Back to BlogProduct Update: Detect Microsoft Exchange Attacker Activity
Here’s a roundup of the latest security detection rules written by our incident detection engineering team, integrated into Blumira’s cloud SIEM platform to identify new potential threats in your environment.
Last week, Microsoft publicly disclosed four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) that were being actively exploited by an advanced persistent threat (APT) actor targeting U.S. organizations in attacks, with reports of at least 30,000 servers hit with the exploit already. U.S. agencies were urged to update their servers by midday last Friday in response (ZDNet). We provided an overview last week with resources on how to install updates and why it’s critical to take action as soon as possible.
According to our Director of Security Mike Behrmann, the initial concern with the Exchange zero-days was that attackers were exploiting vulnerable systems and implanting web shells for persistent network access to victim networks. See below for our latest detection released this week to help our customers detect any indicators of Exchange-related attacks, and what you need to enable for the detection to work in your environment.
Written by Incident Detection Engineer Brian Laskowski:
Detection: Potential IIS Web Shell Activity
According to MITRE, adversaries can backdoor web servers with web shells to establish persistent access to systems – a web shell is a script placed on an openly-accessible web server that allows a threat actor to use the web server as a gateway to a target network. In this detection, Blumira leverages Microsoft’s Sysmon to detect any instances of IIS’s (Internet Information Services) primary web process spawning a child instance of cmd.exe.
How to Get This Detection
You will need to enable Sysmon to configure it to send Windows logs to Blumira’s platform in order to start detecting, alerting and responding to potentially malicious web shell activity related to the recent Exchange exploits. See how to do that in three easy steps – How to Enable Sysmon for Windows Logging and Security.
You can also edit your config file for any IIS web servers in order to stream logs to Blumira for detection. You can leverage Flowmira, a set of customized NXLog configurations created to help simplify Windows machine log collection for all organizations. It includes a number of predefined security-centric event logs, including PowerShell, IIS, Windows Firewall, and classic Windows Event Logs.
How to Remediate
Blumira provides a remediation playbook to help you determine if the finding is malicious and requires triggering immediate incident response procedures. If it is, we recommend containing the threat by taking the affected device offline, suspending related user accounts and monitoring for other suspicious behavior.
MITRE: T1505.003, Tactic: Persistence
Detection: Feodo Threat Feed Hit
The Feodo Tracker from abuse.ch monitors and tracks existing botnet command and control infrastructure like Trickbot, Dridex, and others. Blumira recommends that the first step for investigation is to review this hit with the data in the Feodo Tracker.
Remediation varies based on what is found in next steps – it could include triaging and isolating a device that is likely an initial intrusion point of entry, from a malicious email attachment or file.
This detection works for a variety of Blumira integrations, including IDS/IPS, firewalls, Sysmon and Windows firewall.
MITRE: T1071, Tactic: Command And Control
Written by Lead Incident Detection Engineer Amanda Berlin:
Detection: ARP (Address Resolution Protocol) Poisoning
ARP poisoning/spoofing is a technique by which an attacker sends spoofed Address Resolution Protocol (ARP) messages onto a local area network. By associating the attacker’s MAC address with the IP address of another host, such as the default gateway, it will result in any traffic meant for that IP address to be sent to the attacker instead.
This could allow an attacker to intercept data frames on a network, modify the traffic or stop all traffic. This attack is often used as an opening for other attacks like denial of service, man in the middle or session hijacking attacks.
Blumira recommends putting static ARP entries or spoofing prevention software in place where possible for highly sensitive assets to prevent man-in-the-middle attacks.
MITRE: T1557.002, Tactics: Credential Access, Collection
Detection: Forescout Blocklisted File Operation
Blumira surfaces this finding from Forescout: A user has read or written a blocklisted file or folder. User-defined blocklists include resources whose access should be limited to prevent confidentiality or integrity breaches.
Default blocklisted file extensions indicate files which are not supposed to be accessed or transferred in the network because they may pose a security threat, or they may indicate lateral movement of malware or other malicious content.
The Forescout finding includes additional information on the specific file or folder location, what type of activity was detected, and why it’s important. For next steps, Blumira recommends verifying if this was a planned administrative activity.
This type of finding is important for the OT/IT industrial sector, as anything that falls under this category should be escalated and taken seriously, according to our partners at ThreatGEN, Pascal Ackerman.
Blumira + ThreatGen Roundtable: Cybersecurity Visibility for IT/OT Threats
Join Patrick Garrity, VP operations at Blumira and Pascal Ackerman, Managing Director of Threat Services for Threatgen, for a discussion on cybersecurity visibility across the organization to learn more about how to detect and respond to industrial sector threats.
Watch On-Demand >
Missed last month’s additions to Blumira’s detection and response platform? Check out:
Or sign up for a free trial of Blumira to deploy a cloud SIEM in hours and start protecting your organization against these attacks.