Chile's Financial Regulator Authority Reports Microsoft Exchange Hack

Chile’s Comisión para el Mercado Financiero (CMF) is the latest victim of the recently disclosed Microsoft Exchange vulnerabilities, the regulator confirmed this week.

CMF suffered a cyberattack after threat actors exploited the ProxyLogon vulnerabilities in its unpatched Microsoft Exchange servers. The attackers installed web shells and attempted to steal credentials.

“The Commission for the Financial Market (CMF) updates information on the operational incident reported yesterday, caused by vulnerabilities in the Microsoft Exchange email platform.”

The CMF operates under Chile’s Ministry of Finance and regulates and inspects the country’s banks and financial institutions.

The CMF’s information security and technology department, together with external specialists, conducted an investigation and has so far found no sign of ransomware. The incident was limited to the Microsoft Exchange platform, the Comisión para el Mercado Financiero disclosed.

CMF is further investigating the breach and has been working closely with the Computer Security Incident Response Team (CSIRT) of the Ministry of Finance in the country.

The CMF has released three IOCs found on the compromised server: two web shells, which turned out to be China Chopper, and a batch file that dumps lsass.exe. Each is given as a 40-hex-character (SHA-1 length) hash followed by the file name:

  • 0b15c14d0f7c3986744e83c208429a78769587b5: error_page.aspx
  • bcb42014b8dd9d9068f23c573887bf1d5c2fc00e: supp0rt.aspx
  • 0aa3cda37ab80bbe30fa73a803c984b334d73894: test.bat

The first two are Microsoft Exchange Offline Address Book (OAB) virtual-directory configuration files whose ExternalUrl setting had been changed from a URL to a China Chopper web shell one-liner. Once that configuration is written out as an .aspx page under the web root, the attackers can remotely execute commands on the compromised server.
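The following PowerShell is added here as a worked example; it is not part of the CMF advisory or of BleepingComputer’s write-up. It sweeps the directories where ProxyLogon web shells were typically dropped for files matching the three published hashes, and then inspects every OAB virtual directory’s ExternalUrl for the server-side script fragment that a China Chopper one-liner carries instead of a URL. The search paths, the assumption that it runs in the Exchange Management Shell as an administrator, and the regex used to flag a tampered ExternalUrl are the author's assumptions, not values from the advisory.

```powershell
# Added example, not the CMF's or BleepingComputer's code.
# Assumptions: run in the Exchange Management Shell as an admin on the Exchange server;
# $SearchRoots are default Exchange paths and may need adjusting for a custom install.

$Iocs = @{
    '0b15c14d0f7c3986744e83c208429a78769587b5' = 'error_page.aspx'
    'bcb42014b8dd9d9068f23c573887bf1d5c2fc00e' = 'supp0rt.aspx'
    '0aa3cda37ab80bbe30fa73a803c984b334d73894' = 'test.bat'
}

# Directories where ProxyLogon web shells were commonly written (assumed default paths).
$SearchRoots = @(
    'C:\inetpub\wwwroot\aspnet_client',
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth',
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth'
)

function Find-IocFiles {
    param([string[]]$Roots, [hashtable]$HashTable)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.bat -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Compare the lower-cased SHA-1 of each candidate file against the IOC table.
                $sha1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash.ToLower()
                if ($HashTable.ContainsKey($sha1)) {
                    [pscustomobject]@{
                        Path    = $_.FullName
                        Sha1    = $sha1
                        IocName = $HashTable[$sha1]
                        Written = $_.LastWriteTimeUtc
                    }
                }
            }
    }
}

function Test-OabExternalUrl {
    # A legitimate ExternalUrl is an https:// URL. A China Chopper one-liner instead
    # embeds a <script ... runat="server"> block that eval()s a request parameter,
    # so any of those tokens inside the setting is a strong sign of tampering.
    if (-not (Get-Command -Name Get-OabVirtualDirectory -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-OabVirtualDirectory is not available; run this in the Exchange Management Shell.'
        return
    }
    Get-OabVirtualDirectory -ADPropertiesOnly | ForEach-Object {
        $url = [string]$_.ExternalUrl
        [pscustomobject]@{
            Server      = $_.Server
            Identity    = $_.Identity
            ExternalUrl = $url
            Suspicious  = [bool]($url -match '(?i)<script|runat=|eval\(|Request\[')
        }
    }
}

Find-IocFiles -Roots $SearchRoots -HashTable $Iocs | Format-Table -AutoSize
Test-OabExternalUrl | Where-Object { $_.Suspicious } | Format-List
```

Hash matching only catches byte-identical copies of the three files; a shell with a different request parameter or a single changed byte hashes differently, which is why the second check looks at the ExternalUrl content itself rather than at a hash. A hit in either function means the server should be treated as compromised, not merely patched.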

Microsoft Exchange Offline Address Books (OAB) with web shell (BleepingComputer)

The attackers used the batch file test.bat to dump the memory of the LSASS process, which holds the Windows domain credentials of logged-on accounts.
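An LSASS dump leaves a trace that is independent of which tool or batch file performed it: some process had to open a handle to lsass.exe with read access to its memory. The following PowerShell, added here as an example and not part of the CMF advisory, pulls those handle-open events from the Sysmon log and lists the processes that requested them. It assumes Sysmon is installed with ProcessAccess (Event ID 10) logging enabled; the access masks and the exclusion pattern are the author's assumptions and should be tuned to the local baseline.

```powershell
# Added example, not the CMF's or BleepingComputer's code.
# Assumption: Sysmon is installed and its configuration logs ProcessAccess (Event ID 10).

function Get-LsassAccessEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        if ($data.TargetImage -like '*\lsass.exe') {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $data.SourceImage
                GrantedAccess = $data.GrantedAccess
                CallTrace     = $data.CallTrace
            }
        }
    }
}

# 0x1FFFFF (full access) and 0x1010 (query + VM read) are the masks credential-dump
# tools typically request; the exclusion pattern is an assumed baseline of legitimate
# readers of lsass.exe and is a weak filter, since an attacker can rename a binary.
Get-LsassAccessEvents |
    Where-Object {
        $_.GrantedAccess -in @('0x1FFFFF', '0x1010') -and
        $_.SourceImage -notmatch '\\(MsMpEng|csrss|wininit|services)\.exe$'
    } |
    Format-Table -AutoSize
```

On a ProxyLogon victim the interesting hit is a w3wp.exe child such as cmd.exe, or a renamed dump utility launched from the web root, appearing as SourceImage shortly after the web shell was written. If Sysmon is not deployed, Event ID 4656/4663 in the Security log can provide similar handle auditing once a SACL is set on lsass.exe.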

BleepingComputer describes the complete attack chain in its recent post.

To help affected organizations find the files attackers dropped in these attacks, Microsoft released a script that scans for the known IOCs and added web shell detection to the Microsoft Safety Scanner (MSERT).

About the author

CIM Team
