The Microsoft Exchange vulnerabilities that allow hackers to take over Microsoft Exchange servers are under attack by no fewer than 10 sophisticated hacking groups, six of which began exploiting them before Microsoft released a patch, researchers reported Wednesday. That raises a tricky question: How could so many separate threat actors have working exploits before the security flaws became public knowledge?
Investigators say as many as 100,000 mail servers around the world have been compromised, and those for the European Banking Authority and the Norwegian Parliament have been disclosed in recent days. Once attackers are given the ability to execute code on the servers, they install web shells, which are browser-based windows that provide a means of issuing commands and executing code remotely.
When Microsoft released emergency patches on March 2, the company said the vulnerabilities were exploited in limited and targeted attacks by a state-backed hacking group in China known as Hafnium. On Wednesday, ESET gave a markedly different assessment. Of the 10 groups that registered ESET products exploiting vulnerable servers, six of those APTs – short for Advanced Persistent Threat Actors – started hijacking servers while the critical vulnerabilities were still unknown to Microsoft.
It’s not often that a so-called zero-day vulnerability is exploited by two groups at once, but it does happen. In contrast, a zero-day attack by six APTs at once is highly unusual, if not unprecedented.
“Our ongoing investigation shows that not only has Hafnium exploited the recent RCE vulnerability in Exchange, but multiple APTs have access to the exploit, and some did so even before the patch was released,” ESET researchers Matthieu Faou, Mathieu Tartare and Thomas Dupuy wrote in a post from Wednesday. “It is still unclear how the exploit was spread, but it is inevitable that more and more threat actors, including ransomware operators, will gain access to it sooner or later.”
More than unlikely
The mystery is compounded by this: Within a day of Microsoft releasing the patches, at least three more APTs joined the fray. A day later, another was added to the mix. While it’s possible that those four groups reverse engineered the fixes, developed weaponized exploits and deployed them on a large scale, this type of activity usually takes time. A 24 hour window is on the short side.
There is no clear explanation for the mass exploitation by so many different groups, leaving researchers with few alternatives but to speculate.
“It appears that while the exploits were originally used by Hafnium, something caused them to share the exploit with other groups around the time the associated vulnerabilities were patched by Microsoft,” Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, told me. “This could indicate a degree of collaboration between these groups, or it could also indicate that the exploits were for sale in certain markets and the potential for them to be patched resulted in a price drop, allowing others to do it as well. acquire.”
Juan Andres Guerrero-Saade, principal threat researcher at security firm SentinelOne, came to much the same conclusion.
“The idea that six groups from the same region would independently discover the same set of vulnerabilities and develop the same exploit is beyond improbable,” he wrote in a direct message. “The simpler explanation is that there is (a) a common exploit vendor, (b) an unknown resource (such as a forum) available to all of these, or (c) a common entity that organizes these various hacking groups and exploits them to facilitate their activities (say, the Chinese Ministry of State Security).”
The six groups that ESET identified that exploited the vulnerabilities when they were still zero-days are:
- Hafnium: The group, which Microsoft said is state-sponsored and based in China, exploited the vulnerabilities in early January.
- Finch (aka Bronze Butler and RedBaldKnight): On February 28, two days before Microsoft released patches, this group used the vulnerabilities to compromise the web server of an East Asian IT services company. Tick has been active since 2018 and mainly focuses on organizations in Japan, but also in South Korea, Russia and Singapore.
- LuckyMouse (APT27 and Emissary Panda): On March 1, this cyber-espionage group known to have hacked into multiple government networks in Central Asia and the Middle East compromised the email server of a government agency in the Middle East.
- Calypso (with ties to Xpath): On March 1, this group compromised the email servers of government agencies in the Middle East and South America. In the days that followed, it focused on organizations in Africa, Asia and Europe. Calypso focuses on government organizations in these regions.
- website: On March 1, this APT, which ESET had never seen before, targeted mail servers of seven Asian companies in the IT, telecommunications and engineering sectors and one government agency in Eastern Europe.
- Winnti (aka APT 41 and Barium): Hours before Microsoft released the emergency patches on March 2, ESET data shows that this group compromised the email servers of an oil company and a construction equipment company, both based in East Asia.
ESET said it saw four other groups exploiting the vulnerabilities in the days immediately following Microsoft’s release of the patch on March 2. Two unknown groups started the next day. Two other groups, known as Tonto and Mikrocene, started on March 3 and 4, respectively.
China and beyond
Joe Slowik, senior security researcher at security firm DomainTools, released his own analysis on Wednesday, noting that three of the APTs ESET saw exploiting the vulnerabilities prior to the patches — Tick, Calypso, and Winnti — have previously been linked to hacking sponsored by the People’s Republic of China . Two other APTs that ESET saw misused a day after the patches — Tonto and Mikrocene — also have ties to the People’s Republic of China, the researcher said.
Slowik produced the following timeline:
The timeline includes three exploitation clusters that, according to security firm FireEye, have been exploiting the Exchange vulnerabilities since January. FireEye referred to the groups as UNC2639, UNC2640, and UNC2643 and did not associate the clusters with any known APTs or say where they were.
Because different security companies use different names for the same threat actors, it is not clear whether the groups identified by FireEye overlap with those seen by ESET. If they were different, the number of threat actors who exploited the Exchange vulnerabilities before a patch would be even greater.
A range of organizations under fire
The follow-up to the APTs came as the FBI and the Cybersecurity and Infrastructure Security Agency issued an advisory on Wednesday that said threat groups are exploiting organizations, including local governments, academic institutions, non-governmental organizations and business entities in a range of industries, including agriculture, biotechnology, aerospace, defense, legal services, energy companies and pharmaceuticals.
“This targeting is consistent with previous targeting activities by Chinese cyber actors,” the consultancy said. With security firm Palo Alto Networks reporting Tuesday that an estimated 125,000 Exchange servers worldwide were vulnerable, CISA and FBI officials’ call for organizations to patch has gained an extra degree of urgency.
Both ESET and security firm Red Canary have seen Exchange servers infected with DLTMiner, a piece of malware that allows attackers to mine cryptocurrency using the computing power and electricity of infected machines. However, ESET said it was not clear whether the actors behind those infections had actually exploited the vulnerabilities or simply took over servers that had already been hacked by someone else.
With so many of the pre-patch exploits coming from groups affiliated with the Chinese government, SentinalOne’s Guerrero-Saade hypothesis – that a PRC entity supplied the exploits to multiple hacking groups prior to the patches – seems like the simplest explanation. . That theory is further supported by two other PRC-related groups – Tonto and Mikrocene – who were among the first to exploit the vulnerabilities after Microsoft’s emergency release.
It is, of course, possible that the six dozen APTs that exploited the vulnerabilities while still zero-days independently discovered the vulnerabilities and developed weaponized exploits. If so, it’s probably a first and hopefully a last.