Huntress has challenged Microsoft’s claim that Chinese hackers executed “limited and targeted attacks” against on-premises Exchange servers, arguing the scope of compromise is fairly widespread.
The managed detection and response (MDR) vendor said in a blog post that roughly 400 of the 2,000 Exchange servers the company has checked are susceptible to the zero-day vulnerabilities being exploited by Chinese hacking group Hafnium, with an additionally 100 servers potentially vulnerable. In addition, Huntress said nearly 200 of its partners’ servers have received malicious web shell payloads.
“This seems to be a much larger spread than just ‘limited and targeted attacks’ as Microsoft has suggested,” Huntress Senior Security Researcher John Hammond wrote in a blog post Wednesday. “These [victim] companies do not perfectly align with Microsoft’s guidance.”
Microsoft asserted Tuesday that Hafnium targets high-profile organisations such as infectious disease researchers, policy think tanks, higher education institutions, law firms, defence contractors and NGOs in hopes of exfiltrating information. But Huntress has found that many Microsoft Exchange attack victims are “less than sexy” mid-market businesses, he said.
Some of the lower-profile victims Huntress has seen include small hotels, an ice cream company, a kitchen appliance manufacturer, and multiple senior citizen communities, according to Hammond. Other victims spotted by Huntress more closely hew to Microsoft’s description, including city and county governments, healthcare providers, banks/financial institutions, and residential electricity providers.
Microsoft told CRN that it recommends “customers update as soon as possible as we anticipate that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.” The company’s stock is down $5.77 (2.47 percent) to $228.10 per share in trading Wednesday afternoon.
Among the vulnerable servers, Hammond said Huntress has found more than 350 web shells, meaning that some targets may have received more than one web shell due to automated deployment or multiple uncoordinated actors. The hackers used web shells to remotely control compromised servers, allowing the attackers to steal data and take actions that lead to further compromise, Microsoft said.
The compromised endpoints do have anti-virus or endpoint detection and response (EDR) tools installed, but Hammond said the hackers have been able to slip past most preventative security products. Huntress has seen honeypots – decoys meant to bait hackers – attacked, making it clear that adversaries are just scanning the internet looking for low-hanging fruit, according to Hammond.
The earliest sign of Microsoft Exchange compromise Huntress has observed was on Saturday morning, and the hackers were continuing to drop web shells into the early morning hours Wednesday, Huntress wrote on Reddit Wednesday morning. Huntress said it first learned about the zero-day vulnerabilities Monday afternoon when an MSP partner reached out. Microsoft didn’t disclose the hack until Tuesday.
The Microsoft Exchange zero-day vulnerabilities can be leveraged by the Chinese hackers to gain remote code execution and fully compromise targeted organisations, according to Hammond. At that point, Hammond said the hackers have a foothold in the victim’s network, allowing them to expand their access and do much more damage.
In response, Hammond said MSPs should not only patch immediately but also externally validate the patch and proactively hunt for the presence of web shells and other indicators of compromise. Thus far, Hammond said it doesn’t look like any preventive security products actually block the malicious web shell from getting dropped.
“These attacks are grave due to the fact that every organization simply has to have email, and Microsoft Exchange is so widely used,” Hammond wrote in his blog post. “These servers are typically publicly accessible on the open internet and they can be exploited remotely.”