10 groups of hackers attack Exchange vulnerabilities

More than ten hacker groups are attacking the Microsoft Exchange vulnerabilities. ESET has already identified more than 5,000 infected email servers, most of them in Germany.

The recently publicized vulnerabilities in Microsoft Exchange are making waves. Researchers at the IT security vendor ESET have discovered more than ten different APT (Advanced Persistent Threat) groups that are currently exploiting the vulnerabilities on a growing scale to compromise email servers and gain access to company data. The threat is therefore not limited to the Chinese Hafnium group, as previously suspected. ESET identified around 5,000 corporate and government email servers around the world that were compromised; most of the groups' targets are in Germany. ESET telemetry showed the presence of so-called webshells: malicious programs or scripts that allow remote control of a server through a web browser. The researchers have published a detailed analysis on the ESET security blog welivesecurity.de.

Updates already rolled out

ESET reacted immediately and rolled out its analyses of the attack vectors and malicious functions used to its business security solutions via updates. Even before the exploit became public, the execution of malicious code such as ransomware would have been detected by the multilayer technology of ESET's B2B solutions. These solutions therefore also detect malware deployed through the now-known exploits, such as webshells and backdoors. Installing the security updates provided by Microsoft remains mandatory.

Use of early warning systems is recommended

The use of so-called endpoint detection and response (EDR) solutions could have limited or prevented the theft of company data in many cases. “With the help of EDR solutions such as ESET Enterprise Inspector, administrators would have been made aware of suspicious activities at an early stage. In this way, the outflow of company data could have been registered at an early stage, despite the exploitation of the security gap, in order to prevent it through appropriate measures,” explains Michael Schröder, Security Business Strategy Manager at ESET Germany.

To assess the security status, Exchange servers should be checked for the following detections:

  • JS/Exploit.CVE-2021-26855.Webshell.A
  • JS/Exploit.CVE-2021-26855.Webshell.B
  • ASP/Webshell
  • ASP/ReGeorg

ESET analyses reveal cyber espionage groups

“Since the day Microsoft released the Exchange patches, we've seen more and more hackers scanning and compromising Exchange servers en masse. Interestingly, these are all APT groups, notorious for espionage activities. We are sure that other groups, such as ransomware operators, will take advantage of these exploits for their own purposes and will jump on the bandwagon,” says Matthieu Faou, who leads ESET's research on this topic. The ESET researchers also found that some APT groups were exploiting the vulnerabilities before the patches were made available. “We can therefore rule out that these groups created an exploit by reverse engineering Microsoft updates,” adds Faou.

Three quick Exchange tips for administrators

  • Exchange servers should be patched as soon as possible. This also applies to servers that are not directly exposed to the internet.
  • Administrators are advised to look for webshells and other malicious activity and remove them immediately.
  • Login data should be changed immediately.
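The detection names listed above and the second tip (hunt for webshells and remove them) both come down to finding recently dropped ASP.NET files on the Exchange web root. The following script is an added example, not ESET's detection logic or any tool from the original release: it walks an assumed web root, keeps only .aspx/.ashx/.asmx files changed after a cutoff time, and flags those containing constructed indicator tokens (script evaluation of request data, or the socket markers typical of ReGeorg-style tunnels).

```python
"""Heuristic hunt for ASP.NET webshells on an Exchange web root (added example).

Assumptions: the directory layout, cutoff time and indicator regexes below are
constructed for illustration and are not ESET's detection signatures.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass

WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx"}

# Assumed indicators: evaluation/execution of attacker-supplied request data,
# and the socket-tunnelling markers seen in ReGeorg-style proxies.
INDICATORS = {
    "request_eval": re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    "request_exec": re.compile(r"Process\.Start|cmd\.exe|powershell", re.IGNORECASE),
    "socket_tunnel": re.compile(r"System\.Net\.Sockets|X-CMD|SOCKS", re.IGNORECASE),
}

@dataclass
class Finding:
    path: str
    mtime: float
    indicators: list

def hunt_webshells(root: str, since_epoch: float) -> list:
    """Return a Finding for each recently changed web file matching an indicator."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            if mtime < since_epoch:
                continue  # untouched since before the patch window; skip
            with open(path, "r", errors="ignore") as fh:
                body = fh.read()
            hits = [key for key, rx in INDICATORS.items() if rx.search(body)]
            if hits:
                findings.append(Finding(path, mtime, hits))
    return findings

def demo() -> list:
    """Build a constructed web root with one benign and one suspicious file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "aspnet_client"))
    with open(os.path.join(root, "default.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %><html>hello</html>')
    with open(os.path.join(root, "aspnet_client", "x.aspx"), "w") as fh:
        # constructed indicator sample; deliberately not a working shell
        fh.write('<% eval(Request.Item[...]) /* constructed */ %>')
    return hunt_webshells(root, since_epoch=time.time() - 3600)
```

Any hit is a triage lead, not proof of compromise; the file's creation time and the IIS request logs for that path decide whether it is an attacker-dropped shell.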

"The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the Internet," advises Matthieu Faou.

APT groups and their behavioral patterns

  • Tick - Compromised the web server of a company based in East Asia that provides IT services. As in the case of LuckyMouse and Calypso, the group likely had access to an exploit before the patches were released.
  • LuckyMouse - Infected a government agency's email server in the Middle East. This APT group likely had an exploit at least one day before the patches were released, when it was still a zero-day.
  • Calypso - Attacked government email servers in the Middle East and South America. The group likely had zero-day access to the exploit. In the days that followed, the Calypso operators attacked other government and corporate servers in Africa, Asia and Europe.
  • Websiic - Targeted seven email servers owned by companies (IT, telecommunications and engineering) in Asia and a government agency in Eastern Europe.
  • Winnti Group - Compromised the email servers of an oil company and a construction machinery company in Asia. The group likely had access to an exploit before the patches were released.
  • Tonto Team - Attacked the email servers of a procurement company and a consultancy specializing in software development and cybersecurity, both based in Eastern Europe.
  • ShadowPad activity - Infected the email servers of a software development company based in Asia and a real estate company based in the Middle East. ESET discovered a variant of the ShadowPad backdoor that was introduced by an unknown group.
  • "Operation" Cobalt Strike - Targeted around 650 servers, mostly in the US, Germany, the UK and other European countries, just hours after the patches were released.
  • IIS backdoors - ESET observed IIS backdoors installed on four email servers in Asia and South America through the webshells used in these compromises. One of the backdoors is publicly known as Owlproxy.
  • Microcin - Compromised the Exchange server of a utility company in Central Asia, a region typically targeted by this group.
  • DLTMiner - ESET discovered the use of PowerShell downloaders on several email servers that had previously been attacked via the Exchange vulnerabilities. The network infrastructure used in this attack is linked to a previously reported coin mining campaign.

Background

In early March, Microsoft released patches for Exchange Server 2013, 2016 and 2019 that fix a number of pre-authentication remote code execution (RCE) vulnerabilities. The vulnerabilities allow an attacker to take over any reachable Exchange server without knowing valid credentials, which makes Exchange servers exposed to the Internet particularly vulnerable.

Find out more on WeLiveSecurity at ESET.com

About ESET

ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.
