Automatically mitigate ProxyLogon, detect IoCs associated with SolarWinds attackers’ activities

Microsoft has updated its Defender Antivirus to mitigate the ProxyLogon flaw on vulnerable Exchange Servers automatically, while the Cybersecurity and Infrastructure Security Agency (CISA) has released CHIRP, a forensic tool that can help defenders find IoCs associated with the SolarWinds attackers’ activities.


“Similar to the CISA-developed Sparrow tool—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment,” the agency noted.

Automatically mitigate ProxyLogon

Microsoft is determined to do everything in its power to ensure that as many Exchange Servers as possible are protected from attack chains that begin with the exploitation of ProxyLogon, the vulnerability recently leveraged by attackers to breach on-premises Microsoft Exchange Servers around the world.

“With the latest security intelligence update, Microsoft Defender Antivirus and System Center Endpoint Protection will automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build 1.333.747.0 or newer), if they do not already have automatic updates turned on,” the Microsoft 365 Defender Team explained.

Kevin Beaumont, a senior threat intelligence analyst at Microsoft, praised its effectiveness:

For those who don’t have Microsoft Defender Antivirus, Microsoft advises using the recently released One-Click Microsoft Exchange On-Premises Mitigation Tool.

But, the company notes, both the updates and the one-click tool only mitigate CVE-2021-26855, not the rest of the vulnerabilities (CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) exploited in the escalating attacks on Exchange servers, so “customers should still prioritize getting current on security updates for Exchange Server to comprehensively address the vulnerabilities.”
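The passage above ties automatic mitigation to a minimum security intelligence build (1.333.747.0). The following PowerShell is an added example, not Microsoft's code or anything from the article, showing how an administrator can confirm on a given server that Defender is enabled and that the installed signature build meets that minimum. It assumes the Defender PowerShell module is present (Get-MpComputerStatus and its AntivirusSignatureVersion, AntivirusEnabled, RealTimeProtectionEnabled and AntivirusSignatureAge properties); the inline version strings used to exercise the comparison are constructed.

```powershell
# Added example (not from the article or from Microsoft): verify that the
# local Defender security intelligence build is at or above the minimum the
# article cites for automatic CVE-2021-26855 mitigation.
# Assumes the Defender module (Get-MpComputerStatus) is available.

function Test-DefenderSignatureBuild {
    param(
        [Parameter(Mandatory)][string]$InstalledVersion,
        [string]$MinimumVersion = '1.333.747.0'   # build named in the article
    )
    # Cast to [version] for a numeric, field-by-field comparison; a plain
    # string comparison would wrongly rank '1.333.1000.0' below '1.333.747.0'.
    return ([version]$InstalledVersion -ge [version]$MinimumVersion)
}

function Get-ProxyLogonMitigationStatus {
    # Real cmdlet from the Defender module; property names are as documented.
    $status = Get-MpComputerStatus
    $sig    = $status.AntivirusSignatureVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureVersion   = $sig
        SignatureAgeDays   = $status.AntivirusSignatureAge
        MeetsMinimumBuild  = Test-DefenderSignatureBuild -InstalledVersion $sig
    }
}

# Constructed version strings to exercise the comparison (not real hosts).
Test-DefenderSignatureBuild -InstalledVersion '1.333.747.0'
Test-DefenderSignatureBuild -InstalledVersion '1.333.746.0'
Test-DefenderSignatureBuild -InstalledVersion '1.333.1000.0'

# Live check on the server this runs on.
Get-ProxyLogonMitigationStatus | Format-List
```

A result of MeetsMinimumBuild = True only confirms the automatic mitigation for CVE-2021-26855 is in place; as the article notes, the other three CVEs are only addressed by installing the Exchange security updates themselves, so this check belongs alongside, not instead of, patch verification.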

Detect IoCs associated with SolarWinds attackers’ activities

CHIRP – i.e., CISA Hunt and Incident Response Program – is offered in the form of a compiled executable or a Python script, and currently only works on machines running Windows operating systems, where it looks for:

  • The Teardrop backdoor and the Raindrop loader (leveraged by the SolarWinds attackers)
  • Credential dumping certificate pulls
  • Persistence mechanisms identified as associated with the SolarWinds attackers’ efforts
  • System, network, and M365 enumeration
  • Known observable indicators of lateral movement

The tool is meant to be run manually. It provides results in JSON format, which can be reviewed via a SIEM system, web browser, or text editor. It does not make any changes to the underlying system.

“Network defenders can follow step-by-step instructions on the CISA CHIRP GitHub repository to add additional IOCs, YARA rules, or plugins to CHIRP to search for post-compromise threat activity related to the SolarWinds Orion supply chain compromise or new threat activity,” CISA added.
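Since CHIRP writes JSON that is meant to be reviewed in a SIEM or by hand, the following PowerShell is an added example, not CISA's code, of a small triage step a defender might run over such a file: keep findings at or above a chosen confidence, summarize them per plugin, and re-emit them as newline-delimited JSON, which most SIEM log shippers ingest directly. The field names (plugin, name, confidence, detail) and the sample records are an assumed schema and constructed data for illustration; map them onto the keys your actual CHIRP output uses.

```powershell
# Added example (not CISA's code): triage a CHIRP-style JSON results file and
# convert the retained findings to newline-delimited JSON for SIEM ingestion.
# ASSUMED schema: each finding has plugin, name, confidence, detail.

function Get-ChirpFindings {
    param(
        [Parameter(Mandatory)][string]$Json,
        [ValidateSet('low', 'medium', 'high')][string]$MinimumConfidence = 'medium'
    )
    # Numeric ranks make the confidence filter and sort unambiguous.
    $rank = @{ low = 1; medium = 2; high = 3 }

    $Json | ConvertFrom-Json |
        Where-Object { $rank[$_.confidence] -ge $rank[$MinimumConfidence] } |
        Sort-Object { $rank[$_.confidence] } -Descending
}

function ConvertTo-Ndjson {
    param([Parameter(Mandatory)][object[]]$Objects)
    # One compact JSON object per line; -Depth keeps nested detail intact.
    $Objects | ForEach-Object { $_ | ConvertTo-Json -Compress -Depth 5 }
}

# Constructed sample standing in for a real CHIRP output file; the paths and
# values are placeholders, not indicators.
$sample = @'
[
  {"plugin":"yara","name":"Teardrop backdoor signature match","confidence":"high","detail":"<path-to-file>"},
  {"plugin":"registry","name":"Persistence via autorun key","confidence":"medium","detail":"<registry-key>"},
  {"plugin":"events","name":"System enumeration command observed","confidence":"low","detail":"<event-record>"}
]
'@

$hits = Get-ChirpFindings -Json $sample -MinimumConfidence 'medium'

# Per-plugin count for a quick overview, then the retained findings.
$hits | Group-Object plugin | Select-Object Name, Count
$hits | Format-Table plugin, confidence, name -AutoSize

# Newline-delimited JSON for the SIEM; redirect to a file with Set-Content.
ConvertTo-Ndjson -Objects $hits
```

Because CHIRP itself makes no changes to the host, this triage layer is also read-only: it only filters and reshapes the report, so it can be run repeatedly as new IoCs, YARA rules or plugins are added.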
