As attacks on Exchange servers escalate, Microsoft investigates potential PoC exploit leak
Microsoft Exchange servers around the world are still getting compromised via the ProxyLogon (CVE-2021-26855) and three other vulnerabilities patched by Microsoft in early March.
While the initial attacks were attributed by Microsoft to a threat actor dubbed Hafnium, believed to be a state-sponsored group that operates from China, the same exploits were subsequently used by at least 10 APT groups – mostly for data theft, espionage, and covert crypto-mining.
Security researchers have warned that ransomware gangs will get on the bandwagon and, sure enough, a group leveraging a new ransomware called DearCry (aka DoejoCrypt) was spotted exploiting the vulnerabilities to install the human-operated malware.
Microsoft observed a new family of human operated ransomware attack customers – detected as Ransom:Win32/DoejoCrypt.A. Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers. #DearCry @MsftSecIntel
— Phillip Misner (@phillip_misner) March 12, 2021
The source of the Microsoft Exchange exploit still unknown
ESET researchers say that multiple APTs besides Hafnium had access to and used the same or a similar exploit, some even before the patch was released, and that additional APTs began using it a day after the patch release (i.e., it’s unlikely that they built an exploit by reverse engineering the Microsoft updates).
How these various attack groups all started to use the same exploit for their attacks at nearly the same time is still a mystery. Security researchers have offered several plausible theories: the exploit was for sale on underground markets, the group(s) that created the exploit shared it with others (for reasons known only to them), or the various groups are all organized by a common entity, which provided the exploit to all of them.
Microsoft is reportedly investigating whether those who created the exploit might have obtained “proof of concept” attack code that the company distributed on February 23 to 80 or so security partners through its Microsoft Active Protections Program (MAPP).
According to The Wall Street Journal, investigators are trying to discover whether a Microsoft partner that received the info and the PoC might have leaked it to other groups, “either inadvertently or on purpose,” since some of the tools used in the second wave of the attack bear similarities to it.
Incident response, remediation and mitigation
Organizations that have been hit won’t care how the various groups got the initial or subsequent Microsoft Exchange exploit – they will just want to know what the attackers did with the access they gained through the vulnerabilities.
Microsoft says that the number of vulnerable servers out there is steadily dropping. According to the latest numbers by Kryptos Logic and Shadowserver, there are “59218 different potentially vulnerable Microsoft Exchange servers identified on 59142 unique IP addresses corresponding to 6501 different Autonomous System Numbers (ASNs), geo-locating to 211 different countries.”
Shadowserver has shared this list and previous ones with 120 national CSIRTs in 148 countries and over 5900 network owners, encouraging them to get in contact with the servers’ owners and help them remediate and patch/rebuild victim systems.
Microsoft and various government agencies advise organizations that are running Exchange servers on-premises to find all installations, apply all relevant security updates (or mitigations) to every found system, and then move to identify whether any of those have been compromised, and if so, remove them from the network.
“We have provided a recommended series of steps and tools to help — including scripts that will let you scan for signs of compromise, a new version of the Microsoft Safety Scanner to identify suspected malware, and a new set of indicators of compromise that is updated in real time and shared broadly. These tools are available now, and we encourage all customers to deploy them,” the Microsoft Security Team shared on Friday.
The US CISA offers a constantly updated document with helpful information on the attackers’ TTPs, and advice on how to conduct forensic analysis to check for evidence of compromise.
The Microsoft Security Team says that on-premises Exchange servers are most often used by small and medium-sized businesses, “although larger organizations with on-premises Exchange servers have also been affected.”
Cyber insurance company At-Bay has told Help Net Security that 1 in 190 businesses (0.5%) in its company portfolio is exposed to the Exchange vulnerability and that its security team has been reaching out to help them fix this issue. The majority of these exposed businesses are small to medium-sized businesses, the company noted.
“The Exchange vulnerability is a serious compromise to a critical business asset that has the potential to take a small company out of business. While we commend the fast response by Microsoft and the extensive guidance offered by multiple government agencies, we fear this is hardly enough,” said Rotem Iram, CEO of At-Bay.
“In similar previous cases, from EternalBlue to BlueKeep, many companies did not patch, despite guidance. As such, we believe the responsibility of the Government and Microsoft to ensure the safety of American businesses should go beyond guidance.”
Small and medium-sized businesses are less likely than large organizations to have knowledgeable IT security staff to investigate whether the attackers compromised their Exchange servers and/or went beyond that. They will have to engage outside experts – if they have the means to do so. Alternatively, they could seek help from a regional or national Computer Security Incident Response Team (CSIRT).
UPDATE (March 16, 2021, 05:40 a.m. PT):
Microsoft has released the Exchange On-Premises Mitigation Tool (EOMT), which quickly performs the initial steps for mitigating the ProxyLogon flaw (CVE-2021-26855) on any Exchange server and attempts to remediate found compromises.