There’s a vexing mystery surrounding the 0-day attacks on Exchange servers

The Microsoft Exchange vulnerabilities that allow hackers to take over Microsoft Exchange servers are under attack by no fewer than 10 advanced hacking groups, six of which began exploiting them before Microsoft released a patch, researchers reported Wednesday. That raises a vexing mystery: how did so many separate threat actors have working exploits before the security flaws became publicly known?

Researchers say that as many as 100,000 mail servers around the world have been compromised, with those for the European Banking Authority and Norwegian Parliament being disclosed in the past few days. Once attackers gain the ability to execute code on the servers, they install web shells, which are browser-based windows that provide a means for remotely issuing commands and executing code.
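The web shells described above are the artifact a defender can actually hunt for after the fact. The following Python script is an added example, not code from the article or from any of the researchers it cites: it walks a web root, keeps only server-side script files modified on or after a cutoff date, and reports those in which request-supplied input appears next to a code-evaluation or process-launch primitive, which is the shape of a minimal web shell. The web-root location, file extensions, cutoff date and the three sample files are constructed assumptions for the demo; the article does not give the Exchange directories to scan, so the reader supplies the real path.

```python
"""Flag candidate web shells in a web root: recently written server-side
script files in which request-supplied input sits next to a code-execution
or process-launch primitive. Added example; paths, extensions, cutoff and
sample files are constructed assumptions, not values from the article."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Server-side script extensions an IIS/ASP.NET web root serves (assumption).
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}

# Heuristic indicators. A page that only reads request input is normal;
# request input combined with an execution primitive is the web-shell shape.
INPUT_PATTERN = re.compile(
    r"\bRequest\s*(\[|\.Item\s*\[|\.Form\s*\[|\.QueryString\s*\[)", re.I)
EXECUTION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "process-spawn": re.compile(r"Process\.Start|ProcessStartInfo|cmd\.exe|powershell", re.I),
    "code-load": re.compile(r"Assembly\.Load\s*\(|\bunsafe\b", re.I),
}


def classify(content):
    """Return the list of indicator names found in a file's text."""
    hits = []
    if INPUT_PATTERN.search(content):
        hits.append("request-input")
    hits.extend(name for name, pat in EXECUTION_PATTERNS.items() if pat.search(content))
    return hits


def is_web_shell_candidate(hits):
    """Report only request input combined with at least one execution primitive."""
    return "request-input" in hits and len(hits) >= 2


def scan_web_root(root, modified_after):
    """Walk `root` and return findings for script files modified at or after the cutoff."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if mtime < modified_after:
                continue  # timestamps can be forged: this narrows the search, it proves nothing
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = classify(fh.read())
            if is_web_shell_candidate(hits):
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "modified": mtime.isoformat(),
                    "indicators": hits,
                })
    return findings


def build_sample_web_root():
    """Create a constructed web root with three sample files for the demo."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        # Old, legitimate page: excluded by the timestamp filter.
        "app/default.aspx": '<%@ Page Language="C#" %>\n<h1>Welcome</h1>\n',
        # Recent page that reads input but executes nothing: not reported.
        "app/search.aspx": '<%@ Page Language="C#" %>\n<% var q = Request.QueryString["q"]; %>\n',
        # Recent constructed look-alike (a comment, not runnable code) that
        # carries the web-shell shape: request input next to a process launch.
        "uploads/help.aspx": '<%@ Page Language="C#" %>\n<% /* Request["cmd"] -> Process.Start("cmd.exe") */ %>\n',
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    old = datetime(2020, 12, 1, tzinfo=timezone.utc).timestamp()
    os.utime(os.path.join(root, "app", "default.aspx"), (old, old))  # backdate the legitimate page
    return root


def demo():
    """Scan the constructed root with a cutoff before the earliest exploitation the article reports (January)."""
    root = build_sample_web_root()
    return scan_web_root(root, datetime(2021, 1, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["modified"], ", ".join(finding["indicators"]))
```

Point `scan_web_root` at the real web root with an early cutoff; the article has FireEye observing exploitation since January, so a cutoff at the patch date would miss the earliest drops. Requiring both an input read and an execution primitive keeps ordinary pages that merely read query strings out of the report, and each hit is a lead for manual review of the file and the matching IIS request logs rather than a verdict.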

When Microsoft issued emergency patches on March 2, the company said the vulnerabilities were being exploited in limited and targeted attacks by a state-backed hacking group in China known as Hafnium. On Wednesday, ESET provided a starkly different assessment. Of the 10 groups ESET products have recorded exploiting vulnerable servers, six of those APTs—short for advanced persistent threat actors—began hijacking servers while the critical vulnerabilities were still unknown to Microsoft.

It’s not often a so-called zero-day vulnerability is exploited by two groups in unison, but it happens. A zero-day under attack by six APTs simultaneously, on the other hand, is highly unusual, if not unprecedented.

“Our ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,” ESET researchers Matthieu Faou, Mathieu Tartare, and Thomas Dupuy wrote in a Wednesday post. “It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.”

Beyond unlikely

The mystery is compounded by this: within a day of Microsoft issuing the patches, at least three more APTs joined the fray. A day later, another one was added to the mix. While it’s possible those four groups reverse engineered the fixes, developed weaponized exploits, and deployed them at scale, those types of activities usually take time. A 24-hour window is on the short side.

  • Calypso (aka Xpath): On March 1, this group compromised the email servers of governmental entities in the Middle East and South America. In the following days, it went on to target organizations in Africa, Asia, and Europe. Calypso targets governmental organizations in these regions.

  • Websiic: On March 1, this APT, which ESET had never seen before, targeted mail servers belonging to seven Asian companies in the IT, telecommunications, and engineering sectors and one governmental body in Eastern Europe.
  • Winnti (aka APT 41 and Barium): Just hours before Microsoft released the emergency patches on March 2, ESET data shows this group compromising the email servers of an oil company and a construction equipment company, both based in East Asia.
Slowik published his own analysis on Wednesday and noted that three of the APTs ESET saw exploiting the vulnerabilities ahead of the patches—Tick, Calypso, and Winnti—have previously been linked to hacking sponsored by the People’s Republic of China. Two other APTs ESET saw exploiting the vulnerabilities a day after the patches—Tonto and Mikroceen—also have ties to the PRC, the researcher said.

Slowik produced the following timeline:

The timeline includes three exploitation clusters that security firm FireEye has said were exploiting the Exchange vulnerabilities since January. FireEye referred to the groups as UNC2639, UNC2640, and UNC2643 and didn’t tie the clusters to any known APTs or say where they were located.

Because different security firms use different names for the same threat actors, it’s not clear if the groups identified by FireEye overlap with those seen by ESET. If they were distinct, the number of threat actors exploiting the Exchange vulnerabilities prior to a patch would be even higher.

A range of organizations under siege

The tracking of the APTs came as the FBI and the Cybersecurity and Infrastructure Security Agency issued an advisory on Wednesday that said threat groups are exploiting organizations including local governments, academic institutions, non-governmental organizations, and business entities in a range of industries, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical.

“This targeting is consistent with previous targeting activity by Chinese cyber actors,” the advisory stated. With security firm Palo Alto Networks reporting on Tuesday that an estimated 125,000 Exchange servers worldwide were vulnerable, CISA and FBI officials’ call for organizations to patch took on an extra measure of urgency.

Both ESET and security firm Red Canary have seen exploited Exchange servers that were infected with DLTMiner, a piece of malware that allows attackers to mine cryptocurrency using the computing power and electricity of infected machines. ESET, however, said it wasn’t clear if the actors behind those infections had actually exploited the vulnerabilities or simply taken over servers that had already been hacked by someone else.

With so many of the pre-patch exploits coming from groups tied to the Chinese government, the hypothesis from SentinelOne’s Guerrero-Saade—that a PRC entity provided the exploits to multiple hacking groups ahead of the patches—seems to be the simplest explanation. That theory is further supported by two other PRC-related groups—Tonto and Mikroceen—being among the first to exploit the vulnerabilities following Microsoft’s emergency release.

Of course, it’s possible that the half-dozen APTs that exploited the vulnerabilities while they were still zero-days independently discovered the vulnerabilities and developed weaponized exploits. If that’s the case, it’s likely a first, and hopefully a last.