Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/26/2021
03:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Microsoft Shares Exchange Server Post-Compromise Attack Activity

Microsoft shares the details of post-exploitation attack activity, including multiple ransomware payloads and a cryptocurrency botnet.

Microsoft has shared intelligence detailing post-compromise activity seen in ongoing Exchange Server attacks, which have infected vulnerable targets with ransomware and a botnet, among other activity.

Related Content:

Microsoft Exchange Server Attacks: 9 Lessons for Defenders

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: In Secure Silicon We Trust

Organizations around the world were urged to patch their systems when Microsoft released a fix for Exchange Server zero-days on March 2. While patching for Exchange Server has ramped up, Microsoft reports, the updates won't protect victims that have already been compromised. 

This week the company released more information to warn of post-exploitation activity seen on Exchange Servers, which have been targeted by attackers ranging from cybercriminals to state-sponsored groups. While early attacks were attributed to a group Microsoft calls Hafnium, the weeks following its patch release have revealed "numerous other attackers" using the exploit. 

This new threat data and technical details are meant to help defenders investigate whether they were attacked prior to patching and, if so, how they can respond. 

Microsoft notes that many compromised systems have not yet seen secondary attacks such as ransomware or data exfiltration. This could indicate that attackers are perhaps laying low and remaining persistent for potential future attacks, the company says, or they could already by using credentials and other stolen data to compromise networks through other attack vectors. 

As of March 25, many of the unpatched systems Microsoft observed had Web shells on them. The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency has specifically warned of the China Chopper Web shell and has added nine of them to its Exchange Server mitigation guidance.

Multiple ransomware families have been seen in the attacks. The first was a variant Microsoft calls DoejoCrypt; these attacks start with a variant of the Chopper Web shell being deployed to a compromised Exchange Server. The Web shell writes a batch file that does a backup of the Security Account Manager (SAM) database and System and Security registry hives, which allows attackers to access the passwords of local users.

In a blog post, the Microsoft 365 Defender Threat Intelligence Team emphasizes the importance of the principle of least privilege. Because of the configurations typically used on Exchange Servers, they say, many compromised systems are likely to have at least one service or task configured with a highly privileged account to complete tasks like backups. 

"As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial Web shell access due to an antivirus detection," the team writes, as the account can later be used to elevate privileges. 

While DoejoCrypt was a new form of ransomware, Microsoft points out that the access attackers gain through these vulnerabilities will likely be used by other groups in the future. This has already been seen with Pydomer, the first existing ransomware family to exploit the Exchange Server flaws. Pydomer has previously been seen distributing ransomware through bugs in Pulse Secure VPN. 

In this attack, Pydomer operators scanned and compromised Exchange Servers en masse to drop a Web shell around March 18–20, 2021. The Web shells have been spotted on some 1,500 systems, Microsoft says, though not all were infected with ransomware. On the systems that were, attackers used a non-encryption extortion strategy similar to that of Maze and Egregor. 

"This option might have been semiautomated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration," officials write, noting the ransom note should be taken seriously if received.

Microsoft notes that "the overall numbers of ransomware have remained extremely small to this point," but it warns defenders to remember these threats demonstrate how attackers can quickly pivot their operations to target unpatched systems. 

The team also detected multiple cryptocurrency miner campaigns among the first payloads seen stemming from post-exploit Web shells. Many of these campaigns had previously been targeting SharePoint servers and added Exchange Server to their targets. Specifically, they noticed Lemon Duck, a known cryptocurrency botnet, compromising "numerous" Exchange Sever targets and evolving to deploy malware in addition to mining cryptocurrency.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24613
PUBLISHED: 2021-09-20
The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed
CVE-2021-24618
PUBLISHED: 2021-09-20
The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated us...
CVE-2021-24635
PUBLISHED: 2021-09-20
The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, ...
CVE-2021-24636
PUBLISHED: 2021-09-20
The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a malicious link
CVE-2021-24637
PUBLISHED: 2021-09-20
The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gu...