WASHINGTON: How did multiple threat actors seemingly know about planned security patches for vulnerabilities in Microsoft Exchange software before the company released them? Microsoft said it is investigating.

Meanwhile, a weekend CISA update added malware analysis reports for seven of the many web shells that threat actors are using in a multi-step hack of Exchange servers. The four zero days provide threat actors initial access to servers, and web shells enable threat actors to gain persistent access to and remote control over servers, including remote code execution.

The update included information on recently discovered malware attacks against vulnerable Exchange servers.

Unusual Circumstances Around Exchange Zero-Day Patches

Microsoft said it is now investigating how threat actors appear to have found out about the security patches for four zero-day vulnerabilities in Exchange servers before the company publicly disclosed the zero days and released out-of-band patches. The four zero days are being referred to collectively as ProxyLogon.

The investigation arose, in part, after security research revealed two unusual circumstances around the hacking campaign: The first, uncovered last week by security company ESET, is how threat actors stepped up exploits of ProxyLogon just prior to Microsoft’s announcement. The second is what appears to be potentially coordinated targeting of ProxyLogon by multiple threat actor groups.

In its Mar. 2 public disclosure, Microsoft said the primary threat actor in the Exchange campaign is a previously unknown China-based group the company dubbed HAFNIUM.

According to ESET’s research, another threat actor group dubbed “Tick” began compromising servers in East Asia on Feb. 28, two days before Microsoft’s disclosure. Tick has been active since at least 2008, according to ESET, primarily targeting Japan and other Asian countries for cyberespionage.

Then, on Mar. 1, three more threat actor groups began exploiting ProxyLogon, according to ESET. These groups included “LuckyMouse,” “Calypso,” and “Websiic.” LuckyMouse and Calypso are known threat actors. LuckyMouse focuses on cyberespionage campaigns primarily against governments and international organizations in Asia and the Middle East. Calypso targets governmental organizations in Asia, the Middle East, and South America. Websiic is a previously unidentified threat actor.

Security company Volexity, the first to observe the Exchange vulnerabilities being exploited in the wild, has previously said that it noticed HAFNIUM accelerating its attacks in the days prior to the Mar. 2 disclosure.

So, how did not one, but at least five threat actor groups — all believed to be linked to China — know to step up attacks just before Microsoft’s public disclosure?

Microsoft is reportedly investigating some partners involved in a Microsoft industry group called Microsoft Active Protections Program, which is said to include approximately 80 organizations, including 10 Chinese companies. Through MAPP, Microsoft quietly notifies member organizations of patches before public disclosure and release.

It has been reported that Microsoft is looking at a small Taiwanese security company called DEVCORE, among others. DEVCORE reportedly notified Microsoft of the vulnerabilities in December. A security researcher at DEVCORE made the first public mention of new Exchange server zero-day vulnerabilities in an early January tweet, using the Twitter handle Orange Tsai. DEVCORE is reported to be a MAPP member.

DEVCORE has denied sharing information about the vulnerabilities or then-planned patches prior to Microsoft’s announcement. DEVCORE said it has not been hacked.

A Microsoft spokesperson said there is “no indication” the information leaked from inside the Redmond, Wash.-based technology company.

The investigation continues.

Exchange Server Follow-On Attacks

CISA’s weekend update included new information on ransomware attacks enabled by ProxyLogon and arrived after the agency warned in multiple advisories last week of follow-on Exchange attacks. CISA said the possibilities include additional data exfiltration, ransomware, and even “destructive” attacks.

Security researchers at ID-Ransomware, Microsoft, and McAfee all independently reported late last week that they were observing threat actors using ProxyLogon to install DearCry ransomware. (Microsoft refers to DearCry as DoejoCrypt.)

In addition to the four threat actors it identified as being active prior to public disclosure, ESET said it saw “at least” six additional threat actors exploiting ProxyLogon.

Approximately 80,000 Exchange servers are estimated to still be unpatched, according to security company RiskIQ, which is a high number but an improvement on the estimated 400,000 unpatched servers prior to Mar. 2.