Feeding Frenzy as criminal groups stake their claim on Outlook Web Access servers

This weekend, a few days after March 2, when Microsoft released fixes for the ProxyLogon vulnerability, Netcraft found more than 99,000 unpatched Outlook Web Access servers accessible from the Internet, several thousand of which showed clear indications of having one or more web shells installed.

Outlook Web Access (OWA) provides remote access to local Microsoft Exchange mailboxes. A treasure trove of corporate email is a tempting target in itself, and it can also serve as a starting point for deeper network access. Vulnerable versions allow unrestricted remote access to the mail server. The attacks were originally attributed to the Hafnium group, but the variety of web shells and file naming conventions found by Netcraft suggests that the shells belong to several groups that have been encouraged to act since Microsoft's announcement because of the size of the opportunity.

Vulnerable OWA installations as of March 6, 2021, based on passive observation of version numbers. Source: Netcraft survey.

Netcraft has determined that at least 10% of all OWA installations visited are now infected with web shell backdoors that do not use random file names and can therefore be plausibly guessed by anyone. These implants allow continued administrative access to the server long after the underlying vulnerability has been resolved.


One of the backdoor scripts, disguised as a harmless variable dump in a file called supp0rt.aspx. The active component of the backdoor is “hidden” in the middle of the file.

All of the backdoors are clearly visible in the web server’s file system, but are disguised as harmless scripts or information dumps to avoid detection. There are several flavors of the backdoor script, but they all have one thing in common: they pass the hacker’s commands to the JScript Eval command, so that arbitrary code can be executed directly on the web server.

Most backdoor scripts accept the criminals’ arbitrary commands through a specially named GET or POST parameter, while others require the commands to be Base64 encoded first, and some only accept them through a POST parameter.


Some variants of the backdoor script will generate a runtime error if the name of the secret variable is not supplied in the request. This makes it possible to independently detect their presence.

Netcraft has also seen several variants of these backdoor scripts uploaded to individual websites, likely to avoid losing unauthorized access to the compromised web server. If not all of the backdoor scripts are found and removed, the hackers can still create more.


The web shell when viewed in a browser. There is no obvious indication of its malicious functionality.

While some of the backdoor variants look very different, they all work in a similar way and require the user to know a secret variable name before commands can be run on the server. The variable name effectively acts as a password and is the only security mechanism to ensure that the backdoor can only be used by the person or people responsible for uploading it.

However, some of the shells use easy-to-guess variable names like “o” and “orange”, which makes it plausible for other hackers to use them if they can find the scripts and guess the correct variable names. This creates an even more dangerous situation in which other scammers could then upload their own web shells to gain a foothold on the server. Such a situation could escalate quickly … new battlefields could break out, with rival scammers trying to delete each other’s web shells and upload more of their own to secure access and decide how best to monetize their exploits, all long after the initial OWA vulnerabilities were resolved.

Because some web shells are virtually impossible to detect remotely, either because they use random file names or because they are hidden inside existing files, the full extent of the OWA attacks is unknown. Hosting providers, system administrators and webmasters should ensure that their servers are protected against security holes that could allow attackers to upload shells onto their systems. They should also be on the lookout for unexpected changes to their web applications, where shell scripts can easily be camouflaged among harmless files.
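Since remote detection misses shells with random names, a check of the files on disk is the complementary step. The following is an added example, not Netcraft's tooling or signatures: a heuristic scanner that flags ASP.NET scripts in which eval is applied to a request parameter, the behaviour described above. The regular expressions, the extension list and the sample text are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristics (assumed for this example): an eval( call on the same line as a
# named request parameter, optionally wrapped in a Base64 decode.
EVAL_CALL = re.compile(r"\beval\s*\(", re.IGNORECASE)
REQUEST_INPUT = re.compile(
    r"Request\s*(?:\.\s*(?:Item|Form|QueryString|Params)\s*)?"
    r"\[\s*[\"']([^\"']+)[\"']\s*\]", re.IGNORECASE)
BASE64_DECODE = re.compile(r"FromBase64String", re.IGNORECASE)
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx"}

def inspect_source(text):
    """Return one finding per line where eval() consumes request input."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Requiring both patterns keeps ordinary data-binding Eval("Field")
        # calls and plain Request[...] reads from being reported.
        param = REQUEST_INPUT.search(line)
        if EVAL_CALL.search(line) and param:
            findings.append({
                "line": lineno,
                "parameter": param.group(1),  # acts as the shell's password
                "base64": bool(BASE64_DECODE.search(line)),
            })
    return findings

def scan_web_root(root):
    """Walk a web root and map each suspicious script path to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            hits = inspect_source(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: a harmless-looking variable dump with the active line
# buried in the middle, as in the supp0rt.aspx description above.
SAMPLE = "\n".join([
    "ServerName : EXAMPLE-HOST (constructed)",
    "Version    : 0.0 (constructed)",
    '<script language="JScript" runat="server">'
    'function Page_Load(){eval(Request["orange"]);}</script>',
    "LogPath    : (constructed)",
])

if __name__ == "__main__":
    print(inspect_source(SAMPLE))
```

A shell that splits the eval call and the parameter read across lines will not match, so an empty report does not prove a server is clean; comparing the web root against a known-good file listing covers that gap.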

Hosting providers can get an alert service from Netcraft that notifies them when phishing, malware, or web shells are detected in their infrastructure.
