First came the hacks, then the patch. Then came more hacks.
The floodgates are open. Ransomware operators and botnet gangs are flocking to vulnerable Exchange servers.
On the day Taiwanese cybersecurity firm Devcore disclosed its findings to Microsoft about critical zero-day flaws in Exchange software in January, researcher Orange Tsai wrote on Twitter about reporting a pre-authentication remote code execution (RCE) chain to an unnamed vendor, adding "This might be the most serious RCE I have ever reported!"
So "serious" that a week later, the situation has swiftly turned from bad to worse.
Following Microsoft's initial disclosure and the rollout of emergency fixes for the four bugs in Exchange software on March 2, unpatched servers have come under heavy assault from nation-state hackers and cybercriminals, who have seized the opportunity to abuse the same bugs to carry out their own attacks.
On the same day, Microsoft also said it detected a Chinese state-sponsored hacking group dubbed Hafnium abusing the vulnerabilities — also called "ProxyLogon" — to install web shells on email servers around the world as early as January 3. The attack is said to have been deployed widely, although post-exploitation activity, including data theft, has been carried out only against a narrow group of targets deemed of interest to the threat actor.
But since then, at least 10 different advanced persistent threat (APT) groups have targeted vulnerable devices — some of which gained access to the details of the vulnerabilities even before the release of the patch — with Check Point Research noting that the number of exploitation attempts on organizations has tripled every two to three hours.
Just as the attacks continue to skyrocket, Microsoft has warned that cybercriminals are now using compromised Microsoft Exchange servers as a pathway to deploy a new ransomware family called DearCry on systems belonging to victims located in Austria, Australia, Canada, Denmark, and the U.S.
The ransomware infections are believed to have started around March 9, indicating that the attackers developed their own private exploit to strike unpatched Exchange email servers. The good news, under the circumstances, is that it's not a self-propagating ransomware variant like WannaCry and requires manual targeting of the Exchange servers to deploy it.
What's more, while previously the flaws were leveraged to plant backdoors for further exploitation within the target environment, hacking groups have gone a step further by hijacking the web shells left by Hafnium to deploy the new ransomware strain as well as cryptominers such as DLTminer.
Also entering the fray is another cryptocurrency mining botnet group called "Lemon_Duck," which has been spotted hitting vulnerable Exchange servers via the ProxyLogon flaws, according to Kaspersky researcher Costin Raiu. The malware is known for installing XMRig Monero miner on infected devices to mine cryptocurrency for the botnet's owners.
While the breadth of the intrusions is still being assessed, Microsoft is also reportedly investigating how the limited and targeted attacks it detected in early January quickly evolved into a widespread mass exploitation campaign, forcing it to release the security fixes a week before they were due.
The Wall Street Journal on Friday reported that investigators are focused on whether a Microsoft partner, with whom the company shared information about the vulnerabilities through its Microsoft Active Protections Program (MAPP), either accidentally or purposefully leaked it to other groups.
It is also being speculated that some tools used in the "second wave" of attacks towards the end of February are similar to proof-of-concept attack code that Microsoft shared with antivirus companies and other security partners on Feb. 23. If so, the bigger question is how the adversaries managed to lay their hands on the private vulnerability disclosure notice.
What’s Trending in Security
🇳🇱 In an operation called "Operation Argus," law enforcement agencies from the Netherlands and Belgium shut down Sky ECC, a company that provided a secure encrypted messaging platform to criminal organizations worldwide. Following Encrochat’s takedown last year, many criminal gangs moved from Encrochat to Sky ECC, the agency said.
In a related development, the U.S. Department of Justice (DoJ) announced an indictment against the chief executive officer of Sky Global and an associate for wilfully participating in a criminal enterprise to help international drug traffickers avoid law enforcement. [Europol / DoJ]
🇬🇧 The U.K. government has quietly been conducting a "small scale" trial of a new surveillance technology that could log and store the web browsing of every single person in the country as part of the Investigatory Powers Act, or Snooper's Charter, which was introduced in 2016. Exact details of what data is collected, which companies are involved and how the information is being used are unclear. [WIRED U.K.]
🇨🇳 End-to-end encryption (E2EE) in chat apps is a double-edged sword. While incorporating the technology makes it impossible for a third party to eavesdrop on conversations, the move is also being seen as a way to completely absolve such platforms of any responsibility when it comes to sharing problematic content. Popular Chinese messaging app Line has found a way to get around E2EE to tackle misinformation without compromising on user privacy. [Rest of World]
⛓️ Google, Linux Foundation, and Red Hat released a new free tool called Sigstore to secure software supply chains by allowing developers to sign their code and for users to verify them to prevent software supply-chain attacks like dependency confusion. [Google Security Blog]
🌀 New evidence showed that the Supernova web shell, deployed on Windows systems by capitalizing on a previously undisclosed zero-day in SolarWinds' Orion network monitoring software, may have been the work of a possible Chinese threat group called Spiral. [The Hacker News]
🇪🇸 Catalan police arrested four suspects, aged between 19 and 27, in Barcelona for allegedly operating a new Android malware strain named FluBot that infected more than 60,000 devices, with 97% of the victims located in Spain. [The Record]
💲 A new ransomware strain called Sarbloh has been found encrypting files along with delivering a message in support of protests against Indian government by farmers in the country over new regulations passed last September. [Bleeping Computer]
🛡️ Intel, Microsoft, and DARPA announced the DPRIVE program, which aims to make fully homomorphic encryption fast enough for practical use, via custom silicon on Azure. [AnandTech]
📲 Truecaller addressed a security issue in its Guardians app that could have allowed an attacker to log into a victim's account using just their phone number and track the locations of all the user's family members. [Pingsafe]
🚨 Security researchers have spotted a new backdoor called "NimzaLoader" that's written in a rare programming language called Nim in a bid to evade detection. [The Hacker News]
💰 The operators of the REvil (aka Sodinokibi) ransomware announced an escalation of their extortion tactics, which now include calling media companies and business partners, as well as launching DDoS attacks to "exert maximum pressure" and force a victim into paying ransom demands. As ransomware attacks continue to rise, it's becoming more evident that encryption is just a means to an end: extortion. [The Record]
🇮🇳 One more reason why fully relying on SMS for two-factor authentication is a bad idea. "Out of one billion average daily commercial SMS deliveries, around 40% traffic was disrupted" earlier this week after Indian telecom providers rolled out new blockchain-based measures to verify every business-oriented text message's content before delivery. The faulty implementation led to interruption of a raft of services and transactions, including one-time passwords. [The Economic Times]
🔐 GitHub fixed a "rare, but potentially serious, security" bug that could have caused users to be logged in to other users' accounts. [GitHub]
🇷🇺 New research from Dragos has revealed that Kamacite, a new group adjacent to the disruptive Russian intelligence hacker group known as Sandworm, targeted U.S. electric utilities, oil and gas facilities as far back as 2017. [WIRED / Dragos]
🗃 The past week in data breaches, leaks, and ransomware: Flagstar Bank, Spain’s State Public Employment Service, and Verkada
That’s it for today. Stay safe!
-Ravie