Who are you sharing your mailbox with?
This blog follows on from part 1 of our previous blog, and is aimed at providing some of the more high-level, technical details about the real attack suffered by an anonymised company in the US.
The full CISA Alert can be found here:
The first thing worth noting about this method is the sheer duration of access. In this scenario, the bad actors had access to the organisation’s network and data. The entire breach lasted over 12 months, with the bad actors returning time and time again to the organisations network. They gradually installed more software to monitor and trap users, compromise devices and steal data. You will see this referred to as a APT or Advanced Persistent Threat.
What the alert report makes very clear, is that the bad actors are becoming increasingly known for conducting their activities “in the clear”. This involves appearing as legitimate users and using devices of software routines that run on an organisation’s systems.
The increased use of shared mailboxes has provided a perfect entry point for cyber criminals. These automatically generated mailboxes are usually unmonitored as other mailboxes are linked to the shared mailbox. However, a shared mailbox possesses the same attributes as a normal user, it has a mail account, an (Active Directory) AD profile, and thus can be manipulated.
Who logs on to this mailbox to check that things look OK? For example, the rules option has not been modified to include an RSS feed directly to a hacker’s IP address such as those successful in ransomware attacks detailed in our RSS hacking blog.
Bad actors are using the shared mailbox for more sophisticated spoofing attacks. Once they gain access to an organisation’s email system, the mail they send will have a legitimate domain name on them, defeating any anti-spam ware looking for the spoof attack from a different domain to the one shown in the email.
Because the shared mailboxes are not usually accessed the bad actors have all the time in the world to keep digging not your network, as shown in the CISA alert.
Perhaps the most vital piece of information coming from the alert, is the level of sophistication of these attacks. These don’t just take place on devices, but also Multi-functional Devices (MFD)’s.
Not only do these have the credentials of a standard user, but they also have the ability to have privileged access to parts of a network that normal users are not granted.
The MFD needs connection to anywhere that it might send or receive print or scan information from. It also usually has the usernames and passwords (for the MFD) for users intending to operate it, as well as that user’s email address.
In addition, if an organisation has already implemented an advanced security posture, the device may also have been granted a profile by AD with some conditional access rules attached. This would give the device access to sensitive users and network connections.
The alert makes it clear that patching MFD’s and regularly verifying that the software loaded on the MFD is genuine software from the vendor.
High level method of attack as described by the CISA:
“From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defence Industrial Base (DIB) Sector organization’s enterprise network. During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.”
“This joint Cybersecurity Advisory (CSA) provides APT actors tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified during the incident response activities by CISA and a third-party incident response organization. The CSA includes detection and mitigation actions to help organizations detect and prevent related APT activity. CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) recommend DIB sector and other critical infrastructure organizations implement the mitigations in this CSA to ensure they are managing and reducing the impact of cyber threats to their networks”.
Many attacks are coming from this outlook hack method but also being used as the access to information about your network, user directories, groups, email security in place etc.
All the security measures you have in place to repel attacks from outside your network are now being executed from inside your boarders and from a valid user with valid Active Directory credentials.
Another emerging target is the MFD Multi-Functional Device within your network as this also shares many of the same network domain credential attributes as the outlook shared mailbox.
What this means…
Bad APT actors gained initial access to the organisation’s Microsoft Exchange Server January 2021. Although the initial access to the system remains unknown, the report concludes that after the initial entry, most likely via a compromised user credential (week password, no MFA turned on etc) the APT actors moved within the exchange mailbox environment. It was here where they discovered further weak accounts including Admin accounts to devices which were then used to search deeper into the organisation user base and network. In this scenario, the bad actors were looking for “privileged” accounts – those accounts where access to the sensitive or important information had been granted. (for example shared mailbox and MFD credentials).
Using one of the compromised admin accounts the APT actors modified an important Application Programming Interface (API) in order to prepare the ground for further infiltration of the users network. Confident that they had accessed the organisation undetected the APT actors ceased their activity and only returned in February to use the same compromised admin credential returned to the network via a virtual private network (VPN). They also introduced Windows Command Shell which was designed to interact with organisations network to map the network and begin the exfiltration of sensitive information away from the organisation using the command-line tool, WinRAR.
The APT actors even stored the stolen data on the organisations own exchange system by splitting the files into 3MB chunks located on the Microsoft Exchange server within the CU2hedebug directory.
The CISA alert has more detail on the Command Shell in the appendix section
In additional the APT actors downloaded a Python toolkit for programmatically constructing and manipulating network protocols called Impacket, which can be used to move laterally within a network topology to gain access to adjacent or connected systems. This is a particular vulnerability in a Virtual Machine cluster where VM’s are legitimately attached for operational reasons. It is therefore vital that as part of any security posture, VM’s are regularly patched and inspected for unknown programs running.
A further worrying aspect of this alert is that legitimate Microsoft patches were compromised and a significant number of China Chopper webshells we installed on the exchange server. These patches were noted in the alert and are:
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
At a later date the HyperBro webshell was installed on the Exchange Server and other systems.
