Exchange Server Attacks Spread After Disclosure of Flaws
Forecast Calls for Backdoored Email as Well as Installing Ransomware, Cryptominers
UPDATED: Just days after Microsoft disclosed four zero-day flaws in Microsoft Exchange email servers, attackers are going on a wide hunt for vulnerable machines, some security experts say.
Steven Adair, CEO and founder of the firm Volexity, which first reported the vulnerabilities, says that over the past few days, the Chinese hacking group accused of initially exploiting the flaws has shifted into high gear, stepping up attacks on any vulnerable, unpatched Exchange servers worldwide.
At least 30,000 organizations across the United States are infected, and the attackers now have control over “hundreds of thousands” of Microsoft Exchange Servers worldwide, reports KrebsOnSecurity, citing unnamed U.S. national security advisers.
Infected machines are left with a “web shell,” a password-protected hacking tool that gives attackers access to a victim’s computer servers from any browser.
Reuters reports that on Friday, White House press secretary Jen Psaki told reporters that these vulnerabilities were “significant” and “could have far-reaching impacts.” (see also: Hackers Exploit Exchange Flaws to Target Local Governments)
If some U.S. federal agencies haven't been busy enough with the SolarWinds crisis, there's a new urgent immediate task at hand: looking for signs their Exchange servers may have been compromised.
The Cybersecurity and Infrastructure Security Agency issued an emergency directive on Wednesday ordering agencies to scour for forensic clues that servers may have been compromised (see: Microsoft Patches Four Zero-Day Flaws in Exchange).
Agencies should look in system memory, web and event logs and registry hives for signs of exploitation, CISA says. If there are no signs of exploitation, organizations should patch immediately. CISA has a guide to the latest list of attack indicators.
If there are signs of exploitation, it's going to be a heavy lift. CISA says on-premises Exchange servers should be disconnected immediately and not rejoined to the enterprise domain. Eventually, CISA will direct agencies to rebuild their Exchange Service operating system and reinstall the software package.
Microsoft issued patches on Tuesday, a week ahead of its normal patch release, for the four vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
Beyond the U.S. federal government, the impact of the vulnerabilities continues to grow - and not just among the targeted sectors named by Microsoft. The company says those groups include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and nongovernment organizations.
Volexity, which contributed research for the vulnerability findings, first noticed exploitation activity against its customers around Jan. 6. That activity has suddenly ticked up now that the vulnerabilities are public, says Adair.
"The exploit already looks like it has spread to multiple Chinese APT groups who have become rather aggressive and noisy - quite a marked change from how it started with what we were seeing," he says.
Threat detection company Huntress says it has seen compromises of unpatched Exchange servers in small hotels, one ice cream company, a kitchen appliance manufacturer and what it terms "multiple senior citizen communities."
"We have also witnessed many city and county government victims, healthcare providers, banks/financial institutions and several residential electricity providers," writes John Hammond, a senior threat researcher at Huntress.
The impact of more widespread attacks could lead to problems that go beyond backdoored email accounts. Kevin Beaumont, a senior threat intelligence analyst at Microsoft, tweets that the attacks could include ransomware campaigns. Adair says there's also a strong chance of cryptominers being installed.
"By the way, one call out: I fully expect more threat actors, including ransomware etc, to start using these vulns soon. Those who know me know I don’t sound alarm on vulns often at all, I am hype train deflater in chief; but these are the real deal." - Kevin Beaumont (@GossiTheDog), March 2, 2021
Beaumont created a tool to scan networks for vulnerable Exchange servers.
Hammond writes in a blog post that Huntress has seen more than 300 web shells installed on 2,000 vulnerable Exchange servers, most of which have either antivirus or endpoint detection and response software installed that apparently did not detect the attack. "This shouldn't be a major surprise as perfect prevention is ridiculously hard and does not suggest these solutions aren't solid investments," he says.
U.S. Hit Most, But Attacks Are Global
Microsoft pinned the attacks on a China-based group it calls Hafnium, which had been exploiting the flaws. Microsoft described the attacks as "limited and targeted."
But shortly after the news of the vulnerabilities broke, security firms said other hacking groups were using at least some of the flaws.
ESET, for example, tweets that CVE-2021-26855 has been used by three groups: LuckyMouse, Tick and Calypso. ESET says most of the organizations it has detected as having been targeted are in the U.S., but there are attacks in other regions, including Europe, Asia and the Middle East.
Adair says Volexity has seen instances in which attackers used their foothold in Exchange for lateral movement. That means cleanup efforts for those organizations will have to go far deeper to ensure attackers don't still have backdoors into systems.
"We have worked multiple cases where the attackers moved to other systems on the network," he says. "They did this both for obtaining credentials/data and for placing additional backdoors (primarily web shells) on more systems."
Editor Tony Morbin updated this report.