Researchers have spotted multiple groups exploiting the zero-day Exchange server vulnerabilities.

Kelly Sheridan, Former Senior Editor, Dark Reading

March 10, 2021

Multiple attack groups are exploiting the critical Microsoft Exchange Server vulnerabilities patched last week - and the growing wave of global activity began before Microsoft released emergency fixes on March 2.

Security firms including Red Canary and FireEye are now tracking the exploit activity in clusters and anticipate the number of clusters will grow over time. ESET researchers have detected at least ten APT groups using the critical flaws to target Exchange servers. 

When used in an attack chain, the exploits for these vulnerabilities could allow an attacker to authenticate as the Exchange server and deploy a Web shell so they can remotely control the target server. When Microsoft released patches for the four Exchange server zero-days, it attributed the activity with high confidence to a Chinese state-sponsored group called Hafnium.

Now, as researchers observe Web shells stemming from suspected Exchange exploitation, they believe far more groups are responsible for the growth in attack activity. In a blog post released March 9, Red Canary analysts report none of the clusters they observe significantly overlap with the group Microsoft calls Hafnium; as a result, they are now tracking these clusters separately.

"We don't know who is behind these clusters – we aren't sure if it's the same adversaries working together or different adversaries completely," the researchers write. "We're focusing narrowly on what we observe on victim servers for our clustering." They note that they want "significant overlaps" in multiple unique data points to classify attacker activity as a cluster.

Between Feb. 27 and March 3, Red Canary saw a cluster in which the China Chopper Web shell was dropped onto Exchange servers. Researchers saw further activity between a few hours and several days later; while the exact Web shell filename differed, the commands were consistent across multiple victims. China Chopper was likely the start of another cluster dubbed Sapphire Pigeon.

In Sapphire Pigeon, detected March 5, attackers dropped multiple Web shells on some victims at different times, days before they conducted further activity. When they did, they showed a range of unique patterns as outlined in their blog.

Palo Alto Networks' Unit 42 also observed different patterns in China Chopper Web shells, a backdoor seen dropped in some of these attacks. Researchers report two distinct clusters of events on Feb. 28 and March 1, before Microsoft's patch was released. Their data shows rapid deployment of Web shells during day and night, indicating an automated approach to targeting.

It also reflects a range of victims, which supports the idea that attackers are using automated scanning rather than targeting specific organizations or industries. Unit 42 reports the targets include investment banking firms, water conservatories, industrial automation facilities, law firms, and the hospitality sector. FireEye has identified US-based retailers, local governments, a university, and an engineering firm among affected victims.

APT Groups Unleash Exploits on Exchange Servers

ESET researchers noticed on Feb. 28 that the Exchange flaws had been weaponized by more than ten different APT actors, including Tick, LuckyMouse, and Calypso. This suggests multiple attackers learned the details of these flaws before Microsoft released its patch, "which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates," they report.

Microsoft's initial report on the Hafnium group says the Exchange exploit activity was "limited and targeted." And while it seems some threat groups began to target the flaws before a patch was released on March 2, the days following saw a flood of additional attackers driving the activity. Tonto Team, Mikroceen, and Winnti Group were among the groups scanning and compromising Exchange servers "en masse," researchers note in a writeup of their findings.

Most of these are APT groups interested in espionage, ESET reports, with the exception of one linked to a known cryptomining campaign. One group, dubbed LuckyMouse, compromised the email server of a governmental entity in the Middle East on March 1, before the patch release. At the same time, another group called Calypso used the Exchange exploit to compromise the email servers of governmental entities in the Middle East and South America; it also targeted servers of governmental entities and private companies in Africa, Asia, and Europe.

As of March 10, ESET researchers had seen more than 5,000 unique servers in more than 115 countries where Web shells were flagged. Once the flaw was exploited and a Web shell was in place, they saw attempts to install additional malware through it. In some cases, several attackers were attempting to target the same organization, they point out.

ESET, like most organizations tracking the threat, is still collecting data.

Threat Data Remains Incomplete

Security researchers are still observing the Exchange server attack activity and publishing new information as they learn it. The team with Praetorian successfully reverse-engineered one of the flaws dubbed ProxyLogon (CVE-2021-26855) and developed a functional end-to-end exploit. 

In this research, which they published with removal of critical proof-of-concept components, the team learned that this vulnerability can be "reliably and consistently exploited" and used in conjunction with another flaw to "achieve organization-wide compromise." 

They say this is due to a common Active Directory misconfiguration regarding Exchange permissions paths, which has been largely ignored by companies because the attack chain depends on a vulnerable Exchange server. "The new Exchange vulnerability removes that dependency and an attacker can daisy chain these two issues to expand the compromise from a company's email to the company itself," they write in an email to Dark Reading.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
