The Exchange server's message logs will show a DLL being loaded with elevated privileges on the server. This DLL typically contains a webshell payload and can be used to drop additional malware. If the webshell payload is written to disk, the executable is typically dropped alongside it.
CVE-2021-26855, CVE-2021-26858 and CVE-2021-27065 are remote code execution vulnerabilities in Microsoft Exchange Web Services (EWS). Because an earlier patch was incomplete, these vulnerabilities were only fully patched in Exchange Server 2016 CU12 and Exchange Server 2019 CU4; versions prior to those updates remain affected.
The ELOOKUP cyber actors have been active and indiscriminate in their targeting, using different compromise vectors such as spear phishing, watering-hole attacks, and zero-day exploits. We believe they are likely a criminal group responsible for attacks targeting a variety of organizations.
When the exploit failed to return the expected result, the Falcon team and Microsoft Exchange support engineers were able to use a combination of malware analysis and incident response to isolate and remediate the servers. We identified the unknown malicious code as an ELOOKUP Trojan, which we have observed being used in malware families known to exploit the ETERNALBLUE vulnerability, such as MS16-074, MS16-099, Checkpoint, and BadSearch. The malware is designed to use DNS to fetch a URL, then attempts to download the content associated with that URL.
The SSRF vulnerability is in the way that the search operation is sent to the LDAP server. An attacker can send a special search request that will be executed on the LDAP server and will return data that the attacker can view, modify or delete, depending on the request.
Because the attacker can spoof the web form, they can control what data the LDAP server returns to them. This is a common problem in SSRF vulnerabilities. For example, the CVE-2016-7800 vulnerability that prompted Microsoft to release Windows 10 version 1607 used a vulnerability in RFC 2459, which defines how email addresses are formatted. Attackers who were able to spoof a web form could attack Microsoft Exchange Server users, potentially stealing their identities and passwords.