Exchange servers under siege from at least 10 APT groups

On 2021-03-02, Microsoft released out-of-band patches for Microsoft Exchange Server 2013, 2016 and 2019. These security updates fixed a pre-authentication remote code execution (RCE) vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allows an attacker to take over any reachable Exchange server, without even knowing any valid account credentials. We have already detected webshells on more than 5,000 email servers as of the time of writing, and according to public sources, several important organizations, such as the European Banking Authority, suffered from this attack.

These vulnerabilities were first discovered by Orange Tsai, a well-known vulnerability researcher, who reported them to Microsoft on 2021-01-05. However, according to a blogpost by Volexity, in-the-wild exploitation had already started on 2021-01-03. Thus, if these dates are correct, the vulnerabilities were either independently discovered by two different vulnerability research teams or that information about the vulnerabilities was somehow obtained by a malicious entity. Microsoft also published a blogpost about the early activity of Hafnium.

On 2021-02-28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group. This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates.

Finally, the day after the release of the patch, we started to see many more threat actors (including Tonto Team and Mikroceen) scanning and compromising Exchange servers en masse. Interestingly, all of them are APT groups interested in espionage, except for one outlier (DLTMiner), which is linked to a known cryptomining campaign. A summary of the timeline is shown in Figure 1.

Exploitation statistics

For the past few days, ESET researchers have been monitoring closely the number of webshell detections for these exploits. At the date of publication, we had observed more than 5,000 unique servers in over 115 countries where webshells were flagged. These numbers utilize ESET telemetry and are (obviously) not complete. Figure 2 illustrates these detections before and after the patch from Microsoft.

The heatmap in Figure 3 shows the geographical distribution of the webshell detections, according to ESET telemetry. Due to mass exploitation, it is likely that it represents the distribution of vulnerable Exchange servers around the world on which ESET security products are installed.

From RCE to webshells to backdoors

We have identified more than 10 different threat actors that likely leveraged the recent Microsoft Exchange RCE in order to install implants on victims’ email servers.

Our analysis is based on email servers on which we found webshells in Offline Address Book (OAB) configuration files, which is a specific technique used in the exploitation of the RCE vulnerability and has already been detailed in a Unit 42 blogpost. Unfortunately, we cannot discount the possibility that some threat actors might have hijacked the webshells dropped by other groups rather than directly using the exploit.

Once the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization.

Tick

On 2021-02-28, Tick (also known as Bronze Butler) compromised the webserver of a company based in East Asia that provides IT services. This means that the group likely had access to the exploit prior to the patch’s release – in this case at least two days before.

The attacker used the following name for the first-stage webshell:

C:inetpubwwwrootaspnet_clientaspnet.aspx

We then observed a Delphi backdoor, highly similar to previous Delphi implants used by the group. C&C addresses used by this backdoor are www.averyspace[.]net and www.komdsecko[.]net.

Tick is an APT group active since as early as 2008 and targeting organizations primarily based in Japan but also in South Korea, Russia and Singapore amongst others. Its main objective seems to be intellectual property and classified information theft. It makes use of various proprietary malware such as Daserf, xxmm and Datper as well as open source RATs such as Lilith. Tick is among the APT groups now having access to the ShadowPad backdoor, which was used during Operation ENTRADE documented by Trend Micro.

LuckyMouse

On 2021-03-01, LuckyMouse compromised the email server of a governmental entity in the Middle East, which means this APT group likely had access to the exploit at least one day before the patch release, when it was still a zero day.

LuckyMouse operators started by dropping the Nbtscan tool in C:programdata, then installed a variant of the ReGeorg webshell and issued a GET request to http://34.90.207[.]23/ip using curl. Finally, they attempted to install their SysUpdate (aka Soldier) modular backdoor that uses the aforementioned IP address as its C&C server.

LuckyMouse, also known as APT27 and Emissary Panda, is a cyberespionage group known to have breached multiple government networks in Central Asia and the Middle East but also transnational organizations such as International Civil Aviation Organization (ICAO) in 2016. It uses various custom malware families such as HyperBro and SysUpdate.

Calypso

On 2021-03-01, Calypso compromised the email servers of governmental entities in the Middle East and in South America, which means the group likely had access to the exploit as a zero day, like LuckyMouse and Tick. In the following days, Calypso operators targeted additional servers of governmental entities and private companies in Africa, Asia and Europe using the exploit.

The attacker used the following names for the first-stage webshell:

• C:inetpubwwwrootaspnet_clientclient.aspx
• C:inetpubwwwrootaspnet_clientdiscover.aspx

As part of these attacks, two different backdoors were observed: a variant of PlugX specific to the group (Win32/Korplug.ED) and a custom backdoor that we detect as Win32/Agent.UFX (known as Whitebird in a Dr.Web report). These tools are loaded using DLL search-order hijacking against legitimate executables (also dropped by the attackers):

• netcfg.exe (SHA-1: 1349EF10BDD4FE58D6014C1043CBBC2E3BB19CC5) using a malicious DLL named netcfg.dll (SHA-1: EB8D39CE08B32A07B7D847F6C29F4471CD8264F2)
• CLNTCON.exe (SHA-1: B423BEA76F996BF2F69DCC9E75097635D7B7A7AA) using a malicious DLL named SRVCON.OCX (SHA-1: 30DD3076EC9ABB13C15053234C436406B88FB2B9)
• iPAQDetetion2.exe (SHA-1: C5D8FEC2C34572F5F2BD4F6B04B75E973FDFEA32) using a malicious DLL named rapi.dll (SHA-1: 4F0EA31A363CFE0D2BBB4A0B4C5D558A87D8683E)

The backdoors were configured to connect to the same C&C servers: yolkish[.]com and rawfuns[.]com.

