BRATISLAVA, MONTREAL – ESET Research has discovered that more than ten different advanced persistent threat (APT) groups are exploiting the recent Microsoft Exchange vulnerabilities to compromise email servers. ESET has identified more than 5,000 email servers that have been affected by malicious activity related to the incident. The servers belong to organizations – businesses and governments alike – from around the world, including high-profile ones. Thus, the threat is not limited to the widely reported Hafnium group.

In early March, Microsoft released patches for Exchange Server 2013, 2016 and 2019 that fix a series of pre-authentication remote code execution (RCE) vulnerabilities. The vulnerabilities allow an attacker to take over any reachable Exchange server, without the need to know any valid account credentials, making internet-connected Exchange servers especially vulnerable.

“The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse. Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign. However, it is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later,” says Matthieu Faou, who is leading ESET’s research effort into the recent Exchange vulnerability chain. ESET researchers noticed that some APT groups were exploiting the vulnerabilities even before the patches were released. “This means we can discard the possibility that those groups built an exploit by reverse engineering Microsoft updates,” adds Faou.

ESET telemetry flagged the presence of webshells (malicious programs or scripts that allow remote control of a server via a web browser) on more than 5,000 unique servers in over 115 countries.

ESET hourly detections for webshells dropped via CVE-2021-26855 – one of the recent Exchange vulnerabilities

Proportion of webshell detections by country (2021-02-28 to 2021-03-09)

ESET has identified more than ten different threat actors that likely leveraged the recent Microsoft Exchange RCE vulnerabilities in order to install malware like webshells and backdoors on victims’ email servers. In some cases, several threat actors were targeting the same organization.

The identified threat groups and behavior clusters are:

• Tick – compromised the web server of a company based in East Asia that provides IT services. As in the case of LuckyMouse and Calypso, the group likely had access to an exploit prior to the release of the patches.
• LuckyMouse – compromised the email server of a governmental entity in the Middle East. This APT group likely had an exploit at least one day before the patches were released, when it was still a zero day.
• Calypso – compromised the email servers of governmental entities in the Middle East and in South America. The group likely had access to the exploit as a zero day. In the following days, Calypso operators targeted additional servers of governmental entities and private companies in Africa, Asia and Europe.
• Websiic – targeted seven email servers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a governmental body in Eastern Europe. ESET named this new cluster of activity as Websiic.
• Winnti Group – compromised the email servers of an oil company and a construction equipment company in Asia. The group likely had access to an exploit prior to the release of the patches.
• Tonto Team – compromised the email servers of a procurement company and of a consulting company specialized in software development and cybersecurity, both based in Eastern Europe.
• ShadowPad activity – compromised the email servers of a software development company based in Asia and a real estate company based in the Middle East. ESET detected a variant of the ShadowPad backdoor dropped by an unknown group.
• The “Opera” Cobalt Strike – targeted around 650 servers, mostly in the US, Germany, the UK and other European countries just a few hours after the patches were released.
• IIS backdoors – ESET observed IIS backdoors installed via webshells used in these compromises on four email servers located in Asia and South America. One of the backdoors is publicly known as Owlproxy.
• Mikroceen – compromised the exchange server of a utility company in Central Asia, which is the region this group typically targets.
• DLTMiner – ESET detected the deployment of PowerShell downloaders on multiple email servers that were previously targeted using the Exchange vulnerabilities. The network infrastructure used in this attack is linked to a previously reported coin-mining campaign.

“It is now clearly beyond prime time to patch all Exchange servers as soon as possible. Even those not directly exposed to the internet should be patched. In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity. The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet,” advises Faou.

For more technical details about these attacks exploiting the recent Exchange vulnerabilities, read the blogpost “Exchange servers under siege from at least 10 APT groups” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

On March 15, 1962, President John F. Kennedy called on Congress to enact legislation to protect consumer rights – he was the first world leader to formally address the issue. Since 1983 this date has been marked as World Consumer Rights Day. The consumer movement uses this day every year to mobilize action on important issues and campaigns, including digital marketplaces, plastic pollution, and fair mobile phone services. Simply put, celebrating World Consumer Rights Day is an opportunity to demand that the rights of all consumers be respected and protected, and to protest against market abuse and social injustice that undermine those rights.

As the world becomes increasingly digitalized and consumption moves online – with 61% of consumers worldwide shopping online, more often now than they were before the pandemic – the digital aspect of consumer rights is more important than ever. Tech development, from IoT devices to financial technology (FinTech) to new online marketplaces, has a huge impact on consumer rights. As Consumers International notes, digital has become the default way of working for the majority of businesses – and with it comes consumer rights issues, including data protection, privacy, and online scams.

