Microsoft has shared intelligence detailing post-compromise activity seen in ongoing Exchange Server attacks, which have infected vulnerable targets with ransomware and a botnet, among other activity.

Organizations around the world were urged to patch their systems when Microsoft released a fix for Exchange Server zero-days on March 2. While patching for Exchange Server has ramped up, Microsoft reports, the updates won't protect victims that have already been compromised. 

This week the company released more information to warn of post-exploitation activity seen on Exchange Servers, which have been targeted by attackers ranging from cybercriminals to state-sponsored groups. While early attacks were attributed to a group Microsoft calls Hafnium, the weeks following its patch release have revealed "numerous other attackers" using the exploit. 

This new threat data and technical details are meant to help defenders investigate whether they were attacked prior to patching and, if so, how they can respond. 

Microsoft notes that many compromised systems have not yet seen secondary attacks such as ransomware or data exfiltration. This could indicate that attackers are perhaps laying low and remaining persistent for potential future attacks, the company says, or they could already by using credentials and other stolen data to compromise networks through other attack vectors. 

As of March 25, many of the unpatched systems Microsoft observed had Web shells on them. The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency has specifically warned of the China Chopper Web shell and has added nine of them to its Exchange Server mitigation guidance.

Multiple ransomware families have been seen in the attacks. The first was a variant Microsoft calls DoejoCrypt; these attacks start with a variant of the Chopper Web shell being deployed to a compromised Exchange Server. The Web shell writes a batch file that does a backup of the Security Account Manager (SAM) database and System and Security registry hives, which allows attackers to access the passwords of local users.

In a blog post, the Microsoft 365 Defender Threat Intelligence Team emphasizes the importance of the principle of least privilege. Because of the configurations typically used on Exchange Servers, they say, many compromised systems are likely to have at least one service or task configured with a highly privileged account to complete tasks like backups. 

"As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial Web shell access due to an antivirus detection," the team writes, as the account can later be used to elevate privileges. 

While DoejoCrypt was a new form of ransomware, Microsoft points out that the access attackers gain through these vulnerabilities will likely be used by other groups in the future. This has already been seen with Pydomer, the first existing ransomware family to exploit the Exchange Server flaws. Pydomer has previously been seen distributing ransomware through bugs in Pulse Secure VPN. 

In this attack, Pydomer operators scanned and compromised Exchange Servers en masse to drop a Web shell around March 18–20, 2021. The Web shells have been spotted on some 1,500 systems, Microsoft says, though not all were infected with ransomware. On the systems that were, attackers used a non-encryption extortion strategy similar to that of Maze and Egregor. 

"This option might have been semiautomated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration," officials write, noting the ransom note should be taken seriously if received.

Microsoft notes that "the overall numbers of ransomware have remained extremely small to this point," but it warns defenders to remember these threats demonstrate how attackers can quickly pivot their operations to target unpatched systems. 

The team also detected multiple cryptocurrency miner campaigns among the first payloads seen stemming from post-exploit Web shells. Many of these campaigns had previously been targeting SharePoint servers and added Exchange Server to their targets. Specifically, they noticed Lemon Duck, a known cryptocurrency botnet, compromising "numerous" Exchange Sever targets and evolving to deploy malware in addition to mining cryptocurrency.