Examples of virus mails from a compromised Exchange server

Sicherheit (Pexels, allgemeine Nutzung)[German]I had warned here in the blog several times that unpatched Exchange servers are attacked by thread actors, and that they are abused to send spam after a takeover. A blog reader has now sent me a short info (thanks) because he found a compromised Exchange server that was compromised and sent infected spam mails.

An example of compromised mails

German blog reader Fabian M. works as an administrator and contacted me by mail on December 1, 2021. He had access to emails sent from a compromised Exchange server and wrote me the following.

Attached is an example of emails that were sent through a compromised Exchange. In this case, a craft business.

The emails were replies to original emails.

There were always two links to different pages.

Common was the prefix *) and the same number combination at the end of the links.

However, the websites concerned were different each time.

The blog reader still sent me the above screenshot, which contains the URLs on pages that the recipient of the mails should visit. Fabian wrote that as of 11:30 a.m. (1.12.2021), only Kaspersky has detected the virus, according to Virustotal. Now one is well advised not to simply type the above addresses in the browser to see what happens. I visited Virustotal on Dec. 2, 2021 and typed then the first URL from the above screenshot into the URL tab. As a result, I was shown the following result (see the following image).

Exchange Virus

When tested again, 6 virus scanners detected the link as Malicious. Even with the second URL, the result from Virustotal does not look much more positive (the following image). I did the test at the time of writing this post (on Dec 2, 2021, at 12:41), with 9 out of 93 scanners detecting the link target as malicious.

Exchange Virus

The first URL still returns status code 200 (OK) when queried by the web server, while the second URL returns status code 404 (not found) when queried by the server. At least the second download has been detected and removed from the server – Virustotal seems to be accessing a saved internal analysis.

In this German comment to the article about hacked Exchange servers, reader Blacki reported something similar – without disclosing the URLs.

Exchange servers as a security risk

It's a topic I've picked up several times in blog posts over the days. Cyber criminals try to attack Exchange servers via security holes and implement a WebShell. This WebShell can then be used to compromise mailboxes and then misuse them to send phishing or SPAM mails. Since the messages arrive at the recipients from known senders, they may be less suspicious.

My feeling is that the IKEA case (see Cyber attack on IKEA's mail system, Trojan distributed?) could have gone through this channel, since the attackers presumably did not just abuse one mailbox for their Reply mail chain attack. CERT-Bund had the Internet scanned for Exchange servers whose Outlook Web Access (OWA, sometimes mocked as Open Web Access) interface is accessible via the Web. The following is the result of this scan:

CERT-Bund-Warnung Exchange-Schwachstellen

Round about 30 % (12,000) known Exchange servers in Germany, that can be reached from Internet due to an open OWA are vulnerable to already patched CVEs. The following links referencing to articles in which I have discussed hacks of Exchange servers via the ProxyShell vulnerabilities in recent days and weeks.

German CERT-Bund warns about vulnerable Exchange Server with OWA reachable from Internet
CERT-Federation, USA, GB warns about attacks on Exchange and Fortinet
CERT-Federation, USA, GB warns about attacks on Exchange and Fortinet
ProxyShell, Squirrelwaffle and a new PoC Exploit, patch your Exchange Server!

Some blog readers may wonder why the hell they don't patch in a timely manner. Often these are Exchange installations that were once set up by service providers. These are not really maintained and run unpatched with known vulnerabilities and are accessible via OWA over the Internet.

But there is another, unknown danger, which I briefly mentioned in the German blog post CERT-Bund-Warnung: 30% der deutschen Exchange Server mit offenem OWA angreifbar. Administrators install CUs and Exchange security updates promptly, but the vulnerabilities are still not closed. The Exchange Server reports a fully patched system during a check, even though the vulnerabilities still exist.

The root cause is not quite clear, it is assumed that the installation of the updates did not go through cleanly and the patches remained ineffective. Here I would like to refer to this German comment by reader D, who posted a PowerShell script that can be used to compare the file date stamps on the Exchange server with the defaults from the update package. Maybe it helps.

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *