APT hackers rush to exploit unpatched Microsoft Exchange servers

Multiple state-sponsored hacking groups are actively exploiting critical Exchange bugs Microsoft patched Tuesday via emergency out-of-band security updates.

Microsoft addressed four zero-days (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) exploited in the wild and three other vulnerabilities (CVE-2021-27078, CVE-2021-26854, and CVE-2021-26412).

At least four hacking groups exploiting just-patched Exchange flaws

Advanced persistent threat (APT) groups are currently using “at least” the CVE-2021-26855 Microsoft Exchange Server vulnerability as part of ongoing attacks to achieve remote code execution without authentication on unpatched on-premises Exchange servers.

Three of them, the Chinese-backed APT27, Bronze Butler (aka Tick), and Calypso, were identified by Slovak internet security firm ESET who says that it detected several other state-sponsored groups it couldn’t identify.

“ESET telemetry shows that (at least) CVE-2021-26855 is actively exploited in the wild by several cyber-espionage groups,” ESET said. “Among them, we identified LuckyMouse, Tick, Calypso, and a few additional yet-unclassified clusters.”

“Most targets are located in the US but we’ve seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities.”

Microsoft identified a fourth Chinese state-backed hacking group named Hafnium that was observed while attacking US organizations to steal data.

While the identities of Hafnium’s targets have not yet been disclosed, Microsoft shared a list of previously attacked industry sectors.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” Microsoft VP Tom Burt said.

Web shells dropping since at least January

Cybersecurity firm Huntress found web shells being deployed on compromised Exchange servers while responding to these ongoing attacks, web shells that would provide the threat actors with access after the servers are patched.

“Based on our analysis of 209 exploited servers, the earliest sign of compromise we’ve observed was on Feb 27th at 1643 UTC, and the most recently dropped web shell was created two hours ago,” Huntress said.

“Thus far, we have not seen any significantly different payloads delivered, but expect this will happen in a matter of time (re-emphasizing that your 30 days delayed patching/configuration management policy is going to hurt more than help in this situation).

“It’s also notable that multiple hosts have received 2-4 web shells (suggesting automated deployment without a mutex or multiple uncoordinated actors).”

One of the web shells dropped during these attacks is China Chopper (a sample is available here).

Once deployed, it allows attackers to execute Microsoft .NET code using HTTP POST commands to upload and download files, execute programs, list directory contents, and access Active Directory.

Incident response firm Volexity said that active exploitation of these Microsoft Exchange zero-days began “as early as January 6, 2021.”

At this time we can’t say with certainty what the threat actor’s goals are. The use of a web shell/backdoor does indicate that they will continue to use this access for command-and-control, but we have not yet uncovered what they might do with it next. This could run the gamut of exfiltrate data, drop ransomware, use in a botnet, mine cryptocurrency, etc. Researchers have highlighted the use of ProcDump to capture credentials/hashes stored within LSASS process memory and potentially use those to gain more and more access. — Huntress

Admins urged to patch ASAP

Microsoft urges administrators to “install these updates immediatelyto protect vulnerable on-premises Exchange servers from these ongoing attacks.

To detect if your Exchange server has been already breached, Microsoft provides PowerShell and console commands to scan Event Logs/Exchange Server logs for traces of the attack.

Microsoft Senior Threat Intelligence Analyst Kevin Beaumont also created a Nmap script to scan networks for potentially vulnerable Microsoft Exchange servers.

Before updating your Exchange servers, you will need to make sure you’ve deployed a supported Cumulative Update (CU) and Update Rollup (RU) beforehand.

You can find more info on how to install the patches in this article published by the Microsoft Exchange Team.