Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

End of Bibblio RCM includes -->
3/26/2021
03:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

Microsoft Shares Exchange Server Post-Compromise Attack Activity

Microsoft shares the details of post-exploitation attack activity, including multiple ransomware payloads and a cryptocurrency botnet.

Microsoft has shared intelligence detailing post-compromise activity seen in ongoing Exchange Server attacks, which have infected vulnerable targets with ransomware and a botnet, among other activity.

Related Content:

Microsoft Exchange Server Attacks: 9 Lessons for Defenders

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: In Secure Silicon We Trust

Organizations around the world were urged to patch their systems when Microsoft released a fix for Exchange Server zero-days on March 2. While patching for Exchange Server has ramped up, Microsoft reports, the updates won't protect victims that have already been compromised. 

This week the company released more information to warn of post-exploitation activity seen on Exchange Servers, which have been targeted by attackers ranging from cybercriminals to state-sponsored groups. While early attacks were attributed to a group Microsoft calls Hafnium, the weeks following its patch release have revealed "numerous other attackers" using the exploit. 

This new threat data and technical details are meant to help defenders investigate whether they were attacked prior to patching and, if so, how they can respond. 

Microsoft notes that many compromised systems have not yet seen secondary attacks such as ransomware or data exfiltration. This could indicate that attackers are perhaps laying low and remaining persistent for potential future attacks, the company says, or they could already by using credentials and other stolen data to compromise networks through other attack vectors. 

As of March 25, many of the unpatched systems Microsoft observed had Web shells on them. The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency has specifically warned of the China Chopper Web shell and has added nine of them to its Exchange Server mitigation guidance.

Multiple ransomware families have been seen in the attacks. The first was a variant Microsoft calls DoejoCrypt; these attacks start with a variant of the Chopper Web shell being deployed to a compromised Exchange Server. The Web shell writes a batch file that does a backup of the Security Account Manager (SAM) database and System and Security registry hives, which allows attackers to access the passwords of local users.

In a blog post, the Microsoft 365 Defender Threat Intelligence Team emphasizes the importance of the principle of least privilege. Because of the configurations typically used on Exchange Servers, they say, many compromised systems are likely to have at least one service or task configured with a highly privileged account to complete tasks like backups. 

"As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial Web shell access due to an antivirus detection," the team writes, as the account can later be used to elevate privileges. 

While DoejoCrypt was a new form of ransomware, Microsoft points out that the access attackers gain through these vulnerabilities will likely be used by other groups in the future. This has already been seen with Pydomer, the first existing ransomware family to exploit the Exchange Server flaws. Pydomer has previously been seen distributing ransomware through bugs in Pulse Secure VPN. 

In this attack, Pydomer operators scanned and compromised Exchange Servers en masse to drop a Web shell around March 18–20, 2021. The Web shells have been spotted on some 1,500 systems, Microsoft says, though not all were infected with ransomware. On the systems that were, attackers used a non-encryption extortion strategy similar to that of Maze and Egregor. 

"This option might have been semiautomated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration," officials write, noting the ransom note should be taken seriously if received.

Microsoft notes that "the overall numbers of ransomware have remained extremely small to this point," but it warns defenders to remember these threats demonstrate how attackers can quickly pivot their operations to target unpatched systems. 

The team also detected multiple cryptocurrency miner campaigns among the first payloads seen stemming from post-exploit Web shells. Many of these campaigns had previously been targeting SharePoint servers and added Exchange Server to their targets. Specifically, they noticed Lemon Duck, a known cryptocurrency botnet, compromising "numerous" Exchange Sever targets and evolving to deploy malware in addition to mining cryptocurrency.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-25878
PUBLISHED: 2022-05-27
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption ...
CVE-2021-27780
PUBLISHED: 2022-05-27
The software may be vulnerable to both Un-Auth XML interaction and unauthenticated device enrollment.
CVE-2021-27781
PUBLISHED: 2022-05-27
The Master operator may be able to embed script tag in HTML with alert pop-up display cookie.
CVE-2022-1897
PUBLISHED: 2022-05-27
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
CVE-2022-20666
PUBLISHED: 2022-05-27
Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient va...