Multiple Cyberspy Groups Target Microsoft Exchange Servers via Zero-Day Flaws
Security researchers warn that multiple cyber-espionage groups are targeting the recently addressed zero-day vulnerabilities in Microsoft Exchange Server and say that more than 300 web shells have been identified on the compromised servers.
The issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which Microsoft addressed this week, were being abused as part of an attack chain that allowed for remote execution of arbitrary code.
Microsoft said that state-sponsored Chinese hacking group HAFNIUM has been exploiting the vulnerabilities “in limited targeted attacks,” but new details shared by various security firms suggest broader targeting.
“ESET telemetry shows that (at least) CVE-2021-26855 is actively exploited in the wild by several cyber-espionage groups. Among them, we identified LuckyMouse, Tick, Calypso, and a few additional yet-unclassified clusters,” ESET said on Twitter.
The company also revealed that, while most of the targets are located in the United States, attacks against servers in Europe, Asia and the Middle East have been identified as well. The assaults were aimed at government organizations, law firms, medical facilities, and private companies.
Organizations can determine whether they might have been compromised by looking in C:\inetpub\wwwroot\aspnet_client\system_web\ for aspx files with names such as shell, supp0rt, aspnet, aspnet_client, and others, or for random filenames in the system_web subdirectory.
Managed detection and response (MDR) solutions provider Huntress says it has already observed more than 200 compromised Exchange Servers that received payloads within the “C:\inetpub\wwwroot\aspnet_client\system_web” directory, and claims to have identified more than 350 web shells to date.
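The check described above, as an added triage script written for this page (not ESET's or Huntress's tooling): it enumerates every .aspx file under the directory the article names and grades each one. It assumes a clean Exchange install places no .aspx files under system_web, uses the file names the article cites, and adds a constructed heuristic for random-looking names plus a small set of code patterns common to ASP.NET web shells.

```powershell
# Added triage script; assumption: a clean Exchange install has no .aspx files
# under system_web, so every hit is worth reviewing, not deleting.
param(
    [string]$Path = 'C:\inetpub\wwwroot\aspnet_client\system_web'
)

# File names the article reports on compromised servers.
$KnownNames = @('shell', 'supp0rt', 'aspnet', 'aspnet_client')
# Constructed heuristic for "random" names: mixed letters and digits, no separators.
$RandomName = '^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{6,}$'
# Constructs typical of ASP.NET web shells (request parameter fed to an executor).
$ShellPatterns = @(
    'Request\.(Item|Form|QueryString)\[',
    'runat="server"',
    'Process\.Start|cmd\.exe|PowerShell',
    'Reflection\.Assembly::Load'
)

if (-not (Test-Path $Path)) {
    Write-Warning "Directory not present: $Path"
    return
}

$Hits = Get-ChildItem -Path $Path -Filter '*.aspx' -File -Recurse -Force | ForEach-Object {
    $base = $_.BaseName
    $reason = 'unexpected .aspx in system_web'
    if ($base -match $RandomName)     { $reason = 'random-looking name' }
    if ($KnownNames -contains $base)  { $reason = 'known web shell name' }
    $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
    $matched = $ShellPatterns | Where-Object { $content -match $_ }
    [pscustomobject]@{
        File        = $_.FullName
        SizeBytes   = $_.Length
        CreatedUtc  = $_.CreationTimeUtc   # compare with patch/exploit timeline
        ModifiedUtc = $_.LastWriteTimeUtc
        SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Reason      = $reason
        CodeSignals = ($matched -join '; ')
    }
}

if ($Hits) {
    $Hits | Sort-Object CreatedUtc | Format-Table -AutoSize
    Write-Host "$(@($Hits).Count) suspicious .aspx file(s); preserve them and the IIS logs before remediation."
} else {
    Write-Host "No .aspx files found under $Path."
}
```

Run it as an administrator on the Exchange server itself; the SHA256 values it prints are what you would compare against published indicators or submit to your incident response team.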
An analysis of approximately 2,000 Exchange servers has revealed that roughly 400 of them were vulnerable, with an additional 100 potentially vulnerable, Huntress reveals.
The targeted organizations, the security firm says, include “small hotels, an ice cream company, a kitchen appliance manufacturer, multiple senior citizen communities and other ‘less than sexy’ mid-market businesses. We’ve also witnessed many city and county government victims, healthcare providers, banks/financial institutions, and several residential electricity providers.”
The large number of identified web shells, Huntress points out, suggests that multiple uncoordinated actors might have been involved in exploitation, or that automated deployment tools were used. The attacks were also able to bypass installed antivirus and EDR solutions.
“These attacks are grave due to the fact that every organization simply has to have email, and Microsoft Exchange is so widely used. These servers are typically publicly accessible on the open internet and they can be exploited remotely. These vulnerabilities can be leveraged to gain remote code execution and fully compromise the target,” Huntress also notes.
Given the critical nature of these vulnerabilities, organizations are advised to apply the available patches as soon as possible.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on these vulnerabilities, and the Department of Homeland Security (DHS) has issued an emergency directive requiring agencies to look for indicators of compromise (IOCs) and either perform forensic investigations where compromise has been identified or apply the available patches where no IOCs were found.
Someone Is Hacking Cybercrime Forums and Leaking User Data
Since the beginning of this year, an unknown threat actor has been hacking cybercrime forums and leaking user data publicly or offering it for sale.
At least four such forums have been breached to date, namely Verified in January, Crdclub in February, and Exploit and Maza in March. All are predominantly Russian-language forums, and their breaches were disclosed publicly elsewhere.
Intelligence firm Intel 471, which has been closely following the hacks, says that, while the identity of the actor behind the attacks is unknown, the public nature of the attacks eliminates the possibility of a law enforcement operation.
In January, a threat actor announced on underground forum Raid Forums that they breached Verified, an established Russian-language cybercrime forum. The adversary said they had Verified’s entire database, containing details on all registered users, including private messages, posts, threads, and hashed passwords.
The hacker, who apparently was able to transfer $150,000 worth of cryptocurrency out of Verified’s wallet, was offering the database for $100,000.
In February, the administrator account of the cybercrime forum Crdclub was hacked, which allowed the threat actor behind the compromise to lure forum customers into using a fraudulent money transfer service and divert an unknown amount of money from the forum.
This week, both the Exploit and Maza underground forums were hacked. The attacker apparently gained secure shell (SSH) access to an Exploit proxy server used for distributed denial-of-service (DDoS) protection and also attempted to dump network traffic.
“Users on the Exploit forum are discussing moving away from using emails to register on forums as recent disruption efforts may have increased exposure of their online activities. Others are claiming that the database leaked by the attackers is either old or incomplete,” threat intelligence company Flashpoint notes.
Maza, an invite-only cybercrime forum active since 2003, was displaying a data breach notification on March 3, most likely the work of the hacker who managed to take over the forum.
A PDF file accompanying the announcement contained over 3,000 rows, including usernames, email addresses, various contact details, and partially obfuscated password hashes.
“Our initial analysis found that a portion of the leaked data correlated with our previous research findings, which confirms that at least some of Maza’s databases was breached,” Intel 471 said.
To date, no one appears to have claimed responsibility for the breaches, but the perpetrator’s actions could provide security researchers with increased visibility into who is using these cybercrime forums.
Several Cisco Products Exposed to DoS Attacks Due to Snort Vulnerability
Cisco informed customers on Wednesday that several of its products are exposed to denial-of-service (DoS) attacks due to a vulnerability in the Snort detection engine.
The flaw, tracked as CVE-2021-1285 and rated high severity, can be exploited by an unauthenticated, adjacent attacker (one on the same layer 2 domain as the victim) to cause a device to enter a DoS condition by sending it specially crafted Ethernet frames.
Cisco says the vulnerability is in the Ethernet Frame Decoder component of Snort. The issue impacts all versions of the popular open-source intrusion prevention and intrusion detection system (IPS/IDS) prior to 2.9.17, which contains a patch.
CVE-2021-1285 has been found to impact Integrated Services Router (ISR), Catalyst Edge software and platform, and 1000v series Cloud Services Router products. These devices are affected if they are running a vulnerable version of Cisco UTD Snort IPS engine software for IOS XE or Cisco UTD Engine for IOS XE SD-WAN, and they are configured to pass Ethernet frames to Snort.
Cisco says the vulnerability is related to a Firepower Threat Defense (FTD) issue patched in October 2020.
The vulnerability was found during the resolution of a support case and there is no evidence that it has been exploited in malicious attacks.
Cisco on Wednesday also published advisories for a dozen other vulnerabilities, which have been assigned a medium severity rating. These impact Webex, SD-WAN, ASR, Network Services Orchestrator, IP phones, and Email Security Appliance products, and they can lead to information disclosure, path traversal, authorization bypass, DoS attacks, privilege escalation, and SQL injection.