Attacks Surge After Code Published

There has been a spike in web shells being detected, as ransomware gangs and other attackers increasingly target vulnerable Microsoft Exchange Servers following publication of proof-of-concept attack code for ProxyLogon, which is one of four zero-day flaws patched by Microsoft in early March.

See Also: Live Webinar | Mitigating the Risks Associated with Remote Work

A new report by security firm F-Secure says that since proof-of-concept code was first released on March 13 for exploiting the ProxyLogon flaw, it has been increasingly exploited by criminal gangs, state-backed threat actors and script kiddies globally.

Malicious activity tied to such attacks includes the “Downloader.Gen” Trojan web shell, F-Secure says, noting that detections of the tool surged following the release of the proof-of-concept exploit. F-Secure says it saw increases especially in Italy, Germany, France, the United Kingdom, the United States, Belgium, Kuwait, Sweden, the Netherlands and Taiwan.

“Although it peaked last Wednesday, (F-Secure) continues to detect significant amounts of activity, in the tens of thousands,” the report notes.

Security experts have been warning that as more and more security researchers have been releasing proof-of-concept attack code, criminals and others would no doubt begin to put it to use.

“The current situation is a crisis, and despite efforts to take down the emerging ProxyLogon PoCs, or neuter them by making them less than fully functional, you can bet they will be put to use by criminals,” Pieter Arntz, a malware intelligence researcher at Malwarebytes, warned on Tuesday. “This while the owners of the remaining unpatched systems are scrambling to save what they can.”

Organizations: Assume You Have Been Breached

Although patches for the flaw have been released by Microsoft, F-Secure notes that half of in-use Exchange servers remain unpatched. As a result, thousands of Exchange servers are at risk of potential compromise. In addition, Antti Laatikainen, senior security consultant at F-Secure, notes that patching alone does not guarantee server security, as attackers could have breached networks before any updates were installed.

“Because ProxyLogon allows access to the lower layers of the server – and from there to the rest of the organization’s network – this makes an extensive series of silent network intrusions possible,” F-Secure says. “These breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen. If an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now.”

Therefore, Laatikainen says organizations should assume they have been breached and take necessary security measures such as deploying endpoint detection and effective network monitoring to mitigate the threat. Laatikainen recommends proceeding with urgency: “We’re nearing the end of the period of time when we can influence how much data is stolen. There are a ton of things they (companies using Microsoft Exchange) can do manually to prevent a full disaster. I just encourage them to do them immediately.”

“Never in the past 20 years that I’ve been in the industry has it been as justified to assume that there has been at least a digital knock at the door for every business with Exchange Outlook Web Access installed in the world,” he says. “Because access is so easy, you can assume that majority of these environments have been breached.”

Ransomware Threats

Since the zero days were disclosed, security experts have been warning that ransomware gangs were sure to begin exploiting the flaws, including the ProxyLogon vulnerability.

ProxyLogon, which has been designated as CVE-2021-26855, is a Microsoft Exchange Server vulnerability that allows an attacker to bypass the authentication and impersonate an administrator. Earlier in March, Microsoft warned that attackers were exploiting the flaws in the wild (see: Microsoft Exchange: Server Attack Attempts Skyrocket).

On Friday, BleepingComputer reported that the REvil – aka Sodinokibi – ransomware-as-a-service operation had targeted Taiwanese PC-maker Acer, likely via the ProxyLogon flaw. The criminal group allegedly accessed the company’s financial spreadsheets, bank balances and bank communications and leaked images of these documents, then issued an opening ransom demand of $50 million, which is the largest sum ever known to be demanded by a ransomware group.

Earlier this month, Microsoft warned that attackers were wielding a new strain of ransomware called DearCry, designed to exploit the ProxyLogon flaw in unpatched versions of Microsoft Exchange running on premises and crypto-lock files and demand a ransom from victims in return for the promise of a decryption tool (see: DearCry Ransomware Targets Unpatched Exchange Servers).

When Microsoft first began releasing security updates on March 2, it warned that a Chinese APT group called Hafnium appeared to have been exploiting the flaws in recent months. But security firm ESET subsequently reported that at least 10 APT groups have been exploiting the flaws, including some before March 2.