Forensic Analysis of Breaches that Used Cobalt Strike and MS Exchange Server Vulnerability

The ASEC analysis team continuously monitors Cobalt Strike activity, one of the trending cyber-security issues, and has covered its distribution to Korean companies in previous blog posts. (The link to the previous blog post can be found at the bottom of this post.)

During this monitoring, the team detected Cobalt Strike activity from specific IPs on July 15th and August 2nd, proposed a forensic analysis to the client that owns those IPs, and carried it out. Tracing the attacker's behavior on the breached system confirmed that the initial breach had occurred through the MS Exchange Server vulnerabilities that were widely exploited in March.

The four MS Exchange Server vulnerabilities disclosed in March are collectively known as ProxyLogon. By sending crafted HTTP requests, an attacker can bypass authentication to the Exchange backend and then write arbitrary files to the server, which is enough to drop a web shell.

  • CVE-2021-26855 (Microsoft Exchange Server remote code execution vulnerability; server-side request forgery used to bypass authentication)
  • CVE-2021-26857 (Microsoft Exchange Server remote code execution vulnerability; insecure deserialization in the Unified Messaging service)
  • CVE-2021-26858 (Microsoft Exchange Server remote code execution vulnerability; post-authentication arbitrary file write)
  • CVE-2021-27065 (Microsoft Exchange Server remote code execution vulnerability; post-authentication arbitrary file write)

The attacker connected from the Internet to the OWA (Outlook Web App) site of the client, which runs MS Exchange Server, bypassed the backend authentication (CVE-2021-26855), and used the arbitrary file write vulnerabilities (CVE-2021-26858, CVE-2021-27065) to upload a web shell.

Since the vulnerabilities were disclosed on March 3rd, the client's e-mail server received attacks targeting them from a total of 60 IPs. These attacks can be classified into three groups based on the time of the attack, the source IP, and the malicious behavior that followed.

Figure 1. Breach flowchart

Attack Group 1

On March 3rd, attack group 1 attempted to exploit the vulnerability but created no web shell and performed no further malicious activity. However, the IP 86.105.18[.]116 used in this attempt has been confirmed as one of the C2 IPs of a threat group called Opera Cobalt Strike.

Attack Group 1 Characteristics
  Time of attack: March 3rd, 2021, 16:48:14
  Attacker IP: 86.105.18[.]116
  Malicious behavior: Exploit MS Exchange Server vulnerability
  Filename used for vulnerability exploitation: /ecp/y.js
  Web shell filename: None (not called)
  User-Agent:
    • python-requests/2.18.4
    • ExchangeServicesClient/0.0.0.0
Table 1. Attack group 1 characteristics
Figure 2. Traces of attack group 1’s breach attack (IIS Log)

Attack Group 2

Unlike attack group 1, which only tested the vulnerability, attack group 2 created a web shell after exploiting it and used that web shell to carry out follow-up attacks with Cobalt Strike.

Through the web shell, the attacker wrote oci.dll, a Cobalt Strike stager, into C:\Windows\System32. msdtc.exe (the Distributed Transaction Coordinator service) loads a DLL of that name from System32 if one is present, so the stager was loaded into the msdtc.exe process, where it loaded Cobalt Strike Beacon into memory and executed it. This Beacon activity is what AhnLab's monitoring system detected on July 15th and August 2nd.

To collect AD account information, the attacker copied ntds.dit, the Active Directory database file, together with the SYSTEM and SECURITY registry hives to the C:\test folder and exfiltrated them (the SYSTEM hive holds the boot key needed to decrypt the password hashes stored in ntds.dit). In addition, to capture the credentials of accounts logging into Windows, the attacker deployed ns.dll, a password-collecting malware that hooks into the NPLogonNotify API: Windows calls this export of every registered network provider DLL with the user name and plaintext password of each logon. As a result, the attacker obtained and exfiltrated the plaintext passwords of 60 local and domain accounts.
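A credential stealer that relies on NPLogonNotify has to be registered as a network provider, which leaves a trace in the registry: its service name is appended to ProviderOrder and a NetworkProvider subkey under its service points at the DLL. The script below is an added example (not AhnLab's tooling and not the malware itself) that parses a `reg export` of HKLM\SYSTEM and lists every provider that is not one of the three shipped with Windows. The registry text it checks is constructed for the example; the provider name "ns" and the path C:\Windows\System32\ns.dll are assumptions, since the post does not say where ns.dll was placed or under which name it was registered.

```python
from __future__ import annotations

# Added example: find network provider DLLs that are not part of Windows in a
# "reg export HKLM\SYSTEM" text file. Every registered network provider exports
# NPLogonNotify, and Windows calls it with the user name and plaintext password of
# each logon, which is how a credential stealer such as ns.dll obtains passwords.
# The registry text below is constructed for this example; the ns.dll path and
# provider name are assumptions, the post does not give them.

BUILTIN_PROVIDERS = {            # provider name (lower-case) -> DLL shipped with Windows
    "rdpnp": "drprov.dll",
    "lanmanworkstation": "ntlanman.dll",
    "webclient": "davclnt.dll",
}
ORDER_KEY = r"hkey_local_machine\system\currentcontrolset\control\networkprovider\order"
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"


def reg_expand_sz(value: str) -> str:
    """Encode a string the way reg.exe exports REG_EXPAND_SZ: 'hex(2):' followed by the
    comma-separated bytes of the NUL-terminated UTF-16LE string, wrapped with ',\\'."""
    data = (value + "\x00").encode("utf-16-le")
    parts = [f"{b:02x}" for b in data]
    chunks = [",".join(parts[i:i + 25]) for i in range(0, len(parts), 25)]
    return "hex(2):" + ",\\\n  ".join(chunks)


def decode_reg_value(raw: str) -> object:
    """Decode the right-hand side of a '"name"=value' line from a .reg file."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("hex(2):"):
        data = bytes.fromhex(raw[len("hex(2):"):].replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw


def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Return {key path (lower-case): {value name: decoded value}} for a .reg export."""
    # Join physical lines that reg.exe wrapped with a trailing backslash.
    logical, pending = [], ""
    for line in text.splitlines():
        line = pending + line.strip() if pending else line.rstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        logical.append(line)

    keys: dict[str, dict[str, object]] = {}
    current = None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()        # key paths are case-insensitive
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = decode_reg_value(raw)
    return keys


def find_rogue_network_providers(reg: dict[str, dict[str, object]]) -> list[tuple[str, str, str]]:
    """List (provider, DLL path, reason) for every provider in ProviderOrder that is not a
    built-in Windows provider, or whose DLL differs from the one Windows ships."""
    order = str(reg.get(ORDER_KEY, {}).get("ProviderOrder", ""))
    findings = []
    for name in filter(None, (n.strip() for n in order.split(","))):
        np_key = f"{SERVICES_KEY}\\{name.lower()}\\networkprovider"
        path = str(reg.get(np_key, {}).get("ProviderPath", ""))
        dll = path.rsplit("\\", 1)[-1].lower()
        expected = BUILTIN_PROVIDERS.get(name.lower())
        if expected is None:
            findings.append((name, path, "not a built-in Windows network provider"))
        elif dll != expected:
            findings.append((name, path, f"built-in provider name but DLL is not {expected}"))
    return findings


# Constructed sample export: the three Windows providers plus an assumed "ns" provider.
_RDPNP = reg_expand_sz(r"%SystemRoot%\System32\drprov.dll")
_LANMAN = reg_expand_sz(r"%SystemRoot%\System32\ntlanman.dll")
_WEBCLIENT = reg_expand_sz(r"%SystemRoot%\System32\davclnt.dll")
_NS = reg_expand_sz(r"C:\Windows\System32\ns.dll")   # assumed location of ns.dll

SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order]
"ProviderOrder"="RDPNP,LanmanWorkstation,webclient,ns"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider]
"Name"="Microsoft Terminal Services"
"ProviderPath"={_RDPNP}

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider]
"Name"="Microsoft Windows Network"
"ProviderPath"={_LANMAN}

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WebClient\\NetworkProvider]
"Name"="Web Client Network"
"ProviderPath"={_WEBCLIENT}

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ns\\NetworkProvider]
"Name"="ns"
"ProviderPath"={_NS}
"""

if __name__ == "__main__":
    for provider, path, reason in find_rogue_network_providers(parse_reg_export(SAMPLE_REG)):
        print(f"{provider}: {path} ({reason})")
```

On a live host the input is the output of `reg export HKLM\SYSTEM system.reg` (saved as UTF-16, so decode it before passing the text in). Legitimate third-party providers such as VPN clients, VMware's shared folders, or WSL's P9NP also show up as findings; the check is a review list, not a verdict, and a hit should be confirmed by checking the DLL's signature and whether it exports NPLogonNotify.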

Attack Group 2 Characteristics
  Time of attack: March 3rd, 2021, 18:52:29
  Attacker IP: 158.247.227[.]46
  Malicious behavior:
    • Exploit MS Exchange Server vulnerability
    • Execute Cobalt Strike Beacon
    • Execute malware that collects account names and passwords (ns.dll)
    • Collect and leak 60 account names and passwords in plain text
    • Leak Active Directory DB file (ntds.dit)
    • Leak registry hive files (SYSTEM, SECURITY)
    • Check logged-in accounts using psloggedon64.exe (Sysinternals PsLoggedOn) and pvefindaduser.exe (PVEFindADUser)
    • Breach additional internal systems using the obtained admin account
  Filename used for vulnerability exploitation: /ecp/x.js
  Web shell filename:
    • error.aspx
    • logout.aspx
  User-Agent:
    • python-requests/2.23.0
    • python-requests/2.25.1
    • ExchangeServicesClient/0.0.0.0
    • Mozilla/5.0+(compatible;+Nmap+Scripting+Engine;+hxxps://nmap[.]org/book/nse.html)
    • antSword/v2.1 (open-source web shell management tool)
Table 2. Attack group 2 characteristics
Figure 3. Traces of attack group 2’s breach (IIS Log)

Attack Group 3 

The team also found traces of a breach that differ from those of attack groups 1 and 2. A web shell was called on March 4th, and a different type of PE backdoor was registered as a service.

Attack Group 3 Characteristics
  Time of attack: March 4th, 2021, 22:14:59
  Attacker IP:
    • 115.144.69[.]20
    • 103.127.124[.]117
  Malicious behavior:
    • Exploitation of the MS Exchange Server vulnerability not confirmed in the IIS log
    • Execute PE backdoor
  Filename used for vulnerability exploitation: Unconfirmed
  Web shell filename: shell.aspx
  User-Agent: antSword/v2.1 (open-source web shell management tool)
Table 3. Attack group 3 characteristics
Figure 4. Traces of attack group 3’s breach (IIS Log)

After its successful exploitation on March 4th, attack group 3 downloaded a backdoor (TosBtKbd.dll) and a legitimate Bluetooth keyboard program (avupdate.exe).

The original filename of avupdate.exe is TosBtKbd.exe; it is a Bluetooth keyboard utility compiled on July 24th, 2008 and validly signed by TOSHIBA. Because this program loads TosBtKbd.dll from its own directory when it runs (a DLL search-order weakness), the attacker appears to have dropped it solely to side-load the malicious DLL: running avupdate.exe loads the TosBtKbd.dll backdoor under the cover of a signed Toshiba binary.

No malicious behavior other than the execution of the PE backdoor was found.

Figure 5. TosBtKbd.exe (= avupdate.exe) file signature information
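The IIS log traces in Figures 2 to 4 are what let the three groups be told apart. The script below is an added example, not AhnLab's tooling, that parses a W3C-format IIS log and flags records matching the indicators from Tables 1 to 3: the attacker IPs, requests to a .js name directly under /ecp/, the web shell filenames, and the User-Agent strings. The log records it runs on are constructed for the example (the web shell paths under /owa/auth/ and /aspnet_client/ are assumptions; the post does not give their locations), and the field layout is the default IIS W3C one, which stores spaces inside a field as '+'.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example: triage a W3C-format IIS log for the ProxyLogon traces described in
# this post. Indicator values come from Tables 1 to 3. The log records below are
# constructed for the example and are not the client's real log; the web shell
# locations in them are assumptions.

ATTACKER_IPS = {"86.105.18.116", "158.247.227.46", "115.144.69.20", "103.127.124.117"}
WEBSHELL_NAMES = {"error.aspx", "logout.aspx", "shell.aspx"}
SUSPICIOUS_UA = [
    re.compile(r"^python-requests/"),
    re.compile(r"^ExchangeServicesClient/0\.0\.0\.0$"),
    re.compile(r"Nmap\+Scripting\+Engine"),      # IIS writes '+' for spaces in the UA
    re.compile(r"^antSword/"),
]
# ProxyLogon exploitation touches a .js name directly under /ecp/ (y.js and x.js here);
# legitimate ECP script files live deeper, under a versioned subdirectory.
ECP_JS = re.compile(r"^/ecp/[^/]+\.js$", re.IGNORECASE)

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 07:40:02 10.10.1.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 10.10.1.22 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 31
2021-03-03 07:48:14 10.10.1.5 POST /ecp/y.js - 443 - 86.105.18.116 ExchangeServicesClient/0.0.0.0 - 200 0 0 15
2021-03-03 09:52:29 10.10.1.5 POST /ecp/x.js - 443 - 158.247.227.46 python-requests/2.25.1 - 200 0 0 12
2021-03-03 09:55:01 10.10.1.5 POST /owa/auth/error.aspx - 443 - 158.247.227.46 antSword/v2.1 - 200 0 0 9
2021-03-04 13:14:59 10.10.1.5 GET /aspnet_client/shell.aspx - 443 - 115.144.69.20 antSword/v2.1 - 200 0 0 8
2021-03-04 13:20:00 10.10.1.5 GET /ecp/ - 443 - 10.10.1.22 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 302 0 0 4
"""


@dataclass
class Hit:
    record: int          # 1-based index of the log record (header lines not counted)
    client_ip: str
    method: str
    uri: str
    user_agent: str
    reasons: list[str]


def parse_iis_w3c(text: str) -> list[dict[str, str]]:
    """Parse a W3C IIS log into one dict per record, keyed by the names in '#Fields:'."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # a new #Fields line can appear mid-file
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record seen before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                           # skip a truncated record rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def triage(text: str) -> list[Hit]:
    """Return every record matching at least one ProxyLogon indicator, with the reasons."""
    hits = []
    for n, rec in enumerate(parse_iis_w3c(text), 1):
        ip, uri, ua = rec["c-ip"], rec["cs-uri-stem"], rec["cs(User-Agent)"]
        reasons = []
        if ip in ATTACKER_IPS:
            reasons.append("source IP listed as an attacker IP")
        if ECP_JS.match(uri):
            reasons.append("request to /ecp/<name>.js (ProxyLogon exploitation trace)")
        if uri.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            reasons.append("request to a known web shell filename")
        if any(p.search(ua) for p in SUSPICIOUS_UA):
            reasons.append(f"suspicious User-Agent {ua}")
        if reasons:
            hits.append(Hit(n, ip, rec["cs-method"], uri, ua, reasons))
    return hits


def group_by_ip(hits: list[Hit]) -> dict[str, list[Hit]]:
    """Group hits by source IP, the first step of the per-group classification above."""
    groups: dict[str, list[Hit]] = {}
    for h in hits:
        groups.setdefault(h.client_ip, []).append(h)
    return groups


if __name__ == "__main__":
    for ip, ip_hits in group_by_ip(triage(SAMPLE_LOG)).items():
        print(ip)
        for h in ip_hits:
            print(f"  #{h.record} {h.method} {h.uri}: {'; '.join(h.reasons)}")
```

Run it over the real u_ex*.log files from C:\inetpub\logs\LogFiles\ instead of SAMPLE_LOG. A filename match alone is weak evidence (logout.aspx is an ordinary-looking name), so confirm each web shell hit against the file's creation time and contents on disk; the ExchangeServicesClient/0.0.0.0 and antSword User-Agents, by contrast, do not occur in normal OWA traffic.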

Conclusion

  • 1-day (N-day) exploitation targets a known vulnerability immediately after its security patch is released. Environments that cannot apply patches promptly are therefore exposed to such attacks.
  • When a vulnerability is disclosed, numerous attack groups rush to exploit it; some stop at scanning, while others go further and cause actual damage.
  • After exploiting the vulnerability and gaining control of the system, the attackers collected information with Cobalt Strike or custom backdoors and moved into the internal network.
  • The attacker's goal appears to have been account information. Since the passwords of about 60 employee accounts were exfiltrated, secondary damage is expected in other online services where the employees reuse those passwords.
  • Validly signed executables can also be abused in attacks, as the side-loading of TosBtKbd.dll through the signed Toshiba program shows.
  • AD servers must be operated on the internal network only, without external exposure, and must be blocked from direct Internet access.
  • Because all internal systems shared the same administrator password, the attacker could easily take over the entire internal network. We recommend using complex passwords and not reusing the same account or password across systems.

The following is the V3 detection information and the IOCs for the files found in the breached system.

[File Detection]

Exploit/ASP.Cve-2021-27065.S1406
WebShell/JSP.Chopper
InfoStealer/Win.WinAuthSniff
Downloader/Win.Stager
Unwanted/Win.Proxy
Backdoor/Win.Agent.R437776
Exploit/ASP.Cve-2021-27065.S1406
Exploit/ASP.Cve-2021-27065.S1406
Exploit/ASP.Cve-2021-27065.S1406
Exploit/ASP.Cve-2021-27065.S1406
Exploit/ASP.Cve-2021-27065.S1406
Trojan/Win32.RL_Cometer

[IOC Info]

D348530A2D16E4D4FF809F01FE4DAF9C
66379AD443C432E68555C9CF5655F56B
AC465E35ED0B83D6E9731E06DB52ADE3
5E4C5509E09AE780C3B3F9CF29259005
F860286242AFC5151D9FF68F0C7B8A56
682DC12E435A91F75703B165C61713AD
1B1BACF2C91E8A48EAF813AE69C5E30C
F676B511BF5F0BDEEBC8E7B8E00C400C
9A73B05682F1160D0B78F43EF29A465F
38F58DD9CEC38F9026527E3F0285354E
321B04FCDD6BA92CEA4435E5DA269036
377e5d1bf1c2f64d7032607641dd938f

103.127.124[.]117
115.144.69[.]116
115.144.69[.]20
139.162.123[.]108
141.164.34[.]38
158.247.207[.]201
158.247.227[.]46
161.129.64[.]124
172.105.18[.]72
172.105.228[.]71
77.83.159[.]15
86.105.18[.]116
89.34.111[.]11

back.rooter[.]tk
hxxp://172.105.228[.]71:80/9Aot
hxxp://172.105.228[.]71:80/ptj
hxxp://34.90.207[.]23/ip
hxxp://cloudflare.linker[.]best/nova_assets/Sys/_Getcode/keywords=ed4520486
hxxp://p.estonine[.]com/p?e
kr3753.co[.]in
lab.symantecsafe[.]org
mm.portomnail[.]com
rawfuns[.]com
www[.]averyspace[.]net
www[.]domesfocus[.]com
www[.]eamoncar[.]com
www[.]komdsecko[.]net
yolkish[.]com

Subscribe to AhnLab's next-generation threat intelligence platform, AhnLab TIP, to check the related IOCs and detailed analysis information.

[Relevant Blog Post]
