With companies and organizations under siege on so many fronts over the past year, the last thing internal IT departments needed was another daunting challenge to grapple with. Yet for those enterprises that host their own Microsoft Exchange environments, a collection of four recently discovered exploits involving the Exchange Server software has added another layer of stress to what has undoubtedly been a tough twelve months.
The Biggest Ransomware Demand in History
The latest episode in the story is Acer Computer, who fell victim to a ransomware attack. While ransomware attacks have become a ubiquitous event these days, what makes this attack distinctive is the ransom demand itself.
According to LeMagIT [article in French], the hackers behind the REvil ransomware strain announced they had breached Acer’s network and were demanding a record $50 million, the highest known ransom to date.
REvil uses the Ransomware 2.0 approach: the attackers copy and exfiltrate a company’s data just before encrypting it. Should the victimized organization manage to restore its data without purchasing the decryption key, the criminals then threaten to expose or sell the stolen data as additional extortion leverage.
The ransomware group, also known as Sodinokibi, has posted screenshots of some of the stolen data as proof of their raid. They have also given Acer a window of nine days to pay up, after which the ransom will be doubled. Although not confirmed as of the time of writing, it is believed that the group took full advantage of the Microsoft Exchange exploits mentioned above.
The Good News
Before discussing the details of how all of this came about, let’s start with the good news. Microsoft released a series of security updates on March 2 to address the discovered vulnerabilities, but it also felt the need to simplify the mitigation process for its customers in order to reach something like herd immunity across the world. The result is a one-click mitigation tool that even non-IT personnel can download and run.
It is important to note that the simplified tool is not a replacement for the security updates. Even after running the tool, existing and future updates should still be applied.
Specifically, the tool targets the CVE-2021-26855 vulnerability. This vulnerability allows an attacker to make an untrusted connection to Exchange server port 443, allowing them to send arbitrary HTTP requests and authenticate as the Exchange server. It is this vulnerability that allows the attacker to then take advantage of the other vulnerabilities.
While the tool offers no defense for Exchange Servers that attackers already have access to, it is a sensible first step toward reducing the risk of an attack. Microsoft reports that the tool has been tested on Exchange Server 2013, 2016 and 2019.
The Other Vulnerability Culprits
Once an attacker has access to your Exchange Server, they can then take advantage of the other three involved vulnerabilities.
- CVE-2021-26857 – This is a remote code execution vulnerability that lets an attacker run any code they want as the System account.
- CVE-2021-26858 – This is a post-authentication arbitrary file write vulnerability: once authenticated, an attacker can write a file to any path on the Exchange server.
- CVE-2021-27065 – This is another post-authentication arbitrary file write vulnerability that allows an attacker to write files to the server once a legitimate admin’s credentials have been compromised.
These vulnerabilities collectively serve as an attack chain. Microsoft recommends customers investigate their networks for exploitation or indicators of persistence once the updates for the entire attack chain have been applied.
For instance, many attackers have used this attack chain to install web shells on the compromised servers. Web shells give attackers persistent remote access to internet-facing servers. Simply applying the prescribed updates will not remove web shells that are already in place. Microsoft provides more detail about these threats on their website.
Thousands Remain Vulnerable or Exposed
The threats don’t just involve a single ransomware strain. According to Krebs on Security, as of March 5, at least 30,000 organizations across the United States had been hacked by a Chinese espionage unit. The group has been stealing email from the targeted victims by exploiting the zero-day flaws discussed above. Still, the primary threat remains ransomware, as Redmond reported that new ransomware strains have been discovered that take explicit advantage of the Exchange vulnerabilities.
Check Point Research reports seeing thousands of such exploit attempts worldwide, culminating in a tenfold increase between March 11 and March 15. According to their data, the U.S. remains the most targeted country for these attacks (17%), followed by Germany and the United Kingdom. A disturbing 23% of all attacks have been aimed at Government and Military organizations, followed by Manufacturing (15%) and Financial Services (14%).
What makes this attack so easy is that attackers can scan the Internet for unprotected Exchange Servers. Using this technique, Krebs tweeted on March 12 that an estimated 82,000 servers were still vulnerable to these exploits. For those wanting to know whether their own Exchange servers have been compromised, Microsoft has released a script on GitHub that will scan for indicators of compromise linked to the Exchange vulnerabilities.
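The post notes above that attackers have used the attack chain to drop web shells, that applying the updates does not remove them, and that Microsoft publishes a script to look for indicators of compromise. The following is an added example, not code from the original post and not Microsoft's script: a small defender-side scanner that walks a web-served directory, flags ASP.NET pages that have the classic web shell shape (server-side script that evaluates request input or spawns processes), and gives extra weight to files written after the March 2 update date. The directory tree, file names and sample pages it builds are constructed for the demo; the patterns are a heuristic and the patch-date cutoff is an assumption, so treat hits as leads for a human to review, not verdicts.

```python
"""
Added example: heuristic web shell scan for an Exchange web root.
Not Microsoft's indicator-of-compromise script and not the post's own code.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructs commonly seen in ASP.NET web shells. Heuristic, not exhaustive.
SUSPICIOUS_PATTERNS = [
    re.compile(r'<script\s+runat=["\']?server["\']?', re.I),          # server-side script block
    re.compile(r'\bRequest\s*(\[|\.Item|\.Form|\.QueryString)', re.I),  # reads attacker-supplied input
    re.compile(r'\b(Eval|Execute|ExecuteGlobal|ExecuteStatement)\s*\(', re.I),
    re.compile(r'\bProcess\.Start\s*\(', re.I),                          # spawns a process
    re.compile(r'\bSystem\.Diagnostics\.Process\b', re.I),
]

# Assumption: the Exchange security updates the post mentions shipped on
# 2 March 2021; files modified after that date get one extra point.
PATCH_DATE = datetime(2021, 3, 2, tzinfo=timezone.utc)


def score_file(path):
    """Return (score, matched pattern strings) for one page; unreadable files score 0."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return 0, []
    hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(text)]
    score = len(hits)
    # Server-side script that also reads request input is the core web shell
    # shape, so that combination is weighted more heavily than either alone.
    if any("runat" in h for h in hits) and any("Request" in h for h in hits):
        score += 2
    return score, hits


def scan_directory(root, threshold=3):
    """Walk root, score every .aspx/.ashx/.asmx file, return findings at or above threshold."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".aspx", ".ashx", ".asmx")):
                continue
            path = os.path.join(dirpath, name)
            score, hits = score_file(path)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if mtime > PATCH_DATE:
                score += 1  # written after the update date: worth a closer look
            if score >= threshold:
                findings.append({"path": path, "score": score,
                                 "modified": mtime.isoformat(), "indicators": hits})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample pages: one ordinary logon page, one shell-like page.
BENIGN_PAGE = """<%@ Page Language="C#" %>
<html><body><h1>Outlook Web App</h1>
<asp:Label runat="server" Text="Sign in" /></body></html>
"""
SHELL_LIKE_PAGE = """<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object s, EventArgs e) {
    System.Diagnostics.Process.Start("cmd.exe", Request["c"]);
}
</script>
"""


def build_demo_tree():
    """Create a constructed web root; returns (root, benign_path, shell_path)."""
    root = tempfile.mkdtemp(prefix="owa_demo_")
    sub = os.path.join(root, "auth")
    os.makedirs(sub)
    benign = os.path.join(root, "logon.aspx")
    shell = os.path.join(sub, "suspicious_demo.aspx")  # constructed name, not a known IOC
    with open(benign, "w", encoding="utf-8") as fh:
        fh.write(BENIGN_PAGE)
    with open(shell, "w", encoding="utf-8") as fh:
        fh.write(SHELL_LIKE_PAGE)
    # Backdate the benign page to a month before the update so it gets no recency weight.
    old = PATCH_DATE.timestamp() - 30 * 86400
    os.utime(benign, (old, old))
    return root, benign, shell


if __name__ == "__main__":
    demo_root, _, _ = build_demo_tree()
    for finding in scan_directory(demo_root):
        print(finding["score"], finding["path"], finding["indicators"])
```

Run as-is it scans the constructed tree; pointed at a real Exchange web root it would need the threshold tuned to the local baseline, and any hit should be cross-checked against Microsoft's published indicators rather than trusted on its own.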
The speed at which cybercriminals have created exploits to take advantage of these zero-day flaws has been breathtaking and humbling. This devastating array of attacks may in fact be the last straw that compels organizations to abandon their on-prem Exchange environments and head to the cloud.