Warning the world about a time bomb – Krebs on Security

Globally, hundreds of thousands of organizations running Microsoft’s Exchange email servers have just been hacked en masse, including at least 30,000 victims in the United States. Each hacked server was seeded with a backdoor “web shell” that gives the attackers full remote control, the ability to read all email, and easy access to the victim’s other computers. Researchers are now rushing to identify, alert and help victims and, hopefully, avert further chaos.

On March 5, KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands around the world had been hacked. The same sources who shared those figures say the list of victims has grown considerably since then, with many victims compromised by various cybercrime groups.

Security experts are now trying to alert and assist these victims before malicious hackers launch what many call “Stage 2”, when the attackers revisit all of these hacked servers and load them with ransomware or other additional tools to dig even deeper into the victims’ networks.

But that rescue effort has been hampered by the sheer volume of attacks on these Exchange vulnerabilities and by the number of seemingly distinct hacker groups vying for control of vulnerable systems.

A security expert who briefed federal and military advisers on the threat says that many victims appear to have more than one type of backdoor installed. Some victims had three of these web shells installed; one was hit with eight distinct backdoors. This initially produced a large over-count of potential victims and required a great deal of deduplication across the various victim lists.

The source, who spoke on condition of anonymity, said many in the cybersecurity community recently saw a huge spike in attacks on thousands of Exchange servers, which was later linked to a for-profit cybercriminal group.

“What we thought was Stage 2 was actually a criminal group hijacking about 10,000 Exchange servers,” said a source who briefed U.S. national security advisers on the outbreak.

On March 2, when Microsoft released updates to fix the four Exchange flaws under attack, it attributed the hacking activity to a previously unidentified Chinese cyber-espionage group it called “Hafnium”. Microsoft said Hafnium had been using the Exchange flaws to conduct a series of low-and-slow attacks against specific strategic targets, such as non-governmental organizations (NGOs) and think tanks.

But on February 26, this relatively stealthy activity turned into indiscriminate mass exploitation of all vulnerable Exchange servers. This means that even Exchange users who patched the same day Microsoft released its security updates may have had their servers seeded with backdoors.

Many experts who spoke to KrebsOnSecurity said they believe the various cybercriminal groups somehow learned of Microsoft’s plans to release fixes for the Exchange flaws a week earlier than expected (Microsoft had originally targeted today, Patch Tuesday, as the release date).

Vulnerability scanning activity also increased significantly after Microsoft released its updates on March 2. Security researchers like to pick apart patches for clues to the underlying security flaws, and one of the main concerns is that several cybercriminal groups may have already figured out how to exploit the flaws independently.

AVERTING MASS-RANSOMWARE

Security experts are now desperately trying to reach tens of thousands of victim organizations with a single message: Whether you have already patched or have already been hacked, back up all data stored on these servers immediately.

All the sources I spoke to about this incident say they expect profit-motivated cybercriminals to attack victims by deploying ransomware en masse. Given that so many groups now have backdoor web shells installed, it would be trivial to drop ransomware on all of them at once. In addition, a compromised Exchange server can serve as a virtual doorway into the rest of the victim’s network.

“With the number of different threat actors dropping [web] shells on servers increasing, ransomware is inevitable,” said Allison Nixon, director of research at Unit221B, a cyber research firm based in New York City.

So far, there are no signs that the victims of this mass hack are being ransomed. But that could change if the exploit code used to hack these vulnerable Exchange servers becomes public. And no one I interviewed seems to think the working exploit code will remain unpublished for much longer.

When that happens, the exploits will be bundled into publicly available exploit testing kits, making it easy for any attacker to find and compromise a sizeable number of victims who have not yet patched.

CHECK MY OWA

Nixon is part of a group of security industry leaders who are contributing data and time to a new online victim notification platform called Check My OWA (OWA stands for Outlook Web Access, the Internet-facing web component of Exchange Server machines).

Checkmyowa.unit221b.com checks whether your Exchange Server domain has appeared in known attack logs or lists of compromised domains.

It might be more accurate to call it a self-service notification service hosted on Unit221B’s own website. Enter an email address at Check My OWA, and if that address’s domain matches the domain name of a known victim organization, the email address will receive a notice.

“Our goal is to motivate people who we would never have been able to contact otherwise,” said Nixon. “My hope is that if this website can be made public, then there is a chance that some victim companies will be notified and take action or manage to obtain

If the email’s domain name (anything to the right of the @ sign) is found in its database, the site will send that user an email stating that it has seen the email domain on a list of targeted domains.

“Malicious actors were able to successfully compromise, and some of this information suggested that they may have been able to install a webshell on an Exchange server associated with this domain,” reads one of the messages to victims. “It is highly recommended to save an offline backup of Exchange server emails immediately and consult the website for additional information on remediation.”

“We noticed that your email domain appears on our list of domains that malicious agents have successfully compromised, and some of this information has suggested that they may have been able to install a webshell on an Exchange server associated with this domain,” reads another message the site can return.

Nixon said Exchange users can avoid a potentially scary scenario if they back up all affected systems now. And given the number of adversaries currently attacking unpatched Exchange systems, there is almost no way this does not end in disaster for at least some victims.

“There are researchers working on honeypots to [attract] attacks from different groups, and these honeypots are being bombed left and right,” she said. “The sooner they can perform a backup, the better. This can help prevent a lot of headaches.”

Oh, and one more important thing: keep all backups disconnected from everything. Ransomware tends to infect everything it can reach, so make sure that at least one backup is stored completely offline.

“Just disconnect them from a computer, put them in a safe place and pray that you don’t need them,” said Nixon.

Tags: Allison Nixon, Check My OWA, Unit221B

This entry was posted on Tuesday, March 9th, 2021 at 4:04 pm and is filed under The Coming Storm, Time to Patch.