ProxyShell (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473)
Exchange servers remained a target throughout 2021. In July, Microsoft released details of three new vulnerabilities in Exchange Server, which were dubbed “ProxyShell.” ProxyShell exploitation allows an adversary to remotely execute code without authentication. Following exploitation, adversaries dropped web shells to conduct reconnaissance, move laterally, and in some instances, deploy ransomware. Where ProxyLogon seemed to have a high impact over a short period of time, ProxyShell seemed to persist throughout the year; we detected exploitation as late as December. Detecting ProxyShell exploitation is similar to detecting ProxyLogon, mentioned above, specifically msexchangemailboxreplication.exe writing an ASPX web shell to disk.
On July 1, security researchers and Microsoft released details of a new vulnerability dubbed “PrintNightmare” (CVE-2021-34527). PrintNightmare permits an unprivileged user to remotely obtain elevated privileges on any system running the print spooler service, which is enabled by default. It stems from the print spooler service failing to properly authenticate users attempting to load a printer driver dynamic link library (DLL). This zero-day affected all editions of Windows, allowing code execution with local SYSTEM-level privileges.
Though the vulnerability was concerning, there were not many reported campaigns exploiting it. That said, ransomware operators such as Vice Society and Magniber have exploited the vulnerability to gain initial access, and therefore it’s worth looking out for. We observed a single malicious instance of PrintNightmare exploitation leading to precursor ransomware behaviors.
Windows print spooler service spawning
PrintNightmare exploitation results in a shell being opened on the targeted system as a child process of the spooler service. This detection analytic identifies the Windows print spooler service spawning a shell on the system.
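The two detection analytics described on this page (the Mailbox Replication service writing an ASPX file, and the print spooler spawning a shell) expressed as filters over process-create and file-create telemetry. This is an added example, not the report's own detection code; the event field names, the sample records, and the set of shell binaries are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real data): one record per process-create
# or file-create event, shaped like typical EDR/Sysmon fields (assumed names).
EVENTS = [
    {"id": 1, "type": "file_create",
     "image": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe",
     "target": r"C:\inetpub\wwwroot\aspnet_client\shell.aspx"},
    {"id": 2, "type": "file_create",
     "image": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe",
     "target": r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\MRS.log"},
    {"id": 3, "type": "process_create", "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 4, "type": "process_create", "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\splwow64.exe", "cmdline": "splwow64.exe"},
    {"id": 5, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

# Shell binaries the spooler has no legitimate reason to launch (assumed set).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, so matching ignores case and directory."""
    return PureWindowsPath(path).name.lower()


def detect_proxyshell_webshell_write(events):
    """ProxyShell analytic: the Mailbox Replication service writing an .aspx file to disk."""
    return [e["id"] for e in events
            if e["type"] == "file_create"
            and basename(e["image"]) == "msexchangemailboxreplication.exe"
            and basename(e["target"]).endswith(".aspx")]


def detect_spooler_spawning_shell(events):
    """PrintNightmare analytic: spoolsv.exe as the parent process of a command shell."""
    return [e["id"] for e in events
            if e["type"] == "process_create"
            and basename(e["parent_image"]) == "spoolsv.exe"
            and basename(e["image"]) in SHELLS]


if __name__ == "__main__":
    print("ProxyShell web shell writes:", detect_proxyshell_webshell_write(EVENTS))
    print("Spooler spawning a shell:", detect_spooler_spawning_shell(EVENTS))
```

Event 2 (a log file) and event 4 (splwow64.exe, a normal spooler child) are included as benign lookalikes that the filters must not flag.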