How auto-scanning and scripting helped Exchange attackers rack up victims

Cyber Security News

The number of organizations breached via four zero-day bugs in Microsoft Exchange has reached 30,000 and climbing, thanks to automated scanning and scripting techniques used by attackers.

According to sources that spoke to SC Media, adversaries in late February leveraged automated scanning capabilities in order to identify Exchange users who were vulnerable to the exploit. The number of hacks at first were limited, but once Microsoft made the zero-days public last Tuesday and issued emergency patches, malicious actors implemented a script that enabled them to launch the massive automated hack.

The lesson here: malicious actors continue to leverage the combination of automated scanners and scripts to strategically rack up high victim counts, especially when they sense time to inflict damage before patching is running out.

“In 2021, it is safe to assume if a system is exposed directly to the internet, it is continuously being scanned and probed by both services like Shodan and Census.io and attackers looking for easy targets,” said Jerry Gamblin, director of security research at Kenna Security.

Using such tools, “you can find a ton of servers that are open to the world,” said Yossi Naar, chief visionary officer and co-founder at Cybereason. “You can… run your own scans if you want, but you’ll want a distributed network of scanners so that you don’t get noticed or blocked.”

And when there is a vulnerability to be found, threat actors can then either choose their targets individually and methodically, or they can go broad and attack a wide range.

“Different threat actors have different collection priorities and strategies,” said multiple Kaspersky researchers in a written interview with SC Media. “For instance, some might be interested in a very particular document, such as a COVID-19 vaccine formula, or perhaps the schematics of a jet prototype. Other actors might be interested in casting a large net to collect information such as e-mails, SMSes or network traffic. These priorities may also shift from time to time, depending on geopolitical contexts.”

Still, it’s curious: APTs often are very surgical and judicious in nature, preferring to stay under the radar to perform cyberespionage on carefully chosen targets. Indeed, the main actor blamed for the exploit, Hafnium or Emissary Panda, is known for specifically targeting infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-government organizations. Suddenly attacking 30,000 organizations sounds out of character.

Then again, at least two other groups – Tick and Calypso – were observed exploiting the Exchange flaws, and experts believe other actors acted after the public disclosure.

Whoever decided to scan and infect thousands of companies en masse, it’s quite possible they implemented this tactic once news of the zero-days became public knowledge.

In an interview with security expert Brian Krebs, Volexity President Steven Adair said his company’s team first observed attackers exploiting the bugs on Jan. 6, but that activity picked up considerably after the security updates.

“Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server,” Adair told Krebs. “The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

“Exploiting the ‘patch gap’ is a common tactic we’ve seen many actors utilize when they realize their exploit has been burned. This is likely what we are seeing now,” explained Kaspersky.

Indeed, “If you think or know that your vulnerabilities are about to get patched – which is likely that the attackers had some insight there – it’s a nothing-to-lose kind of strategy. You’ll get shut down anyway – you might as well get whatever you can until that happens,” said Naar.

“At this point, the attackers know… if they’re able to successfully implant a web shell, they can at least maintain persistence, assuming the organization does nothing else besides applying the patches,” said Satnam Narag, staff research engineer at Tenable.

Of course, the attacks need an efficient way to implant said webshell across multiple organizations. And that’s where the exploit script comes into play.

“There’s two parts to it; the first step is reconnaissance by actively identifying publicly accessible systems online using tools like Shodan, BinaryEdge and ZoomEye,” said Narag. “Once that step is complete, the second step involves inputting the harvested list of systems through an exploit script that can check whether or not a system is vulnerable, and if so, exploit the flaw to implant the web shells.”

With that said, there may not be a need for such a rush on the attackers’ part. Many challenges fail to apply patches quickly, noted Narag – and there likely will still be plenty of potential victims out there in the weeks and months to come.

“The value of a zero-day is not diminished once it becomes an n-day vulnerability,” said Narag. “In 2020, CISA issued multiple advisories highlighting the use of… n-day vulnerabilities by nation-state groups, underscoring the message that unpatched vulnerabilities are just as, if not more, valuable than zero-days.

Aside from taking advantage of the patch gap, there are other reasons for attackers to go broad, mass-infecting thousands of organizations at a time.

In some cases, “It tells me that they are likely looking for supply-chain-type places to go after and not necessarily expecting to hit the target directly,” said Naar. “When you go wide like this it’s also easy to obfuscate the real target or targets and hide them among the noise. It’s a risky strategy but very effective. When you hit 30,000 organizations it’s very hard to tell which few were your real targets and they are likely to be lulled into a false sense of security.”

As attackers continue to use automated tools to scan and exploit for known vulnerabilities, Gamblin recommended that organizations take steps to get a better feel for their attack surface. “Open-source tools like intrigue.io help with this and immensely,” he said. “Once the attack surface is understood, organizations can work on minimizing those as much as possible.” Moreover, he said, “Organizations should also have an ‘emergency kill switch’ [implemented] where they can pull a system quickly off the internet when they know mass exploitations against systems they have not been able to patch are happening.”