Mass-Hack Spiraling Out of Control
A critical vulnerability in Microsoft software has turned into a nightmare for organizations around the world. The flaw allows attackers to remotely access organizations’ reachable email Exchange servers, without any valid account credentials. If successfully exploited, the vulnerability would allow an unauthenticated attacker to write files, for example. They would also be able to execute code on the underlying Microsoft Windows operating system. Researchers at cybersecurity company ESET, who have been monitoring the incident closely, said they have detected webshells for these exploits on more than 5,000 email servers. A timeline of events shows that exploitation of the flaw started in early January. This is days before a security researcher, Orange Tsai, reported the vulnerability to Microsoft on 5 January 2021. “Our analysis is based on email servers on which we found webshells in Offline Address Book (OAB) configuration files, which is a specific technique used in the exploitation of the RCE vulnerability. […] Once the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization.”
At least 10 APT Groups Exploiting Microsoft Flaw
Microsoft attributed the initial attacks to a state-sponsored hacking group operating out of China. They nicknamed the threat actor “Hafnium”. Later it became clear that multiple malicious actors were taking advantage of the Microsoft flaw. First, using the vulnerability itself. And later, by exploiting the many unpatched systems. ESET identified more than 10 different APT groups who are using the flaw to illegally gain access to email Exchange servers. Here’s an overview of the threat actors ESET researchers, Matthieu Faou, Mathieu Tartare and Thomas Dupuy, identified so far:
Tick, aka Bronze Butler, an APT group active since 2008. Mainly targets organizations in Japan, South Korea, Russia and Singapore to steal intellectual property and classified information. Exploited the Microsoft flaw on 28 February against an IT service company based in East Asia. Lucky Mouse, also known as APT27 or Emissary Panda. Uses various custom malware families to target government entities in Central Asia and the Middle East as well as international organizations. Attacked the email server of a government entity in the Middle East on 1 March. Calypso, a group with ties to XPath, targets governmental agencies in Asia, the Middle East and South America. Gained access to email servers of governmental agencies in the Middle East and South America, as well as private companies in Africa, Asia and Europe. Websiic, an apparent new cluster. ESET gave them the name Websiic, as they could not tie the group to any known threat actor. Websiic targeted seven email servers belonging to IT, telecommunications and engineering companies in Asia, and a governmental body in Eastern Europe. Winnti Group, active since 2012. They are responsible for several high-profile attacks against organizations in the healthcare, education and gaming industries. They illegally accessed the email servers of an oil company and construction company in East Asia on 2 March. Tonto Team, active since at least 2009. Focusses on organizations in Japan, Mongolia and Russia. Compromised the email servers of two Eastern European companies, a procurement company and a consulting company specialized in software development and cybersecurity. ShadowPad activity. This is not a group but a modular backdoor used by several APT groups. Starting on 3 March, ESET noticed that an unknown attacker had dropped ShadowPad on the email servers of an Asian software company and a Middle Eastern real estate firm. Opera Cobalt Strike, a series of malicious activities that started on 3 March and targeted around 650 servers, mostly in the US, the UK and several European countries. IIS backdoors. ESET observed webshells being used to install so-called IIS backdoors on email servers located in Asia and South America. They also identified two different malware families being used. Mikroceen, aka Vicious Panda, an APT group active since 2017. They mainly target government entities and telecommunication companies in Central Asia, Mongolia and Russia. Compromised the exchange server of a utility company in Central Asia on 4 March. DLTMiner. ESET detected the deployment of PowerShell downloaders on email servers that were previously targeted using the Microsoft Exchange vulnerabilities. There are similarities between this activity cluster and a previously reported cryptomining campaign.
Tens of Thousands of Organizations Affected
The number of companies affected is now rapidly running into the tens of thousands. In the US, Microsoft Exchange victims identified so far include banks, electricity providers, government entities, universities, retailers, engineering companies, senior citizen homes and an ice cream company. In Europe, the most high-profile attacks include the European Union’s banking regulator, the Norwegian parliament and two German government entities. The German Federal Office for Information Security (BSI) also said that hundreds of companies, ranging from small businesses to leading companies, contacted BSI to “seek guidance”, which is “well above the usual number”. The widespread exploitation of the vulnerability gives extra weight to the warnings authorities worldwide are issuing. Australia’s cybersecurity watchdog (ACSC), for example, urged Australian organizations to patch Microsoft Exchange software. They also confirmed that over 7,000 servers locally had been affected by the hack.