More Details Emerge on the Microsoft Exchange Server Attacks

Published: 23/11/2024   Category: security

The attacks seem more widespread than initially reported, researchers say, and a look at why the Microsoft Exchange Server zero-days patched this week are so dangerous.



Security researchers believe attacks exploiting four critical Microsoft Exchange Server vulnerabilities extend beyond the limited and targeted incidents reported by Microsoft this week when it issued patches for the zero-day flaws and urged enterprises to patch immediately.
Organizations first learned of the Exchange server zero-days on Tuesday when Microsoft released the fixes. It attributes the activity to a group called Hafnium with high confidence. Hafnium is believed to operate out of China and primarily targets organizations based in the United States, Microsoft reports.
As more security researchers track the activity, new details emerge about these active exploits, how they were found, and the factors that drove the release of yesterday's out-of-band patches.
These attacks appear to have started as early as Jan. 6, 2021, report Volexity researchers, who detected anomalous activity from two customers' Microsoft Exchange servers that month.
Volexity noticed a large amount of data sent to IP addresses it believed were not tied to actual users. Closer inspection revealed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access. They suspected the servers might be backdoored and began an investigation, which led to uncovering the zero-day exploit.
"We did a lot of analysis on the system initially to make sure it wasn't a backdoor," says Volexity founder and president Steven Adair. By early February, the team had determined what was going on and recreated the exploit themselves. Over the course of incident response efforts, researchers found the attacker had chained a server-side request forgery (SSRF) vulnerability with another that enables remote code execution (RCE) on the targeted Exchange servers.
Volexity reported their findings to Microsoft and began to work with them. But things escalated in late February, when researchers noticed multiple instances of RCE. The attackers were using an exploit that would allow them to write Web shells to disk. In all cases of RCE, Volexity saw the attacker writing Web shells to disk and conducting operations to dump credentials, add user accounts, steal copies of Active Directory databases, and move laterally to other systems.
"We saw that happen very noisily in many different places over the weekend," says Adair, noting this pushed up the timeline of deploying a patch for the vulnerability. "We didn't see a lot of RCE until just recently, and they went pretty wild."
Up until this point, most of what the researchers saw was "low and slow" activity. Much of this involved subtle email theft; "what seemed to be legitimate espionage operations," Adair says. Attackers targeted the emails of very specific people, though it's unclear what they were after. "There's nothing about the activity that would have triggered an endpoint security tool," he adds.
It's unclear what caused the attackers to become more aggressive and change their tactics at this time. Microsoft has linked the activity to a single group; however, Adair isn't convinced this isn't the work of multiple threat actors. "It's clearly multiple people with different strategies operating," he says.
John Hammond, senior security researcher at Huntress Labs, has also noticed the noisy activity. The Huntress team has seen the attackers use Windows command-line tools, add and/or delete admins from the Exchange Organization administrators group, and capture credentials or hashes stored within process memory.
"This attack has been a series of exploiting recent CVEs and using loud, overt tradecraft, which is surprising," he says. "But considering they have sprayed this all over the Internet, they clearly don't care about being stealthy."
Who Is Vulnerable? Who Is Under Attack?
While Microsoft describes this activity as "limited and targeted," Hammond reports indicators that this is now evolving into a larger-scale "spray and pray" campaign. "Attackers seem to be scanning the Web to find vulnerable endpoints," he says.
Huntress researchers have checked more than 2,000 Exchange servers and found roughly 400 vulnerable; another 100 are potentially vulnerable, he says.
They report nearly 200 organizations have been compromised and more than 350 Web shells identified. He notes some victims may have more than one Web shell, indicating automated deployment or uncoordinated actors.
"Affected companies include small hotels, a kitchen appliance manufacturer, an ice cream company, senior citizen communities, and other mid-market businesses," Huntress Labs researchers write in a Reddit thread. Their data shows attackers targeted city and county governments, healthcare providers, banks and financial institutions, and residential electricity providers.
Meanwhile, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive calling for civilian federal agencies with on-premises Microsoft Exchange servers to either update their software with the newly released Microsoft patches or take the products offline until they can patch them.
Why Exchange Server Is A Hot Target
The vulnerabilities patched this week should be a priority. Every organization has to have email, and Microsoft Exchange is broadly used. These servers are typically publicly accessible on the open Web, Hammond says, and they can be exploited remotely. Once they gain a foothold, the attackers can expand their access to cause more damage throughout the target environment. 
"They're really critical components to an organization," Adair says of Exchange servers. An email server has to sit on the Internet, he says, which increases the risk of an attacker finding and targeting it.
Even organizations with nothing else exposed to the Internet will still have an email server online - unless of course they use a cloud-based email service. For many, Exchange server is essential. It always has to be on, and it could give a successful attacker access to user passwords, domain accounts, and administrator accounts. A compromise, even if it only allowed an attacker to read email, could be devastatingly bad. 
Any vector is appealing to an attacker, but the Exchange server is a particularly critical one, and for some organizations may be the only avenue, Adair adds. 
How do you know if you've been compromised? Unfamiliar activity in Web server logs connecting to the attacker's implanted Web shells should raise a red flag, says Hammond. A change in user permissions or administrative users may also raise suspicion and prompt a closer look.
"The most effective means to track down this activity is by externally validating the vulnerability, looking for these indicators of compromise, and monitoring network activity on your servers," he adds. Hammond advises organizations to not only patch immediately, but to actively hunt for the presence of these Web shells and other indicators of compromise.
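The log-based check Volexity's discovery and Hammond's advice both point to is easy to automate. The script below is an added example, not code from the article or from Volexity or Huntress: it reads IIS W3C log lines, uses the `#Fields` header to name the columns (the field order is an assumption), and flags any POST request whose path ends in an image, script, stylesheet or font extension, the anomaly the article describes for Outlook Web Access. The extension set, the sample log lines and the client IPs in it are constructed for illustration.

```python
"""Flag POST requests to static OWA resources in IIS W3C logs.

Added example, not from the article or from Volexity/Huntress. The #Fields
header is assumed to describe the column order; the sample lines, paths and
client IPs below are constructed for illustration only.
"""
from collections import Counter

# Static content a browser normally fetches with GET; a POST to one of these
# is the anomaly the article describes. The set itself is an assumption.
STATIC_EXTENSIONS = {
    ".js", ".css", ".png", ".gif", ".jpg", ".jpeg", ".svg", ".ico",
    ".woff", ".woff2", ".ttf", ".eot",
}

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-01-06 03:14:22 10.0.0.5 GET /owa/auth/logon.aspx - 198.51.100.7 Mozilla/5.0 200
2021-01-06 03:14:25 10.0.0.5 POST /owa/auth/logon.aspx - 198.51.100.7 Mozilla/5.0 302
2021-01-06 03:15:01 10.0.0.5 GET /owa/auth/themes/resources/logon.css - 198.51.100.7 Mozilla/5.0 200
2021-01-06 03:16:40 10.0.0.5 POST /owa/auth/themes/resources/logon.css - 203.0.113.9 python-requests/2.25.1 200
2021-01-06 03:16:41 10.0.0.5 POST /owa/auth/scripts/premium/flogon.js - 203.0.113.9 python-requests/2.25.1 200
2021-01-06 03:17:02 10.0.0.5 POST /ecp/default.aspx - 203.0.113.9 python-requests/2.25.1 200
"""


def parse_w3c(lines):
    """Yield one dict per record, naming columns from the most recent #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directive, or data seen before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_static_resource(uri_stem):
    """True if the request path ends in a static-content extension."""
    path = uri_stem.lower()
    dot = path.rfind(".")
    return dot != -1 and path[dot:] in STATIC_EXTENSIONS


def find_static_posts(lines):
    """Return the records where a POST targets a static resource."""
    return [
        rec for rec in parse_w3c(lines)
        if rec.get("cs-method", "").upper() == "POST"
        and is_static_resource(rec.get("cs-uri-stem", ""))
    ]


def summarize_by_client(hits):
    """Count flagged requests per client IP, busiest first."""
    return dict(Counter(rec.get("c-ip", "?") for rec in hits).most_common())


if __name__ == "__main__":
    flagged = find_static_posts(SAMPLE_LOG.splitlines())
    for rec in flagged:
        print(f"{rec['date']} {rec['time']} {rec['c-ip']} POST "
              f"{rec['cs-uri-stem']} -> {rec['sc-status']}")
    print("per-client counts:", summarize_by_client(flagged))
```

Run against the sample, the two POSTs to `logon.css` and `flogon.js` are flagged and attributed to one client; the POST to `logon.aspx` is ordinary login traffic and is ignored. On a real server, feed it the IIS log directory and review the per-client summary alongside the permission changes Hammond mentions; a hit is a lead for closer inspection, not proof of compromise on its own.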
