
Cyber Incident Victim: Comisión para el Mercado Financiero

Date:

Mar 2021

Location:

Chile

Summary

The Comisión para el Mercado Financiero (CMF), Chile's financial regulator, suffered a cyberattack in which threat actors exploited the ProxyLogon vulnerabilities in its on-premises Microsoft Exchange server to deploy web shells and attempt credential theft. Analysis found no ransomware, and the incident was confined to the Exchange platform. The attackers altered the ExternalUrl setting of the Exchange Offline Address Book virtual directory to plant a web shell that gave them remote command execution, then used a batch file to dump LSASS memory in an attempt to harvest Windows domain credentials. The CMF worked with external security experts and government response teams during the investigation and afterwards shared indicators of compromise, including SHA-1 hashes of the web shells and the malicious script, to help other organizations detect the same intrusion pattern.

CIA Posture: Available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 2 techniques (details available to members)
Threat Actor: 1 actor (details available to members)
Threat Actor Type: Available to members
Threat Actor Location: Available to members

Description

In March 2021, Chile's Comisión para el Mercado Financiero (CMF), the nation's financial regulatory authority operating under the Ministry of Finance, suffered a breach of its Microsoft Exchange servers. The intrusion followed exploitation of the ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which Microsoft had publicly disclosed earlier that month. Within that chain, CVE-2021-26855 is an unauthenticated server-side request forgery that lets an attacker reach the Exchange backend as if authenticated, and CVE-2021-27065 is an arbitrary file write that turns that access into code execution.

The attackers used the file write in the way seen across the wider campaign: they modified the Offline Address Book (OAB) virtual directory configuration, setting its ExternalUrl value to a China Chopper web shell one-liner. Because Exchange writes that configuration to disk when the virtual directory is reset, the crafted value became an .aspx file served by IIS, disguised as a legitimate Exchange component and giving the attackers persistent remote command execution on the server. Forensic analysis identified two web shells, error_page.aspx (SHA-1: 0b15c14d0f7c3986744e83c208429a78769587b5) and supp0rt.aspx (SHA-1: bcb42014b8dd9d9068f23c573887bf1d5c2fc00e), through which commands were run on the compromised servers. A batch file named test.bat (SHA-1: 0aa3cda37ab80bbe30fa73a803c984b334d73894) was also deployed to dump LSASS process memory, in order to recover Windows domain credentials, and to export user lists; both are typical preparation for lateral movement. The CMF's internal security team, working with external cybersecurity experts, confirmed that the attackers' activity was confined to the Exchange platform and found no evidence of ransomware or of compromise beyond these credential-theft attempts.


The CMF publicly disclosed the incident on March 16, 2021, and coordinated its investigation with the Computer Security Incident Response Team (CSIRT) of Chile's Ministry of Finance. As part of its response, the regulator proactively shared indicators of compromise (IOCs), including the SHA-1 hashes of the malicious files and technical details of how the web shells operated, to help other organizations detect similar intrusions. Analysis showed that the attackers used the web shells to execute commands remotely but did not progress to secondary payloads such as cryptominers or the DearCry ransomware that other ProxyLogon exploitation campaigns were deploying at the time. Microsoft supplied supplementary detection tooling, including the Test-ProxyLogon.ps1 log-scanning script and updates to the Microsoft Safety Scanner (MSERT), to identify compromised systems. The CMF maintained operational continuity throughout the incident, with no reported disruption to its regulatory functions or public services. Post-incident forensic work focused on determining the extent of data exposure and on hardening the Exchange servers' configuration to prevent recurrence.
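The two checks that the description and the response paragraph above imply a responder would run, a hash sweep against the published SHA-1 IOCs and a sanity check of OAB ExternalUrl values, written out as an added example. This is illustrative code written for this page, not tooling from the CMF, the CSIRT or Microsoft. It assumes the three SHA-1 values listed above are the IOCs to match, that the operator supplies the directory to sweep, and that OAB ExternalUrl values have already been exported (for instance with Get-OabVirtualDirectory in the Exchange Management Shell) and are passed in as strings; the files and URL strings inside demo() are constructed for the demonstration.

```python
"""Added example: IOC sweep for the CMF Exchange intrusion.

Illustrative code written for this page; not CMF or Microsoft tooling.
Two checks a responder to this incident would run:
  1. Hash every file under a directory tree and match the SHA-1 values
     against the IOCs the CMF published.
  2. Examine OAB virtual-directory ExternalUrl values: a legitimate value
     is an http(s) URL, whereas the ProxyLogon chain stored web shell
     markup in that field, so anything that is not a plain URL is suspect.
Assumptions: ExternalUrl values are exported separately (for example with
Get-OabVirtualDirectory) and passed in as strings; the files and URLs in
demo() are constructed for the demonstration.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# SHA-1 IOCs published by the CMF, as listed in the description above.
CMF_IOC_SHA1 = {
    "0b15c14d0f7c3986744e83c208429a78769587b5": "error_page.aspx",
    "bcb42014b8dd9d9068f23c573887bf1d5c2fc00e": "supp0rt.aspx",
    "0aa3cda37ab80bbe30fa73a803c984b334d73894": "test.bat",
}

# Markup or code fragments that never belong in a URL field (heuristic).
_MARKUP = re.compile(r"<\s*script|runat\s*=|eval\s*\(|Request\s*\[", re.IGNORECASE)


def sha1_of(path, chunk_size=1 << 20):
    """SHA-1 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_hashes(root, iocs):
    """Walk root; return sorted (path, sha1, ioc_name) for files whose hash is in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of(path)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return sorted(hits)


def check_external_url(value):
    """Classify one ExternalUrl value as (suspicious, reason)."""
    text = (value or "").strip()
    if not text:
        return False, "empty"
    if _MARKUP.search(text):
        return True, "script markup in URL field"
    parsed = urlparse(text)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return True, "not an http(s) URL"
    return False, "ok"


def demo():
    """Constructed demo: one benign file, one planted file whose hash is added to the IOC set."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp, "aspnet_client")
        webroot.mkdir()
        Path(webroot, "index.html").write_text("<html>ok</html>")
        planted = Path(webroot, "supp0rt.aspx")
        planted.write_text("<% constructed placeholder, not a real shell %>")
        iocs = dict(CMF_IOC_SHA1)
        iocs[sha1_of(planted)] = "planted demo file"  # stand-in for a real IOC match
        hits = [name for _path, _digest, name in sweep_hashes(tmp, iocs)]

        # Constructed ExternalUrl values: a normal one and a web shell one-liner.
        urls = [
            "https://mail.example.test/OAB",
            '<script language="JScript" runat="server">function Page_Load(){}</script>',
        ]
        flags = [check_external_url(url)[0] for url in urls]
        return hits, flags


if __name__ == "__main__":
    print(demo())  # (['planted demo file'], [False, True])
```

In a real sweep, point sweep_hashes at the Exchange web roots (the owa\auth directory under FrontEnd\HttpProxy in the Exchange install path and inetpub\wwwroot\aspnet_client were the drop locations reported across this campaign) rather than at the temporary directory demo() creates. A hash match is high-confidence; the ExternalUrl heuristic deliberately flags anything that is not a plain http(s) URL and is meant to be reviewed by hand, since attackers can trivially vary the shell's wording.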

Sources

1 source (available to members)