Zero z server attack download full version download

This week, Microsoft reported a rare cybersecurity event: an ongoing mass exploitation of Microsoft Exchange servers by an alleged state-sponsored adversary, driven through a variety of zero-day exploits. This kind of attack - a previously unknown threat from a highly sophisticated adversary - presents one of the most challenging situations a security team will encounter. Just another routine day for the CrowdStrike Falcon Complete™ team.

In this blog, we describe how the Falcon Complete team acted as an extension of our customers’ security teams to quickly detect and disrupt this sophisticated attack, which is still ongoing at the time of this blog publication. Joining the Falcon Complete team is the CrowdStrike Falcon OverWatch™ team of proactive threat hunters, who are imperative in providing early visibility into this new emerging threat, along with the CrowdStrike Intelligence team. Together, our threat experts were able to seamlessly detect, understand and react to this novel threat within minutes, ultimately stopping breaches. Along the way, we’ll explore the critical role of collaboration among and within security teams.

On the 28th, the Falcon OverWatch team of threat hunters saw the first signs of a novel intrusion. The Falcon Complete team immediately began a deep investigation into the nature of the threat. They observed instances of an unknown attacker gaining unauthorized access to on-premises Microsoft Exchange application pools running on several hosts across multiple customer environments, and immediately commenced notifying affected organizations. The Falcon Complete team provided a fast and effective response to the activity by quickly understanding the novel threat and potential (now confirmed) zero-day, identifying and isolating impacted systems, removing the associated webshells, and keeping impacted customers informed every step of the way. In the remainder of this report, you’ll get unique insight into the processes and operations of a world-class security operations team dealing with a confounding threat.

This campaign is scanning and automatically exploiting multiple zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) to drop an ASPX-based webshell onto vulnerable Microsoft Exchange servers. In nearly all instances, the webshell dropped was observed to be a China Chopper-like webshell. This is seen to impact multiple Exchange versions including 2013, 20. Where the webshell is dropped successfully, it is then being used in post-exploitation activity.