WASHINGTON: Microsoft urgently updated its free Exchange server Indicators of Compromise tool and released emergency alternative mitigation measures overnight as the extent of damage globally from four recently disclosed zero-day vulnerabilities becomes clearer.
The IoC tool scans Exchange server log files to identify whether the servers have been compromised. The emergency alternative mitigations, which are only partial and not considered the best fix, can be applied temporarily by organizations unable to immediately patch the four Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) that are being actively exploited in the wild. The severity of the vulnerabilities, as well as the widespread use of Exchange servers globally, prompted Microsoft to release out-of-band patches on Mar. 2.
The quartet of zero-day vulnerabilities in Microsoft’s email server software is the initial threat vector in what is emerging as one of the largest known cyberespionage campaigns ever conducted. Microsoft is implicating China. The news comes on the heels of the large-scale SolarWinds cyberespionage campaign, first disclosed by security company FireEye in December and widely attributed to Russia. Initial forensic evidence suggests the two campaigns are not in any way connected.
On Friday, Brian Krebs of the security blog Krebs on Security reported that “at least 30,000” U.S. organizations and “hundreds of thousands” of organizations worldwide have been impacted by the Microsoft Exchange vulnerabilities, based on his sources familiar with the investigation. Reuters reported on Friday that its sources said “more than 20,000” organizations have been compromised in the campaign.
A cybersecurity expert and industry consultant told Breaking Defense this cyberespionage campaign is “especially bad because email services were affected.”
According to Microsoft, the servers being compromised are on-premises Exchange Server installations that organizations run themselves from downloaded Microsoft Exchange software. The servers are not owned or operated by the Redmond, Wash.-based technology company. Microsoft's hosted service, Exchange Online (part of Microsoft 365), is not affected. The vulnerabilities are in the Exchange Server product itself, however, so an organization that runs its own Exchange Server on a cloud virtual machine, including on Microsoft's Azure platform, is exposed in the same way as one running it in its own data center. No specific victims of this campaign have been publicly named yet.
The cybersecurity consultant said that when he heard about on-premise servers being compromised, he thought, “Why does anyone even operate ‘on-premise’ email servers today? That’s so 2000s, and outside a few very specialized use cases, it’s almost incomprehensibly stupid.”
“Cyber is an ever-evolving game,” he added, “and exploits are always found. But some are better positioned to respond than others. We’re moving to a battlefield where we’ll have the ‘haves,’ who are using modern, more securable, cloud-based architectures and can rely on embedded security experts continuously monitoring that infrastructure, and ‘have nots’ who strain to patch aging ‘on-premise’ servers 9-5, M-F in addition to their other duties.”
Microsoft identified the primary threat actor as HAFNIUM, a previously undisclosed group the company says is based in China. However, Microsoft noted the group conducts operations, primarily against U.S.-based organizations, from leased virtual private servers located in the U.S. HAFNIUM’s primary motive appears to be cyberespionage. Microsoft said that, since it began tracking HAFNIUM, the company has observed the group operating against a range of targets, including “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”
The campaign’s potential severity began to get broader attention outside the cybersecurity community on Mar. 4, when National Security Advisor Jake Sullivan tweeted: “We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities. We encourage network owners to patch.”
Sullivan’s tweet prompted a reporter’s question to White House Press Secretary Jen Psaki at the Mar. 5 daily briefing. Psaki said the administration is aware that, “This is a significant vulnerability that could have far-reaching impacts. First and foremost, this is an active threat. We are concerned that there are [a] large number of victims and are working with our partners to understand the scope of this. It’s still developing. We urge network operators to take it very seriously.”
Later that afternoon, Krebs and Reuters first reported the estimated scale based on their sources.
How Researchers Discovered the Campaign
Reston, Va.-based security company Volexity first observed a threat actor exploiting the vulnerabilities on Jan. 6, when it detected “anomalous activity” on Exchange servers at two of its customers, according to a Mar. 2 blog post. While many were distracted by events at the U.S. Capitol that day, threat actors were busy siphoning off the full contents of email inboxes in what Volexity dubbed “Operation Exchange Marauder.”
In Volexity’s Mar. 2 blog post, published the same day Microsoft first publicly disclosed the four zero-day vulnerabilities, the company recounted how it found the cyberattacks. Volexity wrote that it “identified a large amount of data being sent to IP addresses it believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results.”
As Volexity researchers dug deeper, they uncovered the first zero-day vulnerability, a server-side request forgery in the Exchange front end later assigned CVE-2021-26855. The researchers became concerned because, the company wrote, “This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”
The researchers’ concern grew after they discovered a second zero-day vulnerability, later assigned CVE-2021-27065, that chained with the first: an arbitrary file write which, once the first bug had supplied the needed authentication, let the attacker drop web shells onto the server and so execute code remotely on any server they had reached.
Web shells are malicious scripts uploaded to servers that give threat actors remote administrative control. Web shells can be used on Internet-facing servers to gain persistent access, remotely execute arbitrary commands, and add/delete/execute files, among other actions. Web shells can also be used on internal networks to enable threat actors to move laterally to other parts of the network.
In this case, Volexity observed threat actors using the web shells “to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT), and move laterally to other systems and environments.”
Anatomy of the Attack
According to security research and threat intelligence reviewed by Breaking Defense, the simplified kill chain appears to be as follows:
Threat actors scan the Internet looking for Exchange servers (versions 2010, 2013, 2016, and 2019) running versions affected by the zero-day vulnerabilities.
Threat actors exploit the zero days to gain initial access to the Exchange server.
After getting initial access, threat actors write a web shell to the server to give themselves persistent access to and remote control of it.
Via the persistent access and control provided by the web shell, threat actors can carry out a variety of additional attacks and actions.
Importantly, remediating this breach takes more than installing the patch: the patch closes the four vulnerabilities but does not remove web shells, added accounts or other footholds an attacker planted before it was applied, so a server must be checked for prior compromise as well as patched. Microsoft has published detailed detection and mitigation guidance covering both the zero-day vulnerabilities and the web shells.
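As an added example, not code from the article and not Microsoft's IoC tool or Volexity's own tooling, the script below hunts through IIS front-end logs for the two signals the article describes: requests for server-side .aspx pages inside directories that should only ever serve static content (which is how a dropped web shell gets invoked), and clients pulling unusually large volumes of data from the server. The directory names follow Microsoft's published HAFNIUM guidance, which listed the owa\auth and aspnet_client trees as web shell drop locations; the log lines, the client addresses, the file names help.aspx and shell.aspx, and the 100,000-byte threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: IIS W3C extended-format log lines in the shape an
# Exchange front end writes. Made up for this example; not from a real incident.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2021-03-01 04:12:09 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 200 1203
2021-03-01 04:12:11 10.0.0.5 GET /owa/ - 443 CORP\\alice 198.51.100.4 Mozilla/5.0 200 48210
2021-03-01 04:12:30 10.0.0.5 GET /owa/auth/15.1.2176/themes/resources/logon.css - 443 - 198.51.100.4 Mozilla/5.0 200 9120
2021-03-01 04:13:02 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx - 443 - 203.0.113.7 python-requests/2.25.1 200 2891
2021-03-01 04:13:40 10.0.0.5 POST /aspnet_client/system_web/shell.aspx - 443 - 203.0.113.7 python-requests/2.25.1 200 402113
"""

# A request for a server-side .aspx page inside a directory that only holds
# static files (theme CSS and images, aspnet_client helpers). Microsoft's
# HAFNIUM guidance named the owa\auth and aspnet_client trees as drop locations.
ASPX_IN_STATIC_DIR = re.compile(r"(?i)(/themes/|/resources/|/aspnet_client/).*\.aspx$")


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated lines rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def suspicious_aspx_requests(records):
    """Return the requests that hit .aspx pages in static-content directories."""
    return [r for r in records if ASPX_IN_STATIC_DIR.search(r["cs-uri-stem"])]


def bytes_sent_by_client(records):
    """Total response bytes (sc-bytes) per client IP, largest first."""
    totals = defaultdict(int)
    for r in records:
        try:
            totals[r["c-ip"]] += int(r["sc-bytes"])
        except ValueError:
            continue  # IIS writes '-' when the field was not logged
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def hunt(text, byte_threshold=100_000):
    """Combine both signals; byte_threshold is an arbitrary example value."""
    records = parse_iis_log(text)
    shells = suspicious_aspx_requests(records)
    heavy = {ip: n for ip, n in bytes_sent_by_client(records).items() if n >= byte_threshold}
    return {
        "webshell_candidates": [(r["c-ip"], r["cs-method"], r["cs-uri-stem"]) for r in shells],
        "heavy_clients": heavy,
        # Clients that both touched a shell-like path and pulled a lot of data
        "overlap": sorted({r["c-ip"] for r in shells} & set(heavy)),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_IIS_LOG).items():
        print(f"{key}: {value}")
```

On real logs the byte threshold should be set from a baseline of normal OWA traffic, and any hit on the first signal should be followed by pulling the named .aspx file from disk: a web shell is the artifact the patch leaves behind, so a positive here means a rebuild or a forensic clean-up, not just an update.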
“Clearly,” the cybersecurity consultant observed, “the decades-long technical debt incurred by the Federal government of paying only lip service to cybersecurity is coming due, and the payments required will be enormous. This will not be pretty. I expect more to come.”