
Microsoft says ransomware actions against Exchange have been ‘limited’


Microsoft has issued a note stating that ransomware activity against compromised on-premises Exchange servers remains limited, but warns organizations that the danger is far from over.

The software giant is advising companies that have patched the four Exchange flaws to also take remedial action to ensure that webshells (malicious web-based interfaces that give an attacker remote access to or control of the web server) or other backdoors were not left behind: applying the update closes the vulnerabilities, but it does not remove anything an attacker installed before the patch.

Attackers are harvesting credentials for possible later use, so even once a company has patched its servers, the risk of long-term compromise remains, the company adds. Those risks include ransomware attacks, cryptominer infections and intruders moving laterally through the organization's network.

“Many of the compromised systems have not yet received a secondary action, but as human-operated ransomware attacks or data exfiltration continue, attackers may be establishing and maintaining access for possible subsequent actions,” writes the Microsoft 365 Defender Threat Intelligence Team in a blog post. This means that organizations need to ensure that all backdoors are removed.

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released two new malware analysis reports describing variants of the China Chopper webshell seen on compromised Exchange servers.
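The check that the advice above amounts to, written here as an added example rather than code from Microsoft's post or CISA's reports: sweep the directories Exchange exposes through IIS for script files that either match China Chopper-style one-liner patterns or were created after exploitation began. The directory list, the cut-off date and the indicator strings are assumptions drawn from public ProxyLogon reporting, not from this article; adjust them to your environment.

```powershell
# Added example: hunt for ASPX webshells left behind on a patched Exchange server.
# Run in an elevated PowerShell session on the Exchange server itself.

$ExchangePath = $env:ExchangeInstallPath   # set by Exchange setup, e.g. C:\Program Files\Microsoft\Exchange Server\V15\
if (-not $ExchangePath) { $ExchangePath = 'C:\Program Files\Microsoft\Exchange Server\V15\' }

# Directories where webshells were commonly observed (assumed from public reporting).
$ScanDirs = @(
    (Join-Path $ExchangePath 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangePath 'FrontEnd\HttpProxy\ecp\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
)

# Date of the first known in-the-wild exploitation mentioned in the article.
$Since = Get-Date '2021-02-26'

# Regexes characteristic of China Chopper-style shells (assumed indicators, extend as needed).
$Patterns = @(
    'eval\s*\(\s*Request',
    'Request\.Item\[',
    'Page_Load.*Request\[',
    'Response\.Write\s*\(\s*Request',
    'System\.Diagnostics\.Process'
)

$Findings = foreach ($dir in $ScanDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include '*.aspx','*.asmx','*.ashx','*.asp' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file    = $_
            $content = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
            $hits    = @()
            foreach ($p in $Patterns) {
                if ($content -match $p) { $hits += $p }
            }
            # Flag on a content match, or on any web-facing script written after exploitation began.
            if ($hits.Count -gt 0 -or $file.CreationTimeUtc -ge $Since) {
                [pscustomobject]@{
                    Path       = $file.FullName
                    Created    = $file.CreationTimeUtc
                    LastWrite  = $file.LastWriteTimeUtc
                    SizeBytes  = $file.Length
                    SHA256     = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                    Indicators = ($hits -join '; ')
                }
            }
        }
}

$Findings | Sort-Object Created -Descending | Format-Table -AutoSize
```

Files created after the cut-off date will include legitimate files written by the Exchange update installer, so treat the date match as a lead, not a verdict: compare the reported hashes against a clean install of the same build or against published indicators before deleting anything, and preserve a copy of every flagged file for the investigation.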

Microsoft predicts that systems that still have backdoors “will become part of the cybercriminal’s complex economy, where additional ransomware operators and affiliates will take advantage of it.”

While some of the ransomware deployed so far has been small-scale or buggy, Microsoft says more skilled groups can use stolen credentials for new attacks. “If the server is not running in a minimal-privilege configuration, credential theft can provide a significant return on investment for an attacker, in addition to their initial access to email and data,” the company writes.

On the radar: the Pydomer Ransomware

The Pydomer ransomware family, which previously targeted Pulse Secure VPN vulnerabilities, was a latecomer to Exchange servers, says Microsoft. Its activity began in earnest between March 18 and 20, when the group dropped webshells on at least 1,500 systems, though not all of those systems were subsequently ransomed.

Pydomer dumps the memory of the Local Security Authority Subsystem Service (LSASS), the Windows process that holds the credential material of logged-on accounts, including password hashes and, in some configurations, plaintext passwords. As security firm Deep Instinct has noted, LSASS dumping was a regular technique of the Trickbot botnet.
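One way to hunt for the LSASS memory access that a credential dump requires, given here as an added example and not as code from Microsoft, Deep Instinct or this article: query Sysmon ProcessAccess events (Event ID 10) whose target is lsass.exe and whose granted access mask implies a memory read. It assumes Sysmon is installed with ProcessAccess logging enabled for lsass.exe; the access masks and the allow-list of source processes are assumptions to be tuned after baselining your own hosts.

```powershell
# Added example: find processes that opened lsass.exe with memory-read access in the last 30 days.

$Lookback = (Get-Date).AddDays(-30)

# Access masks commonly requested by MiniDump-style tools (assumed indicators):
# 0x10 = PROCESS_VM_READ, 0x400 = PROCESS_QUERY_INFORMATION, 0x1FFFFF = PROCESS_ALL_ACCESS.
$SuspiciousMasks = @('0x1010', '0x1410', '0x1438', '0x143a', '0x1fffff')

# Processes that legitimately touch LSASS on many hosts; extend after baselining.
$AllowedSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe'
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 10
    StartTime = $Lookback
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Pull the EventData name/value pairs out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['TargetImage'] -notlike '*\lsass.exe') { continue }
    if ($AllowedSources -contains $d['SourceImage']) { continue }
    $mask = "$($d['GrantedAccess'])".ToLower()
    if ($SuspiciousMasks -notcontains $mask) { continue }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        SourceImage   = $d['SourceImage']
        SourcePid     = $d['SourceProcessId']
        GrantedAccess = $d['GrantedAccess']
        CallTrace     = $d['CallTrace']   # DLLs on the call stack; unbacked or unusual modules are a strong signal
    }
}

$findings | Sort-Object Time -Descending | Format-Table -AutoSize
```

A hit from an unexpected source image, or a CallTrace that passes through a module outside System32, is worth pulling the process and its parent chain immediately. Detection after the fact is the fallback; on Exchange servers where Microsoft Defender is in use, the attack surface reduction rule that blocks credential stealing from LSASS prevents the read in the first place.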

“The highly privileged credentials obtained from an Exchange system are likely to contain domain administrator accounts and service accounts with backup privileges, which means that these attackers can perform ransomware and exfiltration actions against networks they have compromised long after the Exchange server has been patched, and even enter through other means,” writes Microsoft.


Microsoft also describes an ongoing struggle between attack groups for control of compromised Exchange servers. It highlights the example of Lemon Duck, a botnet that uses compromised machines to mine cryptocurrency. Lemon Duck does not drop a webshell after compromising a system; instead, it uses fileless, shell-less methods, running PowerShell commands directly.

In one case, Lemon Duck hit a system on which another group had already placed a webshell, says Microsoft. Lemon Duck then removed that operator's access and mitigated CVE-2021-26855, the server-side request forgery (SSRF) flaw, with a legitimate cleanup script so that no one else could exploit it.

“This action prevents further exploitation of the server and removes webshells, giving Lemon Duck exclusive access to the compromised server,” writes Microsoft. “This emphasizes the need to thoroughly investigate systems that have been exposed, even if they have been fully patched and mitigated, in accordance with the traditional incident response process.”

Microsoft patched the four vulnerabilities in on-premises Exchange Server on March 2. At the time, RiskIQ estimated that about 400,000 Exchange servers were vulnerable. As of Thursday, March 25, Microsoft says more than 92%, or about 368,000, had been patched or mitigated.

Exchange servers have been attacked aggressively since February 26. Microsoft attributed the initial activity to a suspected China-based group it calls Hafnium, but other security companies observed up to half a dozen groups attacking Exchange servers before the patches were released.

Before Microsoft released the patches, the Shadowserver Foundation said it had detected 68,000 distinct IP addresses of Exchange servers showing signs of compromise. This suggests that information about the vulnerabilities, which were discovered by Taiwanese penetration testing company Devcore, may have leaked. Another possibility is that the vulnerabilities were discovered independently by other groups. Microsoft is investigating whether a leak could have occurred through a partner in its Microsoft Active Protections Program (MAPP).
