Exchange Server Attacks Spread After Disclosure of Flaws


Forecast Calls for Backdoored Email and Possibly Ransomware, Cryptominers


One day after Microsoft disclosed four zero-day flaws in Microsoft Exchange email servers, attackers are going on a wide hunt for vulnerable machines, experts say.


And if some U.S. federal agencies haven’t been busy enough with the SolarWinds crisis, there’s a new urgent task at hand: looking for signs that their Exchange servers may have been compromised.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Wednesday ordering agencies to scour their Exchange servers for forensic clues that they may have been compromised (see Microsoft Patches Four Zero-Day Flaws in Exchange).

Agencies should look in system memory, web and event logs and registry hives for signs of exploitation, CISA says. If there are no signs of exploitation, organizations should patch immediately. CISA has a guide to the latest list of attack indicators.

If there are signs of exploitation, it’s going to be a heavy lift. CISA says on-premises Exchange servers should be disconnected immediately and not rejoined to the enterprise domain. Eventually, CISA will direct agencies to rebuild their Exchange Server operating system and reinstall the software package.

Microsoft issued patches on Tuesday, a week ahead of its normal monthly patch release, for the vulnerabilities, which are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

Attacks Increase

Beyond the U.S. federal government, the impact of the vulnerabilities continues to grow, and not just among the target sectors named by Microsoft. The company says those groups include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and nongovernmental organizations.

Volexity, which Microsoft called out for contributing research for the vulnerability findings, first noticed exploitation activity against its customers around Jan. 6. That activity has suddenly ticked up now that the vulnerabilities are public, says Steven Adair, CEO and founder of Volexity.

“The exploit already looks like it has spread to multiple Chinese APT groups who have become rather aggressive and noisy — quite a marked change from how it started with what we were seeing,” he tells ISMG.

Threat-detection company Huntress says it has seen compromises of Exchange servers in small hotels, one ice cream company, a kitchen appliance manufacturer and what it terms “multiple senior citizen communities.”

“We have also witnessed many city and county government victims, healthcare providers, banks/financial institutions, and several residential electricity providers,” writes John Hammond, a senior threat researcher at Huntress.

The impact of more widespread attacks could mean other problems beyond backdoored email accounts. Kevin Beaumont, a senior threat intelligence analyst at Microsoft, tweets that this could mean ransomware; Adair says there’s also a strong chance of cryptominers being installed.

Beaumont also created a tool to scan networks for vulnerable Exchange servers.

As far as numbers, Holland writes in a blog post that Huntress has seen more than 300 web shells installed on 2,000 vulnerable servers, most of which have either antivirus or endpoint detection and response software installed but missed the attack.

However, Holland says that shouldn’t be taken as counsel that those tools shouldn’t be used. “This shouldn’t be a major surprise as perfect prevention is ridiculously hard and does not suggest these solutions aren’t solid investments,” Holland writes.

US Hit Most, But Attacks Are Global

The vulnerabilities are particularly alarming, as Microsoft said a China-based group it calls Hafnium had been exploiting the flaws. Microsoft described the attacks as “limited and targeted.”

ESET’s graph of targets that have been hit by attackers using four Exchange server vulnerabilities (Source: ESET)

But shortly after the news broke, security firms said other hacking groups were using at least some of the flaws.

ESET, for example, tweets that CVE-2021-26855 has been used by three groups: LuckyMouse, Tick and Calypso.

ESET says most of the organizations it has seen affected are in the U.S., but there are attacks in other regions, including Europe, Asia and the Middle East.

Adair says Volexity has seen instances where attackers used their foothold in Exchange for lateral movement. That means cleanup efforts for those organizations will have to go far deeper to ensure attackers no longer have backdoors into other systems.

“We have worked multiple cases where the attackers moved to other systems on the network,” he says. “They did this both for obtaining credentials/data and for placing additional backdoors (primarily webshells) on more systems.”