Security researchers believe attacks exploiting four critical Microsoft Exchange Server vulnerabilities extend beyond the "limited and targeted" incidents reported by Microsoft this week when it issued patches for the zero-day flaws and urged enterprises to patch immediately.
Organizations first learned of the Exchange server zero-days on Tuesday when Microsoft released the fixes. It attributes the activity to a group called Hafnium "with high confidence." Hafnium is believed to operate out of China and primarily targets organizations based in the United States, Microsoft reports.
As more security researchers track the activity, new details emerge about these active exploits, how they were found, and factors that drove the release of yesterday's out-of-band patches.
These attacks appear to have started as early as Jan. 6, 2021, report Volexity researchers, who detected anomalous activity from two customers' Microsoft Exchange servers that month.
"We did a lot of analysis on the system initially to make sure it wasn't a backdoor," says Volexity founder and president Steven Adair. By early February, the team had determined what was going on and recreated the exploit themselves. Over the course of incident response efforts, researchers found the attacker had chained a server-side request forgery (SSRF) vulnerability with another that enables remote code execution (RCE) on the targeted Exchange servers.
Volexity reported their findings to Microsoft and began to work with them. But things escalated in late February, when researchers noticed multiple instances of RCE. The attackers were using an exploit that would allow them to write Web shells to disk. In all cases of RCE, Volexity saw the attacker writing Web shells to disk and conducting operations to dump credentials, add user accounts, steal copies of Active Directory databases, and move laterally to other systems.
"We saw that happen very noisily in many different places over the weekend," says Adair, noting this pushed up the timeline of deploying a patch for the vulnerability. "We didn't see a lot of RCE until just recently, and they went pretty wild."
Up until this point, most of what the researchers saw was "low and slow" activity. Much of this involved subtle email theft, what seemed to be legitimate espionage operations, Adair says. Attackers targeted the emails of very specific people, though it's unclear what they were after. There's nothing about the activity that would have triggered an endpoint security tool, he adds.
It's unclear what caused the attackers to become more aggressive and change their tactics at this time. Microsoft has linked the activity to a single group; however, Adair isn't convinced this isn't the work of multiple threat actors. "It's clearly multiple people with different strategies operating," he says.
John Hammond, senior security researcher at Huntress Labs, has also noticed the noisy activity. The Huntress team has seen the attackers use Windows command-line tools, add and/or delete admins from the "Exchange Organization administrators" group, and capture credentials or hashes stored within process memory.
"This attack has been a series of exploiting recent CVEs and using loud, overt tradecraft, which is surprising," he says. "But considering they have sprayed this all over the Internet, they clearly don't care about being stealthy."
Who Is Vulnerable? Who Is Under Attack?
While Microsoft describes this activity as "limited and targeted," Hammond reports indicators that this is now evolving into a larger-scale "spray and pray" campaign. Attackers seem to be scanning the Web to find vulnerable endpoints, he says.
Huntress researchers have checked more than 2,000 Exchange servers and found roughly 400 vulnerable; another 100 are "potentially vulnerable," he says.
They report nearly 200 compromised organizations and more than 350 Web shells. He notes some victims may have more than one Web shell, indicating automated deployment or uncoordinated actors.
Affected companies include small hotels, a kitchen appliance manufacturer, an ice cream company, senior citizen communities, and other mid-market businesses, Huntress Labs researchers write in a Reddit thread. Their data shows attackers targeted city and county governments, healthcare providers, banks and financial institutions, and residential electricity providers.
Meanwhile, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive calling for civilian federal agencies with on-premises Microsoft Exchange Servers to either update their software with newly released Microsoft patches or take the products offline until they can patch them.
Why Exchange Server Is A Hot Target
The vulnerabilities patched this week should be a priority. Every organization has to have email, and Microsoft Exchange is broadly used. These servers are typically publicly accessible on the open Web, Hammond says, and they can be exploited remotely. Once they gain a foothold, the attackers can expand their access to cause more damage throughout the target environment.
"They're really critical components to an organization," Adair says of Exchange servers. An email server has to sit on the Internet, he says, which increases the risk of an attacker finding and targeting it.
Even organizations with nothing else exposed to the Internet will still have an email server online - unless of course they use a cloud-based email service. For many, Exchange server is essential. It always has to be on, and it could give a successful attacker access to user passwords, domain accounts, and administrator accounts. A compromise, even if it only allowed an attacker to read email, could be "devastatingly bad."
"Any vector is appealing to an attacker, but the Exchange server is a particularly critical one, and for some organizations may be the only avenue," Adair adds.
How to know if you've been compromised? Unfamiliar activity in Web server logs connecting to the attackers' implanted Web shells should raise a red flag, says Hammond. A change in user permissions or administrative users may also raise suspicion and prompt a closer look.
"The most effective means to track down this activity is by externally validating the vulnerability, looking for these indicators of compromise, and monitoring network activity on your servers," he adds. Hammond advises organizations to not only patch immediately, but to actively hunt for the presence of these webshells and other indicators of compromise.