Hackers Exploit Exchange Flaws to Target Local Governments
FireEye, Other Security Firms Detect Activity
Hackers have targeted units of local government in the U.S. by attempting to exploit unpatched vulnerabilities in Microsoft Exchange email servers, according to a new report by the security firm FireEye.
While Microsoft has said that a Chinese-linked hacking group that has been exploiting the vulnerabilities in Exchange is known to target infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and nongovernment organizations, FireEye analysts note that other groups appear to have set their sights on local government networks.
"Based on our telemetry, we have identified an array of affected victims, including U.S.-based retailers, local governments, a university and an engineering firm. Related activity may also include a Southeast Asian government and Central Asian telecom," according to the FireEye report.
Earlier this week, Microsoft issued a security update about patching four vulnerabilities in Exchange servers that the company says have been under attack by a Chinese hacking group it calls Hafnium. Microsoft called the attacks related to the flaws "limited and targeted," but other security researchers have seen upticks in hacking activity (see: Microsoft Patches Four Zero-Day Flaws in Exchange).
The Microsoft alert prompted the Cybersecurity and Infrastructure Security Agency to issue an emergency directive on Wednesday ordering federal agencies to investigate compromises and immediately apply patches.
On Thursday, national security adviser Jake Sullivan noted on social media that the White House was monitoring the progress made by federal agencies to patch and mitigate the flaws in Exchange servers.
"We are closely tracking Microsoft's emergency patch for previously unknown vulnerabilities in Exchange Server software and reports of potential compromises of U.S. think tanks and defense industrial base entities. We encourage network owners to patch ASAP: https://t.co/Q2K4DYWQud" - Jake Sullivan (@JakeSullivan46), March 5, 2021
On Friday, Reuters reported that a U.S. investigation has found that some 20,000 organizations may have been compromised by these Exchange vulnerabilities. In addition, Microsoft released an updated script for Exchange customers that can scan log files for indicators of compromise related to this malicious activity.
Since Microsoft sent out its alert Tuesday, security researchers at FireEye and other firms have noticed an uptick in activity, including scanning for vulnerable Exchange email servers. Steven Adair, CEO and founder of security firm Volexity, notes that multiple Chinese advanced persistent threat groups have picked up on these bugs.
Security firm ESET also found that three hacking groups were attempting to exploit the vulnerabilities. Its researchers have detected activity in the U.S. as well as Europe, Asia and the Middle East.
In its report, FireEye notes that the company's Mandiant Managed Defense group first noticed malicious activity in January, when a hacker attempted to plant web shells on the file system of a Microsoft Exchange server within a network belonging to one of the company's customers.
This web shell was written by a process associated with Microsoft Exchange Server's Unified Messaging service and appeared to exploit a vulnerability that Microsoft identified this week as CVE-2021-26858, which is listed as a post-authentication arbitrary file write bug, FireEye notes.
Later, the same attacker tried to plant a second web shell that could run arbitrary commands as well as upload, delete and view the contents of files, the report notes.
"While the use of web shells is common among threat actors, the parent processes, timing and victim(s) of these files clearly indicate activity commenced with the abuse of Microsoft Exchange," the FireEye analysts say.
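The parent-process reasoning in that quote can be turned into a simple triage check. The following is an added example, not code from the FireEye report or from Microsoft's scanning script: it runs over constructed file-creation events, and the process names, paths and the log line format are assumptions.

```python
from dataclasses import dataclass
from typing import List

# Assumption: Exchange-associated process names whose creation of a
# web-executable file is worth triage (the Unified Messaging worker and
# the IIS worker that serves Exchange's web front end).
EXCHANGE_PROCESSES = {"umworkerprocess.exe", "w3wp.exe"}
# File types a web server will execute if dropped into a served directory.
WEB_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")

# Constructed file-creation events in a made-up "<time>|<process>|<path>"
# format; these are not real telemetry from the report.
SAMPLE_EVENTS = """\
2021-03-02T03:14:07Z|UMWorkerProcess.exe|C:\\inetpub\\wwwroot\\aspnet_client\\help.aspx
2021-03-02T03:14:09Z|w3wp.exe|C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorFE.aspx
2021-03-02T03:15:00Z|MSExchangeMailboxReplication.exe|C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\mrs.log
2021-03-02T03:16:00Z|notepad.exe|C:\\Users\\admin\\notes.txt
2021-03-02T03:17:00Z|UMWorkerProcess.exe|C:\\Program Files\\Microsoft\\Exchange Server\\V15\\UnifiedMessaging\\voicemail\\msg.wav
"""

@dataclass(frozen=True)
class FileEvent:
    timestamp: str
    process: str
    path: str

def parse_event(line: str) -> FileEvent:
    """Split one constructed log line into its three fields."""
    timestamp, process, path = line.split("|", 2)
    return FileEvent(timestamp.strip(), process.strip(), path.strip())

def is_webshell_drop(event: FileEvent) -> bool:
    """True when an Exchange process creates a web-executable file.

    Exchange's runtime code paths have no reason to emit .aspx/.asp files;
    a patch or cumulative-update install can, so a hit is a triage signal
    to correlate with update timing, not proof of compromise on its own.
    """
    process_hit = event.process.lower() in EXCHANGE_PROCESSES
    extension_hit = event.path.lower().endswith(WEB_EXTENSIONS)
    return process_hit and extension_hit

def scan(log_text: str) -> List[FileEvent]:
    """Return the events in log_text matching the web shell drop pattern."""
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if is_webshell_drop(e)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.timestamp} {hit.process} wrote {hit.path}")
```

On the constructed sample the scan flags the two .aspx writes and ignores the log, text and voicemail files.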
In March, FireEye noted similar activity in another network, with hackers attempting to exploit several of the Exchange vulnerabilities to plant web shells that would give the attackers persistence within the infrastructure and allow for secondary access. One of the files used in this attack contained a similar signature to the "China Chopper" web shell, which has been previously associated with Chinese threat groups.
Smaller local government agencies are more vulnerable to these types of attacks because many don't upgrade to newer systems or software as fast as larger organizations, says Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council.
"Small local governments have more difficulty in prioritizing vulnerability management and taking rapid action, because of understaffing in information technology support, a persistent attitude that they are too insignificant to be targeted and the prevailing narrative that this is nation-state espionage and not criminal activity," says Hamilton, now the CISO of CI Security. "As criminal groups are moving quickly to take advantage of unpatched systems, what was espionage will quickly turn to extortion - no matter how small the target."
On Thursday, CISA updated its warning about the four vulnerabilities in Exchange servers, noting that scanning activity had picked up over the last several days. It stressed that federal agencies and private firms should apply patches or disconnect internet-facing systems until the bugs are fixed.
"CISA is aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers," the Thursday alert notes. "This particular type of attack is scriptable, allowing attackers to easily exploit vulnerabilities through automated mechanisms. CISA advises all entities to patch as soon as possible to avoid being compromised."
Microsoft and CISA have identified the following versions of Exchange as vulnerable, along with the service pack (SP), cumulative update (CU) or update rollup (RU) level a server must be on before the security update can be installed:
- Exchange Server 2010: Update requires SP 3 or any SP 3 RU;
- Exchange Server 2013: Update requires CU 23;
- Exchange Server 2016: Update requires CU 19 or CU 18;
- Exchange Server 2019: Update requires CU 8 or CU 7.
Attackers Seek Out Unpatched Servers
Kevin Beaumont, a senior threat intelligence analyst at Microsoft, has noted that honeypots have picked up additional scanning activity over the past several days, with attackers looking for unpatched or vulnerable Exchange servers.
"MailPot is now picking up new activity - not exploitation, but somebody scanning for already exploited Exchange servers with backdoor webshells installed. pic.twitter.com/J0bjPqrAOw" - Kevin Beaumont (@GossiTheDog), March 3, 2021
Security researchers, including those at Kaspersky, warn that attackers could exploit Exchange vulnerabilities to plant malware, such as ransomware, as well as exfiltrate data.
Editor's Note: This article was updated to include details about the number of organizations impacted and additional tools released by Microsoft for customers.