Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

3/10/2021
02:15 PM

Multiple Attack Groups Exploited Microsoft Exchange Flaws Prior to the Patches

Researchers have spotted multiple groups exploiting the zero-day Exchange server vulnerabilities.

Multiple attack groups are exploiting the critical Microsoft Exchange Server vulnerabilities patched last week - and the growing wave of global activity began before Microsoft released emergency fixes on March 2.


Security firms including Red Canary and FireEye are now tracking the exploit activity in clusters and anticipate that the number of clusters will grow over time. ESET researchers have detected at least ten APT groups using the critical flaws to target Exchange servers.

When used in an attack chain, the exploits for these vulnerabilities could allow an attacker to authenticate as the Exchange server and deploy a Web shell so they can remotely control the target server. When Microsoft released patches for the four Exchange server zero-days, it attributed the activity with high confidence to a Chinese state-sponsored group called Hafnium.

Now, as researchers observe Web shells stemming from suspected Exchange exploitation, they believe far more groups are responsible for the growth in attack activity. In a blog post released March 9, Red Canary analysts report none of the clusters they observe significantly overlap with the group Microsoft calls Hafnium; as a result, they are now tracking these clusters separately.

"We don't know who is behind these clusters – we aren't sure if it's the same adversaries working together or different adversaries completely," the researchers write. "We're focusing narrowly on what we observe on victim servers for our clustering." They note that they want "significant overlaps" in multiple unique data points to classify attacker activity as a cluster.

Between Feb. 27 and March 3, Red Canary saw a cluster in which the China Chopper Web shell was dropped onto Exchange servers. Researchers saw further activity between a few hours and several days later; while the exact Web shell filename differed, the commands were consistent across multiple victims. This China Chopper activity was likely the start of another cluster, dubbed Sapphire Pigeon.

In Sapphire Pigeon, detected March 5, attackers dropped multiple Web shells on some victims at different times, days before they conducted further activity. When they did, they showed a range of unique patterns as outlined in their blog.

Palo Alto Networks' Unit 42 also observed different patterns in China Chopper Web shells, a backdoor seen dropped in some of these attacks. Researchers report two distinct clusters of events on Feb. 28 and March 1, before Microsoft's patch was released. Their data shows rapid deployment of Web shells during day and night, indicating an automated approach to targeting.

It also reflects a range of victims, which supports the idea that attackers are using automated scanning rather than targeting specific organizations or industries. Unit 42 reports the targets include investment banking firms, water conservatories, industrial automation facilities, law firms, and the hospitality sector. FireEye has identified US-based retailers, local governments, a university, and an engineering firm among affected victims.
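Because the shell filenames varied across victims while the dropped content and commands stayed consistent, a filename-based check is weak; comparing the inventory of web-accessible script files against a known-good baseline is more robust. The following is an added example, not code from the article or from any vendor it cites; the Exchange directories and the date window are assumptions drawn from the reporting above and should be adjusted to the server in question.

```python
"""Inventory-diff check for unexpected server-side script files on an Exchange host."""
import hashlib
from pathlib import Path
from datetime import datetime, timezone

# Assumed web-accessible Exchange directories (adjust to the local install path).
EXCHANGE_WEB_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
]
SCRIPT_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx"}


def day(year, month, day_of_month):
    """UTC midnight for a calendar date; used for the observation window."""
    return datetime(year, month, day_of_month, tzinfo=timezone.utc)


# Exploitation window reported in the article (first clusters to ESET's March 10 count).
WINDOW_START, WINDOW_END = day(2021, 2, 27), day(2021, 3, 10)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(roots):
    """Map every script file under the roots to (sha256, mtime as aware UTC datetime)."""
    inventory = {}
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES:
                mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
                inventory[str(p)] = (sha256_of(p), mtime)
    return inventory


def find_suspects(current, baseline=None, start=WINDOW_START, end=WINDOW_END):
    """Flag files absent from or changed against the baseline; with no baseline,
    fall back to flagging anything written inside the exploitation window."""
    suspects = {}
    for path, (digest, mtime) in current.items():
        if baseline is not None and path not in baseline:
            suspects[path] = "not in baseline"
        elif baseline is not None and baseline[path] != digest:
            suspects[path] = "content differs from baseline"
        elif start <= mtime <= end:
            suspects[path] = "written inside the reported exploitation window"
    return suspects


if __name__ == "__main__":
    for path, reason in find_suspects(build_inventory(EXCHANGE_WEB_DIRS)).items():
        print(f"{reason}: {path}")
```

Flagged files are candidates for review, not verdicts: a legitimate patch written inside the window will also surface, which is why the baseline should be rebuilt after each verified update.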

APT Groups Unleash Exploits on Exchange Servers

ESET researchers noticed on Feb. 28 that the Exchange flaws were being weaponized by more than ten different APT actors, including Tick, LuckyMouse, and Calypso, suggesting multiple attackers learned the details of these flaws before Microsoft released its patch – "which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates," they report.

Microsoft's initial report on the Hafnium group says the Exchange exploit activity was "limited and targeted." And while it seems some threat groups began to target the flaws before a patch was released on March 2, the days following saw a flood of additional attackers driving the activity. Tonto Team, Mikroceen, and Winnti Group were among the groups scanning and compromising Exchange servers "en masse," researchers note in a writeup of their findings.

Most of these are APT groups interested in espionage, ESET reports, with the exception of one linked to a known cryptomining campaign. One group, dubbed LuckyMouse, compromised the email server of a governmental entity in the Middle East on March 1, before the patch release. At the same time, another group called Calypso used the Exchange exploit to compromise the email servers of governmental entities in the Middle East and South America; it also targeted servers of governmental entities and private companies in Africa, Asia, and Europe.

As of March 10, ESET researchers had seen more than 5,000 unique servers in more than 115 countries where Web shells were flagged. Once the flaw was exploited and a Web shell was in place, they saw attempts to install additional malware through it. In some cases, several attackers were attempting to target the same organization, they point out.

ESET, like most organizations tracking the threat, is still collecting data.

Threat Data Remains Incomplete

Security researchers are still observing the Exchange server attack activity and publishing new information as they learn it. The team at Praetorian successfully reverse-engineered one of the flaws, dubbed ProxyLogon (CVE-2021-26855), and developed a functional end-to-end exploit.

In this research, which they published with the critical proof-of-concept components removed, the team learned that this vulnerability can be "reliably and consistently exploited" and used in conjunction with another flaw to "achieve organization-wide compromise."

They say this is due to a common Active Directory misconfiguration regarding Exchange permissions paths, which has been largely ignored by companies because the attack chain depends on a vulnerable Exchange server. "The new Exchange vulnerability removes that dependency and an attacker can daisy chain these two issues to expand the compromise from a company's email to the company itself," they write in an email to Dark Reading.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
btozer
User Rank: Apprentice
3/11/2021 | 12:26:12 PM
10 Different APTs?
I think an interesting question is: How did so many APT groups develop working exploits for this vulnerability before it was publicly known?