How ExeonTrace can help detect the Microsoft Exchange hack

More than hundreds of thousands of Microsoft Exchange servers have been hacked globally, whereas the DACH region seems to be highly affected. This article explains how ExeonTrace can help to detect the intrusion through automated and manual network analysis.

An Overview on the Microsoft Exchange hack

Microsoft has been reporting a massive attack on their Exchange Server throughout the last few days. Attackers have successfully penetrated Microsoft Exchange Server versions 2013 through 2019 via four vulnerabilities. Though the extent of the attack is yet unknown, it is set to affect hundreds of thousands of organizations worldwide. This will make it one of the most significant attacks to date. Worse, according to Kaspersky’s IT security experts, Germany and Switzerland are among the countries most affected.

The hackers managed to penetrate the affected systems and install so-called web shells. Using these, they can access the Exchange servers and mails even after the security patches. Dangerously, attackers can leverage the web shell to deploy additional malware tools in the company network, such as PowerShell scripts, Mimikatz or Cobalt Strike. This leaves victims exposed to attackers spreading throughout the network, compromising, stealing, and encrypting data for ransom (ransomware attack) as they advance.

The scale of the attack is on a completely unprecedented scale. Reputable security media report that even if patched on the same day of the announcement, there is a high probability that the web shell has been installed on servers. Those who have not patched yet have a high likelihood of being affected by the attack.

Faced with this critical situation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive: all civilian and government-run Microsoft Exchange servers should be updated immediately or, if necessary, disconnected from the systems.

How ExeonTrace can help to detect compromised servers

Although the attack is very advanced, ExeonTrace can help to detect the intrusion. The detection relies on two functionalities of ExeonTrace:

Automated network traffic analysis

ExeonTrace features several models detecting irregular data flows and patterns occurring when attackers try to spread within a network (Internal Reconnaissance, Lateral Mocvement, and Data Exfiltration). We suggest treating ExeonTrace's alarms triggered for on-premise Microsoft Exchange Servers with the highest priority. Typical anomalies include:

  • Vertical scanning (flow)
  • Horizontal scanning (flow)
  • New internal services and new incoming connections (flow)
  • Outgoing connections to new port/server/service (flow)
  • Bytes to external endpoint (flow)
  • Command and control (proxy)
  • DNS volume (proxy & DNS)
  • Domain Generation Algorithm (proxy & DNS)

Depending on the applications that run on the Exchange servers some of those communication patterns might go unseen to automated detection. Therefore, we strongly recommend conducting a manual analysis through ExeonTrace in addition to the automatic detection.

Investigation of Microsoft Exchange servers’ communication patterns

The "Client server pairs" flow visualization is particularly powerful for this investigation. There, an analyst can filter for the exchange servers by adding their IPs to the search bar at the top of the page. We recommend to check the three connection matrix visualizations (internal traffic/outbound traffic/inbound traffic) regarding the following aspects:

Client server pairs - Internal:

  • Are there any signs of lateral movement? For example, the server is communciating with other internal devices newly via SSh (port 22/TCP), RCP (port 135/TCP), SMB (port 445/TCP), WinRm (port 5985/TCP and 5986/TCP).
  • Is there any elevated Kerberos (port 88) or LDAP activity?

Client server pairs - Outbound:

  • Does the server establish connections as a client that cannot be explained?

Client server pairs - Inbound:

  • Are there connections with large amounts of outbound data?
  • Are there connections from clients from unexpected geographic regions?
  • Are there connections via remote control / administration tools? For example, Remote Desktop Protocol (RDP) on port 3389.

To summarize, unless there were already applications on the Exchange server that created similar data flows before the attack, ExeonTrace automatically detects the anomalies with a high likelihood. The additional manual analysis of the Exchange server through ExeonTrace’s traffic visualization provides you with the additional confidence.