Black Kingdom is targeting Exchange servers that remain unpatched against the ProxyLogon vulnerabilities disclosed by Microsoft earlier this month. It strikes the on-premises versions of Microsoft Exchange Server, abusing the remote code execution (RCE) vulnerability also known as ProxyLogon (CVE-2021-27065).
Black Kingdom runs a script on all vulnerable Exchange servers via the ProxyLogon vulnerability.
The executable seems to be built with py2exe, and if it runs successfully users see something like this:
The bitcoin address included in the script has a couple of transactions at the time of writing (11:30 UTC, March 25th).
The encryption process includes three main stages:
In the first samples found, it seems that there is a list of locations that will not be affected by file encryption. The directories are all related to the operating system in order not to affect its operation.
The attack was orchestrated from the remote server 126.96.36.199 and operated from 188.8.131.52. The threat actor exploited the on-premises versions of Microsoft Exchange Server, abusing the remote code execution (RCE) vulnerability also known as ProxyLogon (CVE-2021-27065).
These two IP addresses are part of the Tor anonymity network. If we gather all the information related to these two Tor nodes, we can show that their network usage has increased in the last few days. Also, both servers have an uptime of only about five days.
The Devo Security Operations alert dataset includes an alert that can be used here because it detects anonymous connections in firewall logs.
Given the type of threat we are trying to detect, we can add a new alert to monitor all connections to our web servers from anonymous servers.
Both alerts could be improved for this threat by adding some filtering:
Once the server compromise has occurred, the attacker installs a webshell. This webshell offers remote access to the server and allows the execution of arbitrary commands.
The process in charge of webshell creation is named “w3wp.exe.”
One of the actions that is triggered is an attempt to stop all services that include the word “sql” in their name. This is presumably done so that the files of the existing databases, which would otherwise be locked by the running service, can be encrypted.
Devo released a new alert to detect a command execution that appears to be in charge of creating the webshell file. This alert could be correlated with others to detect the complete or partial behavior of the ransomware.
Devo released a new alert to detect attempts to stop services that are related by name with SQL services. This alert could be correlated with others to detect the complete or partial behavior of the ransomware.
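The three detections described above (anonymous connections to web servers, the IIS worker process spawning a shell that writes under the web root, and stop commands against services with “sql” in their name) as a runnable example over constructed sample events. This is added illustration code, not Devo's alert logic; the event fields, the Tor node list and the web-server inventory are all assumptions, using documentation IP addresses rather than real indicators.

```python
import re

# Constructed sample events (not from the page). Process events mimic
# Sysmon/EDR process-creation fields; firewall records mimic a generic allow log.
PROCESS_EVENTS = [
    {"host": "exch01", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c echo SAMPLE > C:\inetpub\wwwroot\aspnet_client\client.aspx"},
    {"host": "exch01", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c net stop MSSQLSERVER /y"},
    {"host": "exch01", "parent": "cmd.exe", "image": "sc.exe",
     "cmdline": "sc stop SQLWriter"},
    {"host": "fs01", "parent": "services.exe", "image": "net.exe",
     "cmdline": "net stop Spooler"},  # benign: not an SQL service
]
FIREWALL_EVENTS = [
    {"src": "203.0.113.7", "dst": "10.0.0.25", "dport": 443, "action": "allow"},
    {"src": "198.51.100.9", "dst": "10.0.0.25", "dport": 443, "action": "allow"},
    {"src": "203.0.113.7", "dst": "10.0.0.99", "dport": 22, "action": "deny"},
]
# Assumed Tor node list and web-server inventory (constructed; the real
# indicators live in the Devo lookup mentioned in the post).
TOR_NODES = {"203.0.113.7"}
WEB_SERVERS = {"10.0.0.25"}

SHELLS = {"cmd.exe", "powershell.exe"}
WEB_FILE = re.compile(r"\\inetpub\\wwwroot\\.*\.(aspx?|ashx)\b", re.IGNORECASE)
SVC_STOP = re.compile(r"\b(?:net|sc)(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)

def is_webshell_drop(ev):
    """IIS worker (w3wp.exe) spawning a shell whose command line writes a script under the web root."""
    return (ev["parent"].lower() == "w3wp.exe" and ev["image"].lower() in SHELLS
            and WEB_FILE.search(ev["cmdline"]) is not None)

def is_sql_service_stop(ev):
    """net/sc stop of a service whose name contains 'sql'."""
    m = SVC_STOP.search(ev["cmdline"])
    return m is not None and "sql" in m.group(1).lower()

def is_tor_to_web(ev, tor_nodes=TOR_NODES, web_servers=WEB_SERVERS):
    """Allowed connection from a known Tor node to one of our web servers."""
    return ev["action"] == "allow" and ev["src"] in tor_nodes and ev["dst"] in web_servers

def run_rules(process_events=PROCESS_EVENTS, firewall_events=FIREWALL_EVENTS):
    """Return (rule, host_or_dst, detail) tuples, in event order, for every rule that fires."""
    hits = []
    for ev in process_events:
        if is_webshell_drop(ev):
            hits.append(("webshell_drop", ev["host"], ev["cmdline"]))
        if is_sql_service_stop(ev):
            hits.append(("sql_service_stop", ev["host"], ev["cmdline"]))
    for ev in firewall_events:
        if is_tor_to_web(ev):
            hits.append(("tor_to_web", ev["dst"], ev["src"]))
    return hits

if __name__ == "__main__":
    for hit in run_rules():
        print(hit)
```

Correlating the three rule names per host over a short window, as the post suggests, is what turns these single signals into a ransomware alert.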
The Devo security team is pushing all the indicators into a lookup that is available in all domains across the platform. Customers can use it to create new alerts, perform hunting, or create active dashboards.
Additionally, it is necessary to activate the alerts related to the ProxyLogon (HAFNIUM) threat available in Devo.
Follow the recommendations from Microsoft. They released the “Exchange On-premises Mitigation Tool (EOMT)”. This script contains mitigations to help address the CVE-2021-26855 vulnerability.
By Fran Gomez