Microsoft is warning organizations that use Exchange email servers to shore up their systems now after observing a massive spike in highly skillful attacks this April.
The company’s alert details how advanced cyber attackers are using freely available open-source software and a known, critical vulnerability to attack Exchange email servers – one of the most valuable sources of information in any organization.
Exchange has been under attack for months now by multiple government-backed hackers who quickly pounced on a particularly nasty Exchange security flaw (CVE-2020-0688) shortly after Microsoft offered patches in February.
The flaw meant all Exchange email servers released in the past decade used identical cryptographic keys for the control panel’s backend, which allowed remote attackers to run malware on it and take full control of the server to gain access to a target’s email store.
But many organizations ignored Microsoft’s warning to patch the Exchange bug, which it predicted would come under attack in the near future. By April, security researchers warned that over 350,000 Exchange servers with the vulnerability were exposed on the internet.
“Drop everything and patch this vulnerability immediately,” Jonathan Cran, head of research at Kenna Security, warned at the time.
Microsoft says the most common way Exchange servers are compromised is via phishing attacks or attacks on desktop flaws and from there moving within the organization to access an Exchange server – the main system housing a target’s email communications.
But in April it saw a rise in attacks exploiting a particular remote code execution vulnerability affecting Microsoft’s Internet Information Service (IIS) component of a target Exchange server.
“The first scenario is more common, but we’re seeing a rise in attacks of the second variety; specifically, attacks that exploit Exchange vulnerabilities like CVE-2020-0688,” said Hardik Suri of the Microsoft Defender ATP Research Team.
“The security update that fixes this vulnerability has been available for several months, but, notably, to this day, attackers find vulnerable servers to target.
“In many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web accessible paths on the server.”
Microsoft’s new warning comes a week after the Australian government raised an alarm over ongoing attacks against organizations in the country.
The Australian Cyber Security Centre’s (ACSC) lengthy advisory doesn’t highlight CVE-2020-0688 but it does detail similar techniques to the ones Microsoft describes for attacks on IIS and Exchange email servers.
In both cases, the attackers planted web shell backdoor code on internet-accessible parts of Exchange, such as the log-on page for Outlook on the web, formerly Outlook Web Access.
According to Microsoft, there were multiple concurrent campaigns behind the surge in Exchange attacks during April, with most employing web shells on internet-facing Exchange servers for initial access. The attackers used multiple web shells, but the most widely used was the China Chopper web shell.
“The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells,” says Suri.
“Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain.
“Common services, for example, Outlook on the web (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC, formerly known as the Exchange Control Panel or ECP), executing net.exe, cmd.exe, and other known living-off-the-land binaries (LOLBins) like mshta.exe are very suspicious and should be further investigated,” warned Suri.
After deploying a web shell, the attackers explored the target domain and, where a misconfigured server was found, they added new accounts to high-privilege groups like Administrators, Remote Desktop Users, and Enterprise Admins.
This gave attackers “unrestricted access to any users or group in the organization”. Afterwards, credentials to these accounts were targeted using native Windows tools to dump Local Security Authority Subsystem Service (LSASS) memory – a key service for handling authentication in Active Directory domains – and upload them to a remote server for cracking.
To gain persistence on a machine purely in memory, or without ever touching a disk, the attackers turned to open-source software. On systems configured to detect the open-source credential dumping tool, Mimikatz, the attackers used a modified version placed in a wrapper written in the Go programming language.
“The binary used the open-source MemoryModule library to load the binary using reflective DLL injection. Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence,” notes Suri.
The attackers also attempted to disable Microsoft Defender Antivirus and disable archive scanning to protect .zip files and compression tools like rar.exe, which was used to steal email .pst files and memory dumps.
Suri recommends that organizations apply available updates, enable multi-factor authentication, and ensure on Windows 10 machines that tamper protection is enabled to prevent attackers disabling antivirus.
He also suggested organizations review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Security teams should also practice the principle of least-privilege and prioritize alerts indicating suspicious activities on Exchange servers.
Organizations under these types of attacks could likely benefit from Microsoft Defender ATP capabilities such as behavioral monitoring of IIS and Exchange.