WASHINGTON: The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have issued a joint advisory that warns of potential follow-on ransomware and even “destructive” attacks against vulnerable Microsoft Exchange email servers.

The FBI, CISA, and security companies are reporting they see no decrease in the number of attempted and successful Exchange hacks, as an array of threat actors continue to hammer servers. The “likely” mix of threat actors is now said to range from nation-states to cybercriminals, according to the advisory.

Security company ESET said Wednesday it has seen “at least 10” threat actor groups exploiting zero days and deploying web shells against targeted Exchange servers. Zero days provide threat actors their initial access to vulnerable servers, while web shells provide persistent access to and remote control over those servers once they’ve been compromised. Web shells also enable threat actors to compromise additional assets located on internal networks.

Within standard threat models, cybercriminals are more likely than most nation-states to use ransomware. Certain nation-states and some cybercriminal gangs may be motivated to conduct “destructive” attacks, such as wiping out data across organizations.

The advisory urges organizations that have the in-house capability to “forensically triage” all on-premises Exchange servers immediately to determine whether or not they are compromised. If organizations identify indicators of compromise but do not have in-house forensics expertise, the advisory urges “Immediately disconnect[ing] Microsoft Exchange on-premises servers” and reporting the incident to the FBI or CISA. For organizations that do have in-house forensics capabilities, step-by-step guidance is provided. The advisory states the FBI is “proactively investigating” Exchange server incidents via its 24/7 operations center called CyWatch and specialized “cyber squads” based in its 56 field offices.

Saryu Nayyar, CEO of security company Gurucul, told Breaking Defense, “A threat like this really is one of those rare ‘Stop what you are doing and fix this now!’ events.”

The advisory is notable in that it maps what is currently known about threat actors’ tactics, techniques, and procedures (TTPs) onto MITRE’s ATT&CK framework, providing one of the first detailed looks at the end-to-end cyber kill chain for this hack.

While discovering the zero days may have required specialized technical skill, exploiting them does not. Security company Volexity, one of the first to observe the zero days being exploited in the wild, wrote in a Mar. 2 blog post, “This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”

The ease of exploitation and the prevalence of unpatched, on-premises Exchange servers help to explain the reportedly high number of successful attacks, threat actors involved, and victim organizations. These Exchange server attacks come nowhere near the level of technical sophistication demonstrated in the hack of the SolarWinds Orion Platform.

The joint advisory reiterates that, left unpatched, the four zero-day vulnerabilities “pose a serious risk” to federal agencies and other organizations. So far, the FBI has seen threat actors targeting “local governments, academic institutions, non-governmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical.”

Microsoft initially disclosed the four vulnerabilities on Mar. 2 and released out-of-band patches, which are still considered the best permanent fix for the zero days. But additional remediation and mitigation measures could be required if web shells are discovered in an already compromised server. Microsoft provides detailed guidance here.

Based on threat intelligence and forensics evidence Microsoft gathered, the tech giant attributed the initial attacks to a China-based threat actor group it calls HAFNIUM, whose primary motive appears to be cyberespionage. But once the vulnerabilities became public — and it became clear how easy they were to exploit — the hack became what Recorded Future called “a free-for-all.”