List of Hacked Exchange Servers May Boost Recovery Efforts

Window Closing to Secure Small Organizations From Ransomware
Computer security researchers have acquired an enormous list of compromised email servers from the perpetrators of the mass Microsoft Exchange compromises - a lucky but not uncommon find that is now being put to use to alert infected organizations.

The victim list contains 86,000 IP addresses of Exchange servers infected worldwide as the result of the latest vulnerabilities revealed by Microsoft last week, says Allison Nixon, chief research officer with Unit 221B, a New York-based cybersecurity company.

The list is now being used to power a web-based service that can help organizations identify if their email systems were infected in the first wave of attacks, Nixon says. That service, Check My OWA, is now active.

The list contains IP addresses and domains. Users can enter an email address, and Check My OWA will send an email response if the organization appears to be infected. Nixon says, however, that it's best to log into Exchange and visit the site using the IP address of an actual Exchange server because the list has many entries with just an IP address and no domain.

The site aims to solve a problem with mass compromises commonly encountered by researchers: A vast group doesn't know if they're infected, and it's difficult to let those that are affected know.

"Out of that frustration, we've had to try to figure out what's the best way to notify victims," Nixon says.

Nixon says she can't reveal who found the victim list or where it was located. But she says that while the mass Exchange compromise situation is extraordinary in its scope, it's not uncommon for researchers to come across lists like this one. The Check My OWA website says the list came "from perpetrators of this mass breach event."

As of Wednesday evening, Check My OWA has sent 1,032 alert emails to people who may have problematic Exchange servers. Nixon says the site has also alerted 309 people who visited from IPs that are on the list.

Perhaps encouragingly, there's been a noticeable decrease in recent days in new web shells planted in organizations, says Katie Nickels, director of intelligence for the security firm Red Canary. Nickels says that insight comes from Red Canary's own customer base.

"It seems like, from our visibility, the initial infections have slowed down, but because we saw a lot of activity end of last week and over the weekend, it's reasonable to assess there are still a lot of victim servers out there and organizations who don't know they've been compromised," Nickels says.

Nickels says Red Canary has published a blog post aimed at educating administrators at smaller organizations on how to detect infections. Nixon says that, at minimum, organizations should patch and run an email backup to ensure they at least have a copy of their data.

Frantic Patching, Cleanup

A frantic patching and cleanup effort is underway, and time is running out to hold off broader and uglier impacts than simply backdoored Exchange servers, experts say. That's due, in part, to the mystery behind how the attack spread so quickly.

On March 2, Microsoft released patches for four vulnerabilities in Exchange, two of which were found by Cheng-Da Tsai, better known as the security researcher Orange Tsai, of the Taiwanese security company Devcore.

Microsoft pinned the attacks on a China-based group it calls Hafnium, which has been exploiting the flaws.

On a website it has set up, ProxyLogon, Devcore describes the timeline for its findings. The real zinger bug, CVE-2021-26855, was found on Dec. 10, and Devcore found a second one, CVE-2021-27065, on Dec. 30. Devcore says that one day later, they chained the bugs together for a workable, preauthentication remote code execution exploit.

Efforts to reach Tsai and Devcore weren’t immediately successful.

Devcore reported the bugs to Microsoft through its MSRC portal on Jan. 5. But now it has emerged that various security companies were seeing signs of exploitation prior to that. Volexity said on Tuesday it has traced signs of exploitation of CVE-2021-26855 back to Jan. 3.

After Microsoft's announcement, security companies, including ESET, began seeing as many as five so-called advanced persistent threat groups using the bugs to indiscriminately target any exposed server. That activity started as early as Feb. 27, according to Rapid7. It's unknown how the information managed to fall into the hands of several groups.

"How they [the different attack groups] knew is indeed a puzzle," says Dmitri Alperovitch, co-founder and former CTO for CrowdStrike, who is now chairman of the Silverado Policy Accelerator.

Although the flaws can be exploited to plant a backdoor that allows access to email, they also can be used to pivot deeper into other infrastructure, posing a wide-ranging and long-term risk.

And that poses an interesting question: Why are organizations still using on-premises Exchange servers rather than hosted Exchange, which leaves patching in the hands of Microsoft?

Turns out, it's a long, complicated story, as shown in this Twitter thread started by Lesley Carhart of Dragos. Web-based Exchange isn't as customizable as on-premises Exchange, and just switching over is far from trivial given how Exchange is woven in deep and weird ways into organizations.

The reasons are varied, ranging from routing issues, user permissions, compatibility and compliance to even enabling something as mundane as scan-to-email functionality. This tweet sums it up succinctly:

Nickels says there's no right answer for every organization about whether to use the on-premises or hosted version of Exchange. She says it depends on each organization's specific network and their acceptance of risk - and there's risk in the cloud as well.

"Like many things in this industry, it's very easy for people to go to one extreme or the other," Nickels says. "It's not an easy answer. Each organization needs to make an assessment for themselves."

Shell Games

Nixon says large, well-connected organizations are likely to get a heads-up that they're infected, but there's a long trail of victims that need to be notified and take action.

She's hoping Check My OWA will get the word out because there is high concern over what is going to happen in the coming weeks. Nixon says there's a precious moment of opportunity now to fix the problems.

Infected Exchange servers can also be taken over by other attackers. Already, there are signs threat actors are playing "king of hill," dropping shells on servers, removing shells from other groups or renaming them, Nixon says.

Nickels says Red Canary saw one organization that had shells dropped on its systems on March 3, then one on March 4 and a third on March 5. She says that, due to intelligence gaps, it is impossible to tell if different attack groups placed those shells.

"We have seen some victims where there are multiple different shells," Nickels says.

Nixon believes there are storm clouds ahead. Eventually, a proof-of-concept exploit script will likely become public, and then there may be a full-force blitz to infect whatever Exchange servers haven't been fixed, she says. And that likely means ransomware.

"At some point in time, all of the Exchange servers that are exposed either implode in ransomware or are deleted," Nixon says. "That [ransomware] is the inevitable final outcome of this situation."


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.



