e72a774bd | SHA256 hash | Web shell similar to COBALT GYPSY web shells (s.aspx) likely associated with Iranian threat actors |
8f241aaed1d6aebbee979796bd48fbca | MD5 hash | Web shell deployed via SharePoint exploit CVE-2019-0604 (cmd.aspx) |
782c9d0453bbd9a216b754381c50b4f6fbc0fe66 | SHA1 hash | Web shell deployed via SharePoint exploit CVE-2019-0604 (cmd.aspx) |
bb8213417bb5b58ed98cc9948853cd64b6cc0387f414122c946c4212b6c7a82d | SHA256 hash | Web shell deployed via SharePoint exploit CVE-2019-0604 (cmd.aspx) |
b34883fb1630db43e06a38cebfa0bce2 | MD5 hash | Web shell deployed via SharePoint exploit CVE-2019-0604 (Layout1.aspx) |
b871e9afd7da87ee818ed7349a1579f3b31e104f | SHA1 hash | Web shell deployed via SharePoint exploit CVE-2019-0604 (Layout1.aspx) |
596b2a90c1590eaf704295a2d95aae5d2fec136e9613e059fd37de4b02fd03bb | SHA256 hash | Web shell deployed via SharePoint exploit CVE-2019-0604 (Layout1.aspx) |
480e7039da17306a7eec814571f2b9bd | MD5 hash | China Chopper web shell (t.aspx) |
995239a00a5220fae691199692aea70967f6cc14 | SHA1 hash | China Chopper web shell (t.aspx) |
e47e339aab48bb54ab370311aecc990d6558047eb015f73615aa0c6ae1a7bfdf | SHA256 hash | China Chopper web shell (t.aspx) |
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0 | User-Agent | Observed in web shell C2 traffic likely associated with Iranian threat actors |
90e20124e5d150321c02f3da95a90a49 | MD5 hash | Web shell deployed via Exchange exploit CVE-2020-0688 (owafont_vn.aspx) likely associated with Iranian threat actors |
9f2b532d3d81453dfd8e96ab1de235d15ce3f815 | SHA1 hash | Web shell deployed via Exchange exploit CVE-2020-0688 (owafont_vn.aspx) likely associated with Iranian threat actors |
7ccb39775dda1fa8207ec17b827d947e7cd436acad98fd4caf812e7c6f081651 | SHA256 hash | Web shell deployed via Exchange exploit CVE-2020-0688 (owafont_vn.aspx) likely associated with Iranian threat actors |
c7678bfc5bcaec659b487db4408ee756 | MD5 hash | Web shell used to load secondary web shell payload (cmd.txt) likely associated with Iranian threat actors |
48201b4c9e9300cd9605b8e5cd2bc4cc73ab95f4 | SHA1 hash | Web shell used to load secondary web shell payload (cmd.txt) likely associated with Iranian threat actors |
3f30c8a795235290c5249cae99610063e32ff78947e7d46879672a0d72c748c7 | SHA256 hash | Web shell used to load secondary web shell payload (cmd.txt) likely associated with Iranian threat actors |
splsvc | Named pipe | Used to execute commands passed to SheepTransportShell web shell likely associated with Iranian threat actors |