APT Hackers Targeting Unpatched, On-Prem Microsoft Exchange Servers

March 15, 2021 - At least 10 advanced persistent threat (APT) hacking groups are targeting unpatched, on-prem Microsoft Exchange servers, in an effort to exploit the vulnerability and take control of the impacted device, according to recent ESET data.

Microsoft and RiskIQ telemetry data found that of the nearly 400,000 Exchange servers vulnerable to four zero-day exploits, just 82,000 are left to be patched.

The out-of-band security patches were issued at the beginning of the month. At the time, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency warned that the flaws were already under active exploit in the wild.

The vulnerabilities are found in Exchange servers versions 2013, 2016, and 2019. The CVE-2021-26855, a side-server request forgery (SSRF) is at the core of these flaws. Hackers can remotely chain the flaw with one of the other vulnerabilities to increase the impact.

Overall, a successful exploit of one of the three remote code execution (RCE) flaws would allow the attacker to take over the impacted system, while the fourth vulnerability would give the hacker access to the victim’s data.

Researchers have observed attackers exploiting the flaws to write webshells to disk, dump credentials, add user accounts, and steal copies of the Active Directory, among other nefarious activities.

The latest insights from ESET and Microsoft show hackers have ramped up targeted efforts since the initial disclosure. ESET has detected webshells on more than 5,000 email servers, while media reports show the European Banking Authority has suffered an attack stemming from these flaws.

Microsoft previously attributed the initial exploits to Chinese nation-state hackers called HAFNIUM. ESET researchers have since found other threat actors targeting the flaws, including Tick, LuckyMouse, Calypso, and the Winnti Group.

“This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates,” ESET researchers wrote.

“The day after the release of the patch, we started to see many more threat actors (including Tonto Team and Mikroceen) scanning and compromising Exchange servers en masse,” they added. “All of them are APT groups interested in espionage, except for one outlier (DLTMiner), which is linked to a known cryptomining campaign.”

ESET found webshells in Offline Address Book (OAB) configuration files, a technique used to exploit the RCE flaw. However, it’s unclear whether other threat actors have hijacked webshells installed by other hacking groups, rather than a direct exploit of their own.

After the webshell was deployed, ESET also observed attackers attempting to install additional malware and, in some instances, organizations were targeted more than once.

Microsoft is also aware of these hacking groups attempting to leverage the flaws to implant ransomware and other malware designed to disrupt business continuity.

Data found small- to medium-sized organizations are those most commonly using the servers targeted by these attacks. But some larger entities have also been targeted, as well. The exploits are being considered a broad attack, and patching must be prioritized.

The tech giant previously released a scanning tool to help entities find all indicators of compromise (IOC) associated with these exploits. The IOC tool can be used to  identify suspected malware and to determine whether an enterprise network has been compromised through an Exchange exploit.

Microsoft noted that the tool is updated in real-time, allowing for current threats to be detected.

In light of the current threat landscape and continued targeting of the healthcare sector, entities should prioritize patching these flaws and review previous ransomware guidance to ensure their networks are secured.

“Multiple APTs have access to the exploit and some even did so prior to the patch release,” ESET researchers wrote. “It’s still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.”

“Even those not directly exposed to the internet should be patched because an attacker with low, or unprivileged, access to your LAN can trivially exploit these vulnerabilities to raise their privileges, while compromising an internal (and probably more sensitive) Exchange server, and then move laterally from it,” they concluded.