According to cybersecurity firm ESET, at least 10 sophisticated hacking groups are leveraging the four Microsoft Exchange Server vulnerabilities exploited by alleged Chinese hackers to compromise email servers on their own.
This illustrates the importance to update and patch systems immediately, the Sovak company said in a Wednesday blog post.
The company conducted its own investigation and published its research on the vulnerabilities and hacking campaign allegedly carried out by a malicious Chinese group that exploits four soft points in on-premises versions of Microsoft Exchange Server, which facilitates access to email accounts and allowed installation of additional malware for long-term access.
The number of victims has yet to be disclosed, but reports suggest that at least 30,000 organizations have been compromised, with sectors including government, defense, corporate, health care and higher education.
The group, which Microsoft calls Hafnium, first gains access to an Exchange Server either with stolen passwords or by using the vulnerabilities to disguise itself as a legitimate user. Then, the group creates web shells to control the compromised server remotely. Lastly, it uses that remote access from U.S.-based private servers to steal data.
However, it’s not just Hafnium exploiting these vulnerabilities, according to ESET, which says it has identified more than 10 different threat actors “that likely leveraged the recent Microsoft Exchange RCE in order to install implants on victims’ email servers.”
Our analysis is based on email servers on which we found webshells in Offline Address Book (OAB) configuration files, which is a specific technique used in the exploitation of the RCE vulnerability and has already been detailed in a Unit 42 blogpost. Unfortunately, we cannot discount the possibility that some threat actors might have hijacked the webshells dropped by other groups rather than directly using the exploit.
Once the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization.
According to ESET, victims of these 10 hacking groups include a range of government entities, private companies, software developers, cybersecurity firms and other email servers in in the U.S., Europe, Asia and the Middle East.
If vulnerable organizations haven’t yet applied Microsoft’s patch, they need to do so immediately, according to ESET.
It is now clearly beyond prime time to patch all Exchange servers as soon as possible (see Microsoft guidance and apply special care in following the steps in the “About installation of these updates” section). Even those not directly exposed to the internet should be patched because an attacker with low, or unprivileged, access to your LAN can trivially exploit these vulnerabilities to raise their privileges while compromising an internal (and probably more sensitive) Exchange server, and then move laterally from it.
In case of compromise, one should remove webshells, change credentials and investigate for any additional malicious activity.
Finally, this is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet since, in case of mass exploitation, it is very hard, if not impossible, to patch in time.
Some groups have even been using the vulnerabilities before they were made public when Microsoft disclosed the attacks and released the patch. What’s unclear, however, is how these different hacking groups were made aware of the vulnerabilities.
Some may be reverse engineering the patch, while others may be recipients of information from Hafnium or other groups.
Look for indicators of compromise and patch now.