Multiple threat actors, including Hafnium, LuckyMouse, Calypso, Winnti, Bronze Butler, Websiic, Tonto, Mikroceen, and DLTMiner, are actively targeting four zero-day Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) in their targeted malware attacks and hacking campaigns.
These threat actors managed to compromise nearly 30,000 Microsoft Exchange servers located within the United States. Approximately 7,000 organizations worldwide are impacted by the ongoing cyber-attacks on these servers.
European Banking Authority (EBA) and the Norwegian Parliament are two high-profile victims among them. Threat actors behind the breaches in these two organizations managed to exfiltrate data onto the attacker-controlled virtual private servers (VPS).
Recently, DearCry (.CRYPT) ransomware operators also began taking advantage of these vulnerabilities to perform unauthorized data encryption on compromised Microsoft Exchange servers. This raises severe concerns about the risk of data loss and interruptions in business operations for many organizations worldwide.
1. Who is at risk?
These threat actors target organizations across sectors in the Americas, Europe, Middle East, and APAC. The victims could also include research organizations, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs. The attackers’ goal could be to exfiltrate large amounts of sensitive data through their leased virtual private servers (VPS).
Considering the range of organizations attacked in a short period and the vast number of organizations running Microsoft Exchange Server, the attackers have a wide variety of potential targets across the globe.
2. How are the attacks carried out?
The threat actors use exploit code that sends crafted HTTP requests to vulnerable Exchange Servers. This code targets the server-side request forgery vulnerability (CVE-2021-26855) to bypass authentication and gain unauthorized initial access to the servers.
After gaining initial access, the threat actors exploit the insecure deserialization vulnerability (CVE-2021-26857), which allows them to execute arbitrary code in the context of the SYSTEM account.
They also exploit either of the two arbitrary file-write vulnerabilities, CVE-2021-26858 or CVE-2021-27065, and then deploy the China Chopper webshell onto the compromised Microsoft Exchange server.
Through the China Chopper webshell, threat actors can perform multiple unauthorized activities, such as:
- Dumping LSASS process memory with Procdump
- Compressing stolen data into a ZIP archive with 7-Zip before exfiltration
- Adding and using Exchange PowerShell snap-ins to export mailbox data
- Launching the Nishang Invoke-PowerShellTcpOneLine reverse shell
- Opening a connection to a remote server with PowerCat
- Downloading offline address books, which contain information on an organization and its users, from compromised Microsoft Exchange servers
On February 18, 2021, Microsoft disclosed a data breach caused by the threat actors behind the SolarWinds supply chain attack. During the SolarWinds breach, the threat actors managed to exfiltrate a portion of the source code of Microsoft Exchange and Microsoft Azure products. The ongoing malware attacks and hacking campaigns exploiting the Microsoft Exchange Server vulnerabilities could be follow-up cyber-attacks connected to the SolarWinds breach.
3. Who are the threat actors, and why are they dangerous?
Multiple threat actors, including Hafnium, LuckyMouse, Calypso, Winnti, Bronze Butler, Websiic, Tonto, Mikroceen, and DLTMiner, are taking advantage of the Microsoft Exchange vulnerabilities in their targeted malware attacks and hacking campaigns.
These threat actors continue to target multiple federal, state, and local government organizations and private organizations in medical, legal, telecommunications, finance, energy, and other sectors.
Over the past three months, threat actors have increasingly used webshells as a standard method to gain and retain an initial foothold and to distribute staged payloads. This increases the potential impact of the post-exploitation phase.
For instance, DearCry ransomware operators exploiting the Microsoft Exchange vulnerabilities have also adopted webshells as their preferred method of distributing the ransomware.
The threat landscape for web application services is drastically affected by the increasing use of webshells and steganography, two extremely successful attack delivery methods: they have a low detection rate and can cause considerable damage to many organizations worldwide.
4. What can you do to mitigate or prevent such attacks?
Cyber-attacks can be detected, contained, and prevented early only when organizations act promptly and responsibly. Following cybersecurity best practices is instrumental in preventing such attacks.
Below are a few critical remediations to reduce or eliminate the risk posed by the threat actors leveraging Microsoft Exchange vulnerabilities:
- Apply the security patches for the Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
- Ensure that Microsoft Exchange servers follow security best practices and are reviewed regularly to eliminate any risk caused by access control or misconfiguration issues
- Deploy IPS signatures that block exploitation attempts against CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
- Enable File Integrity Monitoring (FIM) for files and directories on Microsoft Exchange servers
- Block malicious IP addresses, hashes, user-agents, and non-standard user-agents
- Create SIEM use-cases that monitor network traffic and endpoint security reports for potential matches against IOCs
- Run Microsoft Safety Scanner on Microsoft Exchange, Microsoft Azure, and Microsoft Windows servers
- Run Microsoft's one-click Exchange On-premises Mitigation Tool (EOMT) on Microsoft Exchange servers
- Back up data periodically over an out-of-band network to a server with limited or no internet access
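The SIEM use-case recommended above can start from the IIS logs of the Exchange front end: China Chopper is operated by POSTing to an .aspx file, and the advisory's IOC section lists the aspnet_client and owa\auth directories as the drop locations. The following is an added example (not code from the original advisory) that parses IIS W3C log lines and flags POSTs to unexpected .aspx files under those paths; the field layout, the OWA allowlist and the log lines are constructed assumptions to be tuned per environment.

```python
# Web roots the advisory lists as China Chopper drop locations, as URL prefixes.
SUSPECT_URI_PREFIXES = ("/aspnet_client/", "/owa/auth/")

# Assumed IIS W3C field order (matches the #Fields line of the constructed log below).
FIELDS = ["date", "time", "s_ip", "method", "uri", "query", "port",
          "user", "c_ip", "ua", "status"]

# Legitimate OWA authentication pages that are also POSTed to (assumption: allowlist).
KNOWN_OWA_AUTH_PAGES = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx",
                        "/owa/auth/errorfe.aspx"}

# Constructed sample log; 203.0.113.9 plays the operator of a dropped webshell.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-05 10:01:02 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-05 10:02:15 10.0.0.5 GET /aspnet_client/system_web/ - 443 - 198.51.100.7 Mozilla/5.0 404
2021-03-05 10:03:44 10.0.0.5 POST /aspnet_client/system_web/shell.aspx - 443 - 203.0.113.9 python-requests/2.25.1 200
2021-03-05 10:04:01 10.0.0.5 POST /owa/auth/Current/themes/x.aspx - 443 - 203.0.113.9 python-requests/2.25.1 200
2021-03-05 10:05:30 10.0.0.5 GET /owa/ - 443 user@example.com 198.51.100.8 Mozilla/5.0 200
"""

def parse_w3c_line(line):
    """Return a dict of fields for one W3C log line, or None for directives/blank lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts[:len(FIELDS)]))

def is_suspect_webshell_hit(rec):
    """Flag a POST to an .aspx file under a targeted path that is not a known OWA page."""
    uri = rec["uri"].lower()
    if rec["method"].upper() != "POST" or not uri.endswith(".aspx"):
        return False
    if not uri.startswith(SUSPECT_URI_PREFIXES):
        return False
    return uri not in KNOWN_OWA_AUTH_PAGES

def scan_iis_log(lines):
    """Return (timestamp, client_ip, uri, status) for every suspect request."""
    hits = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec and is_suspect_webshell_hit(rec):
            hits.append((rec["date"] + " " + rec["time"], rec["c_ip"], rec["uri"], rec["status"]))
    return hits

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG.splitlines()):
        print("suspect webshell interaction:", hit)
```

Pair the log alert with FIM on the same directories so that the file creation and the first POST to it are correlated in the SIEM.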
Follow these recommendations for additional protection:
- Strictly ensure that TCP port 135, TCP port 445, and TCP port 3389 are not left open on the Internet- or DMZ-facing side
- Ensure that TCP port 135 (RPC), TCP port 445 (SMB), and TCP port 3389 (RDP) are only reachable through the VPN tunnel between VPN clients and the organization's resources
- Ensure that proper network segmentation is in place and that communication over TCP ports 135, 445, and 3389 is explicitly allowed on demand, only for particular network segments and only when needed
- Strictly monitor network segments that allow communication over TCP ports 135, 445, and 3389 for anomalies or suspicious patterns such as lateral movement, excessive network traffic, or an unusual amount of data transmission
- Closely monitor the VNC (5900), SOCKS (1080), and SMTP (587) ports
- Monitor network traffic towards malware C2 ports 4701, 4313, and 4315
- Enable deep inspection of outbound FTP and HTTP traffic passing through the Web Application Firewall (WAF)
- Enforce two-factor authentication for VPN clients before they connect to the organization's resources through the VPN tunnel
- Patch VPN client software and VPN servers with the latest security updates released by the vendor
- Monitor for excessive LDAP queries from particular systems via the SIEM solution
- Apply the principle of least privilege to domain accounts, and enable two-factor authentication on all business email accounts
Indicators of Compromise (IOCs):
- Targeted IIS path: C:\inetpub\wwwroot\aspnet_client\
- Targeted IIS path: C:\inetpub\wwwroot\aspnet_client\system_web\
- Targeted Exchange path: %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
- Targeted Exchange path: C:\Exchange\FrontEnd\HttpProxy\owa\auth\