Cyberattacks by exploiting vulnerabilities in Microsoft Exchange
source: own elaboration
In January 2021, a global wave of cyberattacks began. They used four zero-day exploits, programs designed to exploit existing weaknesses in Microsoft Exchange servers before the vendor publishes patches. Thanks to them, attackers gained full access to users' e-mails and passwords, administrator rights on the servers, and access to devices connected to the same network. By mid-March 2021, hackers had attacked more than 250,000 servers, including 30,000 owned by organizations in the United States, as well as servers belonging to the European Banking Authority, the Norwegian Parliament and the Chilean Financial Market Commission (CMF). The other victims were mainly small and medium-sized enterprises, local institutions and local governments. The most frequently attacked were companies and organizations that outsource IT services to external suppliers and therefore have little security of their own.
As Microsoft itself states, Microsoft Exchange is "a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance". It can therefore be considered a target of great value to hackers. An opportunity to take advantage of a weakness in this giant's software came in early 2021 and was carefully exploited to launch cyberattacks around the world.
How was the wave of attacks going?
On January 5, 2021, DEVCORE, a security testing company, submitted a vulnerability report to Microsoft. Microsoft verified the DEVCORE report on January 8. However, as noted by another cybersecurity company, Volexity, the first breach of a Microsoft Exchange Server installation had occurred two days earlier, on January 6, 2021.
A wave of attacks began. On February 27 and 28, 2021, the first automated attacks took place, and by March 2 and 3, 2021, the attackers were already deploying scripts that let them return to the compromised servers later, so-called backdoors (software that gives the attacker full access to the affected servers even if they are patched afterwards). Regarding the first week of March, CrowdStrike co-founder Dmitri Alperovitch stated: "Every possible victim that hadn't patched by mid-to-end of last week has already been hit by at least one or several actors".
On March 2, 2021, Microsoft released updates for Microsoft Exchange Server 2010, 2013, 2016, and 2019, and the Microsoft Security Response Center (MSRC) published out-of-band security updates for the associated Common Vulnerabilities and Exposures (CVE) entries, urging administrators to patch Exchange servers to remove a number of critical security vulnerabilities. However, this didn't reverse the damage or remove the backdoors already installed by the attackers. On the same day, cybersecurity company ESET said that, in addition to the Hafnium group (a Chinese hacker group operating worldwide), which was behind part of the attacks, it had observed numerous other attackers exploiting Microsoft's vulnerabilities, including several powerful espionage organizations.
According to Intel, on March 5, 2021, one of the Microsoft Exchange servers of the world-famous company Acer was attacked. The data on the server was encrypted and the company lost access to it. REvil, the group behind the attack, demanded a ransom of $50 million, claiming that if it received this amount it would not only delete the data stolen from the giant but also decrypt the information on the server and provide a vulnerability report. The ransom was to double if not paid by March 28, 2021.
Two days later, on March 7, 2021, CNN announced that the administration of President Joe Biden would create a task force to deal with the topic of cyberattacks taking advantage of Microsoft Exchange vulnerabilities. Organizations from the private sector were also invited to participate in this group.
Security researcher Nguyen Jang posted 169 lines of code on GitHub (owned by Microsoft) on March 10, 2021, describing how the exploit works. It was intentionally written with errors so that security researchers could understand how it works, but potential hackers couldn't use it as-is to gain access to servers.
On March 12, 2021, Microsoft announced the detection of a "new family of ransomware" called DearCry. It encrypted all files on the servers it infected, making them unable to function. The attackers using DearCry most often demanded payment of a certain amount to restore them.
Microsoft responded on March 15 by releasing a PowerShell utility, the Exchange On-Premises Mitigation Tool, which installs specific updates, runs malware scans, removes detected threats, and finds installed web shells (backdoors). It is recommended only as temporary protection against attacks, as it doesn't install the other available updates.
How did the hackers act?
Attackers used four separate zero-day vulnerabilities to gain access to the Outlook Web Access (OWA) of Microsoft Exchange servers, which allowed them to view e-mail messages, calendar invitations, and sometimes the content of affected corporate servers.
The only information the cybercriminals needed was the server address, which they could obtain directly or by mass scanning for potential victims. The attackers then chained four exploits:
- the first let them connect to the server and fake authentication as a regular user,
- the second escalated this user's access to administrator rights,
- the third let an attacker who had obtained administrator rights write code to the server at any location,
- and the fourth installed a web shell, providing a backdoor to the compromised server (as long as the web shell and the Exchange server remained enabled).
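The chain above leaves two footprints in the Exchange front-end (IIS) logs that a defender can look for: the mass scanning of virtual directories by unauthenticated clients, and later requests to .aspx pages that were never part of the installation (the web shell). The following Python script is an added example, not part of the original article or of any Microsoft tooling; the log lines, client addresses, the "shell_demo.aspx" path and the inventory of known-good pages are all constructed.

```python
from collections import defaultdict

# Constructed sample of Exchange front-end (IIS) log lines, reduced to the
# fields used below: date time cs-method cs-uri-stem sc-status c-ip cs-username.
SAMPLE_LOG = """\
2021-03-02 10:00:01 GET /owa/auth/logon.aspx 200 203.0.113.5 -
2021-03-02 10:00:02 POST /owa/auth/logon.aspx 302 203.0.113.5 -
2021-03-02 10:00:03 GET /owa/ 200 203.0.113.5 CORP\\alice
2021-03-02 10:01:10 GET /ecp/ 401 198.51.100.7 -
2021-03-02 10:01:11 GET /owa/ 401 198.51.100.7 -
2021-03-02 10:01:12 GET /autodiscover/ 401 198.51.100.7 -
2021-03-02 10:01:13 GET /mapi/ 401 198.51.100.7 -
2021-03-02 10:01:14 GET /oab/ 401 198.51.100.7 -
2021-03-02 10:05:40 POST /aspnet_client/shell_demo.aspx 200 198.51.100.7 -
"""

# Constructed inventory of .aspx pages that legitimately exist on the server.
# In practice, generate it from a clean install of the same Exchange build.
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx", "/ecp/default.aspx"}

def parse(log_text):
    """Yield one dict per well-formed log line; skip comments and blanks."""
    for raw in log_text.splitlines():
        parts = raw.split()
        if len(parts) != 7 or raw.startswith("#"):
            continue
        _date, _time, method, uri, status, ip, user = parts
        yield {"method": method, "uri": uri.lower(), "status": int(status),
               "ip": ip, "user": user}

def unknown_aspx_hits(log_text, known=KNOWN_ASPX):
    """Requests to .aspx files outside the inventory: candidate web shells.
    Returns {uri: [client ips]} so each finding can be checked on disk."""
    hits = defaultdict(list)
    for rec in parse(log_text):
        if rec["uri"].endswith(".aspx") and rec["uri"] not in known:
            hits[rec["uri"]].append(rec["ip"])
    return dict(hits)

def probing_clients(log_text, min_dirs=4):
    """Unauthenticated clients that touch many Exchange virtual directories
    and only get 401/404 back: the footprint of the mass scanning described
    above. Returns {ip: sorted list of directories touched}."""
    seen = defaultdict(set)
    for rec in parse(log_text):
        if rec["user"] == "-" and rec["status"] in (401, 404):
            top = "/" + rec["uri"].split("/")[1] + "/"
            seen[rec["ip"]].add(top)
    return {ip: sorted(d) for ip, d in seen.items() if len(d) >= min_dirs}
```

Any path reported by `unknown_aspx_hits` should be compared against the file system and its creation time before treating it as a web shell, since a custom page added by an administrator would be flagged the same way.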
Who was attacked?
Cybercriminals used the vulnerabilities to spy on a wide range of targets (over 250,000 servers in total). Tom Burt, Microsoft's vice president of Customer Security and Trust, wrote that the targets were mostly disease researchers, law firms, universities, defense contractors, NGOs, and think tanks (non-profit organizations dealing with research and analysis on public affairs).
Check Point Research found that the most frequently attacked country was the United States, which was affected by 17% of all attacks, followed by Germany (6%), the UK and the Netherlands (5% each), and Russia (4%). In terms of industries, the government and military sectors led: almost every fourth attack was associated with them (23% of all attacks), followed by manufacturing (15%), banking and financial services (14%), software vendors (7%) and healthcare (6%).
The cyberattacks carried out in early 2021 are further evidence that anyone, even a small entrepreneur, can fall victim to online crime. To protect yourself against it, you should keep the software you use constantly updated, change your access passwords frequently and make them as hard to guess as possible (we also recommend using two-step verification), and invest in good anti-virus programs. However, we would like to remind you that these types of attacks are not the only form of crime committed online; the most common ones include phishing (in which a criminal impersonates another person or institution in order to extract data or force the victim to perform a specific task) and, as we have often mentioned, ad fraud.