In 2021, adversaries exploited vulnerabilities affecting popular enterprise platforms to drop web shells, spread ransomware, and more.
High-profile proofs of concept like PrintNightmare and ProxyShell left our networks—and our hearts—feeling vulnerable.
Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2022.
Several high-profile vulnerabilities made it into the collective consciousness of the security community in 2021. ProxyLogon and ProxyShell targeted Microsoft Exchange servers and affected a massive number of systems, sometimes leading to ransomware deployment. The exploitation of vulnerabilities in Kaseya’s VSA appliance software also led to ransomware deployment on some of the thousands of organizations that used Kaseya software for remote administration of endpoints. In the latter half of the year, adversaries exploited multiple vulnerabilities in Zoho’s ManageEngine suite of products. PrintNightmare and an MSHTML vulnerability caused a ruckus among the security community and media; however, their actual impact appears to have been limited.
An important nuance to call out is that vulnerabilities are just flaws in code—a threat must exploit that vulnerability. Given the frequency with which vulnerabilities are disclosed and the ease with which adversaries can exploit newly reported weaknesses, particularly in common applications, Red Canary focuses on identifying and detecting the behavior we observe surrounding exploitation of a vulnerability. We recommend other organizations do the same. Understanding the threats and the ways in which adversaries operate in compromised networks allows defenders to protect against malicious activity regardless of the means by which their environment is accessed.
We’ve outlined several of 2021’s major vulnerabilities below, along with some detection guidance. Detecting exploitation of a vulnerability from an endpoint perspective can be difficult and depends on how exploitation occurs in practice. We have tried to supply detection guidance as close to the point of exploitation as possible. In other cases, we provide detection opportunities that would most likely appear as follow-on behavior, such as suspicious child processes or registry modifications. The targeting of vulnerabilities in enterprise applications and platforms is unlikely to slow down in 2022, so it’s important to detect the threats that exploit them head-on.
ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
In March 2021, Microsoft released details of four Exchange Server vulnerabilities collectively known as “ProxyLogon.” If chained together, the vulnerabilities would allow an adversary remote code execution on a targeted Exchange server. Multiple adversaries, including the suspected Chinese state-sponsored group HAFNIUM, used the vulnerability chain to drop web shells and collect data from thousands of Exchange servers. Other adversaries used the DearCry ransomware to target unpatched servers as well. Microsoft released patches for these vulnerabilities at the time of initial reporting.
Microsoft Exchange Mailbox Replication service writing Active Server pages
Adversaries exploited ProxyLogon to drop web shells on vulnerable systems, which manifested through the msexchangemailboxreplication.exe service writing an ASPX file to disk. Malicious web shells will likely be placed on the web server in a web-accessible directory. The following analytic looks for the Exchange mailbox replication service creating ASPX files.
process == msexchangemailboxreplication.exe && filemod_extension == '.aspx'
ProxyShell (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473)
Exchange servers remained a target throughout 2021. In July, Microsoft released details of three new vulnerabilities in Exchange Server, which were dubbed “ProxyShell.” ProxyShell exploitation allows an adversary to remotely execute code without authentication. Following exploitation, adversaries dropped web shells to conduct reconnaissance, move laterally, and in some instances, deploy ransomware. Where ProxyLogon seemed to have a high impact over a short period of time, ProxyShell seemed to persist throughout the year; we detected exploitation as late as December. Detecting ProxyShell exploitation is similar to ProxyLogon mentioned above, specifically msexchangemailboxreplication.exe writing an ASPX web shell to disk.
PrintNightmare (CVE-2021-34527)
On July 1, security researchers and Microsoft released details of a new vulnerability dubbed “PrintNightmare” (CVE-2021-34527). PrintNightmare permits an unprivileged user to remotely obtain elevated privileges on any system running the print spooler service, which is enabled by default. It abuses a flaw in how the print spooler service fails to properly authenticate users attempting to load a printer driver dynamic link library (DLL). This zero day affected all editions of Windows, allowing code execution with local SYSTEM-level privileges.
Though the vulnerability was concerning, there were not many reported campaigns exploiting it. That said, ransomware operators such as Vice Society and Magniber have exploited the vulnerability to gain initial access, and therefore it’s worth looking out for. We observed a single malicious instance of PrintNightmare exploitation leading to precursor ransomware behaviors.
Windows print spooler service spawning
PrintNightmare exploitation results in a shell being opened on the targeted system as a child process of the spooler service. This detection analytic identifies the Windows print spooler service spawning a shell on the system.
parent_process == spoolsv.exe && process == cmd.exe
Kaseya VSA (CVE-2021-30116)
On July 2, adversaries leveraged multiple vulnerabilities in Kaseya Virtual Systems Administrator (VSA) to distribute Sodinokibi ransomware, also known as REvil. VSA allows IT administrators to remotely administer endpoints. By compromising this software, an adversary gains remote execution capability to a large subset of customer endpoints, especially if Kaseya is operated by a managed service provider (MSP).
Red Canary detected the initial behavioral activity using a preexisting analytic for identifying certutil.exe decoding content, as detailed below. Our Intelligence team had tracked Sodinokibi prior to this, which helped us identify the malicious registry modification of blacklivesmatter seen below and attribute it to Sodinokibi.
Certificate utility tool (certutil.exe) decoding content
This detection analytic will detect certutil.exe running with the -decode option. Adversaries frequently leverage certutil to decode Base64-encoded content.
process == certutil.exe && command_line_includes ('decode')
ManageEngine products (CVE-2021-40539, CVE-2021-44077, CVE-2021-44515)
In November and December, we observed likely exploitation of remote code execution vulnerabilities in two different Zoho ManageEngine products: ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077). In one case, an incident response partner determined that ADSelfService Plus was used for initial access prior to deploying ransomware. The FBI noted that advanced adversaries exploited a vulnerability in a third ManageEngine product, Desktop Central. ManageEngine products are widely used among IT departments to manage various services across the enterprise. As such, this presents adversaries with a wide attack surface. Organizations using ManageEngine products in their environment should update accordingly. Patches for all the vulnerabilities listed here are available via ManageEngine.
Keytool.exe spawning system shell or PowerShell
For the vulnerability in ADSelfService Plus (CVE-2021-40539), we observed adversaries use the Java utility Keytool to move a web shell from the initial directory it was dropped into. As such, keytool.exe spawning shells should be investigated, and the following detection analytic should surface related activity.
parent_process == keytool.exe && process == ('cmd.exe' || 'powershell.exe')
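The four pseudo-analytics on this page (Exchange mailbox replication writing ASPX, spoolsv.exe spawning cmd.exe, certutil.exe decoding, keytool.exe spawning a shell) expressed as runnable detection logic over constructed endpoint telemetry. This is an added example, not Red Canary's detection engine; the Event fields and the sample events are assumptions constructed for illustration.

```python
# Added example (not Red Canary's code): evaluates this page's four detection
# analytics against constructed process/file events. Field names are assumed.
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Event:
    process: str                 # image name of the acting process
    parent_process: str = ""     # image name of the parent process
    command_line: str = ""
    filemod_extension: str = ""  # extension of a file the process wrote

def _is(name: str, *candidates: str) -> bool:
    return name.lower() in {c.lower() for c in candidates}

# Each analytic mirrors one pseudo-rule from the page, case-insensitively.
ANALYTICS: Dict[str, Callable[[Event], bool]] = {
    "exchange_mrs_writes_aspx": lambda e: _is(e.process, "msexchangemailboxreplication.exe")
        and e.filemod_extension.lower() == ".aspx",
    "spooler_spawns_shell": lambda e: _is(e.parent_process, "spoolsv.exe")
        and _is(e.process, "cmd.exe"),
    "certutil_decode": lambda e: _is(e.process, "certutil.exe")
        and "decode" in e.command_line.lower(),
    "keytool_spawns_shell": lambda e: _is(e.parent_process, "keytool.exe")
        and _is(e.process, "cmd.exe", "powershell.exe"),
}

def evaluate(events: List[Event]) -> Dict[str, List[int]]:
    """Return, per analytic, the indices of events that matched it."""
    hits: Dict[str, List[int]] = {name: [] for name in ANALYTICS}
    for i, e in enumerate(events):
        for name, rule in ANALYTICS.items():
            if rule(e):
                hits[name].append(i)
    return hits

# Constructed sample telemetry: events 0, 4 and 6 are benign, the rest should fire.
SAMPLE_EVENTS = [
    Event("w3wp.exe", "svchost.exe", filemod_extension=".log"),
    Event("MSExchangeMailboxReplication.exe", "services.exe", filemod_extension=".aspx"),
    Event("cmd.exe", "spoolsv.exe", "cmd.exe"),
    Event("certutil.exe", "cmd.exe", "certutil -decode input.b64 output.bin"),
    Event("certutil.exe", "cmd.exe", "certutil -verify cert.cer"),
    Event("powershell.exe", "keytool.exe", "powershell -nop"),
    Event("powershell.exe", "explorer.exe", "powershell"),
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {idx}")
```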