Exchange Server Post-Compromise Attack Activity Shared by Microsoft
The Tech Giant Shared Intelligence on Post-Exploitation Attack Activity, Including Ransomware Payloads and a Cryptocurrency Botnet.
In the context of ongoing Exchange Server attacks, Microsoft has shared information detailing post-compromise activity which has infected vulnerable targets with ransomware and a botnet.
When Microsoft released a fix for Exchange Server zero-days on March 2nd, organizations around the world were urged to patch their systems as soon as possible. While the Microsoft Security Response Center noticed that 92% of worldwide Exchange IPs are now patched or mitigated, these updates won’t protect victims that have already been compromised.
According to Heimdal™ ‘s internal data, 85% of organizations have already applied the readily available patches that address the Microsoft Exchange vulnerabilities, through the use of automated vulnerability management and deployment.
We continue to urge Exchange users who have not done so already to apply the patches immediately, as the vulnerabilities could allow various malicious actors to exploit any system that has remained unpatched.
Aiming to warn of post-exploitation activity seen on Exchange Servers, Microsoft recently released more information meant to help forensic specialists investigate whether they were attacked prior to patching and, if so, how they can respond. While early hacks were attributed to Hafnium, the weeks following its patch release have also revealed other attackers using the exploit, from cybercriminals to state-sponsored groups.
Microsoft’s 365 Defender Threat Intelligence Team notes that many compromised systems have not yet seen secondary attacks such as ransomware or data exfiltration. This could indicate that attackers are perhaps laying low and remaining persistent for potential future attacks, the company says, or they could already by using credentials and other stolen data to compromise networks through other attack vectors.
As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection, as the account can be used to elevate privileges later, which is why we strongly recommend operating under the principle of least privileged access.
Although DearCry was a new form of ransomware, Microsoft confirms that the access attackers gain through these flaws will most likely be used by other groups in the future. Pydomer, the first ransomware family to exploit the Exchange Server vulnerabilities, has previously been seen delivering ransomware through bugs in Pulse Secure VPN.
Pydomer post-exploitation activities
Around March 18th – 20th, 2021, Pydomer operators scanned and compromised Exchange Servers to drop a Web shell. According to Microsoft, the Web shells have been spotted on approximately 1,500 systems, though not all were infected with ransomware. On the affected systems, threat actors used a non-encryption extortion tactic similar to that of Maze and Egregor.
The Microsoft 365 Defender Threat Intelligence Team also detected several cryptocurrency mining campaigns from post-exploit Web shells. Lemon Duck, a known cryptocurrency botnet, is now compromising numerous Exchange Sever targets and is evolving to deploy malware in addition to mining cryptocurrency.
Lemon Duck post-exploitation activities
In light of these events, Microsoft has published several compromise indicators that network defenders can use to investigate the presence of these threats and signs of credential theft.