There is an unsettling mystery surrounding the 0-day attacks on Exchange servers

The phrase Zero Day can be seen on a monochrome computer screen clogged with ones and zeros.

Microsoft Exchange vulnerabilities that allow hackers to take over Exchange servers are under attack by no fewer than 10 advanced hacker groups, six of which started exploiting them before Microsoft released a patch, researchers reported Wednesday. This raises a disturbing mystery: how did so many different threat actors obtain exploits before the vulnerabilities became publicly known?

The researchers say that about 100,000 mail servers worldwide have been compromised, with those from the European Banking Authority and the Norwegian Parliament being released in the past few days. After attackers gain the ability to execute code on servers, they install web shells, which are browser-based windows that provide a means of issuing commands and executing code remotely.

When Microsoft released emergency patches on March 2, the company said the vulnerabilities were being exploited in limited, targeted attacks by a group of state-backed hackers in China known as Hafnium. On Wednesday, ESET provided an entirely different assessment. Of the 10 groups that ESET products recorded exploiting vulnerable servers, six of these APTs – short for advanced persistent threat actors – began hijacking servers while the critical vulnerabilities were still unknown to Microsoft.

It is uncommon for a so-called zero-day vulnerability to be exploited by two groups at the same time, but it does happen. A zero-day under attack by six APTs simultaneously, on the other hand, is highly unusual, if not unprecedented.

“Our ongoing research shows that not only has Hafnium been using the recent RCE vulnerability in Exchange, but that several APTs have access to the exploit, and some even before the patch was released,” ESET researchers Matthieu Faou, Mathieu Tartare and Thomas Dupuy wrote in a post on Wednesday. “It is not yet clear how the exploit was distributed, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.”

Beyond unlikely

The mystery is compounded by this: the day after Microsoft released the patches, at least three more APTs joined the fray. A day later, another joined the mix. While it is possible that these four groups reverse engineered the patches, developed weaponized exploits and deployed them at scale, that kind of work usually takes time. A 24-hour window is on the short side.

There is no clear explanation for the mass exploitation by so many different groups, leaving researchers with little choice but to speculate.

“It seems that although the exploits were originally used by Hafnium, something made them share the exploit with other groups at the time when the associated vulnerabilities were being patched by Microsoft,” Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team, told me. “This may suggest a degree of cooperation between these groups, or it may also suggest that exploits were available for sale in certain markets and the potential for them to be fixed resulted in a price drop, allowing others to acquire them as well.”

Juan Andres Guerrero-Saade, principal threat researcher at security firm SentinelOne, came to basically the same assessment.

“The idea that six groups from the same region would independently discover the same chain of vulnerabilities and develop the same exploitation is very unlikely,” he wrote in a direct message. “The simplest explanation is that there is (a) a common exploit vendor, (b) an unknown source (such as a forum) available to all of them, or (c) a common entity that organizes these different groups of hackers and provides them with the exploit to facilitate their activities (say, the Ministry of State Security of China).”

Name names

The six groups that ESET identified exploiting vulnerabilities when they were still zero days are:

  • Hafnium: The group, which Microsoft said was state-sponsored and based in China, was exploiting the vulnerabilities in early January.
  • Tick (also known as Bronze Butler and RedBaldKnight): On February 28, two days before Microsoft released patches, this group used the vulnerabilities to compromise the Web server of an East Asian IT services company. Tick has been active since 2018 and targets organizations mainly in Japan, but also in South Korea, Russia and Singapore.
  • LuckyMouse (also known as APT27 and Emissary Panda): On March 1, this cyber espionage group, known to have breached several government networks in Central Asia and the Middle East, compromised a government entity’s email server in the Middle East.
  • Calypso (with links to Xpath): On March 1, this group compromised the e-mail servers of government entities in the Middle East and South America. In the following days, it started targeting organizations in Africa, Asia and Europe. Calypso targets government organizations in these regions.
  • Web: On March 1, this APT, which ESET had never seen before, targeted mail servers belonging to seven Asian companies in the IT, telecommunications and engineering sectors and a government agency in Eastern Europe.
  • Winnti (also known as APT 41 and Barium): Just hours before Microsoft released the emergency patches on March 2, data from ESET shows this group compromising the email servers of an oil company and a construction equipment company, both based in East Asia.

ESET said it saw four other groups exploiting the vulnerabilities in the days immediately following the patch’s release by Microsoft on March 2. Two unknown groups started the next day. Two other groups, known as Tonto and Mikroceen, started on March 3 and 4, respectively.

China and beyond

Joe Slowik, senior security researcher at security firm DomainTools, published his own analysis on Wednesday and noted that three of the APTs ESET saw exploiting the vulnerabilities before the patches – Tick, Calypso and Winnti – were previously linked to hackers sponsored by the People’s Republic of China. Two other APTs ESET saw exploiting the vulnerabilities the day after the patches – Tonto and Mikroceen – also have links to the PRC, the researcher said.

Slowik produced the following timeline:


The timeline includes three exploitation clusters that security firm FireEye said have been exploiting the Exchange vulnerabilities since January. FireEye referred to the groups as UNC2639, UNC2640 and UNC2643 and did not link the clusters to any known APT or report where they were located.

Because different security companies use different names for the same threat actors, it is not clear whether the groups identified by FireEye overlap with those seen by ESET. If they are distinct, the number of threat actors that exploited the Exchange vulnerabilities before a patch was available would be even greater.

A number of organizations under siege

The APT tracking came as the FBI and the Cybersecurity and Infrastructure Security Agency issued an advisory on Wednesday saying that threat groups are exploiting organizations including local governments, academic institutions, non-governmental organizations and commercial entities in a variety of sectors, including agriculture, biotechnology, aerospace, defense, legal services, energy and pharmaceuticals.

“This targeting is consistent with previous targeting activity by Chinese cyber actors,” the advisory said. With security firm Palo Alto Networks reporting on Tuesday that some 125,000 Exchange servers worldwide were still vulnerable, the call by CISA and FBI officials for organizations to patch took on added urgency.

Both ESET and security company Red Canary saw exploited Exchange servers that were infected with DLTMiner, a piece of malware that allows attackers to mine cryptocurrency using the computing power and electricity of the infected machines. ESET, however, said it is not clear whether the actors behind these infections actually exploited the vulnerabilities themselves or simply took over servers that had already been hacked by someone else.

With so many pre-patch exploits coming from groups linked to the Chinese government, SentinelOne’s Guerrero-Saade’s hypothesis – that a PRC entity provided the exploits to several hacker groups before the patches – seems to be the simplest explanation. This theory is further supported by two other PRC-linked groups – Tonto and Mikroceen – being among the first to exploit the vulnerabilities after Microsoft’s emergency release.

Of course, it is possible that the half dozen APTs that exploited the vulnerabilities while they were still zero-days independently discovered the vulnerabilities and developed weaponized exploits. If so, it is probably a first and, hopefully, a last.
