Microsoft: patch your Exchange servers, they are under attack


Microsoft is warning organizations that use Exchange mail servers, calling on them to keep their systems secure. The company says it observed a massive spike in highly sophisticated attacks in April.

The company’s alert details how attackers combine freely available software with a known, critical vulnerability to attack Exchange mail servers, which are among the most valuable sources of information in any organization.

Exchange has been attacked for months by several state-linked groups, which target these servers through a particularly nasty Exchange security flaw (CVE-2020-0688). The attacks began shortly after Microsoft released patches in February.

The flaw in question stems from the fact that all Exchange mail servers marketed in the last decade used identical cryptographic keys for the back-end of the control panel. This allowed remote attackers to run malware there and take full control of the server to access target email.

But many organizations have ignored Microsoft’s warning to fix the bug. In April, security researchers warned that more than 350,000 Exchange servers with this vulnerability were exposed on the internet.

A long-known fault

“Delete everything and immediately fix this vulnerability,” warned Jonathan Cran, research manager at Kenna Security.

Microsoft says the most common way to compromise Exchange servers is through phishing attacks or attacks on desktop vulnerabilities, followed by lateral movement within the organization to reach an Exchange server, the primary system hosting a target’s email communications.

But in April, the company saw an increase in attacks exploiting a particular remote code execution vulnerability affecting the Internet Information Services (IIS) component of an Exchange server.

“The first scenario is more common, but we are seeing an increase in attacks of the second variety; in particular, attacks that exploit the vulnerabilities of Exchange like CVE-2020-0688,” said Hardik Suri of the Microsoft Defender ATP research team.

“The security update that addresses this vulnerability has been available for several months, but attackers still find vulnerable servers to target today. In many cases, once the attackers have accessed an Exchange server, the next step is the deployment of a web shell in one of the many web paths on the server.”

This new warning from Microsoft comes a week after the Australian government sounded the alarm about ongoing attacks against organizations in the country.

A known modus operandi

The Australian Cyber Security Centre (ACSC) advisory does not highlight the use of CVE-2020-0688, but details techniques similar to those described by Microsoft for attacks against IIS and Exchange mail servers.

In both cases, the attackers deployed web shell backdoor code on the internet-facing parts of Exchange, such as the login page for Outlook on the web, formerly Outlook Web Access.

According to Microsoft, there were several simultaneous campaigns explaining the resurgence of Exchange attacks in April. Most use web shells on Exchange servers connected to the internet for initial access. The attackers used several Web shells, but the most used was China Chopper.

“Telemetry has shown attackers operating on on-premises Exchange servers using deployed web shells,” says Hardik Suri. “Each time attackers interact with the web shell, the hijacked application pool executes the command on behalf of the attacker, generating an interesting process chain. Common services, such as Outlook on the web (formerly known as Outlook Web App or OWA) or the Exchange admin center (EAC, formerly known as the Exchange Control Panel or ECP), running net.exe, cmd.exe and other tools commonly used in attacks (LOLBins) like mshta.exe, are very suspicious and should be investigated further,” warns Hardik Suri.
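The process chain Suri describes (an IIS worker process serving an Exchange application pool spawning cmd.exe, net.exe or mshta.exe) is straightforward to hunt for in process-creation telemetry. The following is an added detection example, not code from the article or from Microsoft. It runs over a few constructed process-creation records modelled loosely on Sysmon Event ID 1 / Security Event 4688 fields, and assumes the default Exchange application pool names (MSExchangeOWAAppPool, MSExchangeECPAppPool and similar), which IIS passes to w3wp.exe in its `-ap` argument.

```python
"""Flag shells and LOLBins spawned by Exchange IIS worker processes.

Added example; not from the article. Input records are constructed
and simplified (image, command line, parent image, parent command line).
"""
from dataclasses import dataclass
import re

# Child binaries the article calls out (cmd.exe, net.exe, mshta.exe)
# plus a few other commonly abused LOLBins. Compared by lower-case file name.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "net.exe", "net1.exe", "mshta.exe",
    "powershell.exe", "rundll32.exe", "regsvr32.exe",
}

# Assumption: Exchange application pools keep their default names
# (MSExchange*AppPool); IIS starts w3wp.exe as: w3wp.exe -ap "<PoolName>" ...
EXCHANGE_POOL_RE = re.compile(r'-ap\s+"?(MSExchange\w*AppPool)"?', re.IGNORECASE)


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def basename(path: str) -> str:
    """File name of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exchange_pool(parent_cmdline: str):
    """Name of the Exchange app pool in a w3wp.exe command line, or None."""
    m = EXCHANGE_POOL_RE.search(parent_cmdline)
    return m.group(1) if m else None


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when an Exchange-pool w3wp.exe spawns a shell or LOLBin."""
    if basename(ev.parent_image) != "w3wp.exe":
        return False
    if exchange_pool(ev.parent_command_line) is None:
        return False
    return basename(ev.image) in SUSPICIOUS_CHILDREN


def find_suspicious(events):
    """Return (pid, app pool, child binary) for every flagged event."""
    return [
        (ev.pid, exchange_pool(ev.parent_command_line), basename(ev.image))
        for ev in events
        if is_suspicious(ev)
    ]


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # OWA pool spawning cmd.exe: the web-shell pattern from the article.
    ProcessEvent(1201, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c hostname',
                 W3WP, f'{W3WP} -ap "MSExchangeOWAAppPool" -v "v4.0" -l "webengine4.dll"'),
    # ECP pool spawning mshta.exe, a LOLBin.
    ProcessEvent(1202, r"C:\Windows\System32\mshta.exe", "mshta.exe",
                 W3WP, f'{W3WP} -ap "MSExchangeECPAppPool" -v "v4.0"'),
    # Normal ASP.NET compilation from the OWA pool: not in the child set.
    ProcessEvent(1203, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig",
                 W3WP, f'{W3WP} -ap "MSExchangeOWAAppPool" -v "v4.0"'),
    # An administrator opening a console from Explorer: benign parent.
    ProcessEvent(1204, r"C:\Windows\System32\cmd.exe", "cmd.exe",
                 r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for pid, pool, child in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} pool={pool} spawned {child}")
```

The rule keys on the parent being w3wp.exe for an Exchange pool rather than on any w3wp.exe, which keeps noise from other IIS sites down; a non-Exchange pool spawning cmd.exe is still worth a separate rule. The child set is deliberately small so that ordinary ASP.NET activity such as csc.exe does not fire.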

After deploying a web shell, attackers explore the target domain and, when a misconfigured server is found, add new accounts to highly privileged groups such as Administrators, Remote Desktop Users and Enterprise Admins.

This gives attackers “unlimited access to all users or groups in the organization”. The credentials of these accounts were then targeted using native Windows tools to dump the memory of the Local Security Authority Subsystem Service (LSASS), a key service for managing authentication in Active Directory domains, and the dumps were uploaded to a remote server to be decrypted.

Use of open source software

To gain persistence on a machine purely in memory, without leaving traces on the hard drive, the attackers turned to open source software. On systems configured to detect the open source Mimikatz credential-dumping tool, attackers used a modified version placed in a wrapper written in the Go programming language.

“The binary used the open source MemoryModule library to load the binary using reflective DLL injection. Thus, the payload never touched the disk and was only present in memory, which enabled fileless persistence,” notes Hardik Suri.

The attackers also attempted to disable Microsoft Defender Antivirus and to turn off archive scanning so that .zip files and compression tools such as rar.exe would not be inspected; these were used to steal .pst files and memory dumps.

Hardik Suri recommends that organizations apply the available updates, enable multi-factor authentication, and ensure that tamper protection is enabled on Windows 10 machines to prevent attackers from disabling the antivirus.

He also suggested that organizations review the membership of highly privileged groups such as Administrators, Remote Desktop Users and Enterprise Admins. Security teams should also apply the principle of least privilege and prioritize alerts indicating suspicious activity on Exchange servers.
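Both the attacker behaviour described earlier (new accounts added to Administrators, Remote Desktop Users and Enterprise Admins) and the recommendation here (review privileged group membership) come down to watching the same events. The following added example, not from the article or from Microsoft, raises an alert for every addition to a highly privileged group in Windows Security event data. The input is a few constructed events shaped after the EventData fields of event IDs 4728 (security-enabled global group), 4732 (local group) and 4756 (universal group); the field names follow those events, and the sample SIDs, account names and domain names are made up.

```python
"""Alert on additions to highly privileged groups from Windows Security events.

Added example; not from the article. Events are constructed dicts
carrying the EventData fields of 4728 / 4732 / 4756 (member added to
a global / local / universal group). Under least privilege these
additions should be rare, so every one is surfaced for review.
"""
from typing import NamedTuple

MEMBER_ADDED_EVENT_IDS = {4728, 4732, 4756}

# Groups the article names, plus Domain Admins. Compared case-insensitively.
PRIVILEGED_GROUPS = {
    "administrators", "remote desktop users",
    "enterprise admins", "domain admins",
}


class Alert(NamedTuple):
    event_id: int
    group: str
    member: str
    added_by: str


def member_label(event: dict) -> str:
    """Best human-readable identity for the added member.

    4728/4756 put a distinguished name in MemberName; 4732 for a local
    group often has MemberName '-' and only a MemberSid.
    """
    name = event.get("MemberName", "-")
    if name and name != "-":
        first = name.split(",", 1)[0]
        return first[3:] if first.upper().startswith("CN=") else name
    return event.get("MemberSid", "<unknown>")


def audit(events) -> list:
    """Return one Alert per addition to a privileged group."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in MEMBER_ADDED_EVENT_IDS:
            continue  # removals (4729/4733/4757) and unrelated events are ignored
        group = ev.get("TargetUserName", "")
        if group.lower() not in PRIVILEGED_GROUPS:
            continue
        added_by = f'{ev.get("SubjectDomainName", "")}\\{ev.get("SubjectUserName", "")}'
        alerts.append(Alert(ev["EventID"], group, member_label(ev), added_by))
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {   # Universal group: Enterprise Admins gains a service account.
        "EventID": 4756, "TargetUserName": "Enterprise Admins",
        "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example",
        "MemberSid": "S-1-5-21-1004336348-1177238915-682003330-1104",
        "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
    },
    {   # Ordinary global group: not privileged, no alert.
        "EventID": 4728, "TargetUserName": "Sales",
        "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example",
        "MemberSid": "S-1-5-21-1004336348-1177238915-682003330-1203",
        "SubjectDomainName": "CORP", "SubjectUserName": "hr-admin",
    },
    {   # Local Administrators on the Exchange server; only the SID is known.
        "EventID": 4732, "TargetUserName": "Administrators",
        "MemberName": "-",
        "MemberSid": "S-1-5-21-1004336348-1177238915-682003330-1105",
        "SubjectDomainName": "EXCH01", "SubjectUserName": "jdoe",
    },
    {   # Removal from Domain Admins: a different event ID, ignored here.
        "EventID": 4729, "TargetUserName": "Domain Admins",
        "MemberName": "CN=old-admin,CN=Users,DC=corp,DC=example",
        "MemberSid": "S-1-5-21-1004336348-1177238915-682003330-1010",
        "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
    },
]

if __name__ == "__main__":
    for a in audit(SAMPLE_EVENTS):
        print(f"ALERT {a.event_id}: {a.member} added to '{a.group}' by {a.added_by}")
```

In a real deployment the alert would be enriched with whether a change ticket exists for the addition; the point of the example is that the three event IDs together cover local, global and universal groups, and that the local-group variant must be handled by SID because it often carries no member name.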

Organizations subject to these types of attacks could benefit from Microsoft Defender ATP’s capabilities, such as behavioral monitoring of IIS and Exchange.

Source: ZDNet.com

Source: www.zdnet.fr
