Top Middle East Cyber Threats - 11 February 2019
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Microsoft Exchange Zero-Day
A new zero-day vulnerability has been disclosed in Microsoft Exchange, affecting versions 2013 and later. Named “PrivExchange”, it allows a remote attacker holding the credentials of just a single Exchange mailbox user to gain Domain Admin privileges. It is not one bug but a chain of three default behaviours that an attacker can combine to escalate from a compromised mailbox to administrative control of the Active Directory domain. Because Exchange servers are installed by default with extensive privileges in the domain, this access also lets the attacker create further backdoor accounts at will.
Microsoft Exchange supports an API called Exchange Web Services (EWS). One of the EWS API functions is called PushSubscriptionRequest, which can be used to cause the Exchange server to connect to an arbitrary website.
Connections made through PushSubscriptionRequest authenticate to that web server with NTLM, using the Exchange server's own computer account. Starting with Microsoft Exchange 2013, this NTLM authentication over HTTP does not set the NTLM Sign and Seal flags. Because no signing is negotiated, the authentication attempt can be relayed to another service.
Microsoft Exchange is by default configured with extensive privileges on the Domain object in Active Directory: the Exchange Windows Permissions group holds WriteDacl on it. The Exchange server identity obtained through the relay can therefore rewrite the domain's access control list and grant itself, or any account the attacker chooses, Domain Admin-equivalent rights in the domain that contains the vulnerable Exchange server. The published proof-of-concept tool relies on exactly this WriteDacl privilege to change domain permissions.
Exchange Web Services (EWS) PushSubscription service, specifically PushSubscriptionRequest method, allows a user to subscribe for push events. The user specifies the location of the client Web service for push notifications. Once an event happens, the Exchange server will connect to the URL specified in the call to the PushSubscriptionRequest method.
Once the subscription has been created, relaying is the final step. The Exchange server connects to the attacker's listener at the URL given in the subscription and authenticates to it with NTLM. The attacker relays that authentication to a Domain Controller; the PoC relays it to LDAP, which succeeds as long as the DC does not require LDAP signing (see the mitigations below). Using the relayed Exchange privileges, the PoC modifies the domain object's ACL to grant an account of the attacker's choosing the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights. Those rights allow that account to replicate directory data as a Domain Controller would (DCSync) and so to dump the password hashes of every account in the domain. With those hashes the attacker can impersonate any user and take over the complete domain.
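To make the missing Sign and Seal flags concrete, the following added example (written for this post, not part of the researchers' PoC or of Exchange) decodes the NegotiateFlags field of an NTLM token as it appears base64-encoded in an HTTP Authorization or WWW-Authenticate header, and reports whether signing was negotiated. The two sample tokens are constructed inside the script; the flag bit values are those defined in MS-NLMP.

```powershell
# Added example: decode NTLMSSP NegotiateFlags from a base64 token (the value after
# "Authorization: NTLM " / "WWW-Authenticate: NTLM " in an HTTP exchange).
# Flag bit values are from MS-NLMP; the sample tokens below are constructed, not captured.
$NTLMSSP_NEGOTIATE_UNICODE     = 0x00000001
$NTLMSSP_NEGOTIATE_OEM         = 0x00000002
$NTLMSSP_REQUEST_TARGET        = 0x00000004
$NTLMSSP_NEGOTIATE_SIGN        = 0x00000010
$NTLMSSP_NEGOTIATE_SEAL        = 0x00000020
$NTLMSSP_NEGOTIATE_NTLM        = 0x00000200
$NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
$NTLMSSP_NEGOTIATE_EXT_SESSSEC = 0x00080000

function Get-NtlmNegotiateFlags {
    param([Parameter(Mandatory)][string]$Base64Token)
    $b = [Convert]::FromBase64String($Base64Token)
    if ($b.Length -lt 16 -or [Text.Encoding]::ASCII.GetString($b, 0, 7) -ne 'NTLMSSP') {
        throw 'Not an NTLMSSP token'
    }
    $type = [BitConverter]::ToUInt32($b, 8)
    # NegotiateFlags sits at a different offset in each of the three NTLM message types
    switch ($type) {
        1 { $offset = 12; $name = 'NEGOTIATE' }
        2 { $offset = 20; $name = 'CHALLENGE' }
        3 { $offset = 60; $name = 'AUTHENTICATE' }
        default { throw "Unknown NTLM message type $type" }
    }
    if ($b.Length -lt $offset + 4) { throw 'Token too short for its message type' }
    $flags = [BitConverter]::ToUInt32($b, $offset)
    [pscustomobject]@{
        MessageType       = $name
        Flags             = '0x{0:X8}' -f $flags
        Sign              = ($flags -band $NTLMSSP_NEGOTIATE_SIGN) -ne 0
        Seal              = ($flags -band $NTLMSSP_NEGOTIATE_SEAL) -ne 0
        AlwaysSign        = ($flags -band $NTLMSSP_NEGOTIATE_ALWAYS_SIGN) -ne 0
        SigningNegotiated = ($flags -band ($NTLMSSP_NEGOTIATE_SIGN -bor $NTLMSSP_NEGOTIATE_SEAL)) -ne 0
    }
}

function New-NtlmNegotiateToken {
    # Builds a minimal 32-byte NTLM NEGOTIATE message with empty domain/workstation fields
    param([Parameter(Mandatory)][uint32]$Flags)
    $msg = New-Object byte[] 32
    [Text.Encoding]::ASCII.GetBytes('NTLMSSP').CopyTo($msg, 0)   # signature; byte 7 stays 0x00
    [BitConverter]::GetBytes([uint32]1).CopyTo($msg, 8)        # MessageType = NEGOTIATE
    [BitConverter]::GetBytes($Flags).CopyTo($msg, 12)          # NegotiateFlags
    [Convert]::ToBase64String($msg)
}

# Constructed samples: the same base flag set, once without and once with the signing flags
$base = $NTLMSSP_NEGOTIATE_UNICODE -bor $NTLMSSP_NEGOTIATE_OEM -bor $NTLMSSP_REQUEST_TARGET -bor $NTLMSSP_NEGOTIATE_NTLM -bor $NTLMSSP_NEGOTIATE_EXT_SESSSEC
$noSign   = New-NtlmNegotiateToken -Flags $base
$withSign = New-NtlmNegotiateToken -Flags ($base -bor $NTLMSSP_NEGOTIATE_SIGN -bor $NTLMSSP_NEGOTIATE_SEAL -bor $NTLMSSP_NEGOTIATE_ALWAYS_SIGN)

Get-NtlmNegotiateFlags -Base64Token $noSign     # the shape the text describes for Exchange 2013+ over HTTP
Get-NtlmNegotiateFlags -Base64Token $withSign   # a client that asked for signing and sealing
```

Run the decoder over the NTLM headers captured between Exchange and the subscription URL (or any HTTP endpoint) to confirm what the client negotiated. When Sign or Seal is set, a Domain Controller at the default “Negotiate signing” LDAP setting expects the subsequent LDAP traffic to be signed, and a relaying attacker cannot produce those signatures; the flags left clear are what makes the relay to LDAP described above work.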
Affected Exchange versions:
The researchers tested the exploit successfully against the following combinations:
- Exchange 2013 (CU21) on Server 2012R2, relayed to a Server 2016 DC (all fully patched).
- Exchange 2016 (CU11) on Server 2016, relayed to a Server 2019 DC (all fully patched).
- Exchange 2019 on Server 2019, relayed to a Server 2019 DC.
- Exchange 2010 SP3 seems to be unaffected.
- Exchange 2007 is unknown at this time, although it appears to have the required methods (PushSubscriptionRequest) so it might be vulnerable.
Mitigations:
It is important to note that any work-around should be tested in a Staging or Pre-production environment before being implemented in Production. Furthermore, any work-around must be assessed to avoid unintended impact to users or applications.
- If your Exchange server does not rely on EWS push/pull subscriptions, block the PushSubscriptionRequest API call that triggers this attack.
- Remove the unnecessary high privileges that Exchange has on the Domain object.
- Enable LDAP signing and enable LDAP channel binding to prevent relaying to LDAP and LDAPS respectively.
- Block Exchange servers from making connections to workstations on arbitrary ports.
- Enforce SMB signing on Exchange servers (and preferably on all other servers and workstations in the domain) to prevent cross-protocol relay attacks to SMB.
- Remove the registry value which makes relaying back to the Exchange server possible, as discussed in Microsoft's mitigation for CVE-2018-8581.
A registry value DisableLoopbackCheck exists under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. The vulnerability described by CVE-2018-8581 is unexploitable if the DisableLoopbackCheck registry value is removed.
To remove the registry value, type the following command in an elevated CMD window:
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableLoopbackCheck /f
Neither a restart of the operating system nor the Exchange Server is required after the removal of this registry value. However, it is important to remove only the DisableLoopbackCheck value. Care should be taken to not remove the Lsa key.
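The following added example (written for this post, not taken from Microsoft or from the researchers) audits the mitigations listed above and lists every principal that holds the replication rights the PoC grants. It assumes it is run on an Exchange server, as a user who can read the domain object's ACL and reach the domain controllers over WinRM, with the ActiveDirectory RSAT module installed. Registry paths, value names and the group name are the Windows and Exchange defaults the text refers to; the script only reports and changes nothing.

```powershell
# Added example: audit PrivExchange mitigations and list DCSync-capable principals.
# Assumptions: run on the Exchange server; ActiveDirectory module present; WinRM reachable on DCs.
Import-Module ActiveDirectory

function Get-RegValue {
    # Returns one registry value from the local machine or a remote host, or $null when absent
    param([string]$Path, [string]$Name, [string]$ComputerName)
    $sb = { param($p, $n) (Get-ItemProperty -Path $p -Name $n -ErrorAction SilentlyContinue).$n }
    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $sb -ArgumentList $Path, $Name -ErrorAction SilentlyContinue
    } else { & $sb $Path $Name }
}

function New-Finding {
    param($Check, $Pass, $Value)
    [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Value = $Value }
}

$findings = @()
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Mitigation 6: DisableLoopbackCheck must be absent on the Exchange server (CVE-2018-8581 workaround)
$loopback = Get-RegValue -Path $lsa -Name DisableLoopbackCheck
$findings += New-Finding 'DisableLoopbackCheck removed (local)' ($null -eq $loopback) $loopback

# Mitigation 5: SMB server signing required on this host (1 = "Digitally sign communications (always)")
$smbSign = Get-RegValue -Path $srv -Name RequireSecuritySignature
$findings += New-Finding 'SMB signing required (local)' ($smbSign -eq 1) $smbSign

# Mitigation 3: LDAP signing (LDAPServerIntegrity 2 = Require) and channel binding (2 = Always) on each DC
foreach ($dc in Get-ADDomainController -Filter *) {
    $ldapSign = Get-RegValue -Path $ntds -Name LDAPServerIntegrity       -ComputerName $dc.HostName
    $cbt      = Get-RegValue -Path $ntds -Name LdapEnforceChannelBinding -ComputerName $dc.HostName
    $findings += New-Finding "LDAP signing required on $($dc.HostName)" ($ldapSign -eq 2) $ldapSign
    $findings += New-Finding "LDAP channel binding always on $($dc.HostName)" ($cbt -eq 2) $cbt
}

# Mitigation 2: Exchange Windows Permissions should no longer hold WriteDacl on the domain object
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"
$ewpWriteDacl = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like '*\Exchange Windows Permissions' -and
    $_.ActiveDirectoryRights.HasFlag([DirectoryServices.ActiveDirectoryRights]::WriteDacl)
}
$findings += New-Finding 'Exchange Windows Permissions lacks WriteDacl on domain' (-not $ewpWriteDacl) (@($ewpWriteDacl).Count)

# Detection: who can DCSync? These are the two extended rights the PoC grants to the attacker's account.
# An ExtendedRight ACE with an empty ObjectType (or GenericAll) covers all extended rights, so it is listed too.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$dcsyncHolders = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag([DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq [guid]::Empty -or $replRights.ContainsKey($_.ObjectType.ToString()))
} | ForEach-Object {
    [pscustomobject]@{
        Identity = $_.IdentityReference.Value
        Right    = if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { $replRights[$_.ObjectType.ToString()] }
    }
}

$findings | Format-Table -AutoSize
Write-Host "`nPrincipals with DCSync-capable rights on $domainDN (review anything outside the built-in DC and admin groups):"
$dcsyncHolders | Sort-Object Identity | Format-Table -AutoSize
```

A failed LDAP check with an empty Value usually means the remote registry read itself failed (WinRM blocked) rather than a missing setting, so verify those DCs by hand. Mitigation 1 has no registry footprint to audit; one Exchange-side way to implement it is a throttling policy with EwsMaxSubscriptions set to 0 at organization scope, followed by recycling the MSExchangeServicesAppPool application pool, which disables all EWS subscriptions and therefore needs the staging test the text calls for, since clients that depend on EWS notifications will lose them. Any account in the DCSync list that is not a Domain Controller or a built-in administrative group deserves an incident-response look, because that is exactly the footprint the PoC leaves behind.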
As always, at Help AG, we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.