On March 2, Microsoft released out-of-band security updates for Microsoft Exchange Server 2013, 2016 and 2019, fixing a pre-authentication remote code execution (RCE) vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).
Attackers can take over any reachable Exchange server without knowing valid account credentials. So far, webshells have been detected on more than 5,000 Exchange servers, more than 60,000 customers have been affected, and major institutions such as the European Banking Authority have been attacked.
Exchange users have been under continuous attack since February 28, 2021. Tick struck first, quickly followed by LuckyMouse, Calypso and the Winnti Group. This shows that many attackers had the vulnerability details before the patch was released, which means we can rule out the possibility that they built their exploit by reverse engineering the Microsoft update.
On the day after the patch was released, attackers intensified their activity, with groups such as Tonto Team and Mikroceen also launching attacks on Exchange servers. Interestingly, all of these are advanced persistent threat (APT) groups interested in espionage, with one exception, DLTMiner, which is associated with a known cryptomining campaign. The figure below is an overview of the attack timeline.
In the past few days, ESET researchers have been closely monitoring the number of webshell detections for these vulnerabilities. Based on ESET telemetry, more than 5,000 Exchange servers in more than 115 countries had been flagged for webshells by the day the patch was released, and the actual number of compromised servers is certainly higher. Figure 2 shows detections before and after the Microsoft patch.
The heat map in Figure 3 shows the geographical distribution of webshell detections according to ESET telemetry. Because exploitation has been so widespread, it is likely to represent the global distribution of vulnerable Exchange servers that have ESET security products installed.
ESET has identified more than 10 different threat actors that likely exploited the recent Microsoft Exchange RCE to install implants on victims' email servers.
Our analysis is based on email servers on which we found webshells in the Offline Address Book (OAB) configuration file. This is a specific technique used to exploit the RCE vulnerability, described in detail in a Unit 42 blog post. Unfortunately, we cannot rule out that some threat actors hijacked webshells dropped by other groups instead of exploiting the vulnerability directly. Once the vulnerability has been exploited and a webshell is in place, we have observed attempts to install additional malware through it. We also note that in some cases several threat actors targeted the same organization.