Malicious actors were abusing four vulnerabilities disclosed this week in on-premise instances of Microsoft Exchange Server as far back as January 2021, according to a new report produced by FireEye Mandiant researchers Matt Bromiley, Chris DiGiamo, Andrew Thompson and Robert Wallace.
Disclosed earlier this week alongside an out-of-sequence patch, exploitation of the four vulnerabilities, one rated critical and three medium, was linked by Microsoft to a Chinese advanced persistent threat (APT) group known as Hafnium, although there is already bountiful evidence to suggest exploitation of the CVEs goes far beyond one group.
In Mandiant’s report, the researchers said that had observed multiple instances of abuse within at least one client environment, with observed activity including the creation of web shells to gain persistent access, remote code execution (RCE), and reconnaissance for endpoint security solutions from FireEye, Carbon Black and CrowdStrike.
“The activity reported by Microsoft aligns with our observations. FireEye currently tracks this activity in three clusters, UNC2639, UNC2640, and UNC2643,” said Bromiley, DiGiamo, Thompson and Wallace in a disclosure blog.
“We anticipate additional clusters as we respond to intrusions. We recommend following Microsoft’s guidance and patching Exchange Server immediately to mitigate this activity.”
Like other researchers who have been tracking exploitation, the team said the number of victims was likely much higher than Microsoft has said – it had described them as targeted and limited but this is now hotly disputed.
“Based on our telemetry, we have identified an array of affected victims including US-based retailers, local governments, a university, and an engineering firm. Related activity may also include a Southeast Asian government and Central Asian telecom,” they said.
The team corroborated Microsoft’s assessment of multiple post-exploitation activities, including credential theft, compression of data for exfiltration, use of Exchange PowerShell snap-ins to steal mailbox data, and use of other offensive cyber tools such as Covenant, Nishang and PowerCat for remote access.
“The activity we have observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments. This activity is followed quickly by additional access and persistent mechanisms. We have multiple ongoing cases and will continue to provide insight as we respond to intrusions,” they said.
Meanwhile, more groups have been observed piling in in Hafnium’s wake, with many of them leveraging the China Chopper web shell, a backdoor that allows malicious actors to gain remote control of the compromised system and conduct further post-exploitation activities. Notably, China Chopper contains a GUI interface that allows the user to manage and control the web shell attack commands.
According to Cynet’s Max Malyutin, those using it include Leviathan, closely associated to APT40; Threat Group-3390, aka Emissary Panda, Bronze Union or Iron Tiger; Soft Cell (not the synth-pop duo); and APT41. All of these groups are thought to have some association with activity originating in China.
Gurucul CEO Saryu Nayyar said the ongoing attacks were a reminder that despite stratospheric growth in the use of cloud services, on-premise equipment remains vulnerable and is all too easily neglected.
“With organisations migrating to Microsoft Office 365 en masse over the last few years, it’s easy to forget that on-premises Exchange servers are still in service. Some organisations, notably in government, can’t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come,” said Nayyar.
“This is another case that shows how vital it is to keep up with security patches, and to make sure the organisation’s security stack is up to the task of identifying novel attacks and remediating them quickly,” she added.