When consumers are online, businesses collect and store data about their purchases and behaviors. This can be convenient, with companies recommending what you’re interested in, sharing discounts, and even reminding you when you need to buy a birthday present. Unfortunately, the downsides can be far more troubling. Organizations may have access to information that helps to influence your decisions, removing some of your free choice without you even realizing. Also, big caches of data – including personally identifiable information (PII) – are attractive to cybercriminals. If breached by hackers, the information stored by online outlets can put you at risk of identity theft, phishing attacks, and scams. This may to contribute to the fact that less than one-third of global consumers (29%) feel very secure when shopping online.

Knowing who has access to information about you is an important step in protecting your data. Mark this World Consumer Rights Day by checking where your information is stored – and what you can do to limit it. According to ESET’s new research into data security and financial technology, consumers around the world are not always aware of how their data is treated. Of those consumers who use free FinTech apps around the world, 50% do not know if these apps sell their data. Seemingly, consumers in different countries have vastly different attitudes to this. Brazil and the UK have the lowest levels of awareness, with over 60% of consumers in both countries not knowing if FinTech apps are selling their data (Brazil 62%, UK 63%). In contrast, far more FinTech users in the US are in the know about how free apps use their data – less than a third (31%) do not know if their data is being sold.

Knowing who has access to your data and how it is being used is a key aspect of protecting your consumer rights online. In President Kennedy’s words, consumers – both online and in store – deserve “the right to safety, the right to be informed, the right to choose, and the right to be heard.” To find out more about World Consumer Rights Day, visit the Consumers International website. For more information on ESET, how to keep your data safe online, and our global FinTech research, click here.

國際資安大廠ESET發現已有十多個駭客組織正在開採微軟於3月2日修補、統稱為ProxyLogon的4個Exchange Server安全漏洞，而且自微軟公布相關漏洞之後，ESET所偵測到的惡意Web Shell大幅增加。

根據ESET的調查，在微軟公布及修補ProxyLogon漏洞之前，就有多個駭客組織開採了相關漏洞，從1月3日的Hafnium，2月28日的Tick，3月1日的LuckyMouse、Calypso Websiic，到3月2日的Winnti，而當微軟公布及修補漏洞之後，又再出現了Tonto、ShadowPad 、Opera、IIS、Mikroceen DLTMiner，而上述除了DLTMiner是為了植入挖礦程式之外，其它所有組織都是屬於鎖定間諜行動的APT駭客組織。

駭客的攻擊路徑類似，在利用ProxyLogon漏洞進駐受駭者系統之後，會先植入惡意的Web Shell，再安裝額外的惡意程式。於是，ESET密切觀察全球Exchange Server上的惡意Web Shell，發現在微軟發布及修補ProxyLogon漏洞之前，被嵌入惡意Web Shell的伺服器不超過200臺，但3月10日時，全球115個國家已有超過5,000臺伺服器含有惡意Web Shell。

ESET研究人員表示，他們至少看到了超過10個APT駭客組織濫用相關漏洞，並針對特定目標發動攻擊，這些駭客組織包括LuckyMouse、Tick，以及Winnti Group等。而對於目前全球的受害情況如何，ESET也提出相關數據──他們對自家用戶進行遙測的結果發現，該公司在全球超過115個國家裡，偵測到至少5千個已遭植入網頁殼層（Web Shell）、疑似受害的Exchange伺服器。

根據ESET的數據顯示，他們約從2月28日就陸續偵測到有Exchange伺服器受害，但在微軟發布修補程式之後，遭到攻擊者濫用CVE-2021-26855漏洞攻擊的郵件伺服器數量，約於世界協調時間（UTC）3月3日零時開始大幅增加，到了4時凌晨，最多出現將近2千臺伺服器被植入網頁殼層。再者，ESET也看到，一些受害組織的Exchange伺服器上，遭到多組人馬鎖定。

以下是ESET揭露的駭客組織與攻擊行動：
1.Tick（Bronze Butler）
開始發動攻擊時間：2021年2月28日
攻擊目標：一家東亞IT服務業者

2.LuckyMouse（APT27、Emissary Panda）
開始發動攻擊時間：2021年3月1日
攻擊目標：一個中東政府實體

3.Calypso
開始發動攻擊時間：2021年3月1日
攻擊目標：中東與北美政府實體

4.Websiic
開始發動攻擊時間：2021年3月1日
攻擊目標：7臺郵件伺服器。這些伺服器所有者的身分，包含了亞洲的IT、電信，以及工程公司，以及一個東歐政府機關。

