MS Exchange bugs first exploited in January

by Joseph K. Clark

Malicious actors were abusing four vulnerabilities disclosed this week in on-premises instances of Microsoft Exchange Server as far back as January 2021, according to a new report produced by FireEye Mandiant researchers Matt Bromiley, Chris DiGiamo, Andrew Thompson, and Robert Wallace. The four vulnerabilities, one rated critical and three rated medium, were disclosed this week alongside an out-of-sequence patch, and Microsoft linked their exploitation to a Chinese advanced persistent threat (APT) group known as Hafnium. However, there is already bountiful evidence to suggest exploitation of the CVEs goes far beyond one group.

In Mandiant’s report, the researchers said that they had observed multiple instances of abuse within at least one client environment, with observed activity including the creation of web shells to gain continued access, remote code execution (RCE), and surveillance for endpoint security solutions from FireEye, Carbon Black, and CrowdStrike. “The activity reported by Microsoft aligns with our observations. FireEye currently tracks this activity in three clusters, UNC2639, UNC2640, and UNC2643,” said Bromiley, DiGiamo, Thompson, and Wallace in a disclosure blog.


“We anticipate additional clusters as we respond to intrusions. We recommend following Microsoft’s guidance and patching Exchange Server immediately to mitigate this activity.” Like other researchers tracking exploitation, the team said the number of victims was likely much higher than Microsoft had indicated; Microsoft described the attacks as targeted and limited, but this is now hotly disputed. “Based on our telemetry, we have identified an array of affected victims, including US-based retailers, local governments, a university, and an engineering firm. Related activity may also include a Southeast Asian government and Central Asian telecom,” they said.

The team corroborated Microsoft’s assessment of multiple post-exploitation activities, including credential theft, data compression for exfiltration, Exchange PowerShell snap-ins to steal mailbox data, and other offensive cyber tools such as Covenant, Nishang, and PowerCat for remote access. “The activity we have observed and others in the information security industry indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments. This activity is followed quickly by other access and persistent mechanisms. We have multiple ongoing cases and will continue to provide insight as we respond to intrusions,” they said.

Meanwhile, more groups have been piling in in Hafnium’s wake, many leveraging the China Chopper web shell. This backdoor allows malicious actors to control the compromised system remotely and conduct further post-exploitation activities. Notably, China Chopper includes a graphical client that lets its operators manage the web shell and issue commands to it. According to Cynet’s Max Malyutin, those using it include Leviathan, closely associated with APT40; Threat Group-3390, aka Emissary Panda, Bronze Union or Iron Tiger; Soft Cell (not the synth-pop duo); and APT41. All of these groups are thought to have some association with activity originating in China.

Gurucul CEO Saryu Nayyar said the ongoing attacks were a reminder that despite stratospheric growth in cloud services, on-premise equipment remains vulnerable and is all too easily neglected. “With organizations migrating to Microsoft Office 365 en masse over the last few years, it’s easy to forget that on-premises Exchange servers are still in service. Some organizations, notably in government, can’t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come,” said Nayyar. “This is another case that shows how vital it is to keep up with security patches and to make sure the organization’s security stack is up to the task of identifying novel attacks and remediating them quickly,” she added.
