At least 10 nation-state-backed groups are using the ProxyLogon exploit chain to compromise email servers, as compromises mount.
Recently patched Microsoft Exchange vulnerabilities are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world. Overall exploitation activity is snowballing, according to researchers.
Microsoft said in early March that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Four flaws can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a webshell for further exploitation within the environment.
And indeed, adversaries from the Chinese APT known as Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.
Microsoft was spurred to release out-of-band patches for the exploited bugs, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
Rapidly Spreading Email Server Attacks
Microsoft said last week that the attacks were “limited and targeted.” But that’s certainly no longer the case. Other security companies have continued to say they have seen much broader, escalating activity with mass numbers of servers being scanned and attacked.
ESET researchers had confirmed this as well, and on Wednesday announced that it had pinpointed at least 10 APTs going after the bugs, including Calypso, LuckyMouse, Tick and Winnti Group.
“On Feb. 28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group,” according to the writeup. “This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse-engineering Microsoft updates.”
The @DIVDnl scanned over 250K Exchange servers. Sent over 46k emails to the owners. The amount of vulnerable servers is going down. The number of compromised systems is going up. More organizations start investigating their systems for #Hafnium exploits. https://t.co/XmQhHd7OA9
— Victor Gevers (@0xDUDE) March 9, 2021
This activity was quickly followed by a raft of other groups, including CactusPete and Mikroceen “scanning and compromising Exchange servers en masse,” according to ESET.
“We have already detected webshells on more than 5,000 email servers [in more than 115 countries] as of the time of writing, and according to public sources, several important organizations, such as the European Banking Authority, suffered from this attack,” according to the ESET report.
It also appears that threat groups are piggybacking on each other’s work. For instance, in some cases the webshells were dropped into Offline Address Book (OAB) configuration files, and they appeared to be accessed by more than one group.
“We cannot discount the possibility that some threat actors might have hijacked the webshells dropped by other groups rather than directly using the exploit,” said ESET researchers. “Once the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization.”
Zero-Day Activity Targeting Microsoft Exchange Bugs
ESET has documented a raft of activity targeting the four vulnerabilities, including multiple zero-day compromises before Microsoft rolled patches out.
For instance, Tick, which has been infiltrating organizations primarily in Japan and South Korea since 2008, was seen compromising the webserver of an IT company based in East Asia two days before Microsoft released its patches for the Exchange flaws.
“We then observed a Delphi backdoor, highly similar to previous Delphi implants used by the group,” ESET researchers said. “Its main objective seems to be intellectual property and classified information theft.”
A timeline of ProxyLogon activity. Source: ESET.
One day before the patches were released, LuckyMouse (a.k.a. APT27 or Emissary Panda) compromised the email server of a governmental entity in the Middle East, ESET observed. The group is cyberespionage-focused and is known for breaching multiple government networks in Central Asia and the Middle East, along with transnational organizations like the International Civil Aviation Organization (ICAO) in 2016.
“LuckyMouse operators started by dropping the Nbtscan tool in C:\programdata, then installed a variant of the ReGeorg webshell and issued a GET request to http://34.90.207[.]23/ip using curl,” according to ESET’s report. “Finally, they attempted to install their SysUpdate (a.k.a. Soldier) modular backdoor.”
That same day, still in the zero-day period, the Calypso spy group compromised the email servers of governmental entities in the Middle East and in South America. And in the following days, it targeted additional servers at governmental entities and private companies in Africa, Asia and Europe using the exploit.
“As part of these attacks, two different backdoors were observed: a variant of PlugX specific to the group (Win32/Korplug.ED) and a custom backdoor that we detect as Win32/Agent.UFX (known as Whitebird in a Dr.Web report),” according to ESET. “These tools are loaded using DLL search-order hijacking against legitimate executables (also dropped by the attackers).”
ESET also observed the Winnti Group exploiting the bugs, a few hours before Microsoft released the patches. Winnti (a.k.a. APT41 or Barium, known for high-profile supply-chain attacks against the video game and software industries) compromised the email servers of an oil company and a construction equipment company, both based in East Asia.
“The attackers started by dropping webshells,” according to ESET. “At one of the compromised victims we observed a PlugX RAT sample (also known as Korplug)…at the second victim, we observed a loader that is highly similar to previous Winnti v.4 malware loaders…used to decrypt an encrypted payload from disk and execute it. Additionally, we observed various Mimikatz and password dumping tools.”
After the patches rolled out and the vulnerabilities were publicly disclosed, CactusPete (a.k.a. Tonto Team) compromised the email servers of an Eastern Europe-based procurement company and a cybersecurity consulting company, ESET noted. The attacks resulted in the ShadowPad loader being implanted, along with a variant of the Bisonal remote-access trojan (RAT).
And, the Mikroceen APT group (a.k.a. Vicious Panda) compromised the Exchange server of a utility company in Central Asia, which is the region it mainly targets, a day after the patches were released.
Unattributed Exploitation Activity
A cluster of pre-patch activity that ESET dubbed Websiic was also seen targeting seven email servers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a governmental body in Eastern Europe.
ESET also said it has seen a spate of unattributed ShadowPad activity resulting in the compromise of email servers at a software development company based in East Asia and a real estate company based in the Middle East. ShadowPad is a cyber-attack platform that criminals deploy in networks to gain remote control capabilities, keylogging functionality and data exfiltration.
ESET also saw another cluster of activity targeting around 650 servers, mostly in Germany and other European countries, the U.K. and the United States. All of the latter attacks featured a first-stage webshell called RedirSuiteServerProxy, researchers said.
And finally, on four email servers located in Asia and South America, webshells were used to install IIS backdoors after the patches came out, researchers said.
The groundswell of activity, particularly on the zero-day front, brings up the question of how knowledge of the vulnerabilities was spread between threat groups.
“Our ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,” ESET concluded. “It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.”
Organizations with on-premises Microsoft Exchange servers should patch as soon as possible, researchers noted – if it’s not already too late.
“The best mitigation advice for network defenders is to apply the relevant patches,” said Joe Slowik, senior security researcher with DomainTools, in a Wednesday post. “However, given the speed in which adversaries weaponized these vulnerabilities and the extensive period of time pre-disclosure when these were actively exploited, many organizations will likely need to shift into response and remediation activities — including attack surface reduction and active threat hunting — to counter existing intrusions.”
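The threat-hunting step Slowik recommends, applied to the two observations ESET makes above (webshells left behind after exploitation, and the same webshell being accessed by more than one actor), is illustrated by the following script. It is an added example written for this page, not code from ESET, DomainTools or Microsoft. It scans a set of server-side files for common ASP.NET webshell traits, then correlates candidate files against IIS W3C log lines to list which client IPs reached each one; a webshell hit from several unrelated sources is exactly the "hijacked by another group" pattern described in the article. All file paths, file contents and log lines are constructed for the demonstration and are not indicators from any real incident.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample files: {path: content}. Paths and contents are invented
# for this example; they are not real artifacts from any incident.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\system_web\ok.aspx":
        '<%@ Page Language="C#" %><html>hello</html>',
    r"C:\inetpub\wwwroot\aspnet_client\system_web\shell.aspx":
        '<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>',
    # Hypothetical OAB configuration file carrying an embedded server-side script,
    # standing in for the OAB-config webshells the article mentions.
    r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\oab\Config.xml":
        "<OABVirtualDirectory ExternalUrl=\"http://f/<script language='JScript' "
        "runat='server'>function Page_Load(){eval(Request['x'],'unsafe');}"
        "</script>\"/>",
}

# Constructed IIS W3C log excerpt (user agents kept space-free so the
# whitespace split below stays simple).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-02 10:01:02 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-02 10:05:44 10.0.0.5 POST /aspnet_client/system_web/shell.aspx - 443 - 203.0.113.10 python-requests/2.25 200
2021-03-03 08:12:09 10.0.0.5 POST /aspnet_client/system_web/shell.aspx - 443 - 198.51.100.7 curl/7.64 200
2021-03-03 09:30:00 10.0.0.5 GET /owa/ - 443 alice@example.com 192.0.2.44 Mozilla/5.0 200
"""

# Traits that together suggest a one-line ASP.NET webshell: server-side script
# block, eval of request-supplied data, or process spawning.
WEBSHELL_SIGNATURES = [
    re.compile(r'runat\s*=\s*["\']server["\']', re.I),
    re.compile(r'eval\s*\(\s*Request\s*[\[\.(]', re.I),
    re.compile(r'ProcessStartInfo|cmd\.exe\s*/c', re.I),
]


def find_webshell_candidates(files, min_hits=2):
    """Return paths whose content matches at least min_hits signatures."""
    hits = []
    for path, content in files.items():
        score = sum(1 for sig in WEBSHELL_SIGNATURES if sig.search(content))
        if score >= min_hits:
            hits.append(path)
    return hits


def parse_iis_log(text):
    """Parse W3C-format IIS log text into a list of dicts keyed by field name."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        entries.append(dict(zip(fields, parts)))
    return entries


def correlate_access(entries, candidate_paths):
    """Map each requested URI stem that names a candidate file to the client IPs that hit it."""
    basenames = {ntpath.basename(p).lower() for p in candidate_paths}
    sources = defaultdict(set)
    for entry in entries:
        stem = entry["cs-uri-stem"]
        if stem.rsplit("/", 1)[-1].lower() in basenames:
            sources[stem].add(entry["c-ip"])
    return {stem: sorted(ips) for stem, ips in sources.items()}


def multi_source_shells(access_map, threshold=2):
    """Candidate webshells reached from at least `threshold` distinct client IPs."""
    return [stem for stem, ips in access_map.items() if len(ips) >= threshold]


def hunt(files=SAMPLE_FILES, log_text=SAMPLE_IIS_LOG):
    """Run the full hunt and return candidates, per-shell source IPs, and shared shells."""
    candidates = find_webshell_candidates(files)
    access = correlate_access(parse_iis_log(log_text), candidates)
    return {"candidates": candidates, "access": access,
            "shared": multi_source_shells(access)}


if __name__ == "__main__":
    for key, value in hunt().items():
        print(key, value)
```

On a real server the `SAMPLE_FILES` dict would be replaced by a walk over the web root and Exchange directories, and the log text by the IIS log files; the signatures are deliberately loose and are a starting point for triage, not a verdict, so each candidate still needs a file-content review and a timeline check against the patch date.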