Microsoft is investigating whether a hacker got hold of confidential research on the recently discovered Exchange Server vulnerabilities through at least one of its security partners.
The Wall Street Journal says Microsoft is trying to explain how an attack limited to one threat actor spread to others just before the tech giant sent out a software fix to customers on March 2. When Microsoft first disclosed the four vulnerabilities that enabled on-premise versions of Exchange to be compromised, the company said a China-based group called Hafnium was exploiting the holes. After Microsoft issued a patch, other groups were detected using the exploit to install web shells and back doors.
However, not long after the disclosure, ESET said it discovered four other threat actors had been using the exploit before Microsoft’s patch was released, suggesting those groups didn’t reverse engineer the Microsoft patch.
According to the Journal, Microsoft had shared some threat information about the vulnerabilities with security partners before March 2. Microsoft is reportedly considering the possibility of a partner inadvertently – or intentionally – leaking information because some of the tools used in the second wave of attacks at the end of February are similar to the “proof of concept” attack code Microsoft distributed in confidence.
Meanwhile, security experts continue to parse the techniques used in what some are calling the ProxyLogon attack. Researchers at Trustwave’s SpiderLabs released a report this morning on the web shell Hafnium deploys after it compromises Exchange Servers.
Known as the China Chopper web shell, it’s an Active Server Page Extended (ASPX) web shell typically planted on an Internet Information Services (IIS) server through an exploit to execute code, such as downloading and uploading files, the report notes. Typically the shell is just one line, and there are multiple versions for executing code in different languages such as ASP, ASPX, PHP, JSP, and CFM. It’s a web shell that’s been used for years.
“When examining servers for signs of compromise, in addition to ASPX scripts, be aware also of the corresponding DLLs generated by ASP.NET runtime,” says the report.
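The report’s advice covers two artefacts: the tiny one-line .aspx file itself and the assembly the ASP.NET runtime compiles from it (dynamically compiled pages land as App_Web_*.dll under the “Temporary ASP.NET Files” tree). The following Python scanner is an added illustration of that check, not code from the article or from Trustwave; the directory layout, file names and file contents it builds are constructed for the demonstration, and the placeholder .aspx line is deliberately non-functional.

```python
"""Added example: heuristic scan of an IIS web root and the ASP.NET
temporary-compilation tree for one-line .aspx files and the DLLs the
ASP.NET runtime compiled from them.  All paths and sample files below
are constructed for the demo and are not real indicators."""
import re
import tempfile
from pathlib import Path

# ASP.NET compiles a dynamically requested page into an App_Web_<...>.dll
# under "Temporary ASP.NET Files"; a shell dropped as .aspx leaves one too.
COMPILED_DLL = re.compile(r"^App_Web_[0-9a-z_.-]+\.dll$", re.IGNORECASE)
PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b", re.IGNORECASE)
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|Request\.Item|Request\[", re.IGNORECASE)
MAX_SHELL_BYTES = 1024  # one-line shells are tiny; real pages rarely are


def looks_like_oneline_shell(path: Path) -> bool:
    """True for a single-line .aspx file under 1 KB that carries both a
    Page directive and a dynamic-execution construct."""
    if path.suffix.lower() != ".aspx" or path.stat().st_size > MAX_SHELL_BYTES:
        return False
    text = path.read_text(errors="ignore").strip()
    if "\n" in text:
        return False
    return bool(PAGE_DIRECTIVE.search(text) and DYNAMIC_EXEC.search(text))


def scan(webroot: Path, aspnet_temp: Path):
    """Return (suspicious .aspx paths, compiled page assemblies), sorted."""
    shells = sorted(p for p in webroot.rglob("*.aspx") if looks_like_oneline_shell(p))
    dlls = sorted(p for p in aspnet_temp.rglob("*.dll") if COMPILED_DLL.match(p.name))
    return shells, dlls


def build_demo_tree():
    """Constructed layout: one benign multi-line page, one suspicious
    one-liner with a placeholder body, one compiled page DLL, one benign DLL."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "inetpub" / "wwwroot" / "aspnet_client"
    temp = base / "Temporary ASP.NET Files" / "root" / "abc123"
    webroot.mkdir(parents=True)
    temp.mkdir(parents=True)
    (webroot / "default.aspx").write_text(
        '<%@ Page Language="C#" %>\n<html>\n<body>hello</body>\n</html>\n')
    # Placeholder stand-in, not a working shell: directive plus an eval() token.
    (webroot / "x.aspx").write_text('<%@ Page Language="Jscript"%><% eval(PLACEHOLDER_INPUT) %>')
    (temp / "App_Web_x.aspx.cdcab7d2.dll").write_bytes(b"MZ constructed placeholder")
    (temp / "System.Web.dll").write_bytes(b"MZ benign")
    return webroot, temp


if __name__ == "__main__":
    w, t = build_demo_tree()
    shells, dlls = scan(w, t)
    for p in shells:
        print("suspicious one-line aspx:", p)
    for p in dlls:
        print("compiled page assembly:", p)
```

On a real server the two trees would be the IIS web roots (including the Exchange virtual directories) and the per-framework “Temporary ASP.NET Files” directory; a compiled App_Web DLL whose timestamp matches no legitimate deployment is worth correlating with IIS request logs even if the .aspx file has since been removed.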
DearCry ransomware analysis
Separately, Sophos offered insight into the DearCry ransomware that a threat group is hitting ProxyLogon victims with. From an encryption-behaviour view, DearCry is a ‘Copy’ ransomware, noted Mark Loman, director of Sophos’ engineering technology office. It creates encrypted copies of the attacked files and deletes the originals. This causes the encrypted files to be stored on different logical sectors, allowing victims to potentially recover some data, depending on when Windows reuses the freed logical sectors. Human-operated ransomware like Ryuk, REvil, BitPaymer, Maze and Clop are ‘In-Place’ ransomware. The attack causes the encrypted file to be stored on the same logical sectors, making data recovery via undelete tools impossible.
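The difference Loman describes is about where bytes land on disk, not about the cipher. The toy disk model below is an added illustration (not Sophos’ analysis or code): it models sectors, a free list and a directory, then runs the two strategies over a constructed sample file. A byte inversion stands in for encryption, and the file name and contents are invented for the demo.

```python
"""Added example: toy sector model showing why 'Copy' encryption leaves the
original bytes on freed sectors (recoverable until reused) while 'In-Place'
encryption overwrites them.  The transform is a placeholder, not a cipher."""
from dataclasses import dataclass, field


def toy_encrypt(data: bytes) -> bytes:
    """Size-preserving placeholder transform; the real cipher is irrelevant
    to where the bytes end up."""
    return bytes(b ^ 0xFF for b in data)


@dataclass
class ToyDisk:
    """Fixed-size sectors, a free list, and a directory of name -> sectors."""
    sector_size: int = 4
    sectors: list = field(default_factory=list)
    free: list = field(default_factory=list)      # freed sectors keep old bytes
    directory: dict = field(default_factory=dict)

    def _alloc(self) -> int:
        if self.free:                              # reuse freed space first
            return self.free.pop(0)
        self.sectors.append(b"")
        return len(self.sectors) - 1

    def _split(self, data: bytes):
        n = self.sector_size
        return [data[i:i + n] for i in range(0, len(data), n)]

    def write_new(self, name: str, data: bytes) -> None:
        nums = []
        for piece in self._split(data):
            s = self._alloc()
            self.sectors[s] = piece
            nums.append(s)
        self.directory[name] = nums

    def overwrite_in_place(self, name: str, data: bytes) -> None:
        nums = self.directory[name]
        pieces = self._split(data)
        assert len(pieces) == len(nums)            # toy_encrypt preserves size
        for s, piece in zip(nums, pieces):
            self.sectors[s] = piece

    def delete(self, name: str) -> None:
        """Unlink only: the sectors go to the free list, their bytes untouched."""
        self.free.extend(self.directory.pop(name))

    def read(self, name: str) -> bytes:
        return b"".join(self.sectors[s] for s in self.directory[name])

    def carve_free(self) -> bytes:
        """What an undelete tool can still see: contents of unallocated sectors."""
        return b"".join(self.sectors[s] for s in sorted(self.free))


def copy_style(disk: ToyDisk, name: str) -> None:
    """Write an encrypted copy to fresh sectors, then delete the original."""
    disk.write_new(name + ".CRYPT", toy_encrypt(disk.read(name)))
    disk.delete(name)


def in_place_style(disk: ToyDisk, name: str) -> None:
    """Overwrite the original's own sectors with the encrypted bytes."""
    disk.overwrite_in_place(name, toy_encrypt(disk.read(name)))


def demo() -> dict:
    plaintext = b"quarterly-figures"             # constructed: 17 bytes -> 5 sectors
    copy = ToyDisk()
    copy.write_new("report.xlsx", plaintext)
    copy_style(copy, "report.xlsx")
    before_reuse = copy.carve_free()             # whole original still carvable
    copy.write_new("later.txt", b"XXXXXXXX")     # later write reuses two freed sectors
    after_reuse = copy.carve_free()              # only the tail survives

    inplace = ToyDisk()
    inplace.write_new("report.xlsx", plaintext)
    in_place_style(inplace, "report.xlsx")
    return {
        "copy_before_reuse": before_reuse,
        "copy_after_reuse": after_reuse,
        "in_place_free": inplace.carve_free(),
        "in_place_plaintext_left": plaintext in b"".join(inplace.sectors),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The model reproduces the article’s caveat: the copy-style victim can carve the entire original until the free sectors are reallocated, after which only fragments remain, whereas the in-place victim has nothing to carve at all.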
DearCry’s encryption is based on a public-key cryptosystem, says Sophos. The public encryption key is embedded in the ransomware binary, meaning it does not need to contact the attacker’s command-and-control server to encrypt your files. Microsoft Exchange servers that are set up to only allow internet access for the Exchange services will still become encrypted. Without the decryption key (which the attacker owns), decryption is impossible.
“WannaCry was also a Copy ransomware. DearCry not only shares a similar name but also has an eerily similar file header,” Loman wrote. “Defenders should take urgent steps to install Microsoft’s patches to prevent exploitation of their Microsoft Exchange patches. If this is not possible, the server should be disconnected from the internet or closely monitored by a threat response team.”
While IT administrators are quickly installing Microsoft’s patches to cover supported and unsupported versions of Exchange, it’s believed there are still thousands of unpatched installations.
According to Check Point Software, the number of attempted ProxyLogon attacks has increased tenfold, from 700 on March 11 to over 7,200 as of this morning.
The country most attacked has been the United States (17 per cent of all exploit attempts), followed by Germany (six per cent), the United Kingdom (five per cent), The Netherlands (five per cent) and Russia (four per cent).
The most targeted industry sector has been government/military (23 per cent of all exploit attempts), followed by manufacturing (15 per cent), banking and financial services (14 per cent), software vendors (seven per cent) and healthcare (six per cent).