The Polish Cyber Command, as part of its activities in cyberspace, has observed the use of technique[1] that involved the modification of permissions to mailbox folders within Microsoft Exchange servers. It allows an attacker to provide covert, unauthorized access to email correspondence and was used after gaining access to email accounts through CVE-2023-23397 (Microsoft Outlook Vulnerability) or password-spraying. Activities using CVE-2023-23397 were first discovered by CERT-UA[2] and publicly described by Microsoft[3]. In the case of actions taken against entities in Poland, this was reported by CSIRT NASK[4]. As a result of the analyses carried out by POL Cyber Command, malicious actions against public and private entities in Poland were confirmed.

In order to identify and mitigate this threat, POL Cyber Command has developed a set of tools that can be run in Microsoft Exchange email environment. In the present case, within the framework of the National Cybersecurity System, actions were conducted in collaboration with CSIRT MON, CSIRT GOV, CSIRT NASK, Military Counterintelligence Service and with the support of Microsoft. Nevertheless, POL Cyber Command assesses that at the time of report publication, this technique is actively used by the adversary. POL Cyber Command recommends the use of developed tools for identifying activities within one's own resources.

Activities observed by POL Cyber Command associated with the exploitation of the CVE-2023-23397 vulnerability and a widespread campaign where the adversary uses password-spraying technique overlap with the actions described by USA and British government[5] entities and the Microsoft[6] company as related to the activity groups "APT28" and "Forrest Blizzard".

 

 

The first stage of the adversary's actions is to gain access to the mailbox. The malicious activity observed so far consists of bruteforce[1] attacks. Another observed vector for gaining access to mailboxes is the exploitation of the CVE-2023-23397[2] vulnerability, which allows the theft of a user's NTLM hash.

In the next stage of malicious activity, the adversary modifies folder permissions within the victim's mailbox[3]. In most cases, the modifications are to change the default permissions of the "Default" group (all authenticated users in the Exchange organization) from "None" to "Owner". By making this type of modification, the contents of folders that have been granted this permission can be read by any authenticated person within the organization[4]. In the default configuration, the folder permissions in mailboxes are set to "None" for the "Default" and "Anonymous" user groups, as shown in the figure below (Fig. 1). The exception is the Calendar folder, which default permission level allows to read only whether the user has a busy or free appointment in the calendar – "AvailabilityOnly, Free/Busy Time".

 

In cases identified by POL Cyber Command, folders permissions were modified, among others, in mailboxes that were high-value information targets for the adversary. As a result of this change, the adversary was able to gain unauthorized access to the resources of high-value informational mailboxes through any compromised email account in the Exchange organization, using the Exchange Web Services (EWS) protocol. It should be emphasized that the introduction of such modifications allows for the maintenance of unauthorized access to the contents of the mailbox even after losing direct access to it. Figure 2 presents a diagrammatic view of the described process. 

 

 

Another indicator that can be used to detect malicious activity is when and how permissions are modified. A characteristic feature of the described activity is the modification of permissions to all folders within the mailbox in a relatively short time (a few seconds), which physically excludes the possibility of making these changes manually by the user. An example of modifying the permissions of all mailbox folders is shown in Fig. 3. At the same time, it should be emphasized that any unusual modifications to folder permissions may indicate malicious activity.

 

 

The above actions, in POL Cyber Command assessment, indicate a high level of adversary sophistication and thorough knowledge of the architecture and mechanisms of the Microsoft Exchange mail system. Identification of this type of attack is challenging due to the intentional avoidance of using any offensive tools that could be detected by cybersecurity systems. Building a custom detection requires the analysis of event logs, which are saved by default on mail servers.  

Among the attacker's OPSEC (Operations Security) measures, it can be noted that they utilize commercial services of VPN, which geolocation indicates the territory of Poland, as well as the addresses of local Internet service providers. This allows the attacker to partially blend into trusted network traffic. In addition, in the cases analysed by POL Cyber Command , it was found that different IP addresses were used against different targets.
 
POL Cyber Command assesses that the technique in question (MITRE ATT&CK – T1098.002) could have been used against a number of domestic and foreign entities, both government and private sector, with particular emphasis on those targeted in the Silence campaign and  related to the compromise of Microsoft Exchange mail servers.

 

 

POL Cyber Command recommends the implementation of the following guidelines. In case of detecting any concerning permission modifications, POL Cyber Command advises contacting the relevant national-level CSIRT team.

1.   Running the toolkit provided by POL Cyber Command and implementation of countermeasures as instructed. Tools and instructions can be found in the ZIP attachment. 

2.   Implementing mechanisms to detect connections to a mailbox that shares folders with another mailbox based on event logs from the location:

      a.   %ExchangeInstallPath%Logging\HttpProxy\Ews\  

      b.   %ExchangeInstallPath%Logging\Ews\ 

      c.   %ExchangeInstallPath%logging\Mapihttp\Mailbox\ 

3.   Verification of accounts that are assigned the ApplicationImpersonation role[11]. 
4.   Verification of mailbox delegation settings in the entire Exchange organization.

5.   Implementation of recommendations described by Microsoft https/www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ and USA and British government entities https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
6.   Audit of email access methods to identify potential attack vectors. 

 

1. exchange-cleanup-eng.zip (SHA256: F1D896D884B931C11263ADCAC8219DD0A74B4890C64785A813F5862DE15B8E4B):
    a. 00a-get-allMailboxes.ps1
    b. 00b-divide-csvfile.ps1
    c. 01-get-MBXFoldersPermissions.ps1
    d. 01a-merge-csvFiles.ps1
    e. 02-fix-MBXFoldersPermissions.ps1
    f.  EWSCheck
               i.  EWSCheck.ps1
               ii. Microsoft.Exchange.WebServices.dll
               iii. Output
    g. ReadMe_First.pdf
    h. get-AllMBXPermissions.ps1
    i.  Attachment 1 Instruction.pdf
    j.  Attachment 2 Audit.pdf

 

 

[1] https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/

[2] https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/

[3] https://cert.pl/posts/2023/03/outlook-cve-2023-23397/

[4]  MITRE ATT&CK classified and described this technique as T1098.002.

[5] https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF

[6] https://www.microsoft.com/content/dam/microsoft/final/en-us/microsoft-brand/documents/MDDR_FINAL_2023_1004.pdf

[7] Especially password spraying

[8] “Silence” campaign – codename given by DKWOC for the campaign described for the first time by Microsoft - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397

[9] At the moment, it has been identified that the described activity pertains to mailboxes within Microsoft Exchange server environments.

[10] The default security policies allow the user to make such modifications within their mailbox.

[11] https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange