The disclosure of four critical zero-day vulnerabilities in Microsoft Exchange Server jolted the information security community last week, and a rapid increase in attack activity has only exacerbated concerns.
Attacks exploiting the flaws were first spotted in January. They initially were limited and targeted, seemingly for espionage: the adversaries primarily targeted specific email accounts. Microsoft attributed the activity to a group it calls Hafnium, believed to operate out of China.
Then during the last weekend of February, researchers noticed a significant uptick in remote code execution. Attackers were writing Web shells to disk and launching operations to dump credentials, add user accounts, steal copies of Active Directory databases, and move laterally to other systems. The surge in activity – curious for an advanced Chinese attack group – pushed up the timeline of patches.
Microsoft deployed its fixes only a few days later, and the activity has continued to escalate. Check Point research reports hundreds of exploit attempts against organizations around the world, with the number of exploitation attempts doubling every two to three hours in the 24 hours ending March 11. Turkey is the most attacked country, followed by the US and Italy.
Researchers have also found there is far more than one attack group exploiting these flaws. Security firms including FireEye and Red Canary are tracking the attack activity in clusters, and researchers with ESET report at least ten APT group are already using the vulnerabilities. Some, they say, began exploiting the flaws before Microsoft's patches were released. According to a Wall Street Journal report, Microsoft is investigating whether one of its partners leaked information about the vulns before they were revealed publicly.
New information about attackers scanning for, and exploiting, these vulnerabilities has emerged nearly every day since they were disclosed. Microsoft most recently reported a new ransomware threat is targeting Exchange servers that have already been compromised.
Here, we dig into the information defenders need to know about protecting their organizations from this rapidly evolving threat: why they should be concerned, the challenges with patching, and how to hunt for signs of compromise. Read on to learn more.
