Security Week 11: Exchange Vulnerabilities, Github Censorship, and Timeline Attacks

There are “slow” crises in cybersecurity, such as potential attacks on boot code on smartphones and mobile computers – anything that requires physical access to the hardware. The fact that such access does not require such access also does not always represent a problem that must be dealt with “yesterday”: even critical vulnerabilities are often exploited with many caveats and additional difficulties on the way to important data. Attacks on Microsoft Exchange mail servers are likely to become a textbook example of a rapidly developing and most dangerous problem for potential victims.

Four actively exploited vulnerabilities in Exchange were reported on March 3. The second week of the “postal crisis” was eventful. A demo code has been published on Github that exploits the vulnerabilities. Proof-of-Concept was promptly deletedfor which Github (and Microsoft, as the owner of the service) has been criticized. Several studies at once reported an attack on mail servers by not one, but at least a dozen different groups. March 13 it became known about using already compromised servers for data encryption and ransomware attacks. At the same time, the discoverers of the vulnerabilities clarified the timeline of the investigation: apparently, the key Exchange vulnerability was discovered during an audit back in December.

Detailed timeline of the development of events published on the Brian Krebs website. According to him, the vendor was notified of the vulnerabilities almost simultaneously by two companies, independently of each other. At the same time, Volexity notified Microsoft on the trail of investigating real attacks. Devcore discovered two of the four vulnerabilities without being aware of their exploitation in an Exchange security audit back in October last year. Last week Devcore published a detailed chronology of their own interaction with Microsoft: in early December, they found a way to bypass authentication on the mail server, on New Year’s Eve, they found a vulnerability in writing arbitrary data to the server and thus simulated a working attack.

At the end of January, Trend Micro informs about cases of hacking of mail servers with the organization of a web shell for subsequent control over them, but connects the attacks with another vulnerability that was already closed at that time. In mid-February, Microsoft announced to Devcore that it plans to patch the vulnerabilities with the planned patch release scheduled for March 9th. But at the very end, those who previously hacked servers selectively move on to the tactics of large-scale search and hacking of vulnerable organizations. This, in turn, forces Microsoft to distribute patches six days before Patch Tuesday, March 3rd. Already at the time the patches were distributed, the number of attacked mail servers was estimated at tens of thousands.

On March 12, Microsoft, citing RiskIQ, provides an overall estimate of the number of potentially vulnerable servers. As of March 1, there were about 400 thousand of them. By March 9, 100 thousand servers were not patched, by March 12, their number had dropped to 82 thousand. At the same time, a separate drama arises with the publication of PoC on Github. After the patch was released, it was only a matter of time before the proof-of-concept was reverse-engineered.

The code for the attack on Exchange is published on March 10, and is immediately banned on GitHub, for which Microsoft receives a portion of criticism: is it censorship? As a countermeasure, censorship fighters begin post copies of the code in their accounts. It is clear that the Internet does not work like that: what was once published in it, it will no longer be possible to publish. But there is also a counterargument: the finished exploit is, of course, useful for “research” purposes and as part of a suite for testing corporate networks, but for those hundreds of thousands of organizations with an open hole, it will bring even more problems. They are now being attacked by everyone, and most likely companies that have the very minimum of resources to solve any security problems have fallen under the distribution.

If you feel like this story hasn’t done enough damage, here’s another point. IN research Palo Alto provides some details of the web shell installed on compromised servers. For these details, a Devcore employee known as Orange Tsai makes assumptionthat the exploit he developed was used in real attacks before the patch was released. He privately shared a demo exploit with Microsoft in early January. How did he end up in the hands of one (or more) attacking groups? By data The media, the leak occurred after Microsoft shared information with partners. The exploit was put into operation almost unchanged, and it is identified by the “orange” string sewn into it, left by Orange Tsai.

Well, in conclusion, let’s talk about extortion. Closing the vulnerability will not help if the server has already been compromised, and its owners were unable to identify the presence of a web shell. It appears that the typical backdoor left behind by the original cracking groups is now being exploited by ransomware. Access is used to encrypt data, and the text uses the term DearCry, a reference to a ransomware attack WannaCry 2017. Brief interim verdict: everything is very bad. So bad that Microsoft released patch for a long-unsupported version of Exchange Server 2010. And we still do not know about the consequences of attacks, which were probably accompanied by theft of mail correspondence, hacking of other servers in the corporate network, and so on. The names of the affected organizations are already becoming known. Among them, for example, Norwegian parliament

What else happened

BleepingComputer informs about a new tactic of scammers advertising “cryptocurrency distribution” on social networks. Instead of mimicking Elon Musk, they advertise the scam in a straightforward manner through the paid mechanisms of Twitter.

Google for research purposes publishes demo code exploiting the Specter vulnerability. The practical attack shows the theft of memory contents through the Chrome 88 browser at a speed of 1 kilobyte per second.

The set of updates for Microsoft products released on March 9, closes zero-day vulnerability in Internet Explorer. And users complainthat another update from this set crashes Windows into a blue screen when trying to print something to the printer.

Video in tweet The above shows how to trigger a denial of service in a car multimedia system by connecting a USB keyboard to the port.

Critical vulnerabilities in high-performance network devices, BIG-IP and BIG-IQ from F5 Networks can bypass the authorization mechanism.

Similar Posts

Leave a Reply