Microsoft investigates possible leaks that enable hackers to exploit Exchange

Microsoft investigates possible leaks that enable hackers to exploit Exchange

Microsoft is investigating whether a hacker has caught confidential research on recently discovered Exchange Server vulnerabilities through one of its security partners.

The Wall Street Journal says that Microsoft is trying to explain how an attacker has become limited to the actor, while the tech giant spread each other just before sending a software fix to customers on 2 March. When Microsoft first revealed the four vulnerabilities enabling the four bases to compromise the Exchange, the company said that a China-based group called Hafnium was exploiting the hole. After Microsoft released the patch, other groups were discovered using exploits to install web shells and back doors.

However, not long after this revelation, ESET stated that it was revealed that four other threat actors were using the exploit before Microsoft's patch was released, suggesting that those groups did not reverse engineer the Microsoft patch did.

According to the Journal, Microsoft shared some threat information about the vulnerability with security partners before March 2. Microsoft is reportedly unknowingly considering the possibility of a partner - or intentionally - leaking information because some of the tools used in the second wave of attacks. The end of February "proof of concept" attack code is similar to Microsoft's distributed in trust.

Meanwhile, security experts continue to use the techniques that some are calling a Proxylogan attack. Researchers at Trustwave's SpiderLabs released a report on Hafnium's web shell this morning after compromising with Exchange Savers.

Known as the Chinese Chopper Web Shell, it is an Active Server Page Extended (ASPX) web shell typically performed on Internet Information Services (IIS) servers to execute code through an exploit such as Downloading and uploading files, report notes. Usually the shell is just one line and there are many versions to execute code in different languages ​​such as ASP, ASPX, PHP, JSP and CFM. It is a web shell that has been in use for years.

The report states, "In addition to ASPX scripts, while checking the server for signs of compromise, also be aware of the associated DLLs generated by the ASP.NET runtime."

Dearcree Ransomware Analysis

Separately, Sophos offered insight into the Dyersi ransomware that a threat group is beating up with ProxyLogon victims. From an encryption-behavior standpoint, DearCry is a 'copy' ransomware, which is Mark Lowman, director of the Sopos Engineering Technology Office. It creates encrypted copies of the attacked files and removes the original. This causes encrypted files to be stored on different logical fields, allowing victims to potentially recover some data - depending on where Windows Freeze reuses logical fields. Human powered ransomware and in-place 'ransomware such as Ryuk, REvil, BitPaymer, Maze and Clop are. Because of this attack the encrypted file can logically be stored on the same fields, making data retrieval impossible by uncompressed tools.

Sophos maintains that Diercree's encryption is based on a public-key cryptocurrency. The public encryption key is embedded in the ransomware binary, meaning that it does not need to contact the attacker's command-and-control server to encrypt your files. Microsoft Exchange servers that are set to allow Internet access for Exchange services only will still be encrypted. Without the decryption key (which owns the attacker), decryption is impossible.

"WannaCry was also a copy ransomware. DearCry not only shares a similar name, but also has an equally similar file header, ”Lowman wrote. “Defenders should take immediate steps to install Microsoft's patch to prevent exploitation of their Microsoft Exchange patches. If this is not possible, the server must be cut off from the Internet or closely monitored by a threat response team.

While IT administrators are quickly installing Microsoft patches to cover supported and unsupported versions, it is believed that there are still thousands of unreleased installations.

According to Check Point Software, the number of ProxyLogin attacks has increased from 700 on March 11 to 7,200 as of this morning.

The countries that have suffered the most attacks are the United States (17 percent of all exploitation attempts), followed by Germany (six percent), the United Kingdom (five percent), the Netherlands (five percent) and Russia (four percent). ) Belongs to.

The most targeted industry sectors are government / military (23 percent of all exploitation efforts), followed by manufacturing (15 percent), banking and financial services (14 percent), software vendors (seven percent) and healthcare (six per cent). .