SANS NewsBites

All you wanted to know about the Microsoft Exchange Breach Infecting 30-60,000 Enterprises

March 9, 2021  |  Volume XXIII - Issue #19

Top of the News


2021-03-07

Microsoft’s MSERT Tool Can Now Detect Exchange Server Indicators of Compromise

Microsoft has updated its Microsoft Safety Scanner (MSERT) so that it detects the web shells dropped on servers in the recent Exchange Server attacks.

Editor's Note

Windows Defender has also been updated to detect the web shells. The Microsoft Safety Scanner (https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download), also called MSERT, can be used to detect, and will automatically remove, the implanted web shells unless you start it with the /N argument. Note MSERT is not a real-time defense tool and only performs spot checks. Select the full scan option, which can take a while. Microsoft also released a PowerShell script, “Test-ProxyLogon.ps1”, to search for IOCs in Exchange and OWA log files; see the GitHub CSS-Exchange link below.

Lee Neely

Given the nature of these vulnerabilities and the widespread exploitation of them, if your company has not yet applied the patches then assume you have been breached and respond accordingly. Applying the patches will fix the vulnerability but will not address any compromise or additional backdoors attackers may have planted before the patches were applied.

Brian Honan
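The two editor notes above come down to one procedure: hunt for indicators first, then patch. The script below is an added example, not Microsoft's Test-ProxyLogon.ps1 and not MSERT itself; it pulls together the pieces Lee Neely lists so they can be run as one pass on an on-premises Exchange 2013/2016/2019 server. The HttpProxy log check is the one Microsoft published with the March 2 fixes for the server-side request forgery bug (CVE-2021-26855); the web-shell directory list, the $Since cutoff (set here to the January 5 disclosure date from the Krebs timeline), the MSERT download path and the report directory are assumptions to adjust for your environment. Run it from an elevated PowerShell on the Exchange server.

```powershell
# Added triage example for an on-premises Exchange server. Not Microsoft's
# Test-ProxyLogon.ps1 and not MSERT; it wraps one published log indicator,
# a look for dropped .aspx web shells, and a detect-only MSERT run.
#
# Assumptions (adjust for your environment):
#   - $env:ExchangeInstallPath is set (true on a default install).
#   - MSERT.exe has already been downloaded to $MsertPath.
#   - $Since is the earliest date you treat as "possibly exposed". The
#     disclosure to Microsoft was January 5, 2021; widen it if your logs
#     reach back further.
param(
    [string]   $MsertPath = 'C:\Tools\MSERT.exe',
    [datetime] $Since     = '2021-01-05',
    [string]   $ReportDir = "$env:SystemDrive\ExchangeTriage"
)

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$exch = $env:ExchangeInstallPath

# 1. CVE-2021-26855 indicator published by Microsoft: HttpProxy log rows
#    with an empty AuthenticatedUser and an AnchorMailbox of the form
#    ServerInfo~*/*. A legitimate client never produces that combination.
$httpProxyLogs = Join-Path $exch 'Logging\HttpProxy'
$ssrfHits = Get-ChildItem -Path $httpProxyLogs -Recurse -Filter '*.log' |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object { Import-Csv -Path $_.FullName } |
    Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
    Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
$ssrfHits | Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'httpproxy-ssrf-hits.csv')
"[{0}] HttpProxy SSRF indicator rows since {1}: {2}" -f (Get-Date), $Since.ToShortDateString(), @($ssrfHits).Count

# 2. The web shells were written as .aspx files into IIS-served directories
#    that normally hold none, or only long-unchanged, .aspx files. Any .aspx
#    written after $Since in these locations needs a manual look; do not
#    delete it before the IR team has a copy.
$webShellDirs = @(
    "$env:SystemDrive\inetpub\wwwroot\aspnet_client",
    (Join-Path $exch 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $exch 'FrontEnd\HttpProxy\ecp\auth')
)
$newAspx = foreach ($dir in $webShellDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -Filter '*.aspx' -File |
            Where-Object { $_.LastWriteTime -ge $Since } |
            Select-Object FullName, LastWriteTime, Length
    }
}
$newAspx | Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'recent-aspx.csv')
"[{0}] Recently written .aspx files in web-shell drop directories: {1}" -f (Get-Date), @($newAspx).Count
$newAspx | Format-Table -AutoSize

# 3. MSERT full scan in detect-only mode: /F forces a full scan, /N reports
#    without removing, /Q suppresses the UI. Findings land in
#    %SystemRoot%\debug\msert.log. Drop /N once evidence has been preserved.
if (Test-Path $MsertPath) {
    Start-Process -FilePath $MsertPath -ArgumentList '/F', '/N', '/Q' -Wait
    Copy-Item "$env:SystemRoot\debug\msert.log" (Join-Path $ReportDir 'msert.log') -ErrorAction SilentlyContinue
    "[{0}] MSERT finished; see {1}" -f (Get-Date), (Join-Path $ReportDir 'msert.log')
} else {
    "MSERT not found at $MsertPath; download it from Microsoft and re-run."
}
```

Nothing in this pass removes anything, on purpose: a hit in either CSV means the server was reached by the exploit chain, and at that point the question is what the attacker did next (new accounts, mailbox exports, scheduled tasks), which patching does not answer. Microsoft's Test-ProxyLogon.ps1 covers more of the log sources than the single HttpProxy check shown here and should still be run.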

2021-03-06

30,000+ Exchange Servers Breached

At least 30,000 organizations in the US have been breached through vulnerabilities in Microsoft Exchange Server. Microsoft released emergency updates to address the flaws on Tuesday, March 2. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive instructing federal civilian departments and agencies to apply the patches or disconnect their vulnerable systems from the Internet.


2021-03-05

Alternative Mitigations for Exchange Server Vulnerabilities

Microsoft has released a set of suggested mitigations for organizations that are unable to apply the March 2 emergency Exchange Server updates. Microsoft cautions that “these mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.”

Editor's Note

Examine the mitigations carefully before deciding to implement. They include disabling services you may be using. Even if you decide to implement them, you still need to apply the security patches for a complete fix, as well as check your services for IOCs to make sure you’re not already compromised.

Lee Neely

2021-03-08

Exchange Server Attacks Timeline

Brian Krebs enumerates events from DEVCORE’s January 5, 2021 disclosure of the Exchange Server vulnerabilities to Microsoft through current efforts “to notify victims, coordinate remediation, and remain vigilant for ‘Stage 2’ of this attack.” The ZDNet article answers questions such as “What Happened?”; “What are the vulnerabilities and why are they important?”; and “What do I do now?”

Editor's Note

The Brian Krebs article includes an excellent timeline that helps explain how these bugs went from a “bug disclosure with updates on Patch Tuesday” scenario to an “act immediately” situation. Make sure that you examine the mitigation and remediation options from Microsoft; do not leave your Exchange services unchecked; act on the assumption that many threat actors are looking for an opportunistic exploit. Don’t be exploit 60,001.

Lee Neely

2021-03-08

Exchange Server Attack Victims

Organizations affected by Exchange Server attacks include US defense contractors, international aid organizations, think tanks, and the European Banking Authority, which took its email systems offline following an attack. Czech investigators are trying to determine whether email system attacks affecting the city of Prague and the Czech Labor Ministry are related to the Exchange Server vulnerabilities.

The Rest of the Week's News


2021-03-08

SITA Breach Compromised Airline Passenger Data

Aviation IT services provider SITA has confirmed that its systems were hit with a cyberattack that compromised passenger data stored on its SITA Passenger Service System servers. The incident occurred on February 24, 2021. Affected airlines have begun notifying passengers. SITA (Société Internationale de Télécommunications Aéronautiques) is based in Geneva, Switzerland.

Editor's Note

This is a third-party compromise. Affiliated airlines (e.g., Star Alliance) share data. One of the airlines is also a SITA customer, with associated data sharing, which allowed access to not only their customers’ data but also passenger data for other member airlines. When sharing data, make sure only the minimum necessary to operate is shared, that protection requirements are clearly stated, and then monitor for misuse. In this case the data is limited to member name, status and membership number; airlines are watching for misuse of that information.

Lee Neely

Frequent flyers should take this occasion to review the often extensive personal information that airlines and travel agencies hold on them and change their passwords. Few airlines or travel agencies offer strong authentication.

William Hugh Murray

2021-03-08

Scottish University and Nottinghamshire Schools Victims of Separate Cyberattacks

Scotland’s University of the Highlands and Islands (UHI) is dealing with “an ongoing cyber incident” that has forced it to shut down many of its 13 campuses. Fifteen schools in the Nova Education Trust have been affected by a cybersecurity incident that prevented them from providing much remote learning.


2021-03-08

More Accellion Breach Victims

The scope of the breaches exploiting vulnerabilities in Accellion’s File Transfer Appliance (FTA) continues to grow. Michigan-based Flagstar Bank recently disclosed that some of their data were accessed. Accellion released fixes for the vulnerabilities in December 2020 and January 2021. Accellion has planned to end support for FTA on April 30, 2021; the company has been encouraging customers to migrate to its new Kiteworks platform.

Editor's Note

This NewsBites item illustrates both the complexity and time-varying nature of supply chain risk. If company X used Bank Y that had a file transfer capability that was provided by service Z that used the Accellion File Transfer Appliance, December 2020 (when Accellion acknowledged it was the cause of the first reported breach) should have been an immediate severe risk flag – if Company X even knew Bank Y used Service Z that used Accellion’s vulnerable product. But the risk actually started increasing in 2018 when Accellion started telling customers it would be ending support for the product in April 2021 and ending support for the appliance OS in November 2020 – all reasons for Service Z to move away from the product and for customers of Service Z to move away from Service Z if it did not – if this level of supply chain risk monitoring was being done, which some are actually doing today.

John Pescatore

If you have the Accellion FTA appliance, you are hopefully finishing (or have finished) your migration to an alternative solution. If you are a customer of a company still using the FTA appliance, evaluate the risk of data exposed using that platform, versus selecting a new supplier using supported/secure services. Make sure your vendor/supply chain monitoring includes watching for and responding to these sorts of risk.

Lee Neely

2021-03-08

Critical Vulnerability in The Plus Addons for Elementor WordPress Plugin

A critical flaw in The Plus Addons for Elementor plugin for WordPress can be exploited to take control of vulnerable websites. The privilege elevation vulnerability appears to affect only the premium version of the plugin; the free version, The Plus Addons for Elementor Lite, is not affected. Users of the premium version of the plugin are urged to deactivate and remove it until a fix is available.

Editor's Note

Treat this as a zero day. The coding error, when exploited, allows the creation of new admin users and login as existing ones. A firewall rule was distributed to the paid Wordfence users on March 8th; free versions will not get that rule until April 7th. If you’re using the paid version of Elementor, and you need The Plus Addons, an alternative to removing the plugins may be to switch to the free “Elementor Lite.”

Lee Neely

2021-03-08

Unpatched QNAP NAS Devices are Being Targeted with Cryptomining Malware

Threat actors are targeting unpatched QNAP network attached storage (NAS) devices to install cryptomining malware. QNAP released fixes for the firmware flaws – an improper access control vulnerability and a command injection vulnerability – in October 2020. The researchers who found the issue “noticed the attacker customized the program by hiding the mining process and the real CPU memory resource usage information, so when the QNAP users check the system usage via the WEB management interface, they cannot see the abnormal system behavior.” The issue affects all QNAP NAS devices running firmware that predates the October 2020 update.

Editor's Note

QNAP NAS devices have been a target since September 2019. Limiting access to them and keeping the firmware and apps updated needs to be SOP. If you own a QNAP NAS device, change the passwords for all accounts, remove unknown user accounts, make sure both the firmware and applications are updated, remove unused/unknown applications, limit access to the device to authorized hosts only via ACL or firewall rules, and install the QNAP MalwareRemover app.

Lee Neely

NAS devices should not be attached to the public networks. They should be physically isolated, not merely firewalled.

William Hugh Murray

2021-03-08

Charges in Georgia Hacking Cases

A US federal grand jury has indicted Robert Purbeck for allegedly breaking into computer networks of medical clinics and a city in the US state of Georgia. Purbeck is facing charges of computer fraud and abuse, access device fraud and wire fraud.

Editor's Note

These attacks were possible because working credentials were obtained for the targeted servers. MFA should be SOP when protecting access to sensitive data, such as medical records. Also make sure systems are accessible only from known clients, and that patient/customer facing systems can only be used to access the minimum amount of data, and are monitored for misuse. Make sure these systems also implement MFA.

Lee Neely

2021-03-05

FBI Investigating Healthcare Ransomware Attacks

The FBI is investigating at least two healthcare-related ransomware attacks: one affecting Allergy Partners, which has locations across the US, and the second affecting the Rehoboth McKinley Christian Health Care in Gallup, New Mexico. Rehoboth’s network was hit with ransomware in February. The facility serves the Navajo Nation.

Internet Storm Center Tech Corner

From VBS, PowerShell, C Sharp, Process Hollowing to RAT

https://isc.sans.edu/forums/diary/From+VBS+PowerShell+C+Sharp+Process+Hollowing+to+RAT/27168/


YARA and CyberChef

https://isc.sans.edu/forums/diary/YARA+and+CyberChef/27180/


Cisco Patches Snort Related Vulnerabilities

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-ethernet-dos-HGXgJH8n


VMware View Planner Update

https://www.vmware.com/security/advisories/VMSA-2021-0003.html


Google's FLoC Algorithm

https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea


Microsoft Adding Excel 4.0 Macro Hooks to AMSI

https://www.microsoft.com/security/blog/2021/03/03/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware/


Update on Microsoft Exchange Vulnerability

https://github.com/microsoft/CSS-Exchange/tree/main/Security

https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/Exchange

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b


Supermicro Trickbot Patch

https://www.supermicro.com/en/support/security/trickbot


Apple Find My Device Leak (PDF)

https://arxiv.org/pdf/2103.02282.pdf


Apple Updates Everything

https://support.apple.com/en-us/HT201222


Google Adds Port 554 to "Restricted Ports"

https://chromium.googlesource.com/chromium/src.git/+/refs/heads/master/net/base/port_util.cc


Yet Another Intel Side Channel Attack (PDF)

https://arxiv.org/pdf/2103.03443.pdf