APT35 Using ProxyShell Vulnerabilities to Deploy Multiple WebShells

A new burst of Iranian state-sponsored APT35 attacks has been observed by researchers over the past few months. A new study shows that APT35 (a.k.a. TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster) has been increasingly exploiting Microsoft Exchange ProxyShell vulnerabilities for initial access and leveraging quite a bunch of different attack vectors once they gained access to victims’ networks.

Scroll down to see our latest detection rules that will help SOC teams to identify the latest activity of APT35 during and after the ProxyShell exploit.

Detecting APT35 Attacks Involving ProxyShell

APT35 doesn’t stop by simply exploiting the Microsoft Exchange ProxyShell vulnerabilities after their initial access campaigns. Discover the rules below created by our Threat Bounty developers Furkan Celik, Osman Demir, Nattatorn Chuensangarun, and Aytek Aytemur to spot the execution of a Webshell, threat actors’ persistence, and credential access. Log into your account on our platform to immediately access Sigma rules as well as 20+ translations to vendor-specific formats for easy deployment.

Possible APT35 Initial Access by Execution of Webshell After ProxyShell Exploit (via ps_script)

Possible APT35 Persistence by Adding of Scheduled Tasks After ProxyShell Exploit (via cmdline)

Possible APT35 Credential Access by Dumping lsass.exe Memory with comsvcs.dll (via cmdline)

Possible APT35 Execution by Testing Connectivity with Microsoft Exchange Management Snap-in (via cmdline)

These rules address the following techniques of MITRE ATT&CK® framework v.10: Exploit Public-Facing Application, Scheduled Task/Job, System Information Discovery, Exploitation for Credential Access, and OS Credential Dumping.

Also, the rules below will help you detect the exploitation of ProxyShell vulnerabilities before the post-exploitation tactics are triggered:

Exchange ProxyShell Pattern

Successful Exchange ProxyShell Attack

CVE-2021-34473 Exchange Server RCE (Proxyshell)

Hit the button below to check the latest detection content associated with the latest shift in APT35 tactics. And if you have any additional findings that you would like to share, you are encouraged to participate in our crowdsourcing initiative by submitting your own detection rules.

View Detections Join Threat Bounty

Exploitation of the ProxyShell Vulnerabilities

ProxyShell vulnerabilities (CVE-2021-31207,CVE-2021-34523,CVE-2021-34473)  enable remote code execution in Microsoft Exchange. They were detailed by Orange Tsai security researcher and first revealed in April 2021 at Pwn2Own hacking contest in Vancouver.

Recently, APT35 hackers were spotted to leverage ProxyShell exploits to reach their malicious purposes. Particularly, researchers suggest that APT35 has been using automated scripts for initial access and further activities because the same sequence and nature of commands were repeated in different cases over a short timeframe.

At the initial stages the attack, adversaries upload a web shell and disable any antivirus software. Next, they follow up with two persistence methods: scheduled tasks and a newly created account. The latter is added to local admin groups and remote users.

Right after that, attackers enumerated the environment with the help of Windows native programs such as net and ipconfig, disabling LSA protection, enabling WDigest, dumping the LSASS process memory, and downloading the results using the web shell.

To keep staying ahead of the newly emerging threats, organizations are turning their sights to a collaborative defense approach. Leverage the power of expertise delivered by the global community of the brightest cyber minds by registering for SOC Prime’s Detection as Code platform. Streamline your SOC operations and make threat detection faster, easier, and more efficient.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts