Chile’s Comisión para el Mercado Financiero (CMF) this week became the latest victim of the recently disclosed Microsoft Exchange vulnerabilities.
CMF suffered a cyberattack after threat actors exploited the ProxyLogon vulnerabilities in its unpatched Microsoft Exchange servers. The attackers installed web shells and attempted to steal credentials.
“The Commission for the Financial Market (CMF) updates information on the operational incident reported yesterday, caused by vulnerabilities in the Microsoft Exchange email platform.”
The CMF operates under Chile’s Ministry of Finance and regulates and inspects banks and financial institutions in the country.
The CMF’s information security and technology department, together with external specialists, conducted an investigation and has so far found no ransomware. The incident was limited to the Microsoft Exchange platform, Comisión para el Mercado Financiero disclosed.
CMF is further investigating the breach and has been working closely with the Computer Security Incident Response Team (CSIRT) of the Ministry of Finance in the country.
The CMF has released three IOCs found on the compromised server: two web shells, which turned out to be China Chopper, and a batch file that dumps the memory of lsass.exe:
- 0b15c14d0f7c3986744e83c208429a78769587b5: error_page.aspx
- bcb42014b8dd9d9068f23c573887bf1d5c2fc00e: supp0rt.aspx
- 0aa3cda37ab80bbe30fa73a803c984b334d73894: test.bat
The first two are Microsoft Exchange Offline Address Book (OAB) files whose ExternalUrl setting had been replaced with the China Chopper web shell, which lets the attackers execute commands remotely on the compromised server.
[Image: Microsoft Exchange Offline Address Books (OAB) with web shell (BleepingComputer)]
The attackers use the batch file, test.bat, to dump the LSASS process’s memory to steal Windows domain credentials.
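As an added illustration (not code from the article, the CMF or Microsoft), the two checks a defender would run on an Exchange server after reading the above: flag OAB virtual directories whose ExternalUrl no longer looks like a URL, and hash files under the web directories against the three SHA-1 IOCs the CMF published. It assumes an Exchange Management Shell session on the server; the scan roots are assumed defaults to adjust to the install.

```powershell
# Added example, not the CMF's or Microsoft's code. Run in the Exchange
# Management Shell on the Exchange server as an administrator.

# SHA-1 IOCs as published by the CMF (hash -> file name).
$CmfIocs = @{
    '0b15c14d0f7c3986744e83c208429a78769587b5' = 'error_page.aspx'
    'bcb42014b8dd9d9068f23c573887bf1d5c2fc00e' = 'supp0rt.aspx'
    '0aa3cda37ab80bbe30fa73a803c984b334d73894' = 'test.bat'
}

function Test-OabExternalUrl {
    # A legitimate ExternalUrl is empty or a plain http(s) URL; script tags or
    # code in this field mean the web shell described in the article was planted.
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url)) { return $true }
    return ($Url -match '^https?://[^\s<>"]+$')
}

function Find-CmfIocFiles {
    # Recursively hash .aspx and .bat files under $Path and return those whose
    # SHA-1 matches a published IOC.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.aspx, *.bat -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sha1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash.ToLower()
            if ($CmfIocs.ContainsKey($sha1)) {
                [pscustomobject]@{ Path = $_.FullName; Sha1 = $sha1; IocName = $CmfIocs[$sha1] }
            }
        }
}

# Check 1: every OAB virtual directory on this server.
Get-OabVirtualDirectory -Server $env:COMPUTERNAME | ForEach-Object {
    if (-not (Test-OabExternalUrl ([string]$_.ExternalUrl))) {
        Write-Warning ("Tampered OAB ExternalUrl on {0}: {1}" -f $_.Identity, $_.ExternalUrl)
    }
}

# Check 2: web-accessible directories (assumed defaults; adjust to your install).
$ScanRoots = @((Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'), 'C:\inetpub\wwwroot')
foreach ($root in $ScanRoots) { Find-CmfIocFiles -Path $root }
```

A hit from either check means the host should be treated as compromised and the LSASS dump described above assumed to have succeeded, so credential resets follow the cleanup.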
BleepingComputer describes the complete attack chain in their recent post.
To help impacted organizations find the files dropped in these attacks, Microsoft released a script that searches for these IOCs and added web shell detection to the Microsoft Safety Scanner (MSERT).