At least five advanced persistent threat (APT) groups were exploiting Microsoft Exchange servers before the company released patches. After Microsoft announced the vulnerabilities, at least five other APTs joined the party, and the number of cyberattack attempts skyrocketed.
On March 2, Microsoft detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server. Microsoft attributed the campaign to the China-linked threat actor group Hafnium. However, the vulnerabilities were, and may still be, exploited by threat actors beyond Hafnium.
Research by ESET showed that the vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 were exploited by at least 10 APT groups.
APTs are state-sponsored hacker groups that engage in espionage and sabotage attacks to steal sensitive data and cripple an opponent’s infrastructure and defense systems. Their operations are now regarded as the biggest threat to government institutions and private organizations.
“Just after the release of the patch, the number of exploitation attempts increased and was quite high during the next few days,” ESET researcher Matthieu Faou said.
According to him, the earliest exploitation of ProxyLogon (vulnerability CVE-2021-26855) happened on January 3 by an APT group known as Hafnium. Two months after, another APT group, known as Tick, started to exploit the vulnerability. On March 1, three new groups - LuckyMouse, Calypso, and Websiic - started exploiting the vulnerability.
“Again, the day after, the Winnti group started to exploit this vulnerability. It was just a few hours before Microsoft released a patch for Exchange. The very next day, we observed that multiple different APT groups started to do mass exploitation of the remote code execution (RCE) vulnerability. It means that they were mass scanning the internet to find vulnerable Exchange servers and compromise them before they were patched,” Faou explained.
Two days after the patch was released, Shodan published statistics, showing that more than 250k servers were vulnerable.
“Due to the ongoing mass exploitation and mass scanning, it is likely that most of them have been compromised. The fact that this vulnerability did not require any valid credentials allowed attackers to perform mass scanning and to compromise very quickly most of the unpatched servers,” Faou said.
During the first week of massive exploitation, ESET uncovered at least 10 APT groups exploiting the ProxyLogon vulnerability. On several occasions, researchers saw multiple threat actors deploying their malware on the same Exchange server.
Faou’s colleague Mathieu Tartare gave an overview of the APT groups.
Tick, according to Tartare, was the first APT group that researchers have seen exploiting the vulnerability. On February 28th, they compromised the mail server of an IT company based in East Asia.
Tick is a cyber espionage group with likely Chinese origins. Its main objective is intellectual property and classified information theft. Researchers can trace their activities back to at least 2008. They mostly target organizations based in South Korea, Japan, and Russia.
One day after Tick, on March 1, researchers observed LuckyMouse, also known as Emissary Panda or APT 27, starting to exploit the vulnerability. LuckyMouse is a Chinese cyber espionage group, active since at least 2010. This APT group is known for having breached the ICAO (International Civil Aviation Organization) and governments in the Middle East. They have good technical capabilities. Their arsenal includes complex backdoors and a rootkit.
On the same day, LuckyMouse was quickly followed by Calypso, which compromised the email servers of government entities in the Middle East and South America. In the following days, Calypso also targeted servers of government entities and private companies in Africa, Asia, and Europe. Calypso is a suspected Chinese cyber espionage group. It was first documented in 2019 by Positive Technology, a global provider of enterprise security solutions for vulnerability and compliance management.
Websiic targeted several email servers belonging to private IT, telecommunications, and engineering companies in Asia, as well as public bodies in Eastern Europe. It is a cyber espionage group. Researchers have not tied Websiic to any known threat actor.
“Last but not least among the groups that exploited the vulnerability before the release of the patch by Microsoft is the Winnti group,” Tartare said. On March 2, a few hours before the release of the patch, they compromised the email servers of two companies based in East Asia. Winnti is a cyber espionage group that has been active since at least 2012. They are responsible for high-profile supply chain attacks leading to compromised software, including CCleaner, Asus, and multiple video games. They target a wide range of verticals, including the chemical and pharmaceutical industry, and the education sector.
Tonto: the party begins
“One day after the release of the patch by Microsoft, the Tonto team joined the party and compromised the email servers of companies based in Eastern Europe,” Tartare recalled. It is a cyber espionage group, and, like Tick, it is pretty old. Researchers can track their activities back to at least 2009. They mostly target governments and institutions in Russia, Japan, and Mongolia. They have been developing and using Bisonal malware (remote access trojan) for more than ten years. Like Tick, the Tonto team is among the groups that have access to the ShadowPad backdoor (one of the largest known supply-chain attacks).
Unattributed ShadowPad activity
From March 3, researchers observed the compromise of email servers at a software development company based in East Asia and a real estate company based in the Middle East, where an attacker dropped ShadowPad. They were not able to conclusively attribute this activity to any known group.
The ShadowPad backdoor is a modular backdoor that was exclusive to the Winnti Group until the end of 2019. To the best of researchers' knowledge, ShadowPad is now used by at least five additional groups: Tick, Tonto Team, KeyBoy, IceFog, and TA428.
The “Opera” Cobalt Strike
Just a few hours after the patch was released, researchers noticed that another set of malicious activities had started. At this point, they don’t know if these threat actors had access to the exploit beforehand or reverse-engineered the patch. The activity corresponds to indicators published on Twitter and by FireEye, but researchers haven’t been able to link this set to any group they are already tracking.
From March 3 until March 5, ESET telemetry showed this activity targeting around 650 servers, mostly in the US, Germany, the UK, and other European countries.
On March 4, ESET observed the Mikroceen APT group compromising the Exchange server of a utility company in Central Asia. It is a cyber espionage group that targets mostly Central Asia.
The Mikroceen APT group, also known as Vicious Panda, is a threat actor operating since at least 2017. It mainly targets government institutions and telcos in Central Asia, Russia, and Mongolia.
On March 5, ESET detected the deployment of PowerShell downloaders on multiple email servers that were previously targeted using these Exchange vulnerabilities. Contrary to the other groups, DLTMiner is financially motivated. It is also known as Sapphire Pigeon.
Even patched systems might be breached, Brandon Wales, the acting CISA (the Cybersecurity and Infrastructure Security Agency) director, said.
“We know that multiple adversaries have compromised networks prior to patches being applied. And if you apply a patch, your system may still be compromised, the adversary can still be inside of your network, still be able to utilize you to attack others and disrupt your operations,” Wales said.
So companies, even those that have applied patches, should make sure that their systems are not breached.
“You should not have a false sense of security. You should fully understand the risk. In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that,” he said.
According to ESET researchers, even servers that are not directly exposed to the internet should be patched. An attacker with low or unprivileged access to your LAN can trivially exploit these vulnerabilities to raise their privileges while compromising an internal (and probably more sensitive) Exchange server, and then move laterally from it.
“In case of compromise, one should remove web shells, change credentials, and investigate for any additional malicious activity. Finally, this is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet since, in case of mass exploitation, it is very hard, if not impossible, to patch in time,” ESET recommends.