It has been over a month since news first broke of a Microsoft Exchange vulnerability being exploited in the wild. The situation has continued to worsen, with the latest developments including new vulnerabilities reported by the NSA and possible in-the-wild exploitation to distribute a cryptominer.
Originally used by a nation-state group, the vulnerability was subsequently weaponized by other threat actors to carry out ransomware and cryptomining campaigns globally.
This blog discusses the complete timeline of events since Microsoft publicly disclosed the MS Exchange vulnerabilities.
Day 1, March 2:
Microsoft released a security patch to counter the flaws in Exchange Server. Microsoft alleges that a Chinese state-sponsored threat actor known as Hafnium actively targeted Exchange servers.
Day 2, March 3:
As mass scanning had started in the third week of February, attackers had by now compromised thousands of MS Exchange servers.
Day 4, March 5:
Microsoft issues an advisory on mitigating the vulnerabilities. Blue Hexagon sees a spike in crimeware-related attacks and issues its own threat advisory, "Threat Advisory: Microsoft Exchange Server", covering CVE-2021-24085, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Day 6, March 7:
The MS Exchange hack turns into an epidemic as the total number of hacked servers reaches 60,000. The European Banking Authority (EBA) announces that its server was also compromised and begins an investigation.
Day 10, March 11:
Threat Advisory: New PoC exploit for Exchange
Blue Hexagon issues a threat advisory for the new PoC exploit (Exchange SSRF, CVE-2021-26855) and shows how the PoC works.
Ransomware Threat Advisory:
Microsoft found that a human operator installed DoejoCrypt ransomware after compromising the device via a malicious web shell.
Day 15, March 16:
Microsoft releases guidance on how to install the patch and how to investigate whether Exchange servers have been compromised.
Day 18, March 19:
The notorious REvil group claims to have hacked Acer and posts images of stolen documents on the dark web.
Day 21, March 22:
Threat researcher MalwareTech tweeted that the Black Kingdom gang is encrypting MS Exchange servers by exploiting the ProxyLogon vulnerability. The threat actor used a PowerShell script to download the ransomware.
Day 28, March 31:
Microsoft cited RiskIQ telemetry showing that 92% of vulnerable Exchange servers have now been patched or had mitigations applied. Threat actors continue to actively target and attempt to compromise the remaining unpatched servers.
Source: Microsoft Security Response Center https://twitter.com/msftsecresponse/status/1374075310195412992
Day 40, April 12:
Microsoft released a security update for new vulnerabilities found in Exchange Server versions 2013 through 2019.
CVE-2021-28480 and CVE-2021-28481 have a CVSSv3 score of 9.8, higher than the previously exploited vulnerabilities. Both are pre-authentication vulnerabilities, meaning threat actors can exploit them without authenticating to the server.
CVE-2021-28482 and CVE-2021-28483 are post-authentication vulnerabilities: threat actors can exploit them only after authenticating to the MS Exchange server.
Microsoft said it is not aware of active exploitation in the wild. Microsoft credits the NSA for the above vulnerabilities, though two of them are also credited to the Microsoft security team.
Source: National Security Agency https://twitter.com/NSACyber/status/1382020839118344199
Day 42, April 14:
The FBI launches an operation to remove web shell backdoors from already-compromised Exchange servers across the United States.
How The Attack Works:
Let’s take a closer look at how the attack is actually carried out from the reconnaissance stage to the actual exploitation.
First, threat actors send a crafted HTTP request on port 443 and authenticate as the Microsoft Exchange server. After gaining entry, the next step is to exploit a second vulnerability in the Unified Messaging service, which allows them to run arbitrary code with SYSTEM privileges. As the last stage of the kill chain, a web shell is deployed, which allows them to perform reconnaissance and move to other parts of the network.
While news of mass scanning (reconnaissance) started emerging on 26-27 February, Blue Hexagon had observed reconnaissance-related activity originating from Eastern Europe as early as 18 February.
In the screenshot above, we can see the typical activities associated with an organization under attack. Searching for the term "OWA" gives real-time visibility into the network.
Following the trail, we can see an OWA server actively communicating with an IP address it has no previous history of communicating with.
Reviewing the threat intel, we can see that these IP addresses have previously been associated with crimeware-related activities: performing reconnaissance, exploitation, and serving as command-and-control servers.
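The triage just described (find the OWA server, look for outbound connections to destinations it has never talked to before, then cross-check those destinations against threat intelligence) can be scripted over ordinary flow records. The following is an added example written for this post, not Blue Hexagon's code or product logic; the flow-record layout, the host names, the IP addresses (RFC 5737 documentation ranges) and the threat-intel list are all constructed for illustration.

```python
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed flow records for this example:
# (timestamp, src_host, src_ip, dst_ip, dst_port, bytes_out).
# Hosts, addresses and timestamps are invented, not real telemetry.
FLOWS: List[Tuple[str, str, str, str, int, int]] = [
    ("2021-02-10T08:00:00", "owa-01",   "10.0.5.20", "192.0.2.10",    443, 5400),   # known partner
    ("2021-02-15T14:30:00", "owa-01",   "10.0.5.20", "10.0.5.5",       25, 900),    # internal mail
    ("2021-02-16T11:05:00", "files-02", "10.0.7.8",  "198.51.100.77", 443, 300),    # seen, but by another host
    ("2021-02-18T09:12:03", "owa-01",   "10.0.5.20", "198.51.100.23", 443, 1200),   # new peer
    ("2021-02-18T09:12:45", "owa-01",   "10.0.5.20", "198.51.100.23", 443, 800),    # same peer again
    ("2021-02-19T02:40:10", "owa-01",   "10.0.5.20", "198.51.100.77", 443, 64000),  # new peer for OWA
    ("2021-02-19T10:00:00", "owa-01",   "10.0.5.20", "192.0.2.10",    443, 2000),   # known partner
    ("2021-02-20T12:00:00", "owa-01",   "10.0.5.20", "203.0.113.9",   443, 150),    # new peer, no intel
    ("2021-02-20T13:00:00", "files-02", "10.0.7.8",  "203.0.113.50",  443, 150),    # not an OWA host
]

# Constructed threat-intel mapping (IP -> activity category), invented for the example.
THREAT_INTEL: Dict[str, str] = {
    "198.51.100.23": "reconnaissance",
    "198.51.100.77": "command-and-control",
}


def baseline_pairs(flows, baseline_end: str) -> Set[Tuple[str, str]]:
    """(src_host, dst_ip) pairs observed before baseline_end: each host's known peers."""
    cutoff = datetime.fromisoformat(baseline_end)
    return {(h, d) for ts, h, _, d, _, _ in flows if datetime.fromisoformat(ts) < cutoff}


def new_peers(flows, baseline_end: str, host_keyword: str = "owa") -> List[dict]:
    """Flows at or after baseline_end from hosts whose name contains host_keyword,
    to destinations that particular host had never contacted before.
    Returns one aggregated entry per (host, dst_ip)."""
    cutoff = datetime.fromisoformat(baseline_end)
    known = baseline_pairs(flows, baseline_end)
    found: Dict[Tuple[str, str], dict] = {}
    for ts, host, _src_ip, dst_ip, port, nbytes in flows:
        if datetime.fromisoformat(ts) < cutoff or host_keyword not in host.lower():
            continue
        if (host, dst_ip) in known:
            continue  # this host has talked to that address before: not "first contact"
        entry = found.setdefault((host, dst_ip), {
            "host": host, "dst_ip": dst_ip, "dst_port": port,
            "first_seen": ts, "flows": 0, "bytes_out": 0,
        })
        entry["flows"] += 1
        entry["bytes_out"] += nbytes
        if ts < entry["first_seen"]:  # ISO-8601 strings of equal layout sort chronologically
            entry["first_seen"] = ts
    return list(found.values())


def triage(flows, baseline_end: str, intel: Dict[str, str],
           host_keyword: str = "owa") -> List[dict]:
    """Attach threat-intel context to each first-contact peer and rank intel hits first."""
    findings = new_peers(flows, baseline_end, host_keyword)
    for f in findings:
        f["intel"]: Optional[str] = intel.get(f["dst_ip"])
    findings.sort(key=lambda f: (f["intel"] is None, f["first_seen"]))
    return findings


if __name__ == "__main__":
    # Everything before 18 February is treated as the "normal" baseline.
    for f in triage(FLOWS, "2021-02-18T00:00:00", THREAT_INTEL):
        tag = f["intel"] or "no intel match"
        print(f'{f["first_seen"]} {f["host"]} -> {f["dst_ip"]}:{f["dst_port"]} '
              f'flows={f["flows"]} bytes={f["bytes_out"]} [{tag}]')
```

The baseline is kept per host rather than globally on purpose: an address that a file server has contacted before is still a first contact for the OWA server, and that is exactly the case the analysis above highlights. In practice the baseline window should be long enough to cover normal business cycles, and the intel lookup would be a feed rather than an inline dictionary.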
Questions? How to Contact Blue Hexagon Threat Experts
If you have any questions or need assistance in determining whether your current security controls can surface the attack described above, or in bolstering your security stack, please contact Blue Hexagon Security Experts by email at email@example.com or online at https://bluehexagon.ai/contact/ and let us know how we can help.
PS: You may like to bookmark this blog post for future reference, as we will continue to add further research on this attack.