How cybercrime groups are exploiting the latest Microsoft Exchange flaws
Criminals have been targeting organizations that run Exchange hoping to breach ones that haven’t patched the latest bugs, says ESET.
Four critical zero-day vulnerabilities in Microsoft Exchange have paved the way for attackers to take over reachable Exchange servers without valid credentials. On March 2, Microsoft released a series of updates to patch the flaws, but cybercriminals have been rushing to hack affected organizations that haven’t yet applied them. In addition, many organizations were compromised in the window after the vulnerabilities were discovered and exploited but before Microsoft released its patches.
Most of the fingers so far have been pointing at a China-based cybercrime group called Hafnium as the major culprit exploiting these flaws and attacking organizations. But security provider ESET has detected a number of different APT (Advanced Persistent Threat) groups also taking advantage of the bugs. In a report published Wednesday, ESET looks at several of these APT attacks and advises organizations on the right steps to take.
The four Exchange vulnerabilities in question were first uncovered by vulnerability researcher Orange Tsai, who reported them to Microsoft on Jan. 5, according to ESET. But security firm Volexity, which also alerted Microsoft, claims the exploitation of these flaws started on Jan. 3. Assuming these dates are accurate, either the bugs were independently discovered by these two research teams, or the information was obtained by a hacker, ESET said.
As part of the attacks, hackers have been able to control compromised servers through webshells, malicious code that gives them remote administrative access. Over just the past few days, ESET has found 5,000 unique Exchange servers across more than 115 countries where webshells were detected. And this number includes only servers on which ESET products are installed.
APT activity
The following are some of the APT groups or activities discovered by ESET that have either installed or are taking advantage of webshells on victimized organizations.
Tick. An APT group active since 2008, Tick targets organizations in Japan but also South Korea, Russia and Singapore, with the goal of stealing intellectual property and classified information. On Feb. 28, Tick (also known as Bronze Butler) hacked into the Exchange server of an IT company in East Asia, which means it exploited the vulnerabilities before Microsoft patched them.
LuckyMouse. Also known as APT27 and Emissary Panda, LuckyMouse is an APT group that has breached government networks in Central Asia and the Middle East. On March 1, this group compromised the Exchange server of a governmental department in the Middle East, another incident that occurred before the patches were released.
Calypso. A cyber espionage group targeting government agencies in Central Asia, the Middle East, South America and Asia, Calypso hacked into the Exchange servers of government groups in the Middle East and South America on March 1. The group subsequently targeted additional servers in both the public and private sectors across Africa, Asia and Europe.
Websiic. On March 1, a cluster of activity dubbed Websiic by ESET targeted seven Exchange servers at private companies in the IT, telecommunications and engineering sectors. The companies were located in Asia and Eastern Europe, while the date indicates that the attackers had access to the exploit before the patches were released.
Winnti Group. Active since at least 2012, the Winnti Group has conducted high-profile supply-chain attacks against the video game and software industries. Starting March 2, the group (also known as BARIUM or APT41) compromised the Exchange servers of an oil company and a construction equipment company, both based in East Asia.
Tonto Team. An APT group around since at least 2009, Tonto Team (also known as CactusPete) typically targets governments and institutions mostly based in Russia, Japan and Mongolia. On March 3, this group compromised the Exchange servers of a procurement company and a consulting company involved in software development and cybersecurity, both located in Eastern Europe.
Unattributed ShadowPad activity. ShadowPad is a modular backdoor that was exclusive to the Winnti Group until the end of 2019 but is now used by at least five additional groups: Tick, Tonto Team, KeyBoy, IceFog and TA428, according to ESET. On March 3, this backdoor was deployed on the Exchange servers of a software development company in East Asia and a real estate company in the Middle East.
“Opera” Cobalt Strike. On March 3, a few hours after Microsoft released its patches, ESET discovered another batch of malicious activities that so far it can’t link to any group already being tracked. From March 3 through March 5, these activities hit around 650 servers, mostly in the U.S., Germany, the UK and other European countries. Given the timing of these attacks, ESET said it’s unsure whether the hackers had access to the exploit beforehand or reverse-engineered the patches.
IIS backdoors. On March 3, webshells were used to install backdoors on IIS (Internet Information Services) on four email servers in Asia and South America.
Mikroceen. An APT group around since at least 2017, Mikroceen (aka Vicious Panda) mainly targets governmental institutions and telcos in Central Asia, Russia and Mongolia. On March 4, this group attacked the Exchange server of a utility company in Central Asia.
DLTMiner. DLTMiner is a malicious cryptomining operation that primarily hits companies in Asia. Starting March 5, this campaign deployed several PowerShell downloaders on multiple Exchange servers that had previously been targeted through the Exchange flaws.
“Our ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,” ESET said in its report. “It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.”
Recommendations
First, all organizations with Exchange servers should patch their systems as soon as possible. You can download the patches for Exchange Server 2019, 2016 and 2013 from Microsoft’s Support site. Microsoft also offers a blog post describing the update process and a page for older Cumulative Updates of Exchange Server.
Even organizations whose Exchange servers are not directly exposed to the internet should apply the patches, ESET advised. That’s because an attacker with low-privileged access to your network can exploit these vulnerabilities to escalate privileges by compromising an internal Exchange server and then move laterally from it.
Microsoft recommends two other actions: check the patch level of your Exchange servers, and scan your Exchange log files for indicators of compromise. A script from Microsoft can automatically scan your Exchange servers for IOCs. If you detect that your Exchange server has been compromised, you should remove the webshells, change login credentials, and then investigate for any additional malicious activity.
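A defender-side illustration of the log-review step, added here and not taken from ESET’s report or Microsoft’s script: it parses IIS W3C log lines and flags requests for .aspx pages under web-facing Exchange directories that are not in a known-good baseline, the pattern a dropped webshell leaves behind. The baseline, the monitored directory prefixes and the log lines are constructed for the example; a real baseline should be generated from a clean, patched install.

```python
"""Flag requests to unexpected .aspx pages in IIS W3C logs (added example)."""
from collections import defaultdict

# Constructed allowlist: .aspx pages legitimately served under the monitored
# prefixes. Build the real list from a clean, patched Exchange install.
KNOWN_GOOD = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx"}
# Constructed set of web-facing directories where new .aspx files are a red flag.
MONITORED_PREFIXES = ("/owa/auth/", "/aspnet_client/", "/ecp/")

# Constructed IIS log excerpt in the default W3C extended layout (15 fields).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 04:12:09 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 31
2021-03-03 04:12:31 10.0.0.5 POST /owa/auth/ErrorFE.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 15
2021-03-03 04:13:02 10.0.0.5 POST /owa/auth/supp0rt.aspx - 443 - 203.0.113.7 python-requests/2.25 - 200 0 0 88
2021-03-03 04:13:05 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.7 python-requests/2.25 - 200 0 0 140
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_requests(rows):
    """Group requests to non-baseline .aspx files under monitored prefixes by URI.

    Each key is a candidate webshell path; the value lists (date, time, client
    IP, method, status) so an analyst can pivot to the source addresses.
    """
    hits = defaultdict(list)
    for r in rows:
        uri = r.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if (uri.endswith(".aspx") and uri.startswith(MONITORED_PREFIXES)
                and uri not in KNOWN_GOOD):
            hits[uri].append((r["date"], r["time"], r["c-ip"],
                              r["cs-method"], r["sc-status"]))
    return dict(hits)


if __name__ == "__main__":
    for uri, reqs in suspicious_requests(parse_w3c(SAMPLE_LOG)).items():
        print(uri, "<-", sorted({ip for _, _, ip, _, _ in reqs}))
```

A hit is a starting point, not proof: confirm by checking the file on disk against the baseline and reviewing what the same client addresses did next.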
Finally, ESET recommends that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet. With a massive public exploit, you’ll find it difficult, if not impossible, to patch your systems in time.