5.Winnti Group（Barium、APT41）
開始發動攻擊時間：2021年3月2日
攻擊目標：一家石油公司，以及一家建築設備公司

6.Tonto Team（CactusPete）
開始發動攻擊時間：2021年3月3日
攻擊目標：東歐的一家採購公司，以及一家軟體開發暨資安顧問公司

7.未確認身分的駭客組織：此組駭客濫用ShadowPad的攻擊行動
開始發動攻擊時間：2021年3月3日
攻擊目標：一家東亞軟體開發公司，以及一家中東的房仲公司

8.未確認身分的駭客組織：此組駭客發動“Opera”Cobalt Strike攻擊行動
開始發動攻擊時間：2021年3月3日
攻擊目標：截至3月5日約650臺伺服器遭鎖定，多數位於美國，以及德國、英國等歐洲國家

9.未確認身分的駭客組織：此組駭客發動IIS後門攻擊行動
開始發動攻擊時間：2021年3月3日
攻擊目標：4臺郵件伺服器，位於亞洲與南美洲

10.Mikroceen（Vicious Panda）
開始發動攻擊時間：2021年3月4日
攻擊目標：一家位於亞洲中心的公營事業公司

11.DLTMiner
開始發動攻擊時間：2021年3月5日
攻擊目標：N/A

原文出處：https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

#若有任何資安需求，歡迎洽詢台灣二版資安專業團隊，服務電話：(02)7722-6899，或上官網查詢：https://version-2.com.tw/?skip=1

 

• 什麼是終止支援服務(End of Life)?
  在ESET產品結束其生命週期，將不再提供支援或協助，並無法保證產品之功能，含模組更新（其中包含病毒碼更新）。
• 該如何確認ESET使用版本號？
  【開啟ESET產品】→【說明及支援】→【技術支援詳細資料：產品版本】
  相關詳細資訊請參閱：【說明文件】
• 若為受影響之版本號，該如何升級？
  若為Windows 7 & Server 2008 R2請先更新Windows KB4474419、KB4490628；
  若為Windows 10建議移除舊版ESET重啟電腦後，再次下載並安裝；
  若為Windows XP、Server 2003建議系統需更新，若無法更新系統也請安裝ESET符合之產品。
  相關詳細資訊請參閱：
  【Windows 7 & Server 2008 R2-說明文件】【Windows XP、Server 2003-說明文件】
• 受影響之ESET產品 (未提及之系統皆為Windows 系統)

   

  ESET Business 產品名稱	版本號	停止支援	新版載點
  ESET Endpoint Security	6.6.x	2021/03	新版載點
  	5.x-6.4.x	2021/06
  ESET Endpoint Antivirus	7.0.x-7.2-x	2021/12	新版載點
  ESET File Security for Microsoft Windows Server	6.0.x-6.4.x	2021/06	新版載點
  ESET Mail Security for Microsoft Exchange Server			新版載點
  ESET Mail Security for IBM Domino;			新版載點
  ESET Security for Microsoft Sharepoint Server			新版載點
  ESET Mail Security for Microsoft Exchange Server	6.5.x	2021/08	新版載點
  ESET Mail Security for IBM Domino			新版載點
  ESET Security for Microsoft Sharepoint Server			新版載點
  ESET Remote Administrator (ERA)	All version	2020/12	ESET PROTECT
  ESET Security Management Center (ESMC)	7.0.x	2021/11
  ESET File/Mail/Gateway Security for Linux/FreeBSD	4.x含以下	2021/12	不再支援更新
  ESET Endpoint Security for macOS	6.8.x含以下	2021/06	新版載點
  ESET Endpoint Antivirus for macOS			新版載點

  ESET 舊版產品	版本號	停止支援	新版載點
  ESET NOD32 Antivirus Business Edition	4.x含以下	2021/06	至ESET官網確認您的產品， 再至下載符合您系統之軟體新版載點
  ESET Smart Security Business Edition

  ESET Home 產品名稱	版本號	停止支援	新版載點
  ESET Smart Security	10.x含以下	2019/02	新版載點
  ESET NOD32 Antivirus	13.x含以下	2021/10	新版載點
  ESET Internet Security			新版載點
  ESET Smart Security Premium			新版載點

  
  完整詳細資訊，請參閱 https://support-eol.eset.com/tw/trending_eol_products_2021.html
  更多End of Life資訊請參閱：
  ESET End of Life policy (Business products)【相關說明】
  ESET End of Life policy (Home products)【相關說明】