Skip to main content

Microsoft: Patch your Exchange servers, they're under attack


Microsoft is warning organizations that use Exchange email servers to shore up their systems now after observing a massive spike in highly skillful attacks this April.
The company’s alert details how advanced cyber attackers are using freely available open-source software and a known, critical vulnerability to attack Exchange email servers — one of the most valuable sources of information in any organization.
Exchange has been under attack for months now by multiple government-backed hackers who quickly pounced on a particularly nasty Exchange security flaw (CVE-2020–0688) shortly after Microsoft offered patches in February.
The flaw meant all Exchange email servers released in the past decade used identical cryptographic keys for the control panel’s backend, which allowed remote attackers to run malware on it and take full control of the server to gain access to a target’s email store.
But many organizations ignored Microsoft’s warning to patch the Exchange bug, which it predicted would come under attack in the near future. By April, security researchers warned that over 350,000 Exchange servers with the vulnerability were exposed on the internet.
“Drop everything and patch this vulnerability immediately,” Jonathan Cran, head of research at Kenna Security, warned at the time.
Microsoft says the most common way Exchange servers are compromised is via phishing attacks or attacks on desktop flaws and from there moving within the organization to access an Exchange server — the main system housing a target’s email communications.
But in April it saw a rise in attacks exploiting a particular remote code execution vulnerability affecting Microsoft’s Internet Information Service (IIS) component of a target Exchange server.
“The first scenario is more common, but we’re seeing a rise in attacks of the second variety; specifically, attacks that exploit Exchange vulnerabilities like CVE-2020–0688,” said Hardik Suri of the Microsoft Defender ATP Research Team.
“The security update that fixes this vulnerability has been available for several months, but, notably, to this day, attackers find vulnerable servers to target.
“In many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web accessible paths on the server.”
Microsoft’s new warning comes a week after the Australian government raised an alarm over ongoing attacks against organizations in the country.
The Australian Cyber Security Centre’s (ACSC) lengthy advisory doesn’t highlight CVE-2020–0688 but it does detail similar techniques to the ones Microsoft describes for attacks on IIS and Exchange email servers.
In both cases, the attackers planted web shell backdoor code on internet-accessible parts of Exchange, such as the log-on page for Outlook on the web, formerly Outlook Web Access.
According to Microsoft, there were multiple concurrent campaigns behind the surge in Exchange attacks during April, with most employing web shells on internet-facing Exchange servers for initial access. The attackers used multiple web shells, but the most widely used was the China Chopper web shell.
“The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells,” says Suri.
“Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain.
“Common services, for example, Outlook on the web (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC, formerly known as the Exchange Control Panel or ECP), executing net.exe, cmd.exe, and other known living-off-the-land binaries ( LOLBins) like mshta.exe are very suspicious and should be further investigated,” warned Suri.
After deploying a web shell, the attackers explored the target domain and, where a misconfigured server was found, they added new accounts to high-privilege groups like Administrators, Remote Desktop Users, and Enterprise Admins.
This gave attackers “unrestricted access to any users or group in the organization”. Afterwards, credentials to these accounts were targeted using native Windows tools to dump Local Security Authority Subsystem Service (LSASS) memory — a key service for handling authentication in Active Directory domains — and upload them to a remote server for cracking.
To gain persistence on a machine purely in memory, or without ever touching a disk, the attackers turned to open-source software. On systems configured to detect the open-source credential dumping tool, Mimikatz, the attackers used a modified version placed in a wrapper written in the Go programming language.
“The binary used the open-source MemoryModule library to load the binary using reflective DLL injection. Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence,” notes Suri.
The attackers also attempted to disable Microsoft Defender Antivirus and disable archive scanning to protect .zip files and compression tools like rar.exe, which was used to steal email .pst files and memory dumps.
Suri recommends that organizations apply available updates, enable multi-factor authentication, and ensure on Windows 10 machines that tamper protection is enabled to prevent attackers disabling antivirus.
He also suggested organizations review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Security teams should also practice the principle of least-privilege and prioritize alerts indicating suspicious activities on Exchange servers.
Organizations under these types of attacks could likely benefit from Microsoft Defender ATP capabilities such as behavioral monitoring of IIS and Exchange.

Originally published at https://www.zdnet.com on June 25, 2020.

Comments

Popular posts from this blog

Ransomware's Dangerous New Trick Is Double-Encrypting Your Data

  Ransomware groups have always taken a more-is-more approach . If a victim pays a ransom and then goes back to business as usual-hit them again. Or don’t just encrypt a target’s systems; steal their data first, so you can threaten to leak it if they don’t pay up. The latest escalation? Ransomware hackers who encrypt a victim’s data twice at the same time. Double-encryption attacks have happened before, usually stemming from two separate ransomware gangs compromising the same victim at the same time. But antivirus company Emsisoft says it is aware of dozens of incidents in which the same actor or group intentionally layers two types of ransomware on top of each other. “The groups are constantly trying to work out which strategies are best , which net them the most money for the least amount of effort,” says Emsisoft threat analyst Brett Callow. “So in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not act...

Babuk ransomware is back, uses new version on corporate networks

  After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks. The criminals are currently using a new version of their file-encrypting malware and have moved the operation to a new leak site that lists a handful of victims. Gang’s still in the game The Babuk ransomware group became known at the beginning of the year but the gang says that their attacks had started in mid-October 2020, targeting companies across the world and demanding ransoms typically between $60,000 and $85,000 in bitcoin cryptocurrency. In some cases, victims were asked hundreds of thousands for data decryption. One of their most publicized victims is the Washinton DC’s Metropolitan Police Department (MPD). This attack likely pushed the threat actor into announcing its retirement from the ransomware business only to adopt another extortion model that did not include encryption....

Microsoft Teams Phishing Attack Targets Office 365 Users

  Up to 50,000 Office 365 users are being targeted by a phishing campaign that purports to notify them of a “missed chat” from Microsoft Teams. Researchers are warning of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials. Teams is Microsoft’s popular collaboration tool, which has particularly risen in popularity among remote workforces during the pandemic  — making it an attractive brand for attackers to impersonate. This particular campaign was sent to between 15,000 to 50,000 Office 365 users, according to researchers with Abnormal Security on Thursday. “Because Microsoft Teams is an instant-messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification,” said researchers in a Thursday analysis . The initial phishing email displays the name ...