Cyber Defence Report - March 2021

It’s hard to think what I was going to write in this month’s blog regarding the largest cyber-attack ever to happen, only to be superseded this week by one that is even more immense!

I will tell you all about the second biggest next month, but for now I need your attention on the latest threat…

Threat intelligence provider recorded future report…

There is an ongoing mass exploitation campaign targeting on-site Microsoft Exchange email servers, which has expanded in less than a week to include attacks from multiple nation-state hacking groups and cyber-crime operations alike.

The attacks were first disclosed last week by Microsoft and are related to four vulnerabilities that security researchers are calling ProxyLogon. The four bugs can be linked together to provide attackers with a way to authenticate on Exchange servers as an admin user, and then install malicious programs.

Microsoft initially planned to fix the two issues during March 2021 Patch Tuesday, but in parallel with the initial bug report, two security firms (Volexity and Dubex) began detecting attacks against their customers, using mysterious Exchange vulnerabilities, which they reported to Microsoft.

When the OS maker connected the reported attacks with the ProxyLogon bug reports, Microsoft responded last Tuesday by releasing emergency security patches for Exchange servers, urging companies across the world to patch their on-premise email servers.

At the time, Microsoft said that initial attacks exploiting these four vulnerabilities were being carried out by a new hacking group, the company was tracking as Hafnium, a group the company formally linked to the Chinese government, based on previously observed activity.

But as news of the attacks and the severity of the four vulnerabilities began to spread, so did the attacks.

By Friday 5 March, several security firms came out to confirm not only Hafnium attacks, but also a free-for-all against Exchange servers, with exploitation attempts originating from separate clusters of activity. For example, ESET reported attacks from the LuckyMouse, Tick, and Calypso APTs, but also “a few additional yet-unclassified clusters.” FireEye also reported seeing attacks from three different clusters, the company was tracking as UNC2639, UNC2640, and UNC2643.

Furthermore, security firm Red Canary also reported seeing activity originating from the cyber-crime sector, with one group using the Exchange flaws to install webshells on infected servers, and then install the DLTminer malware.

But while attacks at the start of last week were limited to one group, reports from Wired and KrebsOnSecurity on Friday confirmed that the ever-increasing number of attackers had moved into indiscriminate mass-exploitation against any Exchange servers left connected to the internet without a patch, with the number of hacked servers being estimated in the realm of “astronomical” and tens of thousands, per US government sources.

CyberGuard’s Incident Response team has responded to 49… yes 49 compromised Exchange servers since Friday.

If you run an on-site Exchange server and didn’t patch before Friday 5 March, then there is a possibility you have been compromised.

There are a number of security teams around the globe that are all coming together to identify and help victims, and CyberGuard is no different.

Compromise script – if you are not sure if you have been compromised, then there is a script available that will look through your Exchange servers’ logs and identify key events which have been deemed suspicious and potentially related to exploitation of the server, further investigation of these events is recommended.

Clean up script – there is a tool available which will look for possible artefacts and webshells which have been dropped onto an exploited server and try and remediate this for you. As a best course of action, if you have been exploited, then we would recommend restoring to a date prior to this event occurring.

Threat intel – we have collected from various sources, including our own threat intel, a list of malicious files and hashes associated with this attack.

Detection rules – if you are running Azure Sentinel, Defender ATP, Carbon Black or AlienVault, we have created customised detection rules for these products and pushed them out to your instances.

We are making all of the above available on our GitHub page

One good piece of news is that due to the volume of compromised servers we have seen, there has been very little post exploit activity, which has given customers time to address the threat. I think one thing we can be sure of is, if you don’t take action now you will be speaking to CyberGuard’s IR team shortly.

In other news…

VMware has released security updates to address a remote code execution vulnerability and a server side request forgery vulnerability, affecting VMWare vCenter Server and Client (CVE-2021-21972 and VE-2021-21973). In addition, a security update is available to address a heap overflow vulnerability affecting ESXi OpenSLP (CVE-2021-21974). This has a CVE score of 10.

And finally, ending on a positive note, a number of affiliates and supporters of the Egregor ransomware cyber-crime gang were arrested last week in a joint French-Ukrainian law enforcement sting, according to radio station France Inter, who first broke the story.

At the same time, much of the ransomware’s infrastructure also appears to have been taken offline, possibly as a result of hosting difficulties, according to Computer Weekly. Hopefully we will have some more news on this in next month’s report.

Stay safe