Microsoft Exchange Flaw: Attacks Surge After Code PublishedStrikes Increase After ProxyLogon Proof-of-Concept Attack Code Released
There has been a spike in web shells being detected as ransomware gangs and other attackers increasingly target vulnerable on-premises Microsoft Exchange servers following publication of proof-of-concept attack code for ProxyLogon, which is one of four zero-day flaws patched by Microsoft in early March.
A new report by security firm F-Secure says that since proof-of-concept code for exploiting the ProxyLogon flaw was first released on March 13, it has been increasingly exploited globally by criminal gangs, state-backed threat actors and script kiddies.
Malicious activity tied to such attacks includes the "Downloader.Gen" Trojan web shell, F-Secure says, noting that detections of the tool surged following the release of the proof-of-concept exploit. F-Secure says it saw increases especially in Italy, Germany, France, the United Kingdom, the United States, Belgium, Kuwait, Sweden, the Netherlands and Taiwan.
"Although it peaked last Wednesday, F-Secure continues to detect significant amounts of activity, in the tens of thousands," the report notes.
Security experts have been warning that as more security researchers release proof-of-concept attack code, criminals and others would no doubt begin to put that code to use.
"The current situation is a crisis, and despite efforts to take down the emerging ProxyLogon PoCs, or neuter them by making them less than fully functional, you can bet they will be put to use by criminals," Pieter Arntz, a malware intelligence researcher at Malwarebytes, warned on Tuesday. "This while the owners of the remaining unpatched systems are scrambling to save what they can."
Organizations: Assume You Have Been Breached
Although Microsoft has released a patch for the flaw, F-Secure notes that half of in-use on-premises Exchange servers remain unpatched. As a result, thousands of Exchange servers are at risk of potential compromise. In addition, Antti Laatikainen, senior security consultant at F-Secure, notes that patching alone does not guarantee server security because attackers could have breached networks before any updates were installed.
"Because ProxyLogon allows access to the lower layers of the server - and from there to the rest of the organization’s network - this makes an extensive series of silent network intrusions possible," F-Secure says. "These breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen. If an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now."
Therefore, Laatikainen says organizations should assume that their Exchange servers have been breached and take necessary security measures, such as deploying endpoint detection and effective network monitoring to mitigate the threat. Laatikainen recommends proceeding with urgency.
“We’re nearing the end of the period of time when we can influence how much data is stolen," he says. "There are a ton of things they [companies using Microsoft Exchange] can do manually to prevent a full disaster. I just encourage them to do them immediately. Never in the past 20 years that I’ve been in the industry has it been as justified to assume that there has been at least a digital knock at the door for every business with Exchange Outlook Web Access installed in the world. Because access is so easy, you can assume that majority of these environments have been breached."
Since the zero days were disclosed, security experts have been warning that ransomware gangs were sure to begin exploiting the flaws, including the ProxyLogon vulnerability.
If exploited, the ProxyLogon flaw, which has been designated as CVE-2021-26855, enables an attacker to bypass the authentication and impersonate an administrator. Earlier in March, Microsoft warned that attackers were exploiting the flaws in the wild (see: Microsoft Exchange: Server Attack Attempts Skyrocket).
On Friday, BleepingComputer reported that the REvil - aka Sodinokibi - ransomware-as-a-service operation had targeted Taiwanese PC-maker Acer, likely via the ProxyLogon flaw. The criminal group allegedly accessed the company's financial spreadsheets, bank balances and bank communications; leaked images of these documents; and then issued an opening ransom demand of $50 million, which is the largest sum ever known to be demanded by a ransomware group.
Earlier this month, Microsoft warned that attackers were wielding a new strain of ransomware called DearCry that's designed to exploit the ProxyLogon flaw in unpatched versions of Microsoft Exchange running on premises. It crypto-lock files and demands a ransom from victims in return for the promise of a decryption tool (see: DearCry Ransomware Targets Unpatched Exchange Servers).
When Microsoft first began releasing security updates on March 2, it warned that a Chinese APT group called Hafnium appeared to have been exploiting the flaws in recent months. But security firm ESET subsequently reported that at least 10 APT groups have been exploiting the flaws, including some before March 2.