{"id":7507,"date":"2021-09-15T19:45:16","date_gmt":"2021-09-16T02:45:16","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7507"},"modified":"2023-04-11T10:21:55","modified_gmt":"2023-04-11T17:21:55","slug":"microsoft-exchange-proxyshell-and-windows-petitpotam-vulnerabilities-chained-in-new-attack","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/microsoft-exchange-proxyshell-and-windows-petitpotam-vulnerabilities-chained-in-new-attack\/","title":{"rendered":"Microsoft Exchange ProxyShell and Windows PetitPotam vulnerabilities chained in New Attack"},"content":{"rendered":"

{Updated on November 11, 2021}: <\/strong>On November 4, 2021, a new threat actor tracked as the Tortilla gang was identified actively exploiting the ProxyShell vulnerabilities to breach Exchange servers and corporate networks, then encrypting devices with Babuk ransomware. The Tortilla gang was also observed dropping the China Chopper web shell on breached servers. It is still unclear whether Tortilla is an affiliate of the original Babuk gang or is reusing the Babuk source code that was leaked on hacker forums in September 2021. Most of the attacks targeted US-based companies, although attacks in Germany, Thailand, Brazil and the UK were also attributed to the group.<\/p><\/blockquote>\n

On July 23, 2021, Microsoft published an advisory<\/a> about a new NTLM relay attack called PetitPotam. The PetitPotam technique (tracked as CVE-2021-36942<\/a>) coerces a Windows host, including a domain controller, into authenticating to an attacker-controlled machine. Unlike earlier coercion techniques, it does not rely on the Microsoft Print System Remote Protocol (MS-RPRN) API, but instead abuses the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC), which maintains and manages operations on encrypted data that is stored remotely and accessed over a network. When the coerced NTLM authentication is relayed to an Active Directory Certificate Services (AD CS) web enrollment endpoint, the attacker can obtain a certificate for the domain controller\u2019s machine account and use it to take full control of the domain controller, and thus of the entire Windows domain.<\/p>\n

Soon after the proof-of-concept (PoC) of the attack was released on July 22, Microsoft issued a security advisory<\/a> with mitigations, and CISA issued an alert<\/a> urging Microsoft customers to apply them and fix the NTLM issue. Unfortunately, the update Microsoft shipped in its August security release was incomplete<\/a>: it addressed only one of the MS-EFSRPC functions that can be used to coerce authentication, and PetitPotam remained open to active abuse.<\/p>\n

It was not until August 23<\/a> that security researchers reported that the new LockFile ransomware was actively abusing PetitPotam, post-exploitation, to take over domain controllers and spread across the network; because the patch was incomplete, even updated servers were exposed. LockFile had been exploiting Microsoft ProxyShell since August 13<\/a> and most likely used the ProxyShell vulnerabilities<\/a> to gain initial access to victims\u2019 networks before abusing the PetitPotam flaw.<\/p>\n
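The coercion-and-relay sequence described above leaves two traces that are worth alerting on. On the relay target (for example the AD CS web enrollment server), a domain controller\u2019s machine account shows up in a 4624 NTLM network logon from an address that is not the DC\u2019s own. On the DC itself, if Detailed File Share auditing is enabled, 5145 events record the named pipe that carried the MS-EFSRPC call. The Python below applies both checks to constructed events. It is an added example, not code from the original article, from Microsoft or from any vendor tool; the DC inventory, host names and IP addresses are assumptions.<\/p>\n

```python
"""Flag PetitPotam-style coercion and NTLM relay traces in Windows Security
events.

Added example, not code from the original article or from any vendor tool.
Events are constructed dicts shaped like the fields of 4624 (logon) and 5145
(detailed file share) records; host names and IPs are placeholders.
"""
from typing import Callable, Dict, List

# Assumed inventory: domain controller machine accounts and the address each
# one legitimately authenticates from. In production this comes from AD.
DC_ACCOUNTS = {"DC01$": "10.0.0.10"}

# Named pipes over which MS-EFSRPC is reachable on a domain controller.
EFSRPC_PIPES = {"efsrpc", "lsarpc", "samr", "lsass", "netlogon"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Ordinary user Kerberos network logon: benign.
    {"EventID": 4624, "Computer": "CA01", "TargetUserName": "jdoe",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.0.0.77"},
    # DC01$ authenticating to the CA from its own address: benign.
    {"EventID": 4624, "Computer": "CA01", "TargetUserName": "DC01$",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.10"},
    # DC01$ NTLM logon to the CA web server arriving from a workstation
    # address: the signature of a relayed, coerced authentication.
    {"EventID": 4624, "Computer": "CA01", "TargetUserName": "DC01$",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.200"},
    # Anonymous IPC$ access to the lsarpc pipe on the DC from the same
    # address: consistent with an unauthenticated EFSRPC coercion call.
    {"EventID": 5145, "Computer": "DC01", "SubjectUserName": "ANONYMOUS LOGON",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "lsarpc",
     "IpAddress": "10.0.0.200"},
    # Routine srvsvc pipe access by an authenticated user: benign.
    {"EventID": 5145, "Computer": "DC01", "SubjectUserName": "jdoe",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
     "IpAddress": "10.0.0.77"},
]


def relayed_dc_logon(ev: Dict[str, object]) -> str:
    """Reason string if ev is an NTLM network logon of a DC machine account
    from an address other than that DC's own, else ''."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return ""
    if str(ev.get("AuthenticationPackageName", "")).upper() != "NTLM":
        return ""
    account = str(ev.get("TargetUserName", ""))
    expected_ip = DC_ACCOUNTS.get(account)
    if expected_ip is None:
        return ""  # not a DC machine account, or not in the inventory
    if ev.get("IpAddress") == expected_ip:
        return ""
    return (f"{account} NTLM logon on {ev['Computer']} from "
            f"{ev['IpAddress']} (expected {expected_ip})")


def efsrpc_pipe_access(ev: Dict[str, object]) -> str:
    """Reason string if ev is IPC$ access to a pipe that exposes MS-EFSRPC,
    else ''. Anonymous access is called out explicitly."""
    if ev.get("EventID") != 5145:
        return ""
    if not str(ev.get("ShareName", "")).upper().endswith("IPC$"):
        return ""
    pipe = str(ev.get("RelativeTargetName", "")).lower()
    if pipe not in EFSRPC_PIPES:
        return ""
    prefix = "anonymous " if ev.get("SubjectUserName") == "ANONYMOUS LOGON" else ""
    return f"{prefix}access to \\PIPE\\{pipe} on {ev['Computer']} from {ev['IpAddress']}"


RULES: List[tuple] = [
    ("relayed_dc_logon", relayed_dc_logon),
    ("efsrpc_pipe_access", efsrpc_pipe_access),
]


def scan_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run every rule over every event and return the findings in order."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        for name, check in RULES:
            reason = check(ev)
            if reason:
                findings.append({"rule": name, "source": ev.get("IpAddress"),
                                 "detail": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The 4624 rule is the one to page on: a DC machine account never needs to authenticate over NTLM from someone else\u2019s address. The pipe rule is corroboration only, because lsarpc, samr and netlogon carry a great deal of legitimate traffic and 5145 is not logged at all unless Detailed File Share auditing is turned on. Both are detection, not prevention; the mitigations in Microsoft\u2019s advisory (Extended Protection for Authentication on the AD CS web endpoints and disabling NTLM where possible) are what close the relay path.<\/p>\n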

Microsoft Exchange servers were already under active exploitation via the ProxyLogon vulnerabilities in early 2021. Exchange is now back in the spotlight with a second chain, dubbed ProxyShell. Tracked as CVE-2021-34473<\/a> (a pre-authentication path confusion flaw), CVE-2021-34523<\/a> (elevation of privilege in the Exchange PowerShell backend) and CVE-2021-31207<\/a> (a post-authentication arbitrary file write), the ProxyShell vulnerabilities, when chained, allow an unauthenticated remote attacker to execute arbitrary code on the Exchange server. Microsoft fixed them in its April and May 2021 Exchange security updates, but many servers remain unpatched. Attackers are using ProxyShell to breach networks and install backdoors that later serve as access points for persistence. After breaching an unpatched Exchange server, threat actors drop web shells that let them upload and execute further malicious tools.<\/p>\n

CISA issued an urgent alert<\/a> on August 21 warning organizations about these Exchange vulnerabilities and urging them to patch immediately.<\/strong><\/p>\n

Our CVE Analysis<\/strong><\/h2>\n

CSW researchers looked at the ProxyShell and PetitPotam vulnerabilities. Here is their analysis:<\/strong><\/p>\n