Hackers have exploited recently disclosed vulnerabilities in Microsoft Exchange Server to gain entry to enterprise networks and distribute phishing emails both internally and externally, Cybereason said in a new threat report.
In August 2021, a series of attacks exploiting vulnerabilities in Exchange servers, dubbed ProxyShell, followed earlier discoveries of similar attacks termed ProxyLogon and ProxyOracle. ProxyShell is a set of three security vulnerabilities that together allow an attacker to remotely load malware on an unpatched system and download and browse through emails, with the ultimate intention of launching phishing campaigns.
In the last few months, Cybereason said its researchers have found a number of instances in which hackers have leveraged ProxyShell. The findings are of particular importance to companies deploying Exchange servers. Should attackers successfully gain a foothold in an enterprise network by leveraging ProxyShell, it becomes “relatively easy” to use the network to send phishing emails throughout the organization and to external user accounts, carrying QBot and DatopLoader as payloads, Cybereason said.
DatopLoader is a malware loader first seen in September 2021. Attackers use it to gain an initial foothold in their victims’ systems and networks. QBot (aka QakBot) is a financial Trojan used to steal banking information; it has since moved to working with other hacking groups to deliver payloads such as Cobalt Strike remote access capabilities.
In one particular attack Cybereason investigated, the crew used a ProxyShell vulnerability (CVE-2021-34473) to execute unauthenticated email-related activity on an Exchange server. All of the programs run by the attackers, with the exception of the AdFind freeware tool, were parts of the Windows operating system.
The vulnerability in question was patched in April 2021 and disclosed three months later. “Several months have passed since the publication of Windows Exchange Server patches that close the vulnerability,” Cybereason said. “Yet, it is noticeable how not many corporations have managed to apply security updates to reduce exploitable services.”
Once the attackers had successfully exploited the ProxyShell vulnerability for access, they sent phishing emails to both internal and external accounts. In a twist, the malware was sent as replies to legitimate emails the hackers had stolen from the Exchange server using the ProxyShell vulnerability. To make the emails appear legitimate, the hackers even altered the font and language of each response, a maneuver that Cybereason said may help explain the increasing popularity of this type of attack.
“In any phase of exploitation attackers may have been able to reach, corporations that went under threat have to put serious amounts of time and effort to recover and marshal assets to mitigate and bring the environment to the latest known secure state in a short period of time under tremendous pressure,” Cybereason said.