Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/26/2021
03:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Microsoft Shares Exchange Server Post-Compromise Attack Activity

Microsoft shares the details of post-exploitation attack activity, including multiple ransomware payloads and a cryptocurrency botnet.

Microsoft has shared intelligence detailing post-compromise activity seen in ongoing Exchange Server attacks, which have infected vulnerable targets with ransomware and a botnet, among other activity.

Related Content:

Microsoft Exchange Server Attacks: 9 Lessons for Defenders

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: In Secure Silicon We Trust

Organizations around the world were urged to patch their systems when Microsoft released a fix for Exchange Server zero-days on March 2. While patching for Exchange Server has ramped up, Microsoft reports, the updates won't protect victims that have already been compromised. 

This week the company released more information to warn of post-exploitation activity seen on Exchange Servers, which have been targeted by attackers ranging from cybercriminals to state-sponsored groups. While early attacks were attributed to a group Microsoft calls Hafnium, the weeks following its patch release have revealed "numerous other attackers" using the exploit. 

This new threat data and technical details are meant to help defenders investigate whether they were attacked prior to patching and, if so, how they can respond. 

Microsoft notes that many compromised systems have not yet seen secondary attacks such as ransomware or data exfiltration. This could indicate that attackers are perhaps laying low and remaining persistent for potential future attacks, the company says, or they could already by using credentials and other stolen data to compromise networks through other attack vectors. 

As of March 25, many of the unpatched systems Microsoft observed had Web shells on them. The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency has specifically warned of the China Chopper Web shell and has added nine of them to its Exchange Server mitigation guidance.

Multiple ransomware families have been seen in the attacks. The first was a variant Microsoft calls DoejoCrypt; these attacks start with a variant of the Chopper Web shell being deployed to a compromised Exchange Server. The Web shell writes a batch file that does a backup of the Security Account Manager (SAM) database and System and Security registry hives, which allows attackers to access the passwords of local users.

In a blog post, the Microsoft 365 Defender Threat Intelligence Team emphasizes the importance of the principle of least privilege. Because of the configurations typically used on Exchange Servers, they say, many compromised systems are likely to have at least one service or task configured with a highly privileged account to complete tasks like backups. 

"As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial Web shell access due to an antivirus detection," the team writes, as the account can later be used to elevate privileges. 

While DoejoCrypt was a new form of ransomware, Microsoft points out that the access attackers gain through these vulnerabilities will likely be used by other groups in the future. This has already been seen with Pydomer, the first existing ransomware family to exploit the Exchange Server flaws. Pydomer has previously been seen distributing ransomware through bugs in Pulse Secure VPN. 

In this attack, Pydomer operators scanned and compromised Exchange Servers en masse to drop a Web shell around March 18–20, 2021. The Web shells have been spotted on some 1,500 systems, Microsoft says, though not all were infected with ransomware. On the systems that were, attackers used a non-encryption extortion strategy similar to that of Maze and Egregor. 

"This option might have been semiautomated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration," officials write, noting the ransom note should be taken seriously if received.

Microsoft notes that "the overall numbers of ransomware have remained extremely small to this point," but it warns defenders to remember these threats demonstrate how attackers can quickly pivot their operations to target unpatched systems. 

The team also detected multiple cryptocurrency miner campaigns among the first payloads seen stemming from post-exploit Web shells. Many of these campaigns had previously been targeting SharePoint servers and added Exchange Server to their targets. Specifically, they noticed Lemon Duck, a known cryptocurrency botnet, compromising "numerous" Exchange Sever targets and evolving to deploy malware in addition to mining cryptocurrency.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30481
PUBLISHED: 2021-04-10
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
CVE-2021-20020
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
CVE-2021-30480
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
CVE-2021-21194
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21195
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.