It may be April Fool’s Day, but zero-day exploits detected in Microsoft Exchange Servers are no joke. It’s now been four weeks since Microsoft announced threat actors were exploiting four zero-day vulnerabilities, collectively known as the “ProxyLogon” vulnerabilities. At the time, we wrote a blog mapping MITRE ATT&CK to the Microsoft Exchange exploits, but a lot has happened since then. In this blog, we look at what happened next.
For those who avoided all the cyber headlines, here’s a recap of what happened. In early March, Microsoft announced that four zero-day vulnerabilities in their Exchange Servers were being actively exploited by a threat group linked to the People’s Republic of China (PRC) named HAFNIUM. Microsoft quickly issued patches for these vulnerabilities but warned its customers that they may still be vulnerable to attacks if previously targeted. Additionally, Microsoft released a script that would allow its customers to check for indicators of compromise attributed to HAFNIUM and warned that attacks would also likely emanate from different threat groups.
Over a week later, researchers observed that “at least ten” advanced persistent threat (APT) groups had exploited the ProxyLogon vulnerabilities. Some of these threat actors had access to the exploits before Microsoft released their announcement and the patch. According to a blog by Volexity, the earliest detection of threat actors exploiting the ProxyLogon vulnerabilities was on 03 Jan 2021. Microsoft was informed of these vulnerabilities by a “well-known vulnerability researcher” on 05 Jan 2021. It is unclear what action Microsoft took between January and March to protect its customers from attack. Still, the APT groups kept coming for the vulnerable Exchange Servers.
Security researchers observed the “Tick” group exploiting the ProxyLogon vulnerabilities in late February 2021, and a group named LuckyMouse used the exploits the day before Microsoft’s patch was released. Many of the APT groups listed by researchers also had links to the PRC, including the infamous “Winnti” group (sometimes known as the Winnti threat umbrella). Winnti was observed using the exploits just hours before Microsoft released the patch. After Microsoft released the patch, unsurprisingly, even more threat actors took notice, and mass exploitation of the ProxyLogon vulnerabilities began.
A two-month gap between discovery and public notification means that threat actors attacked organizations before they knew they were vulnerable. Given that early attacks were conducted by sophisticated APT groups, it is likely those attacks went undetected. This clearly demonstrates the need for Microsoft’s detection script. Applying the patch is necessary, but organizations affected by the ProxyLogon vulnerabilities (estimates reach up to 60,000!) need to investigate their networks. A patch alone won’t save organizations from threat actors who have already set up camp in their networks.
The groups using the ProxyLogon vulnerabilities early on were likely highly sophisticated and, therefore, technically advanced enough to remove other threat actors from compromised networks. However, when the hijacking of existing web shells is possible, the technical bar is lowered. It is realistically possible that some less sophisticated threat groups hijacked web shells that were already on vulnerable Exchange Servers. As a result, exploitation of the ProxyLogon vulnerabilities becomes accessible to many more threat actors of all technical levels across the world.
Enter the ransomware operators. We know from previous blogs that ransomware operators are flexible and quick to adapt to new exploitation opportunities. Exploiting these vulnerabilities was no different, and ransomware operators quickly used them to their advantage. The operators of a ransomware variant named DearCry used the ProxyLogon vulnerabilities to compromise victim networks. Microsoft has acknowledged the existence of DearCry and is reportedly blocking DearCry ransomware from being deployed via compromised Exchange Servers.
Not to be left behind, “Black Kingdom” ransomware operators reportedly began using these exploits not long after and have successfully accessed approximately 1,500 vulnerable Exchange Servers. Black Kingdom ransomware has previously been observed targeting Pulse VPN flaws to access organizations and encrypt their networks. Researchers also reported that REvil (aka Sodinokibi) ransomware operators exploited the ProxyLogon vulnerabilities to target Acer in March 2021, when they demanded a record-breaking $50 million ransom. REvil’s use of ProxyLogon is unconfirmed at the time of writing. As vulnerability exploitation is a popular initial access method, it is likely that many other ransomware operators will also exploit the ProxyLogon flaws. They do enjoy copying each other, after all.
