alswart - stock.adobe.com
Microsoft Exchange Server attacks: What we know so far
More details continue to emerge since last week's disclosure of zero-day vulnerabilities and attacks on Microsoft Exchange Server, including the broad range of potential victims.
While the attacks on Microsoft Exchange Servers continue to unfold and questions remain about the number of affected organizations, the scope and severity of the threat has increased significantly.
Microsoft last week disclosed multiple zero-day vulnerabilities being exploited by a Chinese nation-state threat group to attack on-premises versions of Microsoft Exchange email servers. The tech giant released updates for the four vulnerabilities and recommended that customers apply the updates to affected systems immediately because of the ongoing attacks.
Now, what Microsoft initially referred to as "limited and targeted attacks" may not be so limited.
As more details emerged, the number of victims and attackers increased. The situation alarmed both private security vendors and government agencies; the Cybersecurity Infrastructure and Security Agency (CISA) released an emergency directive one day after Microsoft disclosed the attack.
"CISA has determined this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of those vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise," the statement said.
On Saturday, CISA issued another statement that Microsoft had released a threat detection tool for scanning Exchange log files for indicators of compromise (IOCs); Microsoft released an additional tool that scans for web shells that attackers may have created inside victims' environments. The White House National Security Council said Saturday that despite the patches and mitigation tools, enterprises still need to be careful.
"Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted," the National Security Council wrote on Twitter.
Here's a summary of what we know so far.
The vulnerabilities
There are four vulnerabilities related to the Exchange Server attacks, the most serious of which is CVE-2021-26855. Also known as "ProxyLogon," this zero-day is a server-side request forgery (SSRF) vulnerability. ProxyLogon was discovered in December 2020 by an anonymous threat researcher at Devcore, an infosec consulting firm in Taiwan.
Later in December, Devcore discovered a second Exchange Server vulnerability, CVE-2021-27065, which is a post-authentication arbitrary file write bug. Devcore found that chaining this vulnerability with ProxyLogon produced a remote code execution (RCE) exploit, and they reported both bugs to Microsoft on Jan. 5. Microsoft confirmed receipt of the report the following day and informed Devcore on Jan. 8 that it had replicated the behavior of the vulnerabilities and the chained exploit.
During the course of the investigation into ProxyLogon, Microsoft received reports of threat activity from Volexity, an incident response vendor headquartered in Washington, D.C., and Dubex, an infosec consultancy based in Denmark. The threats involved anomalous network activity from customers' Microsoft Exchange servers that included exploitation of ProxyLogon. As a result, researchers at the Microsoft Threat Intelligence Center discovered two additional vulnerabilities in Exchange Server that were being exploited by attackers: CVE-2021-26857, an insecure deserialization vulnerability in the software's Unified Messaging service; and CVE-2021-26858, a second post-authentication arbitrary file write vulnerability.
Microsoft has originally planned to patch these Exchange Server vulnerabilities on March 9 for the company's regular Patch Tuesday updates. However, the company moved up the patches and disclosure to March 2. In the wake of the disclosure, exploitation of the flaws increased significantly, according to various reports.
The attackers
Microsoft attributed the initial ProxyLogon attacks to the Chinese state-sponsored threat group known as Hafnium. According to Microsoft's blog post, Hafnium operators exploited the vulnerabilities to gain initial access then deployed web shells on the compromised server. "Web shells potentially allow attackers to steal data and perform additional malicious actions that to further compromise," the blog post said.
In an update Friday, Microsoft said it "continues to see increased use of vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM." It's unclear who the additional threat actors are, and what their motivations may be. However, threat detection vendor Red Canary reported exploitation activity that involved the installation of a cryptomining program called Dltminer.
Volexity provided an update to a blog post from March 2 where it dated the first attacks to January of this year. The update revealed an even earlier timeline than initially reported.
"Since the original publication of this blog, Volexity has no observed that cyber espionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021, three days earlier than initially posted," the statement said.
The victims
Several news outlets reported the Exchange Server attacks have impacted 20,000 to 30,000 organizations in the U.S. alone. However, several infosec experts, including former CISA director Christopher Krebs, believe the number is much higher. CISA meanwhile said on Saturday it was aware of "widespread domestic and international exploitation" of the vulnerabilities.
While the number of potential victims has reportedly increased since last week, the list of data breach disclosures has not. So far, the European Banking Authority appears to be the only company that has confirmed a breach. In a statement Sunday, it attributed a cyber attack to its Microsoft Exchange Servers.
"The European Banking Authority (EBA) has been the subject of a cyber-attack against its Microsoft Exchange Servers, which is affecting many organizations worldwide. The Agency has swiftly launched a full investigation, in close cooperation with its ICT provider, a team of forensic experts and other relevant entities," the statement said.
In an update Monday, EBA said they do not believe any data was extracted, and they have no indication that the breach has gone beyond the email servers. However, the bank did take email systems offline as a precautionary measure.
As it turns out, those precautionary measures were successful. In a third update Tuesday, EBA said email services had been restored.
"The European Banking Authority has established the scope of the event caused by the recently widely notified vulnerabilities was limited and that the confidentiality of the EBA systems and data has not been compromised. Thanks to the precautionary measures taken, the EBA has managed to remove the existing threat and its email communication services have, therefore, been restored."
Reports by cybersecurity firms FireEye and Huntress Labs say the range of victims is wide.
"We've also witnessed many city and county government victims, healthcare providers, banks/financial institutions, and several residential electricity providers," the blog post said.
Additionally, Huntress has been tracking the number of unpatched systems on Exchange servers. As of Friday, around 800 remained unpatched and "without the hotfix for an up-to-date CU version number."
According to a FireEye Mandiant blog, victims include U.S.-based retailers, local governments, a university and an engineering firm. "Related activity may also include a Southeast Asian government and Central Asian telecom," the blog post said.