Security Week 11: Exchange Vulnerabilities, GitHub Censorship, and Timeline Attacks

There are "slow" crises in cybersecurity, such as potential attacks on boot code on smartphones and mobile computers - anything that requires physical access to hardware. Problems that do not require such access are also not always something that must be dealt with "yesterday": even critical vulnerabilities are often exploited with many caveats and additional difficulties on the way to important data. Attacks on Microsoft Exchange mail servers are likely to become a textbook example of a rapidly developing problem that is as dangerous as it gets for potential victims.



Four actively exploited Exchange vulnerabilities were disclosed on March 3rd. The second week of the "postal crisis" was eventful. Demo code that exploits the vulnerabilities was published on GitHub. The proof-of-concept was promptly removed, for which GitHub (and Microsoft, as the owner of the service) was criticized. Several studies at once reported attacks on mail servers by not one, but at least a dozen different groups. On March 13 it became known that already compromised servers were being used for attacks involving data encryption and extortion. At the same time, the discoverers of the vulnerabilities clarified the timeline of the investigation: apparently, the key Exchange vulnerability was discovered during an audit back in December.



A detailed timeline of events is published on Brian Krebs's website. According to him, the vendor was notified of the vulnerabilities almost simultaneously by two companies, independently of each other. Volexity notified Microsoft after investigating real attacks. Devcore, unaware that they were being exploited, discovered two of the four vulnerabilities in an Exchange security audit back in October last year. Last week, Devcore published a detailed chronology of its own interaction with Microsoft: in early December, they found a way to bypass authentication on the mail server; on New Year's Eve, they found a vulnerability that allows arbitrary data to be written to the server, and were thus able to simulate a working attack.



At the end of January, Trend Micro reported cases of mail servers being hacked and a web shell being installed for subsequent control over them, but associated the attacks with another vulnerability that had already been closed at that time. In mid-February, Microsoft told Devcore that it planned to fix the vulnerabilities in the regular patch release scheduled for March 9th. But at the very end, those who had previously hacked servers selectively switched to large-scale scanning for and hacking of vulnerable organizations. This, in turn, forced Microsoft to distribute patches on March 3rd, six days before Patch Tuesday. By the time the patches were distributed, the number of attacked mail servers was already estimated at tens of thousands.





On March 12, Microsoft, citing RiskIQ, gave an overall estimate of the number of potentially vulnerable servers. As of March 1, there were about 400 thousand of them. By March 9, 100 thousand servers remained unpatched; by March 12, their number had dropped to 82 thousand. At the same time, a separate drama unfolded around the publication of a PoC on GitHub. After the patch was released, it was only a matter of time before a proof-of-concept was produced by reverse engineering.



The code for the attack on Exchange was published on March 10 and immediately banned on GitHub, for which Microsoft received its share of criticism: is it censorship? As a countermeasure, opponents of censorship started posting copies of the code in their own accounts. It is clear that the Internet does not work like that: what was once published on it can no longer be unpublished. But there is also a counterargument: a finished exploit is, of course, useful for "research" purposes and as part of a suite for testing corporate networks, but for those hundreds of thousands of organizations with an open hole, it will bring even more problems. They are now being attacked by everyone, and the companies caught up in this are most likely those with only the bare minimum of resources for solving any security problems.





If you feel like this story hasn't done enough damage, here's another point. A study by Palo Alto provides some details of a web shell installed on compromised servers. From these details, a Devcore employee known by the nickname Orange Tsai concludes that the exploit he developed was used in real attacks before the patch was released. He privately shared the demo exploit with Microsoft in early January. How did it end up in the hands of one (or more) attacking groups? According to the media, the leak occurred after Microsoft shared information with partners. The exploit was put into operation almost unchanged, and it is identified by the "orange" string embedded in it, left by Orange Tsai.





Well, in conclusion, let's talk about extortion. Closing the vulnerability will not help if the server has already been compromised and its owners were unable to identify the presence of a web shell. It appears that the typical backdoor left behind by the original attacking groups is now being exploited by ransomware operators. Access is used to encrypt data, and the text uses the term DearCry, a reference to the 2017 WannaCry ransomware attack. Brief interim verdict: everything is very bad. It's so bad that Microsoft has released a patch for the long-unsupported Exchange Server 2010. And we still do not know the consequences of the attacks, which were probably accompanied by theft of mail correspondence, hacking of other servers in the corporate network, and so on. The names of the affected organizations are already becoming known. Among them, for example, is the parliament of Norway.



What else happened



BleepingComputer reports a new tactic used by scammers touting "cryptocurrency giveaways" on social media. Instead of mimicking Elon Musk, they advertise the scam in a straightforward manner through paid Twitter mechanisms.



Google has published demo code for research purposes that exploits the Spectre vulnerability. The practical attack demonstrates theft of memory contents through the Chrome 88 browser at a speed of 1 kilobyte per second.



A set of updates for Microsoft products, released on March 9, addresses a zero-day vulnerability in Internet Explorer. And users complain that another update from this set crashes Windows with a blue screen when trying to print something.





The video in the tweet above shows how to trigger a denial of service in a car's multimedia system by connecting a USB keyboard to the port.



Critical vulnerabilities in high-performance BIG-IP and BIG-IQ devices from F5 Networks allow the authorization mechanism to be bypassed.


