The exploit attempts targeting the four zero days in Exchange disclosed yesterday have already become more widespread than originally reported, with small businesses being hit along with government agencies, financial institutions, and health care providers.
In its disclosure of the vulnerabilities, Microsoft said that the flaws were being used in “limited and targeted attacks” by an APT group based in China called Hafnium. The vulnerabilities are quite serious, with one of them allowing remote access to an Exchange server without any authentication or other special information. Microsoft said Hafnium had used the vulnerabilities to target on-premise Exchange servers, install a webshell as a persistence mechanism, and steal confidential information from victims’ inboxes. Since the disclosures Tuesday, researchers have been tracking exploit activity against a variety of organizations, not all of which fall into the bucket of typical APT targets.
Researchers at Huntress Labs, which works with managed service providers to find threats, has identified nearly 200 Exchange servers that have a webshell payload that is the telltale sign of the attacks on these vulnerabilities. In some cases, vulnerable servers have been found with multiple webshells installed, potentially indicating exploitation by more than one attacker. MIcrosoft researchers emphasized the seriousness of the flaws and urged customers to install the patches for the four bugs as soon as possible. But for organizations that aren’t usually targeted by high-level attackers, the warnings may not have been enough.
“Because the advisory said limited and targeted attacks, it seems like some people shrugged it off. We’re seeing it as a much bigger set of activity,” said John Hammond, senior security researcher at Huntress Labs.
“It’s evident now that it’s public knowledge and we’re all playing catch-up. We’re seeing activity across the board, from small businesses like ice cream shops, all the way up to government agencies and banking.”
The four Exchange vulnerabilities Microsoft disclosed have been chained together by the Hafnium group to gain initial access to vulnerable servers, maintain persistence, and then steal data, including the contents of individual inboxes. The most serious of the four is CVE-2021-26855, a server-side request forgery flaw that the attackers have used for initial access. Researchers at Volexity first detected exploitation of that flaw in January and then subsequently saw the same actor using other Exchange zero days in its operations.
“During the course of multiple incident response efforts, Volexity identified that the attacker had managed to chain the SSRF vulnerability with another that allows remote code execution (RCE) on the targeted Exchange servers (CVE-2021-27065). In all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Microsoft Entra ID database (NTDS.DIT), and move laterally to other systems and environments,” an analysis of the attacks by Volexity says.
Hammond said that not all of the webshells Huntress has seen are identical, and the naming conventions don’t all line up with the one used by Hafnium. Now that the details of the vulnerabilities are public, it’s likely that other actors outside of APT groups will begin targeting them, as well.
“I don’t think everyone is taking this as seriously as they should. I think we should be screaming this one from the rooftops,” Hammond said. “Every organization has to have email and Exchange is so widely deployed and you get command and control inherently when you exploit this.”