Many on-premises Exchange servers are being hijacked, and Microsoft warns that its investigations have found a number of threats capitalizing on already-compromised systems.
Microsoft is raising the alarm about possible follow-up attacks on already-compromised Exchange servers, especially where the attackers used web shell scripts to gain persistence on the server, or where the attacker stole credentials during the earlier attack.
Microsoft released patches for on-premises Exchange systems on March 2nd. The four Exchange vulnerabilities had already been attacked by a state-backed hacking group known as Hafnium.
Microsoft said earlier in the week that 92% of vulnerable Exchange servers had been patched or had a mitigation applied. However, cybersecurity company F-Secure said "tens of thousands" of Exchange servers have already been hacked.
In a new blog post, Microsoft reiterated its warning that "patching a system does not necessarily remove the access of the attacker".
"Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions," the Microsoft 365 Defender Threat Intelligence Team notes.
Where systems have been compromised, Microsoft urges admins to apply the principle of least privilege and to mitigate lateral movement across the network.
Least privilege addresses the common practice of configuring an Exchange service or scheduled task with a highly privileged account so that it can perform tasks such as backups.
"Because service account credentials are not changed frequently, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection, as the account can be used to elevate privileges later," Microsoft notes.
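One way for a defender to act on the least-privilege advice above is to inventory which services and scheduled tasks on an Exchange host run under named accounts rather than the built-in service identities, and flag any that sit in the local Administrators group. The script below is an added example, not code from the article or from Microsoft; the list of built-in identities and the choice to flag only local Administrators membership are assumptions that should be adjusted to the environment (domain group checks would additionally need the ActiveDirectory module).

```powershell
# Added example (not from the article or Microsoft): audit services and scheduled
# tasks that run under explicit accounts, so highly privileged service accounts
# can be reviewed and moved to least-privilege identities.

# Assumption: built-in identities that are not themselves reusable credentials.
$builtIn = @(
    'LocalSystem', 'SYSTEM', 'NT AUTHORITY\SYSTEM',
    'LOCAL SERVICE', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
    'NETWORK SERVICE', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE',
    'INTERACTIVE', 'Users', 'Authenticated Users'
)

# Normalize ".\account" (local) to "COMPUTERNAME\account" so it matches group member names.
function Resolve-AccountName([string]$name) {
    if ($name -like '.\*') { return "$env:COMPUTERNAME\" + $name.Substring(2) }
    return $name
}

# Members of the local Administrators group, by full name (DOMAIN\user or HOST\user).
$localAdmins = @()
try {
    $localAdmins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name
} catch {
    Write-Warning "Could not enumerate local Administrators: $_"
}

$findings = @()

# Services: StartName is the logon account the service runs as.
Get-CimInstance Win32_Service | Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
    ForEach-Object {
        $acct = Resolve-AccountName $_.StartName
        $findings += [pscustomobject]@{
            Type       = 'Service'
            Name       = $_.Name
            Account    = $acct
            LocalAdmin = ($localAdmins -contains $acct)
            Path       = $_.PathName
        }
    }

# Scheduled tasks: Principal.UserId is the account the task runs as.
Get-ScheduledTask | Where-Object { $_.Principal.UserId -and ($builtIn -notcontains $_.Principal.UserId) } |
    ForEach-Object {
        $acct = Resolve-AccountName $_.Principal.UserId
        $findings += [pscustomobject]@{
            Type       = 'ScheduledTask'
            Name       = $_.TaskName
            Account    = $acct
            LocalAdmin = ($localAdmins -contains $acct)
            Path       = $_.TaskPath
        }
    }

# Report privileged ones first; every entry is a candidate for a least-privilege account
# and for a credential rotation if the host was compromised.
$findings | Sort-Object -Property @{Expression = 'LocalAdmin'; Descending = $true}, Account |
    Format-Table Type, Name, Account, LocalAdmin, Path -AutoSize
```

Run it in an elevated PowerShell session on the Exchange server; any row with `LocalAdmin` set to `True`, and any domain account that turns out to be in Domain Admins or Exchange Organization Management, is exactly the kind of standing high-privilege credential the article describes, and its password should be rotated as part of the incident response.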
Taking the DoejoCrypt ransomware, aka DearCry, as an example, Microsoft notes that the web shells used by that gang write a batch file to C:\Windows\Temp\xx.bat. This has been found on all systems hit by DoejoCrypt and may give the attacker a way to regain access where infections have been detected and removed.
"This batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA [Local Security Authority] Secrets portion of the registry, where passwords for services and scheduled tasks are stored," Microsoft notes.
Even where victims have not been ransomed, the attacker's use of the xx.bat file allows them to explore a network via the web shell that dropped the file in the first place. The web shell also downloads the Cobalt Strike penetration testing kit before downloading the ransomware payload and encrypting files. In other words, a victim may not have been ransomed today, but the attacker has left the tools on the network to do so tomorrow.
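Because the xx.bat artifact and the hive backups it produces are the concrete traces the article describes, a defender can hunt for them directly on a patched Exchange host. The script below is an added example and is not code from the article or from Microsoft: the fixed path comes from the text, while the candidate output file names for the hive exports and the temp directories searched are assumptions (the batch file's actual output names are not given on the page).

```powershell
# Added example (not from the article or Microsoft): look for the xx.bat dropper
# artifact and for exported SAM/SYSTEM/SECURITY registry hives on the local host.

# Path named in the article.
$batchPath = Join-Path $env:SystemRoot 'Temp\xx.bat'

# Assumption: temp locations worth checking for hive exports; extend as needed.
$searchDirs = @((Join-Path $env:SystemRoot 'Temp'), $env:TEMP) | Select-Object -Unique

# Assumption: typical file names for exported hives; the real names are not on the page.
$hivePattern = '^(sam|system|security)(\.(hiv|hive|save|bak|dat))?$'

$report = [ordered]@{ BatchFile = $null; HiveExports = @() }

if (Test-Path -LiteralPath $batchPath) {
    $item = Get-Item -LiteralPath $batchPath
    # Record hash and timestamps before anything is deleted, so the timeline survives.
    $report.BatchFile = [pscustomobject]@{
        Path        = $item.FullName
        CreatedUtc  = $item.CreationTimeUtc
        ModifiedUtc = $item.LastWriteTimeUtc
        SizeBytes   = $item.Length
        SHA256      = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        # Does the file reference saving registry hives, as the article describes?
        SavesHives  = [bool](Select-String -LiteralPath $item.FullName -Pattern 'reg(\.exe)?\s+save' -Quiet)
    }
}

foreach ($dir in $searchDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $hivePattern } |
        ForEach-Object {
            $report.HiveExports += [pscustomobject]@{
                Path        = $_.FullName
                CreatedUtc  = $_.CreationTimeUtc
                SizeBytes   = $_.Length
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($null -eq $report.BatchFile -and $report.HiveExports.Count -eq 0) {
    Write-Output 'No xx.bat artifact or hive export found in the searched locations.'
} else {
    Write-Warning 'Artifacts consistent with the DoejoCrypt batch file were found; treat the host as compromised.'
    $report.BatchFile | Format-List
    $report.HiveExports | Format-Table Path, CreatedUtc, SizeBytes, SHA256 -AutoSize
}
```

A hit on either check means local account hashes and LSA Secrets (service and scheduled-task passwords) should be assumed exposed, so beyond removing the web shell the response has to include rotating those credentials, which is the point the article's Cobalt Strike and "tools left on the network" remarks are making.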
The other threat to Exchange servers comes from malicious cryptocurrency miners. The Lemon Duck cryptocurrency botnet was seen taking advantage of vulnerable Exchange servers. Interestingly, Lemon Duck operators were observed cleaning an Exchange server of the xx.bat file and a web shell, giving themselves exclusive access to the server. Microsoft also found Lemon Duck being used to install other malware, not just cryptocurrency miners.
Microsoft has published a number of indicators of compromise that network defenders can use to detect the presence of these threats and signs of credential theft.