Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2

Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2

September 26, 2021 | Jie Ji

Event Overview

Recently, NSFOCUS CERT discovered a slew of security incidents that exploited security vulnerabilities (ProxyShell) in Microsoft Exchange. Also, NSFOCUS found that the new LockFile ransomware group LockFile took advantage of these ProxyShell and PetitPotam vulnerabilities to target enterprise domain environments, finally encrypting quite a few hosts from enterprises for ransom.

In April, a security researcher reported multiple Exchange Server vulnerabilities to Microsoft, three of which were fixed in Microsoft’s April and May security updates and two were disclosed until the release of July security updates. Vulnerability details are as follows:

Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473): This vulnerability arises due to the lack of proper validation of access privileges for URIs. An unauthenticated attacker could leverage this issue to access restricted internal APIs via a known API.

Official security bulletin:

Microsoft Exchange Privilege Escalation Vulnerability (CVE-2021-34523): As Microsoft Exchange Server does not properly validate an access token before executing the Exchange PowerShell command, an attacker could execute arbitrary code in the restricted environment via a crafted identity.

Official security bulletin:

Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207): Certain Microsoft Exchange PowerShell command APIs do not restrict the file path and suffix when writing files, allowing attackers to write arbitrary files.

Official security bulletin:

Windows LSA Spoofing Vulnerability (CVE-2021-36942): An attacker could exploit EFSRPC (Encrypting File System Remote Protocol) to launch an NTLM relay attack dubbed PetitPotam, to escalate their system privileges.

Official security bulletin:

Currently, exploits of the preceding vulnerabilities have been made publicly available and weaponized. Attackers could exploit a combination of these vulnerabilities to cause remote code execution on an affected Exchange server to gain the highest system privileges of the target host. Recently, attack activities rage on, and affected users should take precautions as soon as possible.


April, 2021: A security researcher reported multiple Microsoft Exchange Server vulnerabilities to Microsoft.

April–May, 2021: Microsoft released security updates to fix ProxyShell vulnerabilities.

July 14, 2021: Microsoft’s July security updates feature security bulletins for CVE-2021-34473 and CVE-2021-31207 vulnerabilities.

July 19, 2021: A French researcher found a vulnerability (PetitPotam) that could lead to a relay attack through the exploitation of EFSRPC in Windows systems and released PoC code.

July 24, 2021: Microsoft released the security bulletin ADV210003 to warn of an NTLM relay attack (no patch available) due to the lack of the Active Directory Certificate Service (AD CS).

August 6, 2021: A Taiwan security researcher announced Exchange vulnerability details at BlackHat USA 2021 and dubbed the vulnerabilities ProxyShell.

August 11, 2021: Microsoft’s August security updates feature patches to fix the NTLM relay attack vulnerability (PetitPotam) assigned CVE-2021-36942.

August 20, 2021: The exploit of ProxyShell vulnerabilities was made publicly available on multiple platforms like GitHub and Reddit. Also, the exploit of these vulnerabilities was also updated in the well-known Metasploit framework.

August 23, 2021: Hacking groups behind viruses, like the ransomware LockFile, exploited ProxyShell and PetitPotam vulnerabilities to launch attacks in the wild at frequent intervals. August 25, 2021: Microsoft’s Exchange team posted a security warning on the blog to urge users to apply related patches to fix vulnerabilities as soon as possible.

Analysis of the Kill Chain of the LockFile Ransomware Group

WebShell Planted in ProxyShell

Microsoft Exchange Server’s improper path verification, coupled with path obfuscation, could lead to SSRF. In this way, attackers could access PowerShell endpoints and pack malicious email information into external files through a remote PowerShell session. By writing such information to files, attackers could cause getshell. By default, WebShell is written to C:\inetpub\wwwroot\aspnet_client\.

First, Microsoft Exchange Server lacks proper verification of a PowerShell endpoint’s /Autodiscover/Autodiscover.json path requested by the Autodiscover backend. By triggering the URL request formatting of the ExplicitLogon function, an attacker could exploit this issue to directly access arbitrary restricted backend APIs via a combination of a crafted URL and cookies. The CVE-2021-34473 vulnerability is exploited during the process. The vulnerable core code is as follows:

Finally, the following malicious request is crafted:

Via a malicious URL, the attacker could obtain LDAP DN information of an account with desired privileges and then locate the system storage of the victim account.

