Ongoing campaign leveraging Exchange vulnerability potentially linked to Iran

Secureworks incident responders investigated a long-running intrusion that involved compromises of SharePoint and Exchange servers and multiple web shells with links to Iranian threat groups.

by Mike McLellan, Secureworks® Counter Threat Unit™ (CTU) research team
Monday, July 19th, 2021

In March and November 2020, third-party researchers reported on a campaign where threat actors targeted organizations using CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server. Secureworks® Counter Threat Unit™ (CTU) researchers observed a continuation of this activity through to at least April 2021, and potentially ongoing as of June 2021.

Discovering historic and current intrusion activity

During a recent threat hunt, Secureworks incident responders identified web shells on multiple hosts in a customer’s environment, as well as other evidence of post-exploitation activity. Subsequent analysis suggested that since 2019 at least two threat groups accessed the compromised environment by exploiting vulnerabilities on internet-facing SharePoint and Exchange servers. The second threat group was observed moving laterally within the network and stealing credentials, possibly to enable ongoing access to the environment.

Historic compromise of SharePoint servers

Secureworks incident responders determined that around April 2019, a threat actor compromised several SharePoint servers in the customer’s environment by exploiting SharePoint remote code execution vulnerability CVE-2019-0604. This compromise led to the creation of multiple web shells, including simple China Chopper web shells (see Figure 1). Some of these web shells used the same filename as their hard-coded parameter (e.g., t.aspx).

Figure 1. China Chopper web shells dropped onto compromised SharePoint servers. (Source: Secureworks)

CTU™ researchers previously linked the IP addresses and filenames used by the attackers to widespread and opportunistic exploitation of CVE-2019-0604 in the April 2019 timeframe. Third-party reporting linked some of the exploitation activity to the China-based BRONZE UNION threat group (also known as Emissary Panda and APT27).

From June 2019 to June 2020, several C# web shells were installed on the same SharePoint servers, written to the same directories as the China Chopper web shells. These web shells take a key and a Base64-encoded buffer as input, use the key to decrypt the buffer to a byte array, and load the array into memory via the System.Reflection.Assembly.Load method (see Figure 2).

Figure 2. Formatted C# web shell that loads decoded data into memory. (Source: Secureworks)

Other than being installed on the same compromised servers in the same locations, there is no evidence to link this second set of web shells to the earlier China Chopper deployment. By June 2019, the SharePoint vulnerability was widely known and multiple threat actors were opportunistically exploiting it.

Ongoing campaign leveraging compromised Exchange Servers

Further analysis by Secureworks incident responders revealed that a basic file upload and command execution web shell (owafont.aspx) was installed on an Exchange Server within the customer’s environment in late 2020. Initial access was likely achieved by exploiting CVE-2020-0688. An attacker possessing valid user credentials can leverage this vulnerability to execute arbitrary code.

In early 2021, the same web shell was installed on other Exchange Servers within the environment, likely using the same compromised administrator account. CTU researchers identified a hostname for the threat actor’s system (WIN-P6LP3KP4SQ6) in associated Windows authentication events.

Approximately three months later, the attacker re-entered the environment using the same hostname and the same compromised credentials to upload the TransportClient.dll web shell. According to third-party analysis of this small C# web shell, it can execute commands directly via cmd.exe or can send commands to the ‘splsvc’ named pipe. CTU researchers observed that the attacker used a Base64-encoded PowerShell script to create the named pipe (see Figure 3). This script potentially leveraged open-source code available from GitHub.

Figure 3. Extract of decoded PowerShell script that creates the splsvc named pipe. (Source: Secureworks)

CTU researchers identified a second variant of this script in the environment as well. In addition to creating the named pipe, this variant creates a scheduled task called ‘Google Updater’ (see Figure 4).

Figure 4. Decoded PowerShell script that creates splsvc named pipe and ‘Google Updater’ scheduled task. (Source: Secureworks)

TransportClient.dll contains a PDB string (see Figure 5) that is also present in other identified copies of the web shell. Elements in the string led CTU researchers to name this web shell ‘SheepTransportShell’.

