Microsoft analyzes attacks on Exchange Server and post-compromise activity

With security patches now applied to many on-premises Microsoft Exchange Servers, Microsoft announced the results of an investigation on March 25 and sounded the alarm: systems that were attacked earlier remain exposed to multiple threats. The company warns in particular of potential secondary attacks on Exchange servers compromised in the first wave, where attackers installed web shell scripts to keep persistent access to the server and stole credentials during the initial intrusion.

On March 2, Microsoft released emergency security updates after multiple vulnerabilities, including four zero-days, were found in Exchange Server. It also warned that the vulnerabilities were being exploited by Hafnium, a Chinese APT group (one conducting highly targeted attacks) suspected of state involvement. Microsoft said last week that 92% of the vulnerable Exchange Servers had been patched or mitigated so far, but cybersecurity firm F-Secure has already pointed out that "tens of thousands" of servers have been compromised.

In a blog post, Microsoft reminded readers that "patching a system does not necessarily remove attacker access." According to the Microsoft 365 Defender threat intelligence team, "Many of the affected systems have not yet experienced secondary attacks such as manual ransomware attacks or data breaches, so it is possible that attackers have established access and are maintaining it for a later attack."

Microsoft strongly recommends that administrators of already compromised systems apply the principle of least privilege to limit lateral movement within the network. Applying least privilege counters the common practice of running Exchange server services and scheduled tasks such as backups under high-privilege accounts.
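One concrete way to act on the least-privilege advice is to inventory which accounts the scheduled tasks on an Exchange host actually run under. The script below is an added example written for this article, not Microsoft's code: it parses the verbose CSV that `schtasks /query /fo CSV /v` prints on Windows and flags every task whose "Run As User" is the built-in SYSTEM account or appears in a set of privileged principals (the set an auditor would export from the local Administrators group or the domain's admin groups). The CSV rows, host name and account names are constructed for the example, and the columns are trimmed to those the check needs.

```python
"""Audit which accounts scheduled tasks run under (added example, not Microsoft's code)."""
import csv
import io

# Accounts that are always high privilege on a Windows host.
BUILTIN_PRIVILEGED = {"system", "nt authority\\system", "localsystem"}

# Constructed placeholder: what you would export from Administrators / Domain Admins.
PRIVILEGED_PRINCIPALS = {"contoso\\administrator", "contoso\\svc_exchbackup"}

# Constructed sample of `schtasks /query /fo CSV /v` output, trimmed to a few columns.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Task To Run","Run As User"
"EXCH01","\Exchange Nightly Backup","Ready","C:\Scripts\backup.cmd","CONTOSO\svc_exchbackup"
"EXCH01","\Cleanup Temp","Ready","C:\Scripts\cleanup.cmd","NT AUTHORITY\SYSTEM"
"EXCH01","\Log Rotate","Ready","C:\Scripts\rotate.cmd","CONTOSO\svc_lowpriv"
"EXCH01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","defrag.exe","SYSTEM"
'''


def audit_tasks(csv_text, privileged_principals):
    """Return (task_name, run_as, reason) for every task running with high privilege."""
    privileged = {p.lower() for p in privileged_principals}
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # schtasks may repeat its header line per task folder; skip such rows.
        if row.get("TaskName") == "TaskName":
            continue
        run_as = (row.get("Run As User") or "").strip()
        key = run_as.lower()
        if key in BUILTIN_PRIVILEGED:
            flagged.append((row["TaskName"], run_as, "built-in SYSTEM account"))
        elif key in privileged:
            flagged.append((row["TaskName"], run_as, "member of a privileged group"))
    return flagged


if __name__ == "__main__":
    for name, account, reason in audit_tasks(SAMPLE_CSV, PRIVILEGED_PRINCIPALS):
        print(f"{name}: runs as {account} ({reason})")
```

Microsoft's own tasks under `\Microsoft\Windows\` normally run as SYSTEM, so the findings to act on are the custom tasks (here the nightly backup) that run under a domain account holding admin rights; those are the accounts whose rarely rotated credentials a web shell operator would benefit from most.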
"Service account credentials don't change often, so even if antivirus software detects the early web shell access and blocks that path, the account can later be used for privilege escalation. This could give an attacker a great advantage."

According to the company, for example, a ransomware called "DoejoCrypt" (also known as "DearCry") uses a web shell to create a batch file named `C:\Windows\Temp\xx.bat`. This file has been found on all DoejoCrypt-affected systems and gives attackers a means to regain access even after the infection has been detected and removed. According to Microsoft, "This batch file backs up the Security Account Manager (SAM) database and the System and Security registry hives, making the passwords of local users on the system available to an attacker and, later, giving access to the more sensitive LSA Secrets, which contain the passwords for each service and scheduled task in the registry."

Even if the victim is not required to pay a ransom, the attacker can use the xx.bat file created in the first attack to get back into the network via this web shell. The web shell also downloads the ransomware payload and the penetration testing kit "Cobalt Strike" before encrypting files.

Exchange servers are also targeted by criminals who want to mine cryptocurrency. A cryptocurrency-mining botnet called "Lemon Duck" has been confirmed targeting vulnerable Exchange servers. Interestingly, Lemon Duck is said to remove the xx.bat file and web shell from the Exchange server in an attempt to keep the server for its own exclusive use. Microsoft says it has been found to be used not only to mine cryptocurrency but also to install other malware.

Microsoft has published a number of indicators of compromise (IoCs) that network defenders can use to look for signs of these threats and of credential theft.
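The persistence chain described above (a web shell executing a batch file in `C:\Windows\Temp`, which backs up the SAM, SYSTEM and SECURITY hives) leaves traces in process-creation telemetry that defenders can hunt for. The code below is an added example written for this article; it is not Microsoft's code and not one of its published IoCs. It runs three checks over process-creation records whose fields mirror a Sysmon Event ID 1 or Windows 4688 event: a command line touching `\Windows\Temp\xx.bat`, a registry hive backup of SAM, SYSTEM or SECURITY, and a command interpreter spawned by the IIS worker process `w3wp.exe`. Two assumptions are not stated on the page: the article does not name the command the batch file uses, so `reg save` is assumed as the usual way to back up a hive, and `w3wp.exe` as the parent of web shell commands follows from IIS hosting Exchange's web endpoints. All events are constructed.

```python
"""Hunt for xx.bat persistence and hive backups in process events (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    time: str
    parent_image: str
    image: str
    command_line: str


# Rule 1: the batch file DoejoCrypt drops, as named in the article.
XX_BAT = re.compile(r"\\windows\\temp\\xx\.bat\b", re.I)

# Rule 2: hive backups. Assumption: `reg save` is the command used (not stated on the page).
HIVE_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b", re.I
)

# Rule 3: a shell spawned by the IIS worker process, i.e. a web shell running commands.
SHELLS = {"cmd.exe", "powershell.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (time, rule, command_line) tuples for every matching event."""
    findings = []
    for ev in events:
        if XX_BAT.search(ev.command_line):
            findings.append((ev.time, "xx_bat_persistence", ev.command_line))
        hive = HIVE_SAVE.search(ev.command_line)
        if hive:
            findings.append((ev.time, "hive_backup:" + hive.group(1).upper(), ev.command_line))
        if _basename(ev.parent_image) == "w3wp.exe" and _basename(ev.image) in SHELLS:
            findings.append((ev.time, "webshell_child_process", ev.command_line))
    return findings


# Constructed sample events: three malicious, two benign.
SAMPLE_EVENTS = [
    ProcessEvent("10:00:01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\Temp\xx.bat"),
    ProcessEvent("10:00:02", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\reg.exe", r"reg save hklm\sam C:\Windows\Temp\sam.hiv"),
    ProcessEvent("10:00:03", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\reg.exe", r"reg.exe save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"),
    ProcessEvent("10:00:04", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\reg.exe", r"reg save HKLM\SECURITY C:\Windows\Temp\sec.hiv"),
    ProcessEvent("10:05:00", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("10:06:00", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir C:\\Temp"),
]


if __name__ == "__main__":
    for when, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{when} {rule}: {cmd}")
```

The first event trips two rules at once (the xx.bat path and the `w3wp.exe` to `cmd.exe` parent-child pair), which is the combination worth alerting on even after the server has been patched: it indicates that the web shell still works, not merely that a file was left behind. The last two events are ordinary activity and produce no findings.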