Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/26/2021
03:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Microsoft Shares Exchange Server Post-Compromise Attack Activity

Microsoft shares the details of post-exploitation attack activity, including multiple ransomware payloads and a cryptocurrency botnet.

Microsoft has shared intelligence detailing post-compromise activity seen in ongoing Exchange Server attacks, which have infected vulnerable targets with ransomware and a botnet, among other activity.

Related Content:

Microsoft Exchange Server Attacks: 9 Lessons for Defenders

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: In Secure Silicon We Trust

Organizations around the world were urged to patch their systems when Microsoft released a fix for Exchange Server zero-days on March 2. While patching for Exchange Server has ramped up, Microsoft reports, the updates won't protect victims that have already been compromised. 

This week the company released more information to warn of post-exploitation activity seen on Exchange Servers, which have been targeted by attackers ranging from cybercriminals to state-sponsored groups. While early attacks were attributed to a group Microsoft calls Hafnium, the weeks following its patch release have revealed "numerous other attackers" using the exploit. 

This new threat data and technical details are meant to help defenders investigate whether they were attacked prior to patching and, if so, how they can respond. 

Microsoft notes that many compromised systems have not yet seen secondary attacks such as ransomware or data exfiltration. This could indicate that attackers are perhaps laying low and remaining persistent for potential future attacks, the company says, or they could already by using credentials and other stolen data to compromise networks through other attack vectors. 

As of March 25, many of the unpatched systems Microsoft observed had Web shells on them. The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency has specifically warned of the China Chopper Web shell and has added nine of them to its Exchange Server mitigation guidance.

Multiple ransomware families have been seen in the attacks. The first was a variant Microsoft calls DoejoCrypt; these attacks start with a variant of the Chopper Web shell being deployed to a compromised Exchange Server. The Web shell writes a batch file that does a backup of the Security Account Manager (SAM) database and System and Security registry hives, which allows attackers to access the passwords of local users.

In a blog post, the Microsoft 365 Defender Threat Intelligence Team emphasizes the importance of the principle of least privilege. Because of the configurations typically used on Exchange Servers, they say, many compromised systems are likely to have at least one service or task configured with a highly privileged account to complete tasks like backups. 

"As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial Web shell access due to an antivirus detection," the team writes, as the account can later be used to elevate privileges. 

While DoejoCrypt was a new form of ransomware, Microsoft points out that the access attackers gain through these vulnerabilities will likely be used by other groups in the future. This has already been seen with Pydomer, the first existing ransomware family to exploit the Exchange Server flaws. Pydomer has previously been seen distributing ransomware through bugs in Pulse Secure VPN. 

In this attack, Pydomer operators scanned and compromised Exchange Servers en masse to drop a Web shell around March 18–20, 2021. The Web shells have been spotted on some 1,500 systems, Microsoft says, though not all were infected with ransomware. On the systems that were, attackers used a non-encryption extortion strategy similar to that of Maze and Egregor. 

"This option might have been semiautomated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration," officials write, noting the ransom note should be taken seriously if received.

Microsoft notes that "the overall numbers of ransomware have remained extremely small to this point," but it warns defenders to remember these threats demonstrate how attackers can quickly pivot their operations to target unpatched systems. 

The team also detected multiple cryptocurrency miner campaigns among the first payloads seen stemming from post-exploit Web shells. Many of these campaigns had previously been targeting SharePoint servers and added Exchange Server to their targets. Specifically, they noticed Lemon Duck, a known cryptocurrency botnet, compromising "numerous" Exchange Sever targets and evolving to deploy malware in addition to mining cryptocurrency.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34390
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function.
CVE-2021-34391
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel�s tz_handle_trusted_app_smc function where a lack of integer overflow checks on the req_off and param_ofs variables leads to memory corruption of critical kernel structures.
CVE-2021-34392
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service.
CVE-2021-34393
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure.
CVE-2021-34394
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in all TAs whose deserializer does not reject messages with multiple occurrences of the same parameter. The deserialization of untrusted data might allow an attacker to exploit the deserializer to impact code execution.