Figure 5. PDB string in SheepTransportShell sample. (Source: Secureworks)

Figure 6 shows how the threat actor used the Appcmd.exe Internet Information Services (IIS) utility to install SheepTransportShell. Multiple threat groups have used this technique, including the Iranian COBALT LYCEUM threat group. Appcmd.exe could reportedly be used to install the RGDoor IIS backdoor used by COBALT LYCEUM and COBALT GYPSY. COBALT GYPSY and COBALT LYCEUM are subsets of the threat group described in open source as APT34.

Figure 6. Installing SheepTransportShell on host. (Source: Secureworks)

By investigating the combination of the hostname and the compromised accounts, Secureworks incident responders identified additional intrusion activity in the customer’s environment. The attacker accessed a critical business server to deploy a web shell named service.aspx. Service.aspx provides file upload, file download, and remote code execution capabilities.

A second web shell with a slightly different filename (services.aspx) was uploaded to the same server. Services.aspx appears to borrow code (see Figure 7) from the HighShell and HyperShell web shells. These tools are associated with COBALT GYPSY but were posted online in 2019 as part of the 'Lab Dookhtegan' leaks. As a result, they cannot be considered exclusive to this threat group.

Figure 7. Code overlap between services.aspx (top) and publicly available HighShell web shell (bottom). (Source: Secureworks, GitHub)

The threat actor uploaded an s.aspx web shell to the same SharePoint servers that were previously exploited in April 2019. This web shell has the same functionality as services.aspx. The attacker then used PowerShell to modify the file metadata timestamps (see Figure 8) to match those of srchrss.aspx, a legitimate file that builds an RSS feed based on a search query. This modification was likely an effort to make the web shell blend in with legitimate files. The s.aspx and services.aspx web shells are nearly identical, suggesting that the same threat actor deployed both of them.

Figure 8. Modifying s.aspx web shell timestamps to match those of an existing legitimate file. (Source: Secureworks)

As part of the same intrusion activity, the threat actor dumped and exfiltrated credentials from the organization’s certificate authority server and from a domain controller. After a dropped Mimikatz credential harvester binary (6.exe) was blocked by antivirus software, the threat actor used native system tools. Ntdsutil.exe was used on the domain controller to dump the credentials, which were then exfiltrated as a compressed file (a.zip) via one of the compromised Exchange Servers. Approximately one week later, a threat actor exploited a different administrator account to view the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ subdirectories for ASPX files. Endpoint telemetry captured the attacker viewing the file contents of the t.aspx China Chopper web shell (see Figure 9). It is likely that these actions were performed by the same threat actor, although CTU researchers do not have evidence to confirm this.

Figure 9. Threat actor viewing contents of a China Chopper web shell deployed in April 2019. (Source: Secureworks)

Attribution

CTU researchers assess with low confidence that an Iranian threat group, possibly COBALT GYPSY, was responsible for the activity that started with the compromise of the Exchange Servers:

• The long-running nature of the intrusion ─ The emphasis on persistence, the multiple entry points, and the lengthy duration are typical of threat actors focused on espionage rather than on financial gain.
• The nature of affected organizations ─ The targeting and activity observed by CTU researchers and described in third-party reporting is consistent with Iranian threat groups’ objectives.
• The data ingress and egress technique ─ The threat actors used a subdomain of pipedream, which is a service that provides webhook-like functionality. Iranian groups have previously used similar services. These services allow the attacker to return custom responses to command and control traffic, and traffic to these services may appear legitimate to network defenders.
• Use of web shells ─ The web shells are generic but are stylistically similar to those previously associated with Iranian threat groups such as COBALT GYPSY. The use of a malicious IIS module for the SheepTransportShell web shell is reminiscent of the RGDoor backdoor, which is linked to COBALT GYPSY and COBALT LYCEUM.

Conclusion

Iranian threat groups continue to pose a significant threat. These and other threat actors actively search for vulnerabilities that they can weaponize. After gaining access to a compromised network, they attempt to establish multiple entry points and steal legitimate user credentials to maintain access even after vulnerabilities have been patched. In addition to patching, organizations must gain visibility on their endpoints, particularly internet-facing and business-critical servers. This visibility lets network defenders detect and rapidly respond to network intrusions.

Threat indicators

The threat indicators in Table 1 can be used to detect activity related to this threat.