Application Security , Cyberwarfare / Nation-State Attacks , Digital Identity

Exchange Server Attacks Spread After Disclosure of Flaws

Forecast Calls for Backdoored Email as Well as Installing Ransomware, Cryptominers
Exchange Server Attacks Spread After Disclosure of Flaws

UPDATED: Just days after Microsoft disclosed four zero-day flaws in Microsoft Exchange email servers, attackers are going on a wide hunt for vulnerable machines, some security experts say.

See Also: Building Better Security Operations Centers With AI/ML

Steven Adair, CEO and founder of the firm Volexity, which first reported the vulnerabilities, says that over the past few days, the Chinese hacking group accused of initially exploiting the flaws has shifted into high gear, stepping up attacks on any vulnerable, unpatched Exchange servers worldwide.

At least 30,000 organizations across the United States are infected, and the attackers now have control over “hundreds of thousands” of Microsoft Exchange Servers worldwide, reports KrebsOnSecurity, citing unnamed U.S. national security advisers.

Infected machines are left with a “web shell,” password-protected hacking tool giving attackers access to a victim’s computer servers from any browser.

Reuters reports that on Friday, White House press secretary, Jen Psaki, told reporters that these vulnerabilities were “significant” and “could have far-reaching impacts.” (see also: Hackers Exploit Exchange Flaws to Target Local Governments)

If some U.S. federal agencies haven't been busy enough with the SolarWinds crisis, there's a new urgent immediate task at hand: looking for signs their Exchange servers may have been compromised.

The Cybersecurity and Infrastructure Security Agency issued an emergency directive on Wednesday ordering agencies to scour for forensics clues that servers may have been compromised (see: Microsoft Patches Four Zero-Day Flaws in Exchange).

Agencies should look in system memory, web and event logs and registry hives for signs of exploitation, CISA says. If there are no signs of exploitation, organizations should patch immediately. CISA has a guide to the latest list of attack indicators.

If there are signs of exploitation, it's going to be a heavy lift. CISA says on-premises Exchange servers should be disconnected immediately and not rejoined to the enterprise domain. Eventually, CISA will direct agencies to rebuild their Exchange Service operating system and reinstall the software package.

Microsoft issued patches on Tuesday, a week ahead of its normal patch for the vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

Attacks Increase

Beyond the U.S. federal government, the impact of the vulnerabilities continues to grow - and not just among the targeted sectors named by Microsoft. The company says those groups include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and nongovernment organizations.

Volexity, which contributed research for the vulnerability findings, first noticed exploitation activity against its customers around Jan. 6. That activity has suddenly ticked up now that the vulnerabilities are public, says Adair.

"The exploit already looks like it has spread to multiple Chinese APT groups who have become rather aggressive and noisy - quite a marked change from how it started with what we were seeing," he says.

Threat detection company Huntress says it has seen compromises of unpatched Exchange servers in small hotels, one ice cream company, a kitchen appliance manufacturer and what it terms "multiple senior citizen communities."

"We have also witnessed many city and county government victims, healthcare providers, banks/financial institutions and several residential electricity providers," writes John Hammond, a senior threat researcher at Huntress.

The impact of more widespread attacks could lead to problems that go beyond backdoored email accounts. Kevin Beaumont, a senior threat intelligence analyst at Microsoft, tweets that the attacks could include ransomware campaigns. Adair says there's also a strong chance of cryptominers being installed.

Beaumont created a tool to scan networks for vulnerable Exchange servers.

Hammond writes in a blog post that Huntress has seen more than 300 web shells installed on 2,000 vulnerable Exchange servers, most of which have either antivirus or endpoint detection and response software installed that apparently did not detect the attack. "This shouldn't be a major surprise as perfect prevention is ridiculously hard and does not suggest these solutions aren't solid investments," he says.

U.S. Hit Most, But Attacks Are Global

Microsoft pinned the attacks on a China-based group it calls Hafnium, which had been exploiting the flaws. Microsoft described the attacks as "limited and targeted."

ESET's graph of targets that have been hit by attackers exploiting four Exchange server vulnerabilities (Source: ESET)

But shortly after the news of the vulnerabilities broke, security firms said other hacking groups were using at least some of the flaws.

ESET, for example, tweets that CVE-2021-26855 has been used by three groups: LuckyMouse, Tick and Calypso. ESET says most of the organizations it has detected as having been targeted are in the U.S., but there are attacks in other regions, including Europe, Asia and the Middle East.

Adair says Volexity has seen instances in which attackers used their foothold in Exchange for lateral movement. That means cleanup efforts for those organizations will have to go far deeper to ensure attackers still don't have backdoors into systems.

"We have worked multiple cases where the attackers moved to other systems on the network," he says. "They did this both for obtaining credentials/data and for placing additional backdoors (primarily web shells) on more systems."

Editor Tony Morbin updated this report.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.