
Emerging Threats

Handling the Microsoft Exchange Server cyber attack — why it can be worse than WannaCry

frtg · 4 min read

In recent days we have been observing massive, automated cyber attacks on a global scale. These attacks exploit recently disclosed vulnerabilities in Microsoft Exchange Server mail systems. In Italy alone, vulnerable systems could number approximately 8 000, while globally an estimated 200 000 systems are affected.

An attack of this type puts the know-how of targeted organisations at risk and, in certain cases, could prove fatal for companies already severely impacted by the Covid-19 pandemic.

The vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Vulnerable products:

  • Microsoft Exchange Server 2019
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2010

Why this attack warrants concern

Cyber security events of this impact are rarely observed. The current situation is considerably worse than the WannaCry ransomware case. In that instance, the immediate impact of the attack at least enabled affected organisations to respond immediately.

The silent nature of this case, however, may result in numerous organisations failing to identify the compromise and registering its impact only in the coming weeks and months.

To address attacks of this nature, in which threat actors exploit zero-day vulnerabilities or remote-control software, technology alone is insufficient.
The competencies and defensive model we have developed enable effective management of security incidents at this level, from identification through malware analysis to removal of the threat actors from the corporate network.

Account of an exploitation attempt

During delivery of our managed security services we have found evidence of what has been documented in recent cyber threat intelligence reports. Our team has identified and managed two distinct cyber attacks of this type.
The identification (detection) of this type of compromise is not straightforward. Several indicators of compromise (IOCs) have been shared, but this information is closely tied to the cases studied and is not always applicable to every infrastructure.

Attack identification occurred exclusively through hunting activity by our team, which identified the upload of malicious code (a China Chopper-like web shell) on several systems. The process that wrote the malicious file is shown in the figure below:

[Figure: Exploitation of the vulnerability]

The event, though not apparently malicious, is the result of exploitation of the vulnerabilities, leading to the writing of malicious “.aspx” files to disk for remote access.
Two different web shells were detected during this period:

  • supp0rt.aspx
  • OutlookEN.aspx

[Figure: WebShell – China Chopper]
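A hunt of the kind described above, written here as an added example and not the blog's own tooling: it walks a web-content tree for .aspx files written after a cutoff and flags the two file names reported on this page together with China Chopper-style content signatures. The directory layout, the cutoff date and the content patterns are assumptions; the sample files are constructed and contain no working shell.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

KNOWN_SHELL_NAMES = {"supp0rt.aspx", "outlooken.aspx"}  # names reported in the post above
# Content signatures for one-line China Chopper-style ASPX shells (an eval over
# request-controlled input); assumed patterns, not taken from the post.
SHELL_PATTERNS = [re.compile(rb"eval\s*\(\s*Request", re.IGNORECASE),
                  re.compile(rb'"unsafe"')]

def hunt_aspx(root, written_after):
    """Return sorted [(path, reasons)] for .aspx files modified after the cutoff
    that carry a known IOC name or a webshell-like content pattern."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if mtime < written_after:
                continue  # predates the exploitation window being hunted
            reasons = []
            if name.lower() in KNOWN_SHELL_NAMES:
                reasons.append("known IOC file name")
            with open(path, "rb") as fh:
                head = fh.read(65536)  # one-line shells are tiny; cap reads anyway
            if any(p.search(head) for p in SHELL_PATTERNS):
                reasons.append("webshell-like content")
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (not real artefacts) and hunt over it."""
    root = tempfile.mkdtemp()
    samples = {  # relative paths are assumptions modelled on an OWA web tree
        "owa/auth/supp0rt.aspx": b'<% /* constructed: eval(Request.Item[...], "unsafe") */ %>',
        "owa/auth/OutlookEN.aspx": b"<% /* constructed body, no content signature */ %>",
        "owa/auth/logon.aspx": b'<%@ Page Language="C#" %> constructed legitimate page',
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    cutoff = datetime(2021, 3, 1, tzinfo=timezone.utc)  # assumed start of the window
    return {os.path.relpath(p, root).replace(os.sep, "/"): r
            for p, r in hunt_aspx(root, cutoff)}
```

Point `hunt_aspx` at the real IIS/Exchange web root with a cutoff just before the exploitation window; a name hit or a content hit on a freshly written file is the trigger for forensic review of the host rather than proof on its own.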

First phase | Initial Access [T1190]

Exploiting the Microsoft Exchange vulnerabilities, multiple threat actor groups are compromising vulnerable systems worldwide in a massive and non-targeted manner. The vulnerabilities enable them to upload malicious files (web shells) for remote control of the system.

Our analyst team has so far identified only exploitation and upload of malicious files; no further malicious activity has been detected in recent days.

Second phase | Projections and analysis

Given the type of access obtained by the threat actors during the first phase, we assess that they will execute more complex compromise activities only at a later stage.
Projected tactics that may be observed on compromised systems in the coming weeks:

  • Exfiltration of information from corporate email [TA0010];
  • Ransomware attack on the Exchange Server [TA0040];
  • Sale of the obtained access on black markets;
  • Lateral movement toward other corporate systems such as “Domain Controller” [TA0008, TA0006];
  • Escalation to obtain privileged credentials [TA0006];
  • Launch of ransomware attack across multiple infrastructure systems [TA0040].

Protecting and defending systems

Microsoft has recently published a series of security updates to secure these systems.
Vulnerabilities resolved by the update: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Particular attention must be paid to the fact that applying the security updates or mitigations proposed by Microsoft protects a system only against future attacks. Removing the threat from already compromised systems requires specific Managed Detection and Response activity.

Attribution – Who is executing the cyber attacks

Information shared by Microsoft and other industry organisations references a cyber attack orchestrated by the HAFNIUM group, a known threat actor that conducts offensive activity against US organisations.
However, despite exploiting the same vulnerabilities, the attacks being observed on a global scale are not attributable to HAFNIUM but to other threat actor groups replicating the same approach.

During delivery of specialist cyber defence activities, we have identified two distinct threat actor groups currently compromising Exchange systems in Italy.

Organisations must verify system integrity through forensic analysis and implement continuous monitoring to detect post-exploitation activity that may manifest weeks after initial compromise.
