Using Trend Micro Products for Investigation

The following highlights several post-exploitation detection and remediation technologies that customers can use to investigate, and help remediate, potential exposure in their environment.

Trend Micro Vision One™

Trend Micro Vision One customers benefit from the XDR detection capabilities of the underlying products such as Apex One. The following outlines some of the components of Trend Micro Vision One that can be used for investigation.


Risk Insights > Executive Dashboard

Customers utilizing the Executive Dashboard component of Risk Insights can view proactive information about Trend Micro rules and mitigations, as well as act on potentially affected devices (if Vulnerability Detection is enabled):

Search Query

Alternatively, customers may utilize the General Search Query function in Trend Micro Vision One™ to do some preliminary investigation of potential exposure.

1. Open Trend Micro Vision One and navigate to Search.
2. Select General for Search Method.
3. Enter the following query:

eventSubId: 101 AND (FileFullPath:"C:\Perflogs\*.exe" OR FileFullPath:"C:\Perflogs\*.dll" OR FileFullPath:"*Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\*.ashx" OR FileFullPath:"*Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\*.aspx")

4. Execute the search (and save for later if desired).
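To make the logic of that search query concrete, here is an added example (not Trend Micro code) that applies the same eventSubId and FileFullPath conditions to a handful of constructed telemetry records; the `*` wildcard is approximated with `fnmatch`, so any run of characters, backslashes included, is matched, and the hostnames and file names are made up.

```python
import fnmatch
from dataclasses import dataclass

# Re-implementation of the Vision One General Search query above (constructed example).
# The query keys on eventSubId 101 and the four FileFullPath patterns listed on the page.
TARGET_EVENT_SUB_ID = 101
PATH_PATTERNS = (
    r"C:\Perflogs\*.exe",
    r"C:\Perflogs\*.dll",
    r"*Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\*.ashx",
    r"*Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\*.aspx",
)

@dataclass(frozen=True)
class FileEvent:
    event_sub_id: int
    endpoint: str
    file_full_path: str

def path_matches(path: str) -> bool:
    """Case-insensitive match against the page's patterns (Windows paths ignore case)."""
    lowered = path.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in PATH_PATTERNS)

def find_matches(events):
    """Return the events the search query would surface, in input order."""
    return [e for e in events
            if e.event_sub_id == TARGET_EVENT_SUB_ID and path_matches(e.file_full_path)]

# Constructed sample telemetry; hostnames and file names are invented for this example.
SAMPLE_EVENTS = [
    FileEvent(101, "EXCH01", r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\dropped_example.aspx"),
    FileEvent(101, "EXCH01", r"C:\PerfLogs\stage_example.dll"),  # different case than the pattern
    FileEvent(101, "EXCH01", r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx"),
    FileEvent(102, "EXCH01", r"C:\Perflogs\other_example.exe"),  # not the event sub-ID the query keys on
    FileEvent(101, "WS07", r"C:\Users\alice\Documents\report.docx"),  # benign workstation activity
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"{hit.endpoint}: {hit.file_full_path}")
```

Note that the path patterns also match legitimate Exchange files under owa\auth (the constructed logon.aspx record above), so search hits still need triage against a known-good file inventory rather than being treated as confirmed webshells.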


Curated Intelligence Reports

An updated Curated Intelligence Report for this campaign has been added to Trend Micro Vision One; for XDR customers that have this feature enabled, it automatically sweeps endpoint activity for related indicators.

Trend Micro Protection and Detection Against Exploitation

First and foremost, it is always highly recommended that users apply the vendor's patches when they become available. Unfortunately, as of this time, this is considered an undisclosed 0-day, so an official patch is not yet available from Microsoft; however, Microsoft has released some initial guidance here.

Because the exploit was originally submitted through the Trend Micro Zero Day Initiative, Trend Micro has analyzed the exploit information and can share that several existing detection rules and filters help protect against potential exploitation of this vulnerability.

Trend Micro Cloud One - Network Security & TippingPoint ThreatDV Malware Protection Filters
  • 39522: HTTP: Microsoft Exchange Server Autodiscover SSRF Vulnerability (PWN2OWN ZDI-21-821)
  • 41776: ZDI-CAN-18333: Zero Day Initiative Vulnerability (Microsoft Exchange)

Trend Micro Cloud One - Workload Security, Deep Security & Vulnerability Protection IPS Rules
  • 1011041 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473 and ZDI-CAN-18802)
  • 1011548 - Microsoft Exchange Server Remote Code Execution Vulnerability (ZDI-CAN-18333)

Trend Micro Deep Discovery Inspector (DDI) Rules
  • 4593: EXCHANGE SSRF EXPLOIT - HTTP(REQUEST)
  • 4624: EXCHANGE EXPLOIT - HTTP(RESPONSE)

Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.)
  • The associated ASP Webshell is being detected as Backdoor.ASP.WEBSHELL.YXCI4
  • The known Chinese Chopper component is detected by Trend Micro Behavior Monitoring solutions
  • Several of the IPs listed in the GTSC reports are being blocked at the URL level by Trend Micro Web Reputation Services (WRS) as Malware Accomplices, Disease Vectors or C&C Servers
 

Other Containment and Detection Measures

GTSC has outlined in their blog some potential detection and mitigation information in addition to Trend Micro's protection listed above. Trend Micro cannot officially confirm whether these are adequate mitigations, but advises customers to read through the blog and take action where feasible.

Microsoft has also released a blog on the issue with some initial guidance. It notes that authenticated access to the vulnerable Exchange server is necessary to exploit either of the vulnerabilities.

Trend Micro will continue to update this Security Alert with additional information, such as IOC detection and official patch information as they become publicly available. 