Hackers Deploy IceApple Post-Exploitation Framework on Hacked Exchange Servers

Summary: Cybersecurity experts have recently identified a new post-exploitation framework, IceApple, which adversaries are using to harvest credentials and deploy malware on compromised Exchange Servers. In this blog, we discuss the IceApple framework in detail and how to protect your Exchange Server from such threats.

IceApple is a novel Internet Information Services (IIS) .NET-based post-exploitation framework deployed on Microsoft Exchange Servers for surveillance and for stealing or encrypting business data. Hackers use it on compromised Microsoft Exchange Servers to harvest credentials from OWA servers and from local or remote host registries, and to exfiltrate data.

First uncovered by the cybersecurity firm CrowdStrike in late 2021, the IceApple framework has been observed on multiple Exchange Servers located in geographically different areas. Additionally, it has targeted a wide range of sectors, such as academia and technology.

The emergence of a new and improved IceApple post-exploitation framework indicates that it is under active development and is still being deployed.

How Does IceApple Evade Detection on Exchange Servers?

IceApple runs as an in-memory framework to maintain a low forensic footprint on the infected host and uses a number of features to evade detection. The analysis of IceApple suggests that it was developed by adversaries with deep insight into, and experience of, the inner workings of Internet Information Services (IIS).

Figure 1: Tasking deserialization and processing flowchart (Source: CrowdStrike)

Until now, intrusions observed on Microsoft Exchange Servers involved malware being loaded to steal or encrypt information. However, IceApple can run under any Internet Information Services (IIS) web app. Moreover, it can install malicious components to establish persistence under IIS, using the mechanism IIS provides for extending the web server’s functionality. It also blends into the compromised server by generating assembly files that appear to be generated by the IIS web server, making IceApple a potent threat.
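Because IceApple persists through IIS’s own extension mechanism and drops assemblies that look like IIS-generated ones, one defensive check is to compare the server’s registered IIS modules against a known-good baseline and list recently written assemblies in the ASP.NET temporary compilation directory. The script below is an added example, not code from the original post or from CrowdStrike; it assumes the WebAdministration PowerShell module is installed, that the baseline file path and the 7-day window are your choices, and that the script was run once earlier on a clean server to create the baseline.

```powershell
# Added example: baseline-compare IIS modules and list recent ASP.NET temp assemblies.
# Assumes the WebAdministration module (IIS management tools) is available.
Import-Module WebAdministration

$BaselinePath = 'C:\Baseline\iis-modules.json'   # assumed path; adjust for your environment
$LookbackDays = 7                                 # assumed review window

function Get-IisModuleInventory {
    # Native (global) modules and managed (.NET) modules registered at server level
    $global  = Get-WebGlobalModule  | Select-Object Name, Image
    $managed = Get-WebManagedModule | Select-Object Name, Type
    [PSCustomObject]@{ Global = $global; Managed = $managed }
}

$current = Get-IisModuleInventory

if (-not (Test-Path $BaselinePath)) {
    # First run on a known-clean server: record the baseline and stop
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

# Modules present now but absent from the baseline are candidates for review
$newGlobal  = $current.Global  | Where-Object { $_.Name -notin $baseline.Global.Name }
$newManaged = $current.Managed | Where-Object { $_.Name -notin $baseline.Managed.Name }

if ($newGlobal)  { Write-Output 'Unbaselined native IIS modules:';  $newGlobal  | Format-Table -AutoSize }
if ($newManaged) { Write-Output 'Unbaselined managed IIS modules:'; $newManaged | Format-Table -AutoSize }

# Assemblies recently written under the ASP.NET temporary compilation directories.
# Legitimate ones are produced by IIS when a web app compiles; review any that do
# not line up with a known deployment or app-pool recycle on that date.
$tempRoots = Get-ChildItem -Path "$env:windir\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files" -Directory -ErrorAction SilentlyContinue
$since = (Get-Date).AddDays(-$LookbackDays)
$recentDlls = $tempRoots | ForEach-Object {
    Get-ChildItem -Path $_.FullName -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since }
}
if ($recentDlls) {
    Write-Output "Assemblies written under Temporary ASP.NET Files in the last $LookbackDays days:"
    $recentDlls | Select-Object LastWriteTime, Length, FullName | Sort-Object LastWriteTime | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session on the Exchange Server; anything it flags is a lead for closer inspection, not proof of compromise on its own.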

According to OverWatch, CrowdStrike’s managed threat hunting service:

“At its core, IceApple is a post-exploitation framework focused on increasing an adversary’s visibility of a target through the acquisition of credentials and exfiltration of data. None of the modules observed by OverWatch provides exploitation or lateral movement capabilities.”

How to Protect Your Exchange Organization from IceApple?

Currently, the best defense is to safeguard your Exchange environment, especially its web applications, from malicious access. It is therefore important to identify your Exchange security challenges, strengthen your baseline security, and fully patch all applications and servers to prevent IceApple from infiltrating your Exchange organization.

Follow our guide on installing the latest Security and Cumulative Updates to protect Exchange Servers from malicious attacks.

Also, use technology to proactively identify and prevent both known and emerging threats. For example, here are some Exchange security best practices for 2023 that you should follow to fortify server security.

To Wrap Up

IceApple is a highly advanced and sophisticated post-exploitation framework that is not easy to detect. To safeguard your Exchange organization from IceApple, you must keep your applications, including your Exchange environment, patched with the latest Security Updates. To stay informed about the latest Security and Cumulative Update releases, you can follow our blog on Exchange vulnerabilities, flaws, and fixes.

However, if you suspect that the server is compromised, you should set up a new Exchange Server and stop using the compromised one. You can use your backup to restore mailboxes, or install Exchange recovery software, such as Stellar Repair for Exchange, to extract mailboxes from the database files on the compromised Exchange Server and export them directly to the newly set up server. The software comes in handy when backups are not available. It can repair damaged or corrupt databases, so you can use it if the database doesn’t mount due to inconsistencies or corruption caused by the malicious attacks.