After obtaining the storage position of the victim account, the attacker further exploits this SSRF vulnerability to invoke the EMSMDB email transmission interface of Exchange MAPI. As Exchange’s web application runs with SYSTEM privileges, MAPI is invoked with SYSTEM privileges, instead of privileges of the victim account. In this case, an error is reported to indicate that the attacker uses different privileges before and after MAPI invocation. Besides, the victim account SID is disclosed in this error message.

A malicious request is as follows:

Error information is as follows:

The attacker could use both the SID of the victim account and the fixed SID of a privilege group on Windows to craft a session token for Windows authentication. This token is supposed to be crafted by the frontend reverse proxy server and transmitted to the backend via an HTTP request header. Due to improper verification, if the HTTP header for sending the token does not exist, the attacker could try to parse the URL parameter and manipulate the URL during SSRF to obtain the Exchange Remote PowerShell Management Session privilege on the Exchange server. The vulnerability exploited in the process is CVE-2021-34523. The core vulnerable code is as follows:

After the Exchange Remote PowerShell Management Session privilege is obtained, commands other than Exchange PowerShell Cmdlet cannot be executed because this session belongs to a restricted PowerShell environment. The FilePath parameter, which specifies the path to save the file exported via the New-MailboxExportRequest command (for export backup of the individual mailbox), has no restriction on the file path, file name, and file extension name. This allows attackers to write arbitrary files. During the process, the vulnerability CVE-2021-31207 is used. The used shell command is as follows:

By exploiting the preceding SSRF vulnerability, the attacker invokes the corresponding Exchange API endpoint to store the encrypted WebShell file that contains malicious code in the Drafts folder in the victim’s mailbox or send the file to the victim’s mailbox. This ensures that WebShell information can be restored during secondary encryption of the WebShell file that is exported from the victim’s mailbox for backup. In this way, the attacker can write WebShell. WebShell information is encrypted with permutative encoding that Microsoft uses to encrypt PST files, to make sure that characters can be encrypted and decrypted after being parsed by a replacement algorithm.

Most of the captured samples are the following encrypted one-line backdoor:

Cobalt Strike Planted Through DLL Hijacking

The attacker executes the wget command in PowerShell to download attack toolkits for subsequent use and frequently changes server ports and uses random file names (like http://x.x.x.x:45261/5rFxNBwH6ol0Q9z1sAaIZ) to prevent samples from being captured by researchers. Currently, server IP addresses known to be used by attackers include,,, and The attacker first uses EfsPotato.exe in the toolkit for local privilege escalation, and then runs the Cobalt Strike loader active_desktop_launcher.exe with highest system privileges. The privilege escalation tool EfsPotato exploits the CVE-2021-36942 vulnerability which is also known as PetitPotam. The attacker leverages EFSRPC to launch NTLM relay attacks to escalate local privileges or privileges in the AD domain.

active_desktop_launcher is the legitimate KuGou launcher which provides valid digital signatures to load active_desktop_render.dll for malicious code execution.

The launcher invokes two functions, SetDesktopMonitorHook and ClearDesktopMonitorHook, both of which reside in active_desktop_render.dll. SetDesktopMonitorHook performs the following steps:

1. Try to open desktop.ini in the current directory. If this file does not exist, exit the program.

2. Create a new thread, open desktop.ini in this thread, and map the file to the memory.

3. Read file contents through memory mapping, perform XOR decryption on file contents, and execute them as shellcode.

ClearDesktopMonitorHook reads files for string comparison and exits the process, without providing other actual functions. The C&C address of the Cobalt Strike trojan in the captured sample is

Group Policy in the AD Domain for Bulk Script Dispatch

The attacker copies the ransomware-related tool to the NETLOGON shared directory on the domain controller. The absolute path of the directory is C:\Windows\Sysvol\Sysvol\[DomainName]\Scripts so that hosts in the domain can access related tools via the UNC path \\server\netlogon. Create a group policy object (GPO) for script execution in the Group Policy Management window on the domain controller, and then link it and dispatch it to hosts in the domain.

Analyzing the captured script file autologin.bat, we find that the attacker first copies the ransomware file autoupdate.exe in the NETLOGON shared directory and KDU kernel program tools (including autologin.exe, autologin.dll, and autologin.sys) to the local directory C:\Windows\Temp. Then, the attacker uses the KDU tool to obtain system kernel privileges to terminate the antivirus process before finally executing the ransomware file.

To be continued.