Around the same time that DearCry was exploiting ProxyLogon, other threat actors exploited the vulnerabilities to deploy cryptocurrency miners. Researchers detected attacks using web shells deployed on compromised servers to download malicious payloads associated with the LemonDuck botnet. LemonDuck is most known for installing XMRig, which mines cryptocurrency for the botnet owners. From APT groups to cryptocurrency mining botnets, the ProxyLogon vulnerabilities make an attractive prospect for all cybercriminals.
Given all that we now know, it is still unclear how the initial threat actors discovered the exploits. It is also unclear how they were subsequently distributed to other threat groups. We found a user of the Chinese-language marketplace Tea Horse Road advertising an offering related to vulnerabilities in Microsoft Exchange Servers, including “direct RCE (remote code execution) to obtain system permissions.” The listing suggested that the user was selling the offering 1,000 times, with a single unit costing a buyer $8,000! When we captured the post, however, it didn’t appear that any had been sold.
This post demonstrates that it is likely that details of these exploits have been shared between cybercriminals on forums, on public message boards, or via private message. Also, from as little as three days after Microsoft’s announcement, chatter began on cybercriminal forums about these zero-days. A user on one cybercriminal forum asked if anyone was working on or using the exploits, alongside posting links to public reporting on the issue. Other users were interested in whether a proof of concept (PoC) was publicly available for these exploits.
And the cybercriminals didn’t have to wait long for those PoCs! A PoC is code developed to demonstrate security flaws in software or networks to identify vulnerabilities and patch them. They are regularly used by network defenders but are often exploited by cybercriminals.
In mid-March, two PoCs were released for the ProxyLogon vulnerabilities. The first was published to GitHub but required some fixes to work correctly. Even so, it provided enough information to develop a functional RCE exploit for the vulnerable Exchange Servers. The PoC was taken down by GitHub to protect devices. This caused some disquiet among security professionals, as its removal meant they couldn’t use it for legitimate network hardening purposes. The second published PoC worked with minor modifications. The researcher who tested it warned that less technically sophisticated threat actors would be able to carry it out.
On 12 Mar 2021, Microsoft reportedly investigated whether the information required to conduct ProxyLogon attacks was obtained via the private disclosures the company made to its security partners. Before its public disclosure of the ProxyLogon vulnerabilities, Microsoft released PoC attack code to anti-virus and other cyber-security firms. The PoC exploits seen in recent attacks resemble those provided by Microsoft, leading the organization to investigate whether its PoC was leaked deliberately or accidentally.
In a further attempt to protect all its customers, Microsoft released a one-click Microsoft Exchange mitigation tool on 15 Mar 2021. The tool is an “easy to use” automated solution that means organizations without dedicated security teams can protect themselves from ProxyLogon attacks. Of course, this is only a temporary solution; organizations should still apply patches and hunt for malicious activity on their networks.
At the end of March, Microsoft announced that 92% of vulnerable Microsoft Exchange servers were now patched. This sounds like great news, doesn’t it? But it is a little like a false economy. This statistic comes after weeks of reporting that threat actors have been actively exploiting these vulnerabilities. The damage has, arguably, already been done. It is unknown how many organizations have fallen foul of ProxyLogon exploits. Still, there will undoubtedly be more added to that figure in the coming months.
It is essential to stay up to date on the latest vulnerabilities and security updates related to this high-profile exploit. As more details emerge, Digital Shadows (now ReliaQuest) will continue to update this post with additional analysis and recommendations, in addition to delivering intelligence updates to our clients. An in-house or outsourced Cyber Threat Intelligence (CTI) team can quickly identify trends and listings relevant to your organization. This practice can help security teams prioritize the most vulnerable areas, resulting in a more robust security posture.
If you’d like to get a clear picture of your attack surface, SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) aggregates data from billions of sources across the open, deep, and dark web, giving you a view of your exposure in real time. Unlike other threat intelligence providers, Digital Shadows (now ReliaQuest) focuses on high-priority, actionable alerts related to genuine threats to the business. Request a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.
For existing clients, Digital Shadows (now ReliaQuest) recommends the following Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection) queries for updates on developments of this event:
The following MITRE ATT&CK techniques cover the exploitation of ProxyLogon vulnerabilities: