The exploitation of vulnerabilities in the Microsoft Exchange Server disclosed in March does not cease despite authorities’ calls for updates. As the corporation’s vice president warned in the early days, threat actors are screening the environment for any unpatched systems.
The gap was in the admin management interface, Exchange Control Panel. After fake authentication and being granted unauthorised access hackers can execute malicious code with system privileges. The next step is usually the installation of a web shell or backdoor.
The first reported actor to exploit four zero-days in on-premises Exchange was the Chinese Hafnium group. However, brute-force attempts to compromise Exchange servers intensified after the disclosure of the CVEs’ technical details.
From Espionage to Crypto-Mining
Thanks to forensic indicators, researchers identified that a great deal of ATPs made restrained administrators paid the price. Some names on the list point to already notorious villains. More advanced groups were likely exploiting the bugs even before releasing the fixes by Microsoft.
In the lead of the peloton is Tick, also named Bronze Butler. The Chinese – probably state-sponsored – cyberespionage group is active for almost a decade and generally uses customized attack tools. Throughout the years, it has been taking financial advantage of Japan’s digitalized businesses.
Another Chinese actor, known as APT27, LuckyMouse, Emissary Panda, or Bronze Union, stroke an undisclosed government institution in the Middle East. Public sector assets have been in their sights for a long time. Previously, the hackers hit a national data center of a Central-Asian country.
Nonetheless, public institutions have been a luring target for numerous crafted data thieves. Calypso APT intruded email servers of Middle Eastern and South American governmental bodies and targeted African, Asian, and European agencies as well.
Countless private companies did not defend either. Besides oil, construction equipment, real estate, or procurement companies, even cybersecurity and software development businesses were compromised.
Interestingly, researchers also fund links between a crypto-mining campaign and a set of scripted PowerShell downloaders deployed on Exchange servers. To get access to systems, DLTMiner, reported in 2019, previously exploited the Eternal Blue vulnerability or used brute force.
Investigate and Mitigate
Overall, web shells on at least five thousand unique servers across more than a hundred countries were detected. Known vulnerabilities in service with such a global use as Microsoft Exchange provides a ground for a broad spectrum of actors with different objectives.
Due to poor cybersecurity resources, small and medium-sized subjects are believed to be the most attractive targets for non-advanced attackers. Conglomerates and governmental institutions are luring for long-established or state sponsored APTs.
In case of possible compromise, the administrators should not hesitate to screen their systems and remove any detected web shells. Indicators of compromise can be found in ServerException, Windows Event or IIS logs as well as web directories.
The application of updates remains the most effective way to mitigate the risks. Yet, there is a need to consider the implementation of other available security measures. Two-factor authentication in combination with regular password resets may prevent your service from unauthorised visitors.
Whether you find yourself in a situation of breach or need of advice, reach out to LIFARS. We provide 24/7 cyber incident response, security forensics as well as expert cyber advisory.
Resources
Symantec: Tick cyberespionage group zeros in on Japan
Kaspersky: LuckyMouse hits national data center to organize country-level waterholing campaign
Carbon Black: CB TAU Technical Analysis: DLTMiner Campaign Targeting Corporations in Asia
ESET: Exchange servers under siege from at least 10 APT groups
