Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities

Threat Advisories

Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here

APT35 aka Magic Hound, an Iranian-backed threat group, has begun using Microsoft Exchange ProxyShell vulnerabilities as an initial attack vector and to execute code through multiple web shells. The group has primarily targeted organizations in the energy, government, and technology sectors based in the United States, the United Kingdom, Saudi Arabia, and the United Arab Emirates, among other countries.

The threat actor exploits the Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to gain initial access to create web shells and disable antivirus services on the victim’s system.  To gain persistence in the environment, the threat actor employs both account creation and scheduled tasks. For future re-entry, the account is added to the “remote desktop users” and “local administrator’s users” groups. The threat actors use PowerShell to issue multiple commands to disable Windows Defender. Then they create a process memory dump from LSASS.exe that is zipped before exfiltration via web shell.  The threat actor uses native Windows programs like “net” and “ipconfig” to enumerate the compromised server. A file masquerading as dllhost.exe is used to access certain domains for command and control. Therefore, data can be exfiltrated by the threat actor which could potentially resulting in information theft and espionage.

The Microsoft Exchange ProxyShell vulnerabilities have been fixed in the latest updates from Microsoft. Organizations can patch these vulnerabilities using the patch links given below.

The MITRE TTPs commonly used by APT35 are:

TA0001: Initial Access
TA0002: Execution
TA0003: Persistence
TA0004: Privilege Escalation
TA0005: Defense Evasion
TA0006: Credential Access
TA0007: Discovery
TA0011: Command and Control
T1190: Exploit Public-Facing Application
T1003: OS Credential Dumping
T1098: Account Manipulation
T1078: Valid Accounts
T1105: Ingress Tool Transfer
T1036: Masquerading
T1036.005: Masquerading: Match Legitimate Name or Location
T1543: Create or Modify System Process
T1543.003: Create or Modify System Process: Windows Service
T1505: Server Software Component
T1505.003: Server Software Component: Web Shell
T1082: System Information Discovery
T1016: System Network Configuration Discovery
T1033: System Owner/User Discovery
T1059: Command and Scripting Interpreter
T1059.003: Command and Scripting Interpreter: Windows Command Shell

Actor Details

Magic-Hound-Exploiting-Old-Microsoft-Exchange

Vulnerability Details

Magic-Hound-Exploiting-Old-Microsoft-Exchange

Indicators of Compromise (IoCs)

Magic-Hound-Exploiting-Old-Microsoft-Exchange

Patches

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523

References

https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/