Email Compromised

works2020

Running a PowerEdge Server with Exchange 2016 running as one of the VM's in Hyper-V. The other day my client contacted me and said an email was sent on his behalf and it doesn't appear to be a spoofed email. I checked and someone sent an email on his behalf to the majority of his contacts. This is alarming to say the least.

I noticed a file in Quarantine around the time this happened that was found on the exchange server. File in question C:\ProgramData\ZING\BcByz\mrmrki.aspx. According to Bitdefender, the threat name is Generic.WebShell.X.3CAB5A63. I checked the server endlessly and didn't find anything else that was out of place. Appears to me Bitdefender quarantined a file and prevented further problems. This doesn't explain how the email was sent through.

I ran a scan on my client's desktop and a virus was removed from an email from 2014. Interestingly enough the time it was opened was around the time the suspicious email was sent out from his Outlook. The email also came up on a scan from a person within the company that was included in this attack, someone had sent email on her behalf as well.

Was this attack from the exchange server or client's Outlook? We immediately changed passwords and ran a full scan on the entire network. No other emails were sent since taking these actions.

I'm looking for definite answers to how this happened and look forward to discussing.

Mike_BD

Hello @works2020 ,

Your issue might be related to web shells attacks , which intensified during this spring. An article about it you may find here : https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/

What version of Bitdefener are you using?

cheers,

Mike

works2020

Hi Mike, thanks for the info. We performed the remediation procedures from CVE 2021-26855, CVE 2021-26857, CVE 2021-26858, and CVE 2021-27065. Everything came back clean.

We ran the Microsoft Mitigation Tool, came back clean.

Ran the Microsoft Safety Scanner, came back clean.

Followed the HAFNIUM targeting Exchange Servers with 0-day exploits article. Everything came back clean.

Running Bitdefender Gravity Zone.

works2020

Hi Mike, thanks for the info. Our remediation checklist included following CVE 2021-26855, CVE 2021-26857, CVE 2021-26858, and CVE 2021-27065 and we didn’t find anything. We also followed the recommendations after the “HAFNIUM Targeting Exchange Servers” report out by Microsoft, this too came back clean.

Running Bitdefender Gravity Zone with the Exchange Module. I have to say we were using Malwarebytes and it didn’t pick up anything on the exchange server and missed a lot of threats on workstations. Since this incident, we immediately switched to Bitdefender and are now rolling it out to all our clients.

Additional questions.

My belief is we proved the server had an attempted attack but it’s safe to say Bitdefender stopped it. Do you agree? I know some prefer to completely rebuild the server after anything like this happens worried there may be a sleeper element that could kick in later. I personally don’t believe this is the case and I do feel better now that Bitdefender is scanning for threats.

I’m trying to determine how my client emails were sent from his email address as him to his contacts? This wasn’t a spoofed email situation.

Would you agree that it’s safe to say the server wasn’t compromised? If agreed upon then this points more towards the email client on the workstation? My gut feeling is my client’s password was somehow compromised and if this is the case how emails were sent out to his contacts. If an admin account was compromised or full access to the exchange server, I find it hard to believe the attacker would only send an email on behalf of one user and not compromise the entire exchange server. What are your thoughts regarding this? Passwords were changed immediately after the attack and the exchange server scanned and confirmed clean and the emails stopped going out. Since then, no indication there’s still a threat. 

Mike_BD

Good to hear that Gravityzone proved in real life it is the better product 😊.

I agree with you, all the above lead to the conclusion the attacked was stopped and your server was not compromised. I wouldn't rule out a spoofing, but most likely it is the case of compromised passwords. I am really interested in your finding - if after password change everything is smooth, then you just have to enforce a more safe pass policy.

cheers,

Mike

works2020

Hi Mike, thanks for the info. We performed the remediation procedures from CVE 2021-26855, CVE 2021-26857, CVE 2021-26858, and CVE 2021-27065. Everything came back clean.

We ran the Microsoft Mitigation Tool, came back clean.

Ran the Microsoft Safety Scanner, came back clean.

Followed the HAFNIUM targeting Exchange Servers with 0-day exploits article. Everything came back clean.

works2020

Sorry for the multiple responses, I'm getting used to this forum and didn't realize the posts needed to be cleared prior to showing up.

Agree 100% on your password analysis. We configured 2FA about three months ago and I thought this would take care of password concerns. Now that this happened it's obviously not the case. Not 100% certain, still investigating but it appears there was a file on my client's workstation that went unnoticed, sleeping in a way, and was activated by another piece of code perhaps that was recently downloaded.

Still putting all the pieces together. The server is clean, pointing to the workstation/password, will keep you posted.