An ongoing investigation into the active exploit of four Microsoft Exchange zero-day flaws has revealed attacks against local US government agencies.
On March 2, Microsoft warned that the four zero-day vulnerabilities — now tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — were being exploited by threat actors in the wild.
If abused, the vulnerabilities could be used to compromise servers running Exchange Server 2013, 2016, and 2019 software.
Microsoft has urged customers to immediately apply patches provided to fix the vulnerabilities, but as is often the case with the disclosure of zero-days, cyberattackers are quick to exploit them.
According to FireEye’s Mandiant Managed Defense cybersecurity team, a wave of attacks against US targets has been tracked that abuses the Exchange security flaws.
Among the latest victims are local government entities, an unnamed university, an engineering company, and a host of retailers in the United States.
This month, one threat actor was observed using at least one of the vulnerabilities to deploy a web shell on a vulnerable Exchange server in order to “establish both persistence and secondary access,” according to the team. In two cases, cyberattackers sought to delete existing administrator accounts on Exchange servers.
Credential theft, the compression of data for exfiltration, and the use of PowerShell to steal entire email inboxes were also recorded. Covenant, Nishang, and PowerCat tools are being used to maintain remote access.
Mandiant added that the compromise of two other entities, a Southeast Asian government and a Central Asian telecommunications firm, may be related to this campaign.
“The activity we have observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments,” Mandiant says. “This activity is followed quickly by additional access and persistent mechanisms.”
Microsoft has previously attributed attacks to Hafnium, a Chinese state-sponsored advanced persistent threat (APT) group. The APT has been connected to assaults in the past against US defense firms, the legal sector, researchers, and think tanks.
Mandiant expects more clusters of intrusions to appear, a problem that will likely be ongoing until more vulnerable servers are patched. Kaspersky says that there is a high risk of ransomware and data theft.
Microsoft Exchange users are urged to update their software as quickly as possible.
In related news this week, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive instructing federal agencies to immediately tackle the Microsoft Exchange vulnerabilities.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0