Web shells everywhere
Written by
You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.
Web shells everywhere. So many web shells. There are a LOT of web shells.
A China-linked espionage campaign against select US targets has exploded into a frenzy of indiscriminate exploitation that has compromised tens of thousands of Microsoft Exchange servers across the globe.
The timeline of these attacks is worth exploring.
In October 2020, Cheng-Da Tsai (‘Orange Tsai’) from Taiwan-based pen-test shop DEVCORE began researching potential vulnerabilities in Microsoft Exchange Server. Tsai claims in a blog post that he was interested in hacking on-premises Exchange because of its “holy grail” impact: there hasn’t been a pre-authenticated RCE against Exchange since Microsoft’s 2003 release.
It’s worth noting that Tsai is based in Taiwan, a contested space that (like Ukraine) is routinely a target of state-backed attacks from a large neighbouring country. Perhaps someone got tipped off that Exchange would be fruitful territory for Tsai’s unique research skills? Keep that in mind as you read on.
Tsai said he discovered a bug chain between December 10 and December 31, 2020, and disclosed it to Microsoft via its MSRC portal on January 5, 2021. According to Microsoft, Tsai’s bug report was the first it knew of the vulnerability.
So far, so normal. But then – somehow – the bug chain turned up in the wild.
Researchers at Denmark-based Dubex and US-based Volexity contacted Microsoft on January 27 and February 2, respectively, after discovering exploitation of the vulnerabilities during incident response engagements. Volexity now says the intrusions it observed began on January 3, 2021, two days before Tsai disclosed the bug chain to Microsoft.
A month later, on March 2, Microsoft released an out-of-band patch for four zero-day vulnerabilities in Exchange 2013, 2016 and 2019, including the two disclosed by Tsai. It announced that a group of state-backed hackers “operating out of China” (which it calls Hafnium) had used the bug chain to steal the entire contents of internet-facing Microsoft Exchange servers over a period of several months.
In some cases, the hackers dropped web shells or pivoted further into the targeted networks. Microsoft said Hafnium went after espionage targets in America such as infectious disease researchers, law firms and defence contractors.
But today we know that starting from around February 26, four days before the patch was released, several distinct groups of actors started scanning the entire IP4 address space for vulnerable Exchange servers and got busy dropping web shells. It’s almost like someone knew an out-of-cycle patch was imminent and wanted to make hay while the sun was shining.
FireEye grouped these attacks under three distinct UNC (uncategorised) buckets of activity. ESET identified at least five groups – which included Chinese espionage actors LuckyMouse (aka Emissary Panda, APT27, TG-3390) and Tick (aka Bronze Butler) as well as several previously uncategorised ones.
We don’t know just how many different groups got involved or their (various) motivations. But we’re left with web shells on tens if not hundreds of thousands of Exchange Servers, with evidence of multiple hacking groups contesting the same infected servers. The organisations that run these servers are in for a very bad time.
CISA issued an emergency directive that ordered civilian agencies to patch Exchange boxes. The National Security Advisor to the US President is tweeting about it.
At this point, the biggest challenge is getting the patches, alternate mitigations and detection tools into the hands of poorly-resourced SysAdmins. So you might still be wondering why we’re so focused on the timeline.
Well, CISA updated its initial advisory about the vulnerabilities on March 4, recommending defenders grep for suspicious activity dating back to September 2020. That’s odd when the first attacks on the public record were seen from early January 2021. The US government is asking defenders to study logs from about the time Tsai first took interest in putting Microsoft Exchange through its paces.
We don’t have the answers on this one. But what we do have are some engrossing questions. Who developed this bug chain? Who used it first, and how did they get it? Did they develop it themselves or steal it? Did anyone involved in this mess have insight into Microsoft’s patching timeline? If so, how? How and why did the bug chain suddenly become so widely distributed?
So many questions.
What’s in a name?
Risky Business has for several months tried to avoid using the words “SolarWinds” or “Solorigate” to describe the cyber espionage operation that’s rocked the United States since its discovery in December 2020.
Our sources have long warned us that the operation is dynamic. It wasn’t limited to the compromise of one vendor and wasn’t specific to a fixed period of time. This, we’re told, is the new normal: activities that result in a perpetual state of disruption and degradation.
This week, Microsoft retired the use of the term “Solorigate” to describe the actors behind these activities, and has reserved the use of that term to describe a specific piece of malware. This is a positive step, in our view, as the compromise of SolarWinds was only one means to the operator’s ends.
(Microsoft now uses the name Nobelium to describe FireEye’s UNC2452, Volexity’s Dark Halo and Palo Alto’s SolarStorm. Risky Business continues to call it Holiday Bear, a name that’s even catching on in Congress.)
Microsoft’s change of nomenclature came as it documented the discovery of three new malware strains found on networks compromised by this actor between June and September 2020.
One strain was a second-stage backdoor written in Go that Microsoft calls “GoldMax”, which FireEye also observed at a US victim compromised by UNC2452. FireEye calls the backdoor “Sunshuttle”, and said that while there are indicators that link the malware to the Russian espionage operation, it’s yet to “fully verify” this connection.
It’s pretty interesting to see investigators making new discoveries three months after the Sunburst backdoor was found.
