In early March of this year, CISA filed an alert that disclosed zero-day vulnerabilities affecting Microsoft Exchange. To make matters worse, it was reported that the vulnerabilities were being actively exploited in the wild by Hafnium, which is believed to be a Chinese nation-state threat actor. The cyber espionage unit breached as many victims as it could find across the global internet, leaving behind backdoors to return to later. Since reporting the vulnerabilities, it’s expected that at least 30,000 organizations across the United States, including a significant number of small businesses, towns, cities, and local governments, fell victim to the attacks.
Hafnium’s approach was a three step process. First, they would gain access to an Exchange server by using the zero-day vulnerabilities to disguise themselves as someone who should have access. From there, they would create a web shell to control the compromised server remotely. Finally, the hackers would capitalize on their remote access to steal data from the organization’s network.
While Microsoft worked quickly to deploy an update, the attacks didn’t stop there. Shortly after the initial exploit broke, it was adopted for a range of cybercrime activities including a ransomware called DearCry, which, not coincidentally, adds an encryption header to the attacked files that looks eerily similar to the header used by the notorious WannaCry ransomware – which, if you remember, shook the cyber-realm back in May 2017.
Following the DearCry ransomware, another ransomware gang also started to target vulnerable Exchange servers with another ransomware, called Black Kingdom. While the Black Kingdom ransomware is far from a sophisticated payload, it can still cause a great deal of damage and may be related to a ransomware of the same name that appeared last year on machines that, at the time, were running a vulnerable version of the Pulse Secure VPN concentrator software.
The latest activity found cybercriminals using a compromised Exchange server to host a malicious Monero cryptominer payload, while leveraging the exploit to target other vulnerable servers.
How can Partners Help?
While patching is a good first step for any organizations running on-premises Exchange Servers, this only protects them from being exploited by the vulnerabilities going forward. It does not ensure that an adversary has not already exploited the vulnerability. As such, partners must help their customers search their networks for indicators of an attack. A few recommendations from Sophos include:
- Determine possible exposure - Download and run the Test-ProxyLogon.ps1 script provided by the Microsoft Customer Support Services team
- Look for web shells or other suspicious .aspx files
- Identify potential web shells to investigate, check patch level of your servers, and look for suspicious commands
- Establish impact - Review process activity and command executions from the time the web shell was created, onwards
Threat Hunting is Key
Threats such as Hafnium are a great example of how having an elite team of threat hunters and response experts to back your customers’ organizations can offer peace of mind. When the Hafnium news first broke, the Sophos Managed Threat Response (MTR) team immediately began to hunt and investigate in customer environments to determine if there was any activity related to the attack. It also looked to uncover any new artifacts related to the attack that could provide further protection for all Sophos customers, and has been tracking all additional and new threats closely since. The 24/7 nature of Sophos MTR meant that not a single second went to waste before the team got to work, ensuring protection.
To learn more about Sophos MTR and how it can identify and neutralize potential adversarial activity in your or your customers’ organization, click here.