At a glance.
- ProxyLogon updates.
- Operation Diànxùn targets telecoms.
- Linux vulnerabilities.
- Malware operator plays innocent.
ProxyLogon updates.
KrebsOnSecurity reported on March 5th that at least 30,000 organizations in the US had been hacked by the Chinese threat actor tracked by Microsoft as "Hafnium." The threat actor exploited four (now-patched) zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 to plant backdoors and exfiltrate emails. The flaws, which were discovered and reported by Volexity, are collectively dubbed "ProxyLogon" and tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Following Microsoft's issuance of emergency patches on March 2nd, Krebs says Hafnium "dramatically stepped up attacks on any vulnerable, unpatched Exchange servers," gaining access to hundreds of thousands of servers worldwide. Volexity's President Steven Adair told Krebs, "Even if you patched the same day Microsoft published its patches, there's still a high chance there is a web shell on your server. The truth is, if you're running Exchange and you haven't patched this yet, there’s a very high chance that your organization is already compromised."
ESET says at least four other APT groups besides Hafnium had exploited the vulnerabilities before they were publicly disclosed, and "many more threat actors" began scanning and compromising Exchange Servers after the disclosure. They include the espionage-focused groups Tick, LuckyMouse, Calypso, Tonto Team, Mikroceen, and Winnti Group, as well as the cryptojacking gang DLTMiner. The Record cites ESET and Kryptos Logic as saying that at least one of the threat actors was trying to log into and hijack Hafnium's web shells. The Record also notes that last Wednesday a Vietnamese security researcher published a working public exploit for the vulnerabilities. Palo Alto Networks' Unit 42 says one of the criminal operators exploiting the ProxyLogon vulnerabilities is the operator of DearCry, a new ransomware variant.
Criminal and intelligence service interest in exploiting unpatched Exchange Servers continues. Security firm Check Point says that it’s observed attacks increase by an order of magnitude just over the past week, from seven hundred on March 11th all the way up to seven thousand two hundred just yesterday, on March 15th. “The country most attacked has been the United States (17% of all exploit attempts), followed by Germany (6%), the United Kingdom (5%), The Netherlands (5%) and Russia (4%),” Check Point researchers say. The “most targeted industry sector has been Government/Military (23% of all exploit attempts), followed by Manufacturing (15%), Banking & Financial Services (14%), Software vendors (7%) and Healthcare (6%).” Some of those targets suggest criminal activity, and others suggest spying, but both crooks and spies can show overlapping interests.
RiskIQ says the number of vulnerable Exchange Servers has fallen as patches are applied, from 400,000 vulnerable servers on March 2nd to 82,731 servers as of March 11th. The researchers also note, "One reason the response may be so slow is many organizations may not realize they have exchange servers exposed to the Internet—this is a common issue we see with new customers. Another is that while new patches are coming out every day, many of these servers are not patchable and require upgrades, which is a complicated fix and will likely spur many organizations to migrate to cloud email."
Operation Diànxùn targets telecoms.
McAfee has disclosed a cyberespionage campaign dubbed "Operation Diànxùn" that's targeting telecommunications companies. McAfee believes with "a moderate level of confidence" that this operation is run by the Chinese threat actor Mustang Panda, and that this is the same threat actor tracked by Recorded Future as RedDelta.
"In this attack, we discovered malware using similar tactics, techniques and procedures (TTPs) to those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda. While the initial vector for the infection is not entirely clear, we believe with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware which the threat actor leveraged to perform additional discovery and data collection. We believe with a medium level of confidence that the attackers used a phishing website masquerading as the Huawei company career page to target people working in the telecommunications industry."
The researchers believe the actor is trying to steal information related to 5G technology (and they stress that they have no evidence that Huawei itself had any involvement in this campaign):
"By using McAfee’s telemetry, possible targets based in Southeast Asia, Europe, and the US were discovered in the telecommunication sector. We also identified a strong interest in German, Vietnamese and India telecommunication companies. Combined with the use of the fake Huawei site, we believe with a high level of confidence that this campaign was targeting the telecommunication sector. We believe with a moderate level of confidence that the motivation behind this specific campaign has to do with the ban of Chinese technology in the global 5G roll-out."
McAfee has provided a full technical analysis of the campaign as well.
Linux vulnerabilities.
Researchers at GRIMM have discovered three vulnerabilities in the Linux kernel, including a Local Privilege Escalation affecting several Linux environments. Patches for the flaws were released on March 7th. The researchers explain, "Due to the non-deterministic nature of heap overflows, the first vulnerability could be used as an unreliable, local DoS. However, when combined with an information leak, this vulnerability can be further exploited as a LPE that allows an attacker to escalate from an unprivileged user account to root. A separate information leak is not necessary, though, since this vulnerability can be used to leak kernel memory as well. The second vulnerability (kernel pointer leak) is less impactful and could only serve as a potential information leak. Similarly, the third vulnerability (out-of-bounds read) is also limited to functioning as a potential information leak or even an unreliable local DoS."
Malware operator plays innocent.
Fortinet says a "bold" malware operator decided it was worth a try to ask the security firm to whitelist their malware sample. The operator had set up a company called "Packity Networks" and sent Fortinet an email claiming that Fortinet's detection of the malware was a false positive that was "truly affecting our business heavily." The actor had also attached the executable file that they wanted whitelisted. While this file itself wasn't inherently malicious, Fortinet investigated their claim and found malicious samples that had been signed with the same certificate. Additionally, the researchers say "[t]he initial sample we got is only one part of a rather elaborate, multistage infection mechanism that can be activated at any point in time, with the final payload customized according to the attacker’s discretion."
(So, don't believe everything you read in your email...)