In January 2021, Dubex investigated suspicious activity on a set of Exchange servers. Generic post exploitation activity was seen, and many POST requests were sent to webshells hosted in the OWA directory. It was initially suspected the servers might be backdoored directly through the OWA and that webshells were being used for ease of access. As a result, Dubex started its incident response efforts and acquired system memory (RAM) and disk images to initiate a forensics investigation. This investigation revealed a zero-day exploit being used in the wild.

Explaining the vulnerability

Through the investigation of the systems, it was revealed that the webshells were written by the UMWorkerProcess, a part of the Unifying Messaging module.

The UM server allows an Exchange organisation to store voicemail and faxes along with emails, calendars, and contacts in users' mailboxes. A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App.

Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone.

Through analysis of the systems, Dubex Incident Response Team determined that feeding the UM Server with a sufficiently malformed voicemail file caused it to spawn a UMWorkerProcess that deserialised the voicemail and executed contents. After code execution, the process crashes and the malicious file is not removed from disk. Exchange recovers the service after 1-2 minutes and the process repeats as the file is still there for processing.

In this case, the code executed by UM runs as ‘NT Authority\SYSTEM’ and can unhindered alter the system.

Post-exploitation tasks seen in this attack:

• Spawning common webshells in the public accessible OWA directory for easy remote access. Observed files were written in ASP.NET and allowed remote code execution via POST requests. This is a common way to gain a foothold on the system for further exploration and exploitation
• LSASS process dump to gather more credentials.

As seen in the Microsoft Security Advisory hafnium-targeting-exchange-servers, there are now multiple paths for attackers to exploit Exchange servers, and we therefore recommend patching as soon as possible as well as checking publicly accessible paths on the Exchange servers for unknown files. Webserver and Exchange log files can also be queried for activity related to these attacks.

IOCs linked to this attack

Files larger than 1kb located in the Exchange Voicemails directory with nonstandard content.

The following ASPX files were found on the compromised systems – however the attacker can name them as they wish:

• errorEEE.aspx
• errorEW.aspx
• errorFF.aspx

Be aware of the fact that your Exchange Installation may have their webserver files in non-standard paths, and all OWA/ECP related directories should be checked for non-standard files.

Using ProcDump to dump LSASS triggers Behavior: Win32/DumpLsass.A!attk (not unique)

And we also caught several attempts to upload webshells that were immediately quarantined by antimalware protection.

If you have concerns that your servers may have been compromised from this vulnerability, please reach out to the Dubex team, and we can help you determine if further investigation is needed.