Finally, we also observed a variant of a tool known as Mimikat_ssp that is available on GitHub.

Calypso (which is also tied to XPATH) is a cyberespionage group targeting governmental institutions in Central Asia, the Middle East, South America and Asia. Its main implant is a variant of the PlugX RAT.

Websiic

Starting 2021-03-01, ESET researchers observed a new cluster of activity we have named Websiic, targeting seven email servers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a governmental body in Eastern Europe. As observed in the cases above, the operators behind this cluster likely had access to the exploit before the patch’s release.

This cluster was identified by the presence of a loader as its first stage, generally named google.log or google.aspx, and an encrypted configuration file, generally named access.log. The loader stops a specific service identified in the config and creates a new entry under the Windows service registry HKLMSYSTEMCurrentControlSetServicesParameters (the service’s filename is provided by the config). It sets two keys ServiceDll and ServiceMain. The first one contains the path to a DLL while the latter contains the export to call (INIT in this case). Finally, it restarts the service that was stopped at the outset.

While the loader was deployed on all victims from this cluster, the second stage (also a loader) was observed on the computer of only one of the victims and was located in C:Program FilesCommon Filesmicrosoft sharedWMIiiswmi.dll. The DLL has an export named INIT that contains the main logic and uses the same XOR encryption loop as well as the same technique to dynamically resolve the Windows API names as seen in the first stage. It loads the following DLL %COMMONPROGRAMFILES%Systemwebsvc.dll with an argument extracted from the registry key HKLMSOFTWAREClassesInterface{6FD0637B-85C6-D3A9-CCE9-65A3F73ADED9}. Unfortunately, the lack of indicators matching previously known threat actors prevents us from drawing any conclusions or a reasonable hypothesis as to the group behind these attacks.

Seven victims were flagged by the presence of the first loader and at one of them, the second loader was identified. We have not currently tied any known threat actor to Websiic. A recent article from GTSC also briefly describes the same cluster.

Winnti Group

Starting 2021-03-02, a few hours before Microsoft released the patch, the Winnti Group (also known as BARIUM or APT41) compromised the email servers of an oil company and a construction equipment company both based in East Asia. This indicates that this APT group also had access to the exploit prior to the patch release.

The attackers started by dropping webshells at the following locations, depending on the victim:

• C:inetpubwwwrootaspnet_clientcaches.aspx
• C:inetpubwwwrootaspnet_clientshell.aspx

At one of the compromised victims we observed a PlugX RAT sample (also known as Korplug) with C&C domain mm.portomnail[.]com and back.rooter.tk. Note that mm.portomnail[.]com was previously used by the Winnti Group with ShadowPad and the Winnti malware. On the same machine, during the same timeframe, we also observed some malware, not yet fully analyzed, using 139.162.123[.]108 as its C&C address but at the time of writing we don’t know whether this is related to the Exchange compromise or not.

At the second victim, we observed a loader that is highly similar to previous Winnti v4 malware loaders such as that mentioned in our white paper on the arsenal of the Winnti Group. Like that Winnti v4 loader, this loader is used to decrypt an encrypted payload from disk and execute it using the following command:

srv64.exe

where is the decryption key used to decrypt the payload stored in . Once executed, this loader drops a malicious DLL at the following location:

C:Windowssystem32oci.dll

This malicious DLL shares multiple similarities with a previous Winnti implant documented by Trend Micro as well as the Spyder backdoor recently documented by DrWeb and that we have observed being used by the Winnti Group in the past. The C&C address used by this implant is 161.129.64[.]124:443.

Additionally, we observed various Mimikatz and password dumping tools.

The Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the video game and software industries, leading to the distribution of trojanized software (such as CCleaner, ASUS LiveUpdate and multiple video games) that is then used to compromise more victims. It is also known for having compromised various targets in multiple different verticals such as healthcare and education.

Tonto Team

On 2021-03-03, Tonto Team (also known as CactusPete) compromised the email servers of a procurement company and of a consulting company specialized in software development and cybersecurity, both based in Eastern Europe.

In that case, the attacker used C:inetpubwwwrootaspnet_clientdukybySSSS.aspx for the first-stage webshell.

The attacker then used PowerShell to download their payloads from 77.83.159[.]15. Those payloads consist of a legitimate and signed Microsoft executable used as a DLL search-order hijacking host and a malicious DLL loaded by that executable. The malicious DLL is a ShadowPad loader. The C&C address being used by ShadowPad here is lab.symantecsafe[.]org and the communication protocol is HTTPS.

In addition to ShadowPad, the attacker also made use of a variant of the Bisonal RAT highly similar to a Bisonal variant that was previously used during Operation Bitter Biscuit attributed to Tonto Team.

On one of the compromised machines, the attacker used an LSAS dumper that was also previously used by Tonto Team.

Tonto Team is an APT group active since at least 2009 and targeting governments and institutions mostly based in Russia, Japan and Mongolia. For more than ten years, Tonto Team has been using the Bisonal RAT. Tonto Team is one of the APT groups that now has access to the ShadowPad backdoor.

Unattributed ShadowPad activity

Starting 2021-03-03, we observed the compromise of email servers at a software development company based in East Asia and a real estate company based in the Middle East where ShadowPad was dropped by the attacker and that we were not able to conclusively attribute to any known groups at the time of writing.

The attackers used C:inetpubwwwrootaspnet_clientdiscover.aspx and C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauthRedirSuiteServerProxy.aspx as first-stage webshells and dropped ShadowPad at the following locations:

• C:WindowsHelpmui