Window Closing to Secure Small Organizations from Ransomware
Computer security researchers have acquired an enormous list of compromised email servers from the perpetrators of the mass Microsoft Exchange compromises – a lucky but not uncommon find that is now being put to use to alert infected organizations.
The victim list contains 86,000 IP addresses of Exchange servers infected worldwide as the result of the latest vulnerabilities revealed by Microsoft last week, says Allison Nixon, chief research officer with Unit221b, a New York-based cybersecurity company.
The list is now being used to power a web-based service that can help organizations identify if their email systems were infected in the first wave of attacks, Nixon says. That service, Check My OWA, is now active.
The list contains IP and domains. Users can enter an email address, and Check My OWA will send an email response if the organization appears to be infected. However, Nixon says it is best to log into Exchange and visit the site using the IP address of an actual Exchange server, as the list has many entries with just an IP address and no domain.
The site aims to solve a problem commonly encountered by researchers with mass compromises: A vast group doesn’t know if they’re infected, and it’s difficult to let those that are affected know.
“Out of that frustration, we’ve had to try to figure out what’s the best way to notify victims,” Nixon says.
Nixon says she can’t reveal who found the victim list or where it was located. But she says that while the mass Exchange compromise situation is extraordinary in its scope, it’s not uncommon for researchers to come across lists like this one. The Check My OWA website says the list came “from perpetrators of this mass breach event.”
Perhaps encouragingly, there’s been a noticeable decrease in recent days in new webshells planted in organizations, says Katie Nickels, director of intelligence for Red Canary. Nickels says that insight comes from Red Canary’s own customer base.
“It seems like from our visibility the initial infections have slowed down, but because we saw a lot of activity end of last week and over the weekend, it’s reasonable to assess there are still a lot of victim servers out there and organizations who don’t know they’ve been compromised,” Nickels says.
Nickels says Red Canary has published a blog post aimed at educating administrators at smaller organizations for how to detect infections. Nixon says at minimum, organizations should patch and run an email backup to ensure they at least have a copy of their data.
Frantic Patching, Clean Up
There’s a frantic patching and clean up effort involved right now, and time is running out to hold off broader and uglier impacts than simply backdoored Exchange servers, experts say. That’s due in part to the mystery behind how the attack spread so quickly.
On March 2, Microsoft released patches for four vulnerabilities in Exchange, two of which were found by Cheng-Da Tsai, better known as the security researcher Orange Tsai, of the Taiwanese security company Devcore.
Devcore describes on a website it set up, ProxyLogon, the timeline for its findings. The real zinger bug, CVE-2021-26855, was found on Dec. 10, and Devcore found a second one, CVE-2021-27065, on Dec. 30. Devcore says one day later, they chained the bugs together for a workable, pre-authentication remote code execution exploit.
Efforts to reach Tsai and Devcore weren’t immediately successful.
Devcore reported the bugs to Microsoft through its MSRC portal on Jan. 5. But now it has emerged that various security companies were seeing signs of exploitation prior to that. Volexity said on Tuesday it has traced signs of exploitation of CVE-2021-26855 back to Jan. 3.
After Microsoft’s announcement, security companies including ESET began seeing as many as five so-called advanced persistent threat groups using the bugs to indiscriminately target any exposed server. That activity started as early as Feb. 27, according to Rapid7. It’s unknown how the information managed to fall in the hands of several groups.
“How they [the different attack groups] knew is indeed a puzzle,” says Dmitri Alperovitch, co-founder and former CTO for CrowdStrike, who is now chairman of the Silverado Policy Accelerator.
Although the flaws can be exploited to plant a backdoor that allows access to email, they also can be used to pivot deeper into other infrastructure, posing a wide-ranging and long-term risk.
And that poses an interesting question: Why are organizations still using on-premise Exchange servers rather that hosted Exchange, which leaves patching in the hands of Microsoft?
Turns out, it’s a long, complicated story, as shown in this Twitter thread started by Lesley Carhart of Dragos. Web-based Exchange isn’t as customizable as on-premise Exchange, and just switching over is far from trivial given how Exchange is woven in deep and weird ways into organizations.
The reasons are varied, ranging from routing issues, user permissions, compatibility and compliance reasons to even enabling something as mundane as scan-to-email functionality. This tweet sums it up succinctly:
Facts! A lot of places I’ve worked still had remnants of Exchange because (their words) removing it is akin to replacing the lymphatic system.
— n1cFury (@n1c_fury) March 6, 2021
Nickels says there’s no right answer for every organization about whether to use on-prem or hosted Exchange. She says it depends on each organization’s specific network and their acceptance of risk, and there’s risk in the cloud as well.
“Like many things in this industry, it’s very easy for people to go to one extreme or the other,” Nickels says. “It’s not an easy answer. Each organization I think needs to make an assessment for themselves.”
Nixon says large, well connected organizations are likely to get a heads up that they’re infected, but there’s a long tail of victims that needs to be notified and take action.
She’s hoping Check My OWA will get the word out because there is high concern over what is going to happen in the coming weeks. Nixon says there’s a precious moment of opportunity now to fix the problems.
Infected Exchange servers can also be taken over by other attackers. Already, there are signs threat actors are playing “king of hill,” dropping shells on servers, removing shells from other groups or renaming them, Nixon says.
Nickels says Red Canary saw one organization that had shells dropped on its systems on March 3, then one on March 4 and a third on March 5. She says it is impossible to tell if different attack groups placed those shells due to intelligence gaps.
“We have seen some victims where there are multiple different shells,” Nickels says.
Nixon believes there are storm clouds ahead. Eventually, a proof-of-concept exploit script will likely become public, and then it may be a full-force blitz to infect whatever Exchange servers haven’t been fixed, she says. And that likely means ransomware.
“At some point in time, all of the Exchange servers that are exposed either implode in ransomware or are deleted,” Nixon says. “That [ransomware] is the inevitable final outcome of this situation.”