ESET researchers have reported more than ten different Advanced Persistent Threat (APT) groups exploiting the recently patched vulnerabilities in Microsoft Exchange Server to attack mail servers. More than 5,000 mail servers have been identified as affected by this malicious activity. The attacks hit corporate and government servers worldwide, including several well-known organizations such as the European Banking Authority. It follows that the threat is not limited to the Hafnium group that Microsoft reported first.
In early March, Microsoft released security patches for Exchange Server 2013, 2016 and 2019 to address a chain of pre-authentication remote code execution (RCE) vulnerabilities. These vulnerabilities allow an attacker to take control of a reachable Exchange server without valid account credentials, which makes servers exposed to the Internet particularly at risk.
“The day after the fixes were released, we noticed many more threat actors attacking Exchange servers on a massive scale than before, and interestingly, all of them are APT groups that specialize in espionage, except for one that appears to be related to a known coin-mining campaign. Sooner or later, even more threat actors, including ransomware groups, will have access to the exploits for these vulnerabilities,” explained Matthieu Faou, who leads ESET’s research into the Exchange vulnerability chain. ESET researchers observed that some APT groups had begun exploiting the vulnerabilities before the patches were released. “Based on this, we can rule out the possibility that these groups built an exploit by reverse engineering Microsoft’s updates,” Faou added.
ESET telemetry has detected webshells, that is, malicious scripts that allow an attacker to control the server remotely through a browser, on more than 5,000 unique servers in more than 115 countries.
Hourly ESET detections of webshells dropped via the Exchange vulnerability CVE-2021-26855
Distribution of webshell detections by country (28 February to 9 March 2021)
More than ten different threat groups have been identified that are believed to be exploiting the recently disclosed Microsoft Exchange RCE vulnerabilities to install malicious code such as webshells and backdoors on victims’ mail servers. In some cases, several groups attacked the same organization at the same time.
Here are the identified groups and their observed behaviour:
- LuckyMouse – compromised the mail server of a government agency in the Middle East. The APT group probably used a zero-day exploit, at least one day before the fixes were published.
- Calypso – compromised government mail servers in the Middle East and South America. The group probably had access to the exploit as a zero-day. In the following days, Calypso operators targeted servers of other government organizations and private companies in Africa, Asia and Europe.
- Websiic – attacked the mail servers of seven private companies in Asia (IT, telecommunications and engineering) and a government agency in Eastern Europe. ESET named this new activity cluster Websiic.
- Tonto Team – compromised the mail servers of a procurement company and a software development and cybersecurity consulting firm in Eastern Europe.
- ShadowPad activity – compromised the mail servers of a software development company based in Asia and a real estate company based in the Middle East. ESET detected a variant of the ShadowPad backdoor dropped by an unknown group.
- “Opera” Cobalt Strike – attacked about 650 servers, mostly in the United States, Germany, the United Kingdom and other European countries, just hours after the fixes were released.
- IIS backdoors – ESET detected IIS backdoors installed via webshells on four mail servers in Asia and South America. One of the backdoors is known as Owlproxy.
- DLTMiner – ESET detected PowerShell downloaders being installed on several mail servers that had previously been exploited via the Exchange vulnerabilities. The network infrastructure used in this attack is linked to a previously reported coin-mining campaign.
- Tick – compromised the web server of a company based in East Asia that provides IT services. As with LuckyMouse and Calypso, the group probably had access to an exploit before the security patches were released.
- Winnti Group – compromised the mail servers of an oil company and a construction equipment company in Asia. The group probably had access to an exploit before the fixes were published.
- Mikroceen – compromised the mail server of a utility company in Central Asia, the region most targeted by this group.
“It is now clear that all Exchange servers need to be patched immediately. This is true even for servers that are not directly exposed to the Internet. In the event of a compromise, administrators must remove the webshells, change credentials and run a full scan for any further malicious activity. This case is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be exposed to the Internet,” Faou said.
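The webshells described above are small ASP.NET files dropped into directories that IIS serves for Exchange, so the first step of the clean-up Faou recommends is finding them. The script below is an added example, not ESET's or Microsoft's code: it walks a web root and flags any executable web file that pairs an attacker-controlled input (the ASP.NET Request object) with a sink that turns that input into code or commands (eval, process creation, reflection). The sample tree it builds, the file names in it and the one-line "eval the request parameter" shell are all constructed for the demonstration; the detection heuristic and the hash/timestamp reporting are the part a practitioner would reuse.

```python
"""
Added example (not ESET's or Microsoft's code): a content-based hunt for
webshell-like ASP.NET files under the directories Exchange exposes via IIS.
Everything below, including the sample files, is constructed for illustration.
"""
import hashlib
import os
import re
import sys
import tempfile
from datetime import datetime, timezone

# File types IIS hands to the ASP.NET runtime; a dropped webshell uses one of these.
WEB_EXTS = {".aspx", ".ashx", ".asmx"}

# A webshell needs an input source (attacker data arriving in the HTTP request) ...
SOURCE_RE = re.compile(r"\bRequest\s*(?:\.|\[)", re.IGNORECASE)

# ... and a sink that turns that data into code or commands.
SINK_RES = {
    "eval": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "process_start": re.compile(r"Process\.Start|ProcessStartInfo", re.IGNORECASE),
    "shell_binary": re.compile(r"cmd\.exe|powershell", re.IGNORECASE),
    "reflection": re.compile(r"Assembly\.Load|System\.Reflection", re.IGNORECASE),
    "unsafe_eval": re.compile(r"\"unsafe\""),  # JScript eval(..., "unsafe") pattern
}


def scan_file(path):
    """Return a finding dict if the file pairs a request source with a sink, else None."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    text = data.decode("utf-8", errors="ignore")
    sinks = sorted(name for name, rx in SINK_RES.items() if rx.search(text))
    if not sinks or not SOURCE_RE.search(text):
        return None
    st = os.stat(path)
    return {
        "path": path,
        "sha256": hashlib.sha256(data).hexdigest(),  # for sharing/blocking the sample
        "size": st.st_size,
        "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
        "sinks": sinks,
    }


def scan_tree(root):
    """Walk root and return findings for every executable web file that looks like a shell."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WEB_EXTS:
                hit = scan_file(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample tree (hypothetical file names) mirroring the kind of IIS paths
# under which webshells were dropped during the Exchange campaign.
SAMPLE_FILES = {
    os.path.join("aspnet_client", "system_web", "log.aspx"):
        '<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>',
    os.path.join("owa", "auth", "logon.aspx"):
        '<%@ Page Language="C#" %><html><body>Outlook Web App</body></html>',
    os.path.join("owa", "auth", "redir.aspx"):            # source but no sink: benign
        '<%@ Page Language="C#" %><% string u = Request.QueryString["url"]; %>',
    os.path.join("ecp", "help.txt"):                      # shell text, but not executable
        'eval(Request.Item["x"])',
}


def make_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a temp dir and return what the scanner flags there."""
    root = tempfile.mkdtemp(prefix="exchange_hunt_")
    make_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    # Usage: python hunt.py <web root>   (no argument: run against the constructed sample)
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for h in hits:
        print(f"{h['mtime']}  {h['sha256'][:16]}  {h['path']}  sinks={','.join(h['sinks'])}")
```

On a real server this would be pointed at the IIS web roots Exchange uses (the aspnet_client and owa\auth directories are where the reported webshells were commonly dropped) and the results compared against a known-good installation. The source-plus-sink heuristic catches the plain one-liner shells seen in this campaign but will miss obfuscated or encoded variants, so it complements, rather than replaces, hash-based indicators and a full incident investigation.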