
Ten groups of hackers launch cyberattacks on Microsoft Exchange Server

The attack on Microsoft Exchange Server is one of the most serious cyberattacks of the recent past. Microsoft reacted quickly and issued patches, but the vulnerabilities are attracting copycats, and tens of thousands of servers still have no patches installed.

“Since the day Microsoft released the patches, we've seen more and more hackers scanning and compromising Exchange servers en masse. Interestingly, these are all Advanced Persistent Threat (APT) groups, which are notorious for espionage activities. We are sure that other groups, such as ransomware operators, will take advantage of these exploits for their own purposes and will jump on the bandwagon,” says Matthieu Faou, who leads ESET's research on this topic.

The ESET researchers also found that some APT groups were exploiting the vulnerabilities before the patches were made available. “We can therefore rule out that these groups created an exploit by reverse engineering Microsoft updates,” adds Faou.

Palo Alto Networks comes to similar conclusions. The number of unpatched Exchange servers fell sharply this week as Microsoft customers quickly installed the security updates, according to new data collected from the Palo Alto Networks Expanse platform. The rapid patching followed warnings that attackers were exploiting four zero-day vulnerabilities in the widely used email software.

The number of vulnerable servers running old versions of Exchange that cannot directly apply the recently released security patches fell by over 30%, from an estimated 125,000 to 80,000, according to Expanse Internet scans taken on March 8th and March 11th.

"I've never seen security patch rates so high for a system, let alone a system as widely used as Microsoft Exchange," said Matt Kraning, Cortex chief technology officer at Palo Alto Networks. “We urge organizations running all versions of Exchange to assume that they have been compromised before patching their systems, as we know that attackers were exploiting these zero-day vulnerabilities in the wild for at least two months before Microsoft released the patches on March 2nd.”

Palo Alto Networks used the Expanse platform to identify Internet-exposed servers running old versions of Exchange that cannot directly apply the recently released security patches for the zero-day vulnerabilities: the updates only install on specific cumulative update levels, so such servers must first be brought to a supported level before they can be patched at all.

Both the vulnerabilities themselves and the access gained by exploiting them are serious. Unsurprisingly, multiple attackers attempted, and continue to attempt, to compromise vulnerable systems before network administrators patch them. These attacks happened on an unprecedented scale.

Based on the reconstructed timeline, it is now clear that there were at least 58 days between the first known exploitation of this vulnerability on January 3rd and the release of the patch by Microsoft on March 2nd. Applying the patch is a necessary first step, but it is not enough considering how long the vulnerability has been exploited in the wild: the patch closes the entry point but does not remove access that attackers may already have gained to vulnerable systems. Organizations can refer to Unit 42's remediation guide for the steps needed to ensure that their Exchange servers have been properly secured.

In the second week after the vulnerabilities became known, initial estimates put the number of affected organizations in the tens of thousands. In terms of victim count and the estimated worldwide cost of remediation, this dwarfs the recent SolarStorm supply-chain attack. Given the importance of this event, Unit 42 published a timeline of the attack based on extensive research into currently available information and on direct experience in defending against such attacks. As the situation evolves, Unit 42 is also asking other research teams to share their findings so that the cybersecurity community can get the full picture as soon as possible.

Ongoing research shows that these vulnerabilities are being exploited by several threat groups. It is not new for highly skilled attackers to exploit fresh vulnerabilities across product ecosystems. What makes these attacks particularly insidious is the way they are carried out: the vulnerabilities are chained to bypass authentication, which gives unauthorized access to mailboxes and then enables Remote Code Execution (RCE) on the server.

Unit 42 believes that the attacks exploiting these vulnerabilities will not only continue but will also grow in scope. This is likely to translate into more diverse attacks with different motives, such as the deployment and/or distribution of ransomware. Because active attacks by various threat groups exploiting these vulnerabilities continue, it is imperative not only to patch the affected systems but also to follow the instructions that Unit 42 described in its earlier remediation blog post.

The researchers at the IT security vendor ESET have identified more than ten different APT (Advanced Persistent Threat) groups that are currently exploiting the vulnerabilities at an increasing rate to compromise email servers and gain access to company data. The threat is therefore not limited to the Chinese Hafnium group, as previously assumed. ESET identified around 5,000 corporate and government email servers compromised around the world, with Germany the country with the most targets. ESET's telemetry showed the presence of so-called webshells: malicious scripts that give an attacker remote control of a server through ordinary HTTP requests from a web browser. Installing the security updates provided by Microsoft remains mandatory.

The use of so-called endpoint detection and response solutions (EDR solutions) could have limited or prevented the theft of company data in many cases. “With the help of EDR solutions such as ESET Enterprise Inspector, administrators would have been made aware of suspicious activities at an early stage. In this way, the outflow of company data could have been registered at an early stage, despite the exploitation of the security gap, in order to prevent it through appropriate measures,” explains Michael Schröder, Security Business Strategy Manager at ESET Germany.

To assess their security status, Exchange servers should be checked for the following ESET detections:

JS/Exploit.CVE-2021-26855.Webshell.A

JS/Exploit.CVE-2021-26855.Webshell.B

ASP/Webshell

ASP/ReGeorg

Administrators are advised to look for webshells and other malicious activity and to remove them immediately; patching alone does not remove a webshell that is already in place. Credentials should be changed immediately as well.
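The hunt recommended above, as an added example that is not part of the ESET or Palo Alto Networks reports: a small Python scanner that walks the web directories where these compromises dropped their webshells and flags server-side script files by location (scripts under aspnet_client, which normally holds none) and by content (a JScript page that evaluates request input, the banner string returned by a ReGeorg tunnel page, command execution driven by request parameters). The Exchange paths, the indicator patterns and the sample files are assumptions for illustration; on a real host the same logic would run against the server's own directories and every hit is a lead for triage, not proof of compromise.

```python
"""Webshell hunt over Exchange/IIS script directories.

Added example, not code from ESET, Palo Alto Networks or Microsoft. It walks
the directories where the Exchange webshells were commonly dropped and flags
server-side script files by location and by content indicators. The default
roots, the indicator patterns and the sample tree are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

# Assumed Exchange 2013/2016/2019 layout: the front-end auth directories and the
# aspnet_client directory, which should hold no server-side scripts at all.
DEFAULT_ROOTS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
    r"C:\inetpub\wwwroot\aspnet_client",
]
SCRIPT_EXT = {".aspx", ".asp", ".ashx", ".asmx"}

# Content heuristics (assumed, not exhaustive). A hit is a lead for triage, not proof.
INDICATORS = [
    # One-line shell: eval(Request[...], "unsafe") executing whatever the request carries
    ("eval_request", re.compile(r"\beval\s*\(\s*Request\b", re.I)),
    # Server-side JScript blocks are unusual in Exchange's own C# pages
    ("jscript_runat_server", re.compile(r'<script[^>]*language\s*=\s*"?jscript"?[^>]*runat\s*=\s*"?server"?', re.I)),
    # Health-check banner written by the ReGeorg tunnel script
    ("regeorg_banner", re.compile(r"Georg says, 'All seems fine'")),
    # Process launch fed from request parameters
    ("process_start_request", re.compile(r"Process\.Start\s*\([^)]*Request", re.I)),
]


@dataclass
class Finding:
    path: str
    modified: str   # UTC mtime, useful when building the intrusion timeline
    reasons: list   # "location:..." and "content:..." tags


def scan_file(path):
    """Return the reasons a script file deserves a look (empty list if none)."""
    reasons = []
    if "aspnet_client" in (p.lower() for p in Path(path).parts):
        reasons.append("location:aspnet_client")
    data = Path(path).read_text(errors="replace")
    for name, rx in INDICATORS:
        if rx.search(data):
            reasons.append(f"content:{name}")
    return reasons


def scan_tree(roots):
    """Walk each existing root and return a Finding for every suspicious script file."""
    findings = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in SCRIPT_EXT:
                    continue
                full = os.path.join(dirpath, name)
                reasons = scan_file(full)
                if reasons:
                    mtime = datetime.fromtimestamp(os.stat(full).st_mtime, tz=timezone.utc)
                    findings.append(Finding(full, mtime.strftime("%Y-%m-%d %H:%M:%SZ"), reasons))
    return findings


def summarize(root):
    """Map each finding under root to its root-relative POSIX path, for reports and tests."""
    return {Path(f.path).relative_to(root).as_posix(): f.reasons for f in scan_tree([root])}


def build_sample_tree():
    """Constructed sample layout (not real Exchange files) so the scan can run offline."""
    root = Path(tempfile.mkdtemp(prefix="exchange-sample-"))
    samples = {
        # Legitimate-looking C# page: must not be flagged
        "FrontEnd/HttpProxy/owa/auth/logon.aspx":
            '<%@ Page Language="C#" AutoEventWireup="true" %>\n<html><body>Sign in</body></html>\n',
        # Constructed one-line JScript shell of the kind dropped in these compromises
        "FrontEnd/HttpProxy/owa/auth/help.aspx":
            '<script language="JScript" runat="server">'
            'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>\n',
        # Constructed ReGeorg-style tunnel page placed under aspnet_client
        "aspnet_client/system_web/tunnel.aspx":
            '<%@ Page Language="C#" %><% Response.Write("Georg says, \'All seems fine\'"); %>\n',
        # Script under aspnet_client with no known pattern: flagged by location alone
        "aspnet_client/system_web/error.aspx":
            '<%@ Page Language="C#" %><html><body>error</body></html>\n',
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return str(root)


if __name__ == "__main__":
    # Use the real Exchange directories when present, otherwise the constructed sample tree.
    roots = [r for r in DEFAULT_ROOTS if os.path.isdir(r)] or [build_sample_tree()]
    for f in scan_tree(roots):
        print(f"{f.modified}  {f.path}  {', '.join(f.reasons)}")
```

Run it on the Exchange server itself (or on a copy of its web directories) and review every hit together with the file's modification time and the IIS logs for that path; a shell that matches none of these patterns is still possible, so treat an empty result as "nothing obvious", not as a clean bill of health.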

"The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the Internet," advises Matthieu Faou.

APT groups and their behavioral patterns

Tick - compromised the web server of an East Asian company that provides IT services. As with LuckyMouse and Calypso, the group likely had access to an exploit before the patches were released.

LuckyMouse - infected the email server of a government agency in the Middle East. This APT group likely had an exploit at least one day before the patches were released, while the vulnerability was still a zero-day.

Calypso - attacked government email servers in the Middle East and South America. The group likely had access to the exploit while it was still a zero-day. In the days that followed, the Calypso operators attacked further government and corporate servers in Africa, Asia and Europe.

Websiic - targeted seven email servers owned by companies (IT, telecommunications, and tech) in Asia and a government agency in Eastern Europe.

Winnti Group - compromised the email servers of an oil company and a construction machinery company in Asia. The group likely had access to an exploit before the patches were released.

Tonto Team - attacked the email servers of a procurement company and a consulting firm specializing in software development and cybersecurity, both based in Eastern Europe.

ShadowPad activity - infected the email servers of a software development company in Asia and a real estate company in the Middle East. ESET discovered a variant of the ShadowPad backdoor, dropped by an as yet unidentified group.

Operation Cobalt Strike - targeted around 650 servers, mostly in the US, Germany, the UK and other European countries, just hours after the patches were released.

IIS backdoors - ESET observed IIS backdoors installed via the webshells used in these compromises on four email servers in Asia and South America. One of the backdoors is publicly known as Owlproxy.

Mikroceen - compromised the Exchange server of a utility company in Central Asia, a region typically targeted by this group.

DLTMiner - ESET discovered PowerShell downloaders on several email servers that had previously been attacked via the Exchange vulnerabilities. The network infrastructure used in this attack is linked to a previously reported coin-mining campaign.