It’s also telling that Microsoft published a set of CodeQL queries (search terms for indicators you might find in code) other software companies can use to flush out supply-chain compromises by the same actor that wrecked SolarWinds, while dissociating its name for those attackers from SolarWinds. We don’t know if there are more disclosures coming, but Microsoft seems to be laying some groundwork. You know. Just in case.
Russian cybercrime forums hacked. Can you smell alphabet soup?
At least two popular Russian-language forums have been hacked within the last few weeks, according to cybercrime writer Brian Krebs, and there have been attempts to compromise several others.
Krebs sighted a document that included the purported private encryption key used by administrators of the Mazafaka cybercrime forum and the ICQ numbers of forum members.
A second cybercrime forum, Verified, was compromised after its domain registrar was hacked and traffic redirected to servers the attacker controlled. Verified administrators later forced a site-wide password reset, but it would be a brave or foolish user who’d transact on that site from here on.
Intel 471 researchers also observed the administrators of the Exploit and Crdclub cybercrime forums having a bad time. Admins for the Exploit forum detected unauthorised SSH access to a proxy server it uses for DDoS protection, as well as attempts to dump network traffic.
Attributing these attacks raises an intriguing set of possibilities. The least fun scenario involves rival forums having a crack at each other. The most fun scenario includes the work of three and four letter agencies. We may never know and that’s sort of the beauty of these things.
A little loyalty data can go a long way
Geneva-based SITA, a service provider that manages loyalty programs for international airlines, has disclosed a data breach that leaked the names and membership details of millions of frequent flyers.
SITA disclosed that the data was stored on its Passenger Service System (PSS) servers, which processes frequent flyer data for airlines.
According to one of SITA’s airline partners (Lufthansa), attackers penetrated SITA’s booking system between January 21, 2021 and February 2, 2021. SITA confirmed the breach on February 24 and began informing its airline customers soon afterwards.
A Lufthansa spokesperson also told The Register and Bleeping Computer that attackers broke into the account of a single Star Alliance member, based in Asia, who was a customer of SITA’s booking system.
SITA disputed that in an email exchange with Risky Business, but hasn’t provided an alternative explanation.
The breach has confounded aviation experts we spoke to, as most affected loyalty programs don’t use SITA’s PSS. Further, the stolen data comes from both the Star Alliance and oneworld programs (airlines that don’t typically share frequent flyer data).
Airlines said the exposure was limited to what they share with partner airlines to help manage the allocation of seats using frequent flyer points/miles. That includes the traveller’s member’s name, member number, their status/tier level and sometimes their meal preferences, but not their contact details, financial information or flight history.
(One anomaly is Malaysia Airlines (MAS), which used to be a long-term customer of SITA’s Horizon system. MAS disclosed that the stolen data also included the contact information, date of birth and gender of travellers enrolled in its Enrich loyalty program between March 2010 and June 2019.)
We don’t know who was responsible. Most airlines have told members of their loyalty programs that they don’t need to take any action (like changing passwords), as the stolen data can’t in isolation be used to hack into member accounts.
But this advice assumes the actor’s motivations were criminal.
Chinese hackers popped shells in SolarWinds too
Researchers are a step closer to solving the mystery of “Supernova”, the mysterious malware found during incident response at some SolarWinds customers that appeared to be unrelated to the Russian “Holiday Bear” supply-chain attack.
SecureWorks has now attributed the Supernova web shell to a China-based group it calls Spiral, which had previously been observed exploiting public-facing ManageEngine servers to harvest credentials. Spiral’s goal in previous campaigns was to access the target’s Office 365 account.
In this case, the attackers abused an authentication bypass in SolarWinds’ Orion API to remotely execute commands on a victim’s Orion server. Exploitation required the target to have exposed its Orion API to the Internet.
Shorts
Dependency Confusion is in the wild
Dependency Confusion is all the rage among white hats and black hats inspired by Alex Birsan’s February paper. There’s also a lot of typosquatting going on. The Daily Swig reports maintainers at the npm Registry and Python Package Index are being kept very busy. Attackers have already tried using the technique to steal the password hashes and bash script histories from Amazon, Lyft, Slack and other companies, but reportedly weren’t successful. Here’s some new tools and guides to help developers avoid the problem.
REvil wants affiliates
The REvil ransomware gang is recruiting for new affiliates, promoting a range of capabilities already on offer from rivals. REvil joins a growing list of ransomware-as-a-service providers that will apply pressure on a target by reporting a breach to journalists and the target’s business partners.
Phishing campaigns zero in on vaccination efforts
Several vendors observed a pronounced increase in vaccination-themed phishing lures in recent weeks. These graphs from DomainTools tell the story better than words can.
NSA gives a very qualified thumbs up to zero trust
The NSA has passed down its judgment [pdf] on the zero trust security model, giving the thumbs up to access mechanisms based on a “principle of least privilege” mindset. But it also warns that in the absence of careful planning and a long-term commitment, things can also go very wrong.
This week’s long reads
We read two great blog posts this week that really speak to why we chose to stand up this newsletter a year ago.
- Michael Tanji wrote this blog post about the long list of big cyber policy ideas that haven’t had a measurable impact on US cyber defence. There’s clearly a disconnect between cyber security expertise and the broader policy community that needs to be bridged.
- Threat intelligence analyst Alex Orleans explained how hyperbolic exaggerations of the impact of cyber intrusions can play into the hands of adversaries, an observation that was as relevant this week as last week.
Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at editorial@risky.biz.