Intro
This isn’t a rant, far from it, but I’ve been working on this for over a week now and some major questions are springing to mind with regard to how the IOCs and detection details released may have hindered response efforts. These vulnerabilities were known about since at least December 2020, so there were months to get detection intel and scripts/tools ready for people (that’s if you don’t question why it took so long). So I’ve put some of my thoughts down here on some of the challenges with the IoCs initially released and the detection tools etc. I’ll probably update this later but wanted to publish it before it becomes virtual dust!
IOCs and Detection
- Why didn’t the IOCs include the really obvious indicators?
- By not including some of these they may have bought a week of time for people to patch (the IOCs not being shown, however, will have cost a lot of time and effort and also created uncertainty)
- There are things that could have been checked really fast to give a strong indicator of Remote Code Execution!
https://github.com/PwnDefend/Exchange-RCE-Detect-Hafnium
- A MAJOR IOC is the evidence of this in the IIS/Exchange Proxy logs:
- /ecp/VDirMgmt/ResetVirtualDirectory.aspx
- Orgs will really struggle to be able to detect SSRF and data exfiltration going back 6 months (as per CISA guidance)
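The ResetVirtualDirectory.aspx indicator above is one of the checks that can be run quickly against IIS logs. The following is an added example, not code from this post or from the PwnDefend repository: it parses IIS W3C log lines using their `#Fields:` header and flags every request whose `cs-uri-stem` matches that path, case-insensitively. The log lines are constructed sample data, and the field layout assumed is the standard IIS W3C set (date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), sc-status).

```python
"""Flag requests to /ecp/VDirMgmt/ResetVirtualDirectory.aspx in IIS W3C logs."""
import sys
from typing import Dict, Iterable, List

# Indicator path from the post, compared case-insensitively because IIS
# serves the same page regardless of the casing used in the request.
INDICATOR_PATH = "/ecp/VDirMgmt/ResetVirtualDirectory.aspx"

# Constructed sample log (not real data): one benign OWA request, one
# authenticated ECP request, and two unauthenticated hits on the indicator.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:15:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200
2021-03-03 10:15:09 10.0.0.5 POST /ecp/VDirMgmt/ResetVirtualDirectory.aspx - 443 - 203.0.113.7 python-requests/2.25 200
2021-03-03 10:16:22 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\admin 10.0.0.44 Mozilla/5.0 200
2021-03-03 10:17:40 10.0.0.5 POST /ECP/VDIRMGMT/RESETVIRTUALDIRECTORY.ASPX - 443 - 198.51.100.9 curl/7.64 500
"""


def parse_iis_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C log lines into dicts keyed by the names in the #Fields header.

    IIS rewrites the #Fields line whenever the configured columns change, so
    the current header is kept and reused until the next one appears.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives carry no records
        if not fields:
            raise ValueError("data line encountered before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign
        records.append(dict(zip(fields, values)))
    return records


def find_reset_vdir_hits(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the timestamp, client IP, method and status of each indicator hit."""
    hits: List[Dict[str, str]] = []
    for rec in records:
        if rec.get("cs-uri-stem", "").lower() == INDICATOR_PATH.lower():
            hits.append({
                "when": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                "c-ip": rec.get("c-ip", "?"),
                "cs-method": rec.get("cs-method", "?"),
                "cs-username": rec.get("cs-username", "-"),
                "sc-status": rec.get("sc-status", "?"),
            })
    return hits


def scan_log_text(text: str) -> List[Dict[str, str]]:
    """Convenience wrapper: parse a whole log file's contents and return hits."""
    return find_reset_vdir_hits(parse_iis_log(text.splitlines()))


if __name__ == "__main__":
    # With no arguments the constructed sample is scanned; otherwise each
    # argument is treated as a path to an IIS log file (e.g. u_ex210303.log).
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for hit in scan_log_text(fh.read()):
                    print(path, hit)
    else:
        for hit in scan_log_text(SAMPLE_LOG):
            print(hit)
```

Every hit is worth escalating: the page is an ECP management action, and a request to it from an unauthenticated client (`cs-username` of `-`) with a 200 status is exactly the pattern the post calls a strong indicator. A 500 still shows the attempt and the source IP, so the example reports those too rather than filtering on status.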
Tools
- The scripts and tooling were great but also most people are struggling with the output.
- We’ve had to build community tools to bolster vendor tools.
Impact
- The RCE impact is critical and lateral movement to Active Directory etc. is a major issue.
- The ability for an unauthenticated actor to read email data is a major issue for both corporate business requirements as well as personal data privacy (e.g., GDPR)
- RCE and backdoors may lead to crypto mining and ransomware (Thanks Scraps!)
- Extortion from data theft
Response Process
The response process is basically:
- Validate version
- Patch
- Run Script
- Call IR team (basically regardless, unless 0 things are flagged, because without more detailed guidance even the sec community didn’t have the right level of knowledge to interpret everything)
Proof of Concepts & Kill Chain Explanation
https://www.praetorian.com/blog/reproducing-proxylogon-exploit/