Microsoft: Exchange Ransomware Activity 'Limited' So FarBut Further Remediation Actions Essential to Guard Against Long-Term Risks
Microsoft says ransomware activity against compromised on-premises Exchange servers remains limited, but it warns that organizations are far from out of the woods.
Organizations that have patched the four flaws in Exchange must also undertake remediation actions to ensure that webshells or other backdoors haven't been left behind, Microsoft advised in a Thursday update.
Attackers are harvesting credentials for possible use later, so even if organizations have patched their servers, long-term risks of compromise remain, the company adds. Those risks include ransomware attacks, cryptominer infiltrations or attackers moving laterally into organizations' networks.
"Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions," Microsoft's 365 Defender Threat Intelligence Team writes in a blog post. That means organizations need to ensure all backdoors are removed.
Microsoft predicts that the systems that still have backdoors will "become part of the complex cybercriminal economy where additional ransomware operators and affiliates take advantage of it."
While some of the observed deployed ransomware so far has been small-scale or buggy, more skillful groups may leverage already-stolen credentials for further attacks, Microsoft says (see: 'Black Kingdom' Ransomware Hits Unpatched Exchange Servers).
"If a server is not running in a least-privilege configuration, credential theft could provide a significant return on investment for an attacker beyond their initial access to email and data," Microsoft says.
On the Radar: Pydomer Ransomware
The ransomware family Pydomer, which had targeted Pulse Secure VPN vulnerabilities, had a late start in targeting Exchange servers, Microsoft says (see: CISA Warns Patched Pulse Secure VPNs Still Vulnerable). Its activity kicked off in earnest between March 18 and March 20, and the group dropped webshells on at least 1,500 systems. But not all of those systems were ransomed.
Pydomer dumps the memory contents of Local Security Authority Subsystem Service, or LSASS, which is a Windows process that contains local usernames and passwords. As noted by the security company Deep Instinct, LSASS dumps were a regular technique used by Trickbot (see: Is Trickbot Botnet Making a Comeback?).
"The highly privileged credentials gained from an Exchange system are likely to contain domain administrator accounts and service accounts with backup privileges, meaning these attackers could perform ransomware and exfiltration actions against the networks they compromised long after the Exchange server is patched and even enter via different means," Microsoft writes.
Attackers Displacing Attackers
Microsoft also describes an ongoing tussle among attack groups for control of compromised Exchange servers. It singles out the example of Lemon Duck, a botnet that uses compromised machines to mine cryptocurrency.
Lemon Duck doesn't drop a webshell after compromising a system. Instead, it uses fileless and shell-less methods employing direct PowerShell commands.
In one case, Lemon Duck hit a system that had a webshell placed by another group, Microsoft says. Lemon Duck then removed the access of that threat actor and then mitigated CVE-2021-26855, the server-side request forgery flaw, with a legitimate cleanup script so no one else could exploit it.
"This action prevents further exploitation of the server and removes web shells, giving Lemon Duck exclusive access to the compromised server," Microsoft writes. "This stresses the need to fully investigate systems that were exposed, even if they have been fully patched and mitigated, per traditional incident response process."
Patch, Mitigation Levels at More Than 92%
Microsoft patched the four vulnerabilities in the on-premises version of Exchange Server on March 2. Around that time, RiskIQ estimated that about 400,000 on-premises Exchange servers were vulnerable. As of Thursday, Microsoft says, more than 92%, or around 368,000, have been patched or mitigated.
Exchange servers were aggressively targeted starting around Feb. 26. Microsoft attributed the initial activity to a suspected China-based group dubbed Hafnium, but other security companies noticed as many as a half-dozen groups attacking Exchange servers prior to the patching.
Before Microsoft issued patches, The Shadowserver Foundation said it detected 68,000 distinct IPs of Exchange servers had been compromised.
That suggests that information about the vulnerabilities, which were discovered by Taiwanese penetration testing company Devcore, may have leaked. Another possibility is that the vulnerabilities may have been discovered in parallel by other groups.
Nonetheless, Microsoft is investigating whether a leak may have occurred through a partner within its Microsoft Active Protections Program (see: How Did the Exchange Server Exploit Leak?).