Exchange Server attacks: Microsoft shares intelligence on post-compromise activities

Many on-premises Exchange servers are being patched, but Microsoft warns that its investigations have found multiple threats lurking on already-compromised systems.

Microsoft is raising an alarm over potential follow-on attacks targeting already compromised Exchange servers, especially where the attackers used web shell scripts to gain persistence on the server, or where the attacker stole credentials during earlier attacks.

Microsoft released patches for Exchange on-premises systems on March 2. Four Exchange bugs were already under attack from a state-sponsored hacking group known as Hafnium.


Microsoft earlier this week said that 92% of vulnerable Exchange servers had been patched or had mitigations applied. However, cybersecurity firm F-Secure said “tens of thousands” of Exchange servers had already been breached.

In a new blog post, Microsoft reiterated its warning that “patching a system does not necessarily remove the access of the attacker”.

“Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions,” the Microsoft 365 Defender Threat Intelligence Team notes.

Where systems have been compromised, Microsoft urges admins to follow the principle of least privilege and mitigate lateral movement on the network.

Least privilege will help address the common practice where an Exchange service or scheduled task has been configured with a highly privileged account to perform tasks like backups.

“As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection, as the account can be used to elevate privileges later,” Microsoft notes.

Using DoejoCrypt ransomware, aka DearCry, as an example, Microsoft notes that the web shells used by that strain write a batch file to C:\Windows\Temp\xx.bat. This was found on all systems hit by DoejoCrypt and may offer the attacker a path to regaining access where infections have been detected and removed.

“This batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA [Local Security Authority] Secrets portion of the registry, where passwords for services and scheduled tasks are stored,” Microsoft notes.

Even where victims have not been ransomed, the attacker’s use of the xx.bat file allows them to explore a network via the web shell that dropped the file in the first place. The web shell also downloads the Cobalt Strike penetration testing kit before downloading the ransomware payload and encrypting files. In other words, a victim may not have been ransomed today, but the attacker has left the tools on the network to do it tomorrow.
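As an added illustration of how a defender would hunt for the DoejoCrypt artefacts described above (this is example code written for this article, not Microsoft's tooling or any published detection), the script below scans process-creation events for execution of C:\Windows\Temp\xx.bat and for backups of the SAM, SYSTEM and SECURITY hives. It assumes events are rendered as Key="value" lines, that a hive backup shows up as a `reg save`/`reg export` command line, and that the web shell runs under the IIS worker process w3wp.exe; the sample events are constructed.

```python
"""Hunt process-creation events for the DoejoCrypt/DearCry post-compromise
artefacts: the C:\\Windows\\Temp\\xx.bat batch file, SAM/SYSTEM/SECURITY hive
backups, and shells spawned by the IIS worker. Added example, not Microsoft's
code; the Key="value" event format and all sample lines are constructed."""
import re

XX_BAT = re.compile(r"c:\\windows\\temp\\xx\.bat", re.IGNORECASE)
# Assumption: the hive backup the article describes appears as
# `reg save` / `reg export` of HKLM\SAM, HKLM\SYSTEM or HKLM\SECURITY.
HIVE_BACKUP = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+"
    r"(?:hklm|hkey_local_machine)\\(sam|system|security)\b",
    re.IGNORECASE,
)
# Assumption: the web shell lives in IIS, so a shell whose parent is the
# IIS worker process (w3wp.exe) is flagged as a likely web shell child.
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    'Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Windows\\System32\\inetsrv\\w3wp.exe" '
    'CommandLine="cmd.exe /c C:\\Windows\\Temp\\xx.bat"',
    'Image="C:\\Windows\\System32\\reg.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"',
    'Image="C:\\Windows\\System32\\reg.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="reg save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv"',
    'Image="C:\\Windows\\System32\\svchost.exe" ParentImage="C:\\Windows\\System32\\services.exe" '
    'CommandLine="svchost.exe -k netsvcs"',
]

def parse_event(line):
    """Turn a Key="value" event line into a dict with lower-cased keys."""
    return {m.group(1).lower(): m.group(2) or m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def scan(lines):
    """Return (line_no, rule, detail) triples for every suspicious event."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        image, parent = ev.get("image", ""), ev.get("parentimage", "")
        cmd = ev.get("commandline", "")
        if XX_BAT.search(cmd) or XX_BAT.search(image):
            findings.append((n, "xx.bat", "DoejoCrypt batch file executed"))
        hive = HIVE_BACKUP.search(cmd)
        if hive:
            findings.append((n, "hive-backup", hive.group(1).upper()))
        if parent.lower().endswith("\\w3wp.exe") and image.lower().rsplit("\\", 1)[-1] in SHELLS:
            findings.append((n, "webshell-child", image))
    return findings
```

Running `scan(SAMPLE_LOG)` flags the first three constructed events and leaves the benign svchost.exe launch alone.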

The other cybercrime threat to Exchange servers comes from malicious cryptocurrency miners. The Lemon Duck cryptocurrency botnet was observed exploiting vulnerable Exchange servers. Interestingly, the operators of Lemon Duck cleaned up an Exchange server with the xx.bat file and a web shell, giving it exclusive access to the Exchange server. Microsoft also found that it was being used to install other malware rather than simply mining for cryptocurrency.

Microsoft has published numerous indicators of compromise that network defenders can use to search for the presence of these threats and for signs of credential theft.