It may be April Fool’s Day, but zero-day exploits detected in Microsoft Exchange Servers are no joke. It’s now been four weeks since Microsoft announced threat actors were exploiting four zero-day vulnerabilities, collectively known as the “ProxyLogon” vulnerabilities. At the time, we wrote a blog mapping MITRE ATT&CK to the Microsoft Exchange exploits, but a lot has happened since then. In this blog, we take on what happened next.

For those who avoided all the cyber headlines, here’s a recap of what happened. In early March, Microsoft announced that four zero-day vulnerabilities in their Exchange Servers were being actively exploited by a threat group linked to the People’s Republic of China (PRC) named HAFNIUM. Microsoft quickly issued patches for these vulnerabilities but warned its customers that they may still be vulnerable to attacks if previously targeted. Additionally, Microsoft released a script that would allow its customers to check for indicators of compromise attributed to HAFNIUM and warned that attacks would also likely emanate from different threat groups.

HAFNIUM is not alone in its efforts

Over a week later, researchers observed that “at least ten” advanced persistent threat (APT) groups had exploited the ProxyLogon vulnerabilities. Some of these threat actors had access to the exploits before Microsoft released their announcement and the patch. According to a blog by Volexity, the earliest detection of threat actors exploiting the ProxyLogon vulnerabilities was on 03 Jan 2021. Microsoft was informed of these vulnerabilities by a “well-known vulnerability researcher” on 05 Jan 2021. It is unclear what action Microsoft took between January and March to protect its customers from attack. Still, the APT groups kept coming for the vulnerable Exchange Servers.

Security researchers observed the “Tick” group exploiting the ProxyLogon vulnerabilities in late February 2021, and a group named LuckyMouse used the exploits the day before Microsoft’s patch was released. Many of the APT groups listed by researchers also had links to the PRC, including the infamous “Winnti” group (sometimes known as the Winnti threat umbrella). Winnti was observed using the exploits just hours before Microsoft released the patch. After Microsoft released the patch, unsurprisingly, even more threat actors took notice, and mass exploitation of the ProxyLogon vulnerabilities began.

Timeline of Proxylogon attacks
Timeline of Proxylogon attacks

A two-month gap between discovery and public notification means that threat actors attacked organizations before they knew they were vulnerable. Given that early attacks were conducted by sophisticated APT groups, it is likely those attacks went undetected. This clearly demonstrates the need for Microsoft’s detection script. Applying the patch is necessary, but organizations affected by the ProxyLogon vulnerabilities (estimates reach up to 60,000!) need to investigate their networks. A patch alone won’t save organizations from threat actors who have already set up camp in their networks.

The groups using the ProxyLogon vulnerabilities early on were likely highly sophisticated and, therefore, technically-advanced enough to remove other threat actors from compromised networks. However, when the hijacking of existing web shells is possible, the technical bar is lowered. It is realistically possible that some less-sophisticated, threat groups hijacked web shells that were already on vulnerable Exchange Servers. As a result, exploitation of ProxyLogon vulnerabilities becomes accessible to many more threat actors of all technical levels across the world.

Ransomware actors and Cryptominers joined the exploit

Enter the ransomware operators. We know from previous blogs that ransomware operators are flexible and quick to adapt to new exploitation opportunities. Exploiting these vulnerabilities was no different, and ransomware operators quickly used them to their advantage. The operators of a ransomware variant named DearCry used the ProxyLogon vulnerabilities to compromise victim networks. Microsoft has acknowledged the existence of DearCry and is reportedly blocking DearCry ransomware from being deployed via compromised Exchange Servers. 

Not to be left behind, “Black Kingdom” ransomware operators reportedly began using these Exploits not long after and have successfully accessed approximately 1,500 vulnerable Exchange Servers. Black Kingdom ransomware has previously been observed targeting Pulse VPN flaws to access organizations and encrypt their networks. Researchers also reported that REvil (aka Sodinokibi) ransomware operators exploited the ProxyLogon vulnerabilities to target Acer in March 2021, when they demanded a record-breaking $50 million ransom. REvil’s use of ProxyLogon is unconfirmed at the time of writing. As vulnerability exploitation is a popular initial access method, it is likely that many other ransomware operators will also exploit ProxyLogon flaws. They do enjoy copying each other, after all.

Around the same time that DearCry was exploiting ProxyLogon, other threat actors exploited the vulnerabilities to deploy cryptocurrency miners. Researchers detected attacks using web shells deployed on compromised servers to download malicious payloads associated with the LemonDuck botnet. LemonDuck is most known for installing XMRig, which mines cryptocurrency for the botnet owners. From APT groups to cryptocurrency mining botnets, the ProxyLogon vulnerabilities make an attractive prospect for all cybercriminals.

Given all that we now know, it is still unclear how initial threat actors discovered the exploits. It is also unclear how they were subsequently distributed to other threat groups. We found a user of the Chinese-language marketplace Tea Horse Road advertising an offering related to vulnerabilities in Microsoft Exchange Servers, including “direct RCE (remote code execution) to obtain system permissions.” The listing suggested that the user was selling the offering 1,000 times, with a single unit costing a buyer $8,000! Although when we captured the post, it didn’t appear as though any had been sold. 

