
Cobalt strike beacon list files
Forensic Analysis of Breaches that Used Cobalt Strike and MS Exchange Server Vulnerability

Posted in October

The ASEC analysis team is consistently monitoring the activities of Cobalt Strike, one of the trending cybersecurity issues that were discussed in previous blog posts regarding its distribution to Korean companies. (The link to a previous blog post can be found at the bottom of this post.) While monitoring Cobalt Strike, the team detected its activities from specific IPs on July 15th and August 2nd, then suggested and conducted a forensic analysis for the client of these IPs. Upon tracking the attacker's behavior in the breached system, it was confirmed that the breach occurred via the MS Exchange Server vulnerability that was prevalent in March.

Revealed in March, the four MS Exchange Server vulnerabilities are collectively called ProxyLogon. Attackers can use these vulnerabilities to send malicious HTTP requests that bypass the backend system's authentication and allow arbitrary file writes.

CVE-2021-26855 (Microsoft Exchange Server remote code execution vulnerability)
CVE-2021-26857 (Microsoft Exchange Server remote code execution vulnerability)
CVE-2021-26858 (Microsoft Exchange Server remote code execution vulnerability)
CVE-2021-27065 (Microsoft Exchange Server remote code execution vulnerability)

The attacker connected to the OWA (Outlook Web App) website of the client, which operates MS Exchange Server exposed externally, bypassed the backend system's authentication (CVE-2021-26855), and used the file write vulnerability (CVE-2021-26858, CVE-2021-27065) to upload a web shell.

Since the vulnerability's disclosure on March 3rd, the client's e-mail server received attacks targeting the MS Exchange Server vulnerability from a total of 60 IPs. The attacks can be classified into 3 groups based on the time of the attack, the source IP, and the malicious behavior.

Figure 2. Traces of attack group 1's breach attack (IIS Log)
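The grouping step described above, sorting the source IPs seen in the IIS log into attack groups by time, IP and behavior, is the kind of triage an analyst scripts rather than does by hand. The following is an added example, not code from the ASEC post or from AhnLab: it parses IIS W3C-format log lines, aggregates requests per client IP, records which Exchange front end (owa, ecp, ...) each IP touched and with which HTTP method, and splits the IPs into activity waves whenever the next IP first appears more than a configurable gap after the previous one. The log lines, the IP addresses, the user name alice and the path /ecp/sample.aspx are constructed placeholders for this example; none of them are indicators from the post.

```python
"""Triage an IIS W3C log: group external client IPs by time of activity and by
which Exchange front ends they requested (the classification the post describes).

Added example, not code from the ASEC post. SAMPLE_LOG is constructed; the IPs,
the user name and '/ecp/sample.aspx' are placeholders, not indicators. Column
names come from the '#Fields:' header IIS writes at the top of each log file.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: three bursts of activity (2021-03-04, 2021-03-06, 2021-07-15).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-04 02:11:05 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 120
2021-03-04 02:11:09 10.0.0.5 POST /ecp/sample.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 310
2021-03-04 02:40:31 10.0.0.5 POST /ecp/sample.aspx - 443 - 198.51.100.8 python-requests/2.25 - 200 0 0 290
2021-03-06 11:02:44 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 302 0 0 15
2021-03-06 11:02:50 10.0.0.5 GET /owa/ - 443 alice 203.0.113.9 Mozilla/5.0 - 200 0 0 10
2021-07-15 09:30:44 10.0.0.5 POST /ecp/sample.aspx - 443 - 192.0.2.77 Mozilla/5.0 - 200 0 0 280
"""


@dataclass
class IpActivity:
    ip: str
    first_seen: datetime
    last_seen: datetime
    requests: int = 0
    behaviour: set = field(default_factory=set)  # e.g. {"owa:GET", "ecp:POST"}


def parse_iis_w3c(text):
    """Yield one dict per request, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")  # W3C fields are single-space separated; spaces inside fields are encoded
        if fields is None or len(parts) != len(fields):
            continue  # no header yet or malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def app_of(uri_stem):
    """Map a request path to the front end it targets: its first path segment ('owa', 'ecp', ...)."""
    seg = uri_stem.lower().split("/")
    return seg[1] if len(seg) > 1 and seg[1] else "(root)"


def summarize_by_ip(text):
    """Aggregate first/last seen, request count and behaviour per client IP."""
    acts = {}
    for rec in parse_iis_w3c(text):
        ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        a = acts.get(rec["c-ip"])
        if a is None:
            a = acts[rec["c-ip"]] = IpActivity(rec["c-ip"], ts, ts)
        a.first_seen = min(a.first_seen, ts)
        a.last_seen = max(a.last_seen, ts)
        a.requests += 1
        a.behaviour.add(f'{app_of(rec["cs-uri-stem"])}:{rec["cs-method"]}')
    return acts


def group_by_time(acts, gap=timedelta(days=1)):
    """Cluster IPs into waves: walk them in first-seen order and open a new wave
    whenever an IP first appears more than `gap` after the previous IP did."""
    waves = []
    for a in sorted(acts.values(), key=lambda x: x.first_seen):
        if waves and a.first_seen - waves[-1][-1].first_seen <= gap:
            waves[-1].append(a)
        else:
            waves.append([a])
    return waves


def report(text, gap=timedelta(days=1)):
    """Return rows (wave_no, ip, first_seen, last_seen, requests, behaviour) for analyst review."""
    rows = []
    for n, wave in enumerate(group_by_time(summarize_by_ip(text), gap), start=1):
        for a in wave:
            rows.append((n, a.ip, a.first_seen, a.last_seen, a.requests, sorted(a.behaviour)))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

The wave gap is deliberately a parameter: the post's three groups were separated by the analysts' judgement of time, IP and behaviour, and the right threshold depends on how the real log is spread. The behaviour column only records which front end was hit with which method; deciding which combinations are malicious (for instance unauthenticated requests reaching ECP) remains the analyst's call, which is why the script reports rather than alerts.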