Don't Forget to Share this Post

Microsoft’s Big Email Hack – A Month Later

By Kamyar Kojouri | Tuesday, April 6th, 2021

It has been a little over one month since Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

According to KrebsonSecrity, at least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations.

In each incident, the hackers have planted “China Chopper” web shell, an easy-to-use, password-protected hacking tool that can be accessed over the Internet using a client application with a slick graphical user interface (GUI) which facilities running arbitrary commands and transferring files to/from the victims’ machines. 

We followed the security incident response guidelines proposed by the National Institute of Standards and Technology (NIST) to perform the following.

Preparation

Upon disclosure of the zero-day attack by Microsoft, the issue was raised to Eze Castle’s Computer Security Incident Response Team (CSIRT). A task force comprising of CSIRT members, senior SOC analysts, and cloud engineers was put together to tackle this issue. The task force peformed the following actions:

  • Set up a call to review all documentation and blog articles posted by Microsoft and threat parties to better understand the tools, techniques, and procedures (TTPs) and determine the extent and severity of the attack.

  • Compiled a checklist comprising of all known Indications of Compromise (IOCs) provided by Microsoft, Elastic, Volexity, Rapid7, and other threat intelligence feed, along with action items for the next phases.

  • Sent out a preliminary message to our clients informing them that we are aware of the incident and will be investigating the issue further.

Detection and Analysis

Our SOC team was tasked with conducting detection, analysis, and threat hunting activity across Eze Castle’s corporate infrastructure, as well as all customers environments. The SOC team used Eze Managed SIEM, our custom SIEM solution that uses technologies from Elastic (Beats, Logstash, Elasticsearch, Kibana), to analyze logs and process information collected from not only the Exchange servers, but also front-end IIS servers, firewalls, and endpoint protection solutions. Thanks to the long retention period of log and process information, the SOC team was able to go all the way back to January when the exploit was first detected and reported to Microsoft by Volexity.

  • Suspicious descendants of Internet Information Services (IIS) servers front-ending Exchange OWA, EWS, and ECP

  • Suspicious URLs, URIs, and user agents connecting to the Internet Information Services (IIS) front-ending Exchange OWA, EWS, and ECP

  • Creation of any new files in IIS directories, including but not limited to potential webshell payload files

  • Suspicious command line activity reported by victims

  • Creation of large, compressed files and any other signs of data exfiltration attempts

  • Execution of any known bad process based on file hash and other IOCs

  • Creation of any new users on the Exchange servers or in Active Directory since the beginning of the attack
     

Containment, Eradication, and Recovery

While the SOC was conducting their investigation, the rest of Eze Castle’s CSIRT and engineering teams began to implement the following controls to contain the threat and prevent future attacks.

  • Patched all 70+ Exchange servers in our UAT and production environments with the applicable updates

  • Blocked ingress and egress traffic to/from the bad IP addresses on layer 3 (routing) and layer 4 (firewall) levels

  • Verified that the known bad hashes will be blocked by our Endpoint Protection tool

  • Conducted a manual review of the contents of the IIS directories across all Exchange servers looking for suspicious files

  • Ran scripts provided by Microsoft to identify tell-tale signs of the compromise

Post-Incident Activity

CSIRT sent follow-up communication to our clients outlining the actions taken, and advising on next steps. CSIRT also continued to work with the SOC team to create new alert definitions in our SIEM using a combination Elastic KQL and Lucene queries and tools such as Kibana Detection Signals and Elasticsearch Watchers. In addition, the IOCs were permanently added to MISP, an open-source threat intelligence platform that we have integrated with Logstash and Elasticsearch in order to alert on any activity related to the known bad source IP addresses, domain names, or file hashes.

When this kind of threat comes to light, it really shows the importance of a defense in depth approach utilizing SIEM and advanced endpoint protection. SIEM provides a leg up by analyzing patterns and trends, enabling corporations to know if they are susceptible to current or future security risks. As we've said before, the question isn't if a breach will occur, but when. SIEM helps companies respond quickly to protect themselves when something like this does happen.

What is SIEM?

SIEM provides real-time analysis of security alerts generated by applications and network hardware. Here are some key reasons on why you need to deploy SIEM:

  • Regulatory standards (GDPR, NYDFS, OCIE, etc.)

  • Cybersecurity guidelines (such as ISO27001, NIST, CIS)

  • Log management and retention

  • Continuous monitoring and incident response

Machine learning technology is used to apply correlation algorithms that systematically transform raw data into useful information. SIEM efficiently provides statistical analysis of data to identify anomalies, patterns, and trends which might indicate a current or future security risk. Log file and alert data is rapidly ingested, parsed, normalized, indexed and enriched using relevant third-party data.

Ready to deploy SIEM for your firm? Get more information on SIEM at eci.com/siem or contact us to learn more!
SIEM

Don't Forget to Share this Post

Related Posts

How Can Eze Castle Integration help you?Contact us today!

Contact Us