April’s NTT Global Threat Intelligence Report is focused on the ongoing Microsoft Exchange attack and the growing incidents involving XMRig. It is over a month since several zero-day exploits against Microsoft Exchange were announced. Since then, tens of thousands of companies have seen their email servers attacked, many successfully.
Evidence suggests that the attacks on Exchange have been ongoing since January. However, the zero-day attacks’ announcement seems to have pushed the attackers into increasing their activity. Dan Saunders, Senior Consultant, Incident Response, UK & I, NTT has taken a closer look at what is known about the attacks and the attackers. Of most interest in his article in April’s GTIC report are what to look for and how to mitigate the attack.
Indications that Exchange has been attacked
Saunders talks about the known vulnerabilities in Exchange for which Microsoft has issued patches. He says that attackers are doing mass scanning of Exchange servers to look for those that have not been patched. It shows that, once again, we are in an attack phase where companies are not taking every step to protect themselves. Some of those not patching may think they are too small to be of interest. That is a false premise as their email can be used to compromise suppliers and clients.
Saunders notes that to maintain control of infected Exchange servers, attackers are using the China Chopper webshell. To reduce the chance of detection, the attackers are constantly changing the file names containing their malicious code. They are also changing file permissions to hide those files. He says there is a way to identify if there has been an attack: “In many cases, attackers used China Chopper webshells, and the malcode is typically located within the ExternalUrl reference field.”
Another way to detect compromise is to check IIS logs. These will reveal the requests that interact with the webshells. Saunders says: “Analysis of IIS log files reveals significant HTTP GET and POST requests, that interact with webshells. These have typically used abnormal user-agent strings such as ExchangeServicesClient/0.0.0.0 and python-requests/2.25.1. Analysts should review IIS Logs to identify a timeline of initial exploitation activity. In some instances, it may be possible to identify early signs of system discovery.”
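The IIS log review described above can be scripted. The following is an added example, not code from the NTT report or from Microsoft: it parses W3C extended-format log text, flags requests carrying the two user-agent strings quoted above (the second written as the Python requests library sends it, python-requests/2.25.1), and returns them as a timeline. The log lines, paths and IP addresses are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime

# User-agent strings quoted in the report, lower-cased for matching.
SUSPICIOUS_AGENTS = ("exchangeservicesclient/0.0.0.0", "python-requests/2.25.1")

# Constructed sample in W3C extended format (paths and addresses are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2021-03-03 07:15:02 GET /owa/auth/logon.aspx 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-03 07:16:40 POST /example/constructed.aspx 203.0.113.7 python-requests/2.25.1 200
2021-03-03 07:12:11 POST /ecp/example.js 203.0.113.7 ExchangeServicesClient/0.0.0.0 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2021-03-03 07:20:05 198.51.100.23 GET /example/constructed.aspx 200 python-requests/2.25.1
2021-03-03 07:21:00 192.0.2.10 GET /owa/ 302 Mozilla/5.0+(Windows+NT+10.0)
"""

def suspicious_requests(log_text):
    """Return flagged requests as dicts, sorted by timestamp (the timeline)."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")        # IIS writes spaces inside values as '+'
        if len(values) != len(fields):
            continue                    # truncated or malformed record
        row = dict(zip(fields, values))
        agent = row.get("cs(User-Agent)", "").lower()
        if any(marker in agent for marker in SUSPICIOUS_AGENTS):
            # Assumes the date and time fields are being logged.
            stamp = row["date"] + " " + row["time"]
            row["when"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            hits.append(row)
    return sorted(hits, key=lambda r: r["when"])

def first_seen_by_uri(hits):
    """Map each requested path to the earliest flagged request that touched it."""
    first = {}
    for row in hits:                    # hits are already in time order
        first.setdefault(row["cs-uri-stem"], row)
    return first

if __name__ == "__main__":
    for r in suspicious_requests(SAMPLE_LOG):
        print(r["when"], r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["cs(User-Agent)"])
```

Because the column layout is read from each `#Fields:` directive, the same function works across log files whose logged fields differ, which is common when logs from several servers are reviewed together.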
How to mitigate an Exchange attack
Mitigating an attack usually starts by applying all patches and using any tools to detect signs of compromise. Saunders says that organisations should use the Microsoft Exchange On-Premise Mitigation Tool (EOMT). It is designed to: “simplify and automate steps to help mitigate potential Microsoft Exchange attacks. It is important to note that this tool is not an alternative to patching, but a workaround until the security update is applied.”
Use of the tool does not mean an organisation no longer needs to patch. It provides some degree of pre-patch mitigation while organisations prepare their patch processes. It should not be used long-term. Such an action would leave servers potentially vulnerable to any future attacks and give a false sense of protection.
Another mitigation step is: “restricting traffic on port 443 inbound/outbound to/from the Microsoft Exchange Servers to authorized IP address ranges only, however this does not fix the underlying issue relating to the vulnerabilities.”
One key message from Saunders is not to rely on patching alone. As he points out, in attacks like this, a compromised Exchange server may already have been backdoored by the attackers. It means that a full security sweep to find evidence of an attack should take place. To help, he provides six threat hunting tips in his article.
XMRig drives cryptocurrency mining to new heights
The surge in cryptocurrency values has led to increased mining activity by cybercriminals. There are two reasons why they do this illegally. The first is the amount of processing power required to mine some of the high-value currencies. By taking over their victims’ machines, they don’t need to buy the components to build their own.
The second reason is also cost-based. Mining cryptocurrency requires an increasing amount of electricity that eats into the profits of the miners. Why pay for it when you can steal it? It is the same mentality seen in every city worldwide, where people illegally connect into someone else’s electricity meter to grow drugs or power other illegal enterprises.
Jon Heimerl, CISSP, Sr. Manager, Global Threat Intelligence Center, US, NTT Ltd, writes about the rise of XMRig. Originally designed to allow people to mine the cryptocurrency Monero, its effectiveness has made it popular. Among its fans are cybercriminals who install it as malware on unsuspecting victims’ computers. It then sits there and uses the victims’ hardware and electricity to make the criminal richer.
What is surprising is how quickly it has become the go-to software for illicit mining. Heimerl reports that in 2019 it accounted for less than 0.2% of malware and 4% of all mining activities globally. He also says: “According to data gathered for the GTIC 2021 Global Threat Intelligence Report, XMRig was the single most detected malware, accounting for over 33% of all malware activity.” He also goes on to say it is responsible: “for nearly 82% of all coinmining activity during 2020.”
Attacks not confined to individual machines
One of the concerns over the spread of XMRig as malware is the impact on organisations. Heimerl points out: “XMRig has often been distributed via exploit kits or hostile websites disguised as Adobe Flash updates. But attackers have also used vulnerabilities in Windows, Oracle WebLogic, Apache Solr, PHP Weathermap, EternalBlue and even brute-force attacks. The reality is that if XMRig has been installed in an organization’s environment, it likely proves the organization has vulnerabilities they should be worried about, as these can provide opportunities for further exploitation by threat actors with more nefarious purposes.”
Many of the exploit kits will move laterally through an organisation and install XMRig, and other malware, throughout the business. Its use can also significantly shorten the life of hardware by forcing processors to run at 100% to mine cryptocurrency. It means that hardware will have to be replaced more often and, with hardware costs increasing over 2020, that imposes a financial penalty on organisations.
Heimerl also points out that most antivirus programmes should detect XMRig, but that assumes organisations are protecting all their endpoints. With increasing numbers of people working at home during 2020 and now returning to the office, new infections could spread quickly.
Enterprise Times: What does this mean?
Attackers are quick to adapt and exploit any opportunity. With Microsoft Exchange, this is not just about attacks on email. It has already created the real risk of Business Email Compromise (BEC). Attackers can send emails through an Exchange server where the recipient will see them as coming from a trusted source. It will increase the likelihood that they will act on the email and even open malicious attachments.
Organisations need to begin by assuming their Exchange server has been compromised. That changes the mindset to hunt for evidence rather than just patch and hope. Saunders’ threat hunting tips provide a good place to start.
The growth in XMRig infections should concern organisations just as much. Many employees may have become infected while working at home. As they return to the office and bring devices with them, they can spread malware quickly. One of the key steps for all IT departments is to ensure that all their security software is up to date and working before people return. Failure to do so could result in a new wave of malware infections over the next few months.