More information on the HyperBro and webshell samples are available through CISA MAR-10365227-2 and -3.
By April 2021 the APT actor were using a custom exfiltration tool, CovalentStealer, to steal sensitive files not already taken and maintained access through mid-January 2022, likely by relying on legitimate credentials.
How Impacket was used as defined by the CISA:
The Impacket tools wmiexec.py and smbexec.py used Windows Management Instrumentation (WMI) and Server Message Block (SMB) protocol to creating a semi-interactive shell with the target device. Through the Command Shell, an Impacket user with credentials can run commands on the remote device using the Windows management protocols required to support an enterprise network.
A key finding in the CISA alert is:
“The APT cyber actors used existing, compromised credentials with Impacket to access a higher privileged service account used by the organization's multifunctional devices. The threat actors first used the service account to remotely access the organization’s Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses; shortly afterwards, the actors assigned the Application Impersonation role to the service account by running the following PowerShell command for managing Exchange:
powershell add-pssnapin *exchange*;New-ManagementRoleAssignment – name:"Journaling-Logs" -Role:ApplicationImpersonation -User:
This command gave the service account the ability to access other users’ mailboxes.
The APT cyber actors used virtual private network (VPN) and virtual private server (VPS) providers, M247 and SurfShark, as part of their techniques to remotely access the Microsoft Exchange server. Use of these hosting providers, which serves to conceal interaction with victim networks, are common among this group. According to CISA’s analysis of the victim’s Microsoft Exchange server Internet Information Services (IIS) logs, the actors used the account of a former employee to access the EWS. EWS enables access to mailbox items such as email messages, meetings, and contacts. The source IP address for these connections is mostly from the VPS hosting provider, M247.
Use of Custom Exfiltration Tool: CovalentStealer
The threat actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate sensitive files.
CovalentStealer is designed to identify file shares on a system, categorize the files, and upload the files to a remote server. CovalentStealer includes two configurations that specifically target the victim's documents using predetermined files paths and user credentials. CovalentStealer stores the collected files on a Microsoft OneDrive cloud folder, includes a configuration file to specify the types of files to collect at specified times and uses a 256-bit AES key for encryption. See CISA MAR-10365227-1 for additional technical details, including IOCs and detection signatures.
MITRE ATT&CK Tactics and Techniques
A MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. CISA uses the ATT&CK Framework as a foundation for the development of specific threat models and methodologies. Table 1 lists the ATT&CK techniques employed by the APT actors.
This example covers a very sophisticated and continued attack on an organisation in the US, but the means by which the attack was enacted, is prevalent in every organisation that uses Microsoft Exchange and Microsoft 365.
The responsibility to keep these systems secure is that of the organisation, not Microsoft, which is why Microsoft have been progressively been rolling out security tools and products that provide higher and higher levels of security, threat management and intelligence and countermeasures to help keep systems safe.
These systems can be understood more fully in a series of free guides that Vissensa have written and which give detail on the elements of security that every organisation needs to implement to stay secure in the digital world we all transact in.
Want to know more?
The full document from the CISA alert that I used as part of this blog can be accessed here:
What to do if this blog has highlighted gaps in your cyber knowledge
Do not panic. Most of the remedial action you can take is already contained within Microsoft licences (and other options) so the costs for doing so will remain relatively low.
- Ensure you have enabled multifactor authentication on your devices. This alone can vastly reduce the threat of someone gaining unlawful access to your systems.
- It is also worth taking the time to ensure you understand how Active Directory operates. Being armed with this knowledge will ensure you are much better informed as to the risks currently active within your environment. Our Security guides include guides on what Active Directory (Azure AD) is and does and are available here:
In Active Directory Microsoft defined four “types” of users, if you can understand these simple terms then you can state to know where to look for problems:
Azure AD identity types are: users, service principles, managed identities and devices.
User – a representation of something that is managed by Azure AD. Employees and guests user accounts are represented as users in Azure AD.
Service Principal: – a security identity used by applications or services to accept specific Azure resources. You can think of it as an identity for an application.
Managed identity: – typically used to manage logon credential management for authenticating cloud applications with an Azure service, Two types: system assigned and user assigned.
Device: a piece of hardware, such as a mobile device, laptops, servers or printer. Device identities can be set up in different ways in Azure AD, to determine properties such as who owns the device.
- Checking that outlook shared mailboxes have strong password and credential management is key. it is also worth ensuring that this information cannot be changed without admin approval.
- Another potential option would be to remove shared mailboxes from your Microsoft exchange or 365 environments in favour of a secure group mailbox. One which does not possess the same login capabilities as the Outlook shared mailbox account. i.e. change info@ HR@, sales@ etc mailboxes.
- Check the password and credential management of any MFD (Multi Functional Device) i.e printer, scanner, copier and ensure these possess strong credential management within the device accounts. Also ensure that any remote access to the systems tools on these devices is disabled. Check for the patches applied and ensure these are all vendor specific. Where possible restrict the connectivity of these MFD’s to just the parts of the network required.
If you would like more information, advice or a chat with no obligations, then please give the Vissensa security team a call.