Tea Horse Road post advertising Exchange Server vulnerabilities
Tea Horse Road post advertising Exchange Server vulnerabilities

This post demonstrates that it is likely that details of these exploits have been shared between cybercriminals on forums, on public message boards, or via private message. Also, from as little as three days after Microsoft’s announcement, chatter began on cybercriminal forums about these zero-days. A user on one cybercriminal forum asked if anyone was working on or using the exploits, alongside posting links to public reporting on the issue. Other users were interested in whether a proof of concept (PoC) was publicly available for these exploits.

PoCs were uploaded then taken down

And the cybercriminals didn’t have to wait long for those PoCs! A PoC is code developed to demonstrate security flaws in software or networks to identify vulnerabilities and patch them. They are regularly used by network defenders but are often exploited by cybercriminals.

In mid-March, two PoCs were released for the ProxyLogon vulnerabilities. The first was published to GitHub but required some fixes to work correctly. Even so, it provided enough information to develop a functional RCE exploit for the vulnerable Exchange Servers. The PoC was taken down by GitHub to protect devices. This caused some disquiet among security professionals, as its removal meant they couldn’t use it for legitimate network hardening purposes. The second published PoC worked with minor modifications. The researcher who tested it warned that less technically sophisticated threat actors would be able to carry it out.

On 12 Mar 2021, Microsoft reportedly investigated whether the information required to conduct ProxyLogon attacks was obtained via public disclosures the company made to its security partners. Before their public disclosure of the ProxyLogon vulnerabilities, Microsoft released PoC attack codes to anti-virus and other cyber-security firms. The PoC exploits seen in recent attacks resemble those provided by Microsoft, leading the organization to investigate whether its PoC was leaked deliberately or accidentally.

Microsoft released One-click mitigation tool

In a further attempt to protect all its customers, Microsoft released a one-click Microsoft Exchange mitigation tool on 15 Mar 2021. The tool is an “easy to use” automated solution that means organizations without dedicated security teams can protect themselves from ProxyLogon attacks. Of course, this is only a temporary solution; organizations should still apply patches and hunt for malicious activity on their networks. 

At the end of March, Microsoft announced that 92% of vulnerable Microsoft exchange servers were now patched. This sounds like great news, doesn’t it? But it is a little like a false economy. This statistic comes after weeks of reporting that threat actors have been actively exploiting these vulnerabilities. The damage has, arguably, already been done. It is unknown how many organizations have fallen foul of ProxyLogon exploits. Still, there will undoubtedly be more added to that figure in the coming months.

It’s fundamental to stay updated on the latest vulnerabilities and security updates related to this high-profile exploit. As more details emerge, Digital Shadows (now ReliaQuest) will continue to update this post with additional analysis and recommendations in addition to delivering intelligence updates to our clients. Having an in-house or outsourced Cyber Threat Intelligence (CTI) team can quickly identify trends and listings relevant to your organization. This practice can help security teams prioritize the most vulnerable areas, thus granting a more robust security posture.

If you’d like to get a clear picture of your attack surface, SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) aggregates data from billions of sources across the open, deep, and dark web, giving you a view of your exposure in real-time. Unlike other threat intelligence providers, Digital Shadows (now ReliaQuest) focuses on high-priority, actionable alerts related to genuine threats to the business. Get a demo request of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.

For existing clients, Digital Shadows (now ReliaQuest) recommends the following Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection) queries for updates on developments of this event:

  • (type=[blog posts] OR type=[intelligence updates] OR type=[indicator feeds] OR type=[Vulnerabilities & Exploits]) AND (“CVE-2021-26855” OR “CVE-2021-26857” OR “CVE-2021-26858” OR “CVE-2021-27065”)
  • (type=[blog posts] OR type=[intelligence updates] OR type=[indicator feeds] OR type=[Vulnerabilities & Exploits]) AND (“Hafnium” OR “Microsoft Exchange Servers”) AND date=[now-14d TO now]
  • (type=[forum posts]) AND (“CVE-2021-26855” OR “CVE-2021-26857” OR “CVE-2021-26858” OR “CVE-2021-27065”)
  • (type=[forum posts]) AND (“Hafnium” OR “Microsoft Exchange Servers”) AND date=[now-14d TO now]

The following MITRE ATT&CK techniques cover the exploitation of ProxyLogon vulnerabilities:

ID Name
T1595 Active Scanning
T1587.004 Develop Capabilities: Exploits
T1190 Exploit Public-Facing Application
T1203 Exploitation for Client Execution
T1078 Valid Accounts
T1072 Software Deployment Tools
T1505.003 Server Software Component: Web Shell
T1041 Exfiltration over C2 channel
T1114.001 Email Collection: Local Email Collection
T1005 Data from Local System
T1083 File and Directory Discovery