Exchange Server attacks: Microsoft shares intelligence on post-compromise activities

If you're cleaning up a infected Exchange server, you need to look for traces of multiple threats, warns Microsoft.
Written by Liam Tung, Contributing Writer

Many on-premises Exchange servers are being patched, but Microsoft warns that its investigations have found multiple threats lurking on already-compromised systems.

Microsoft is raising an alarm over potential follow-on attacks targeting already compromised Exchange servers, especially if the attackers used web shell scripts to gain persistence on the server, or where the attacker stole credentials during earlier attacks.

Microsoft released patches for Exchange on-premises systems on March 2. Four Exchange bugs were already under attack from a state-sponsored hacking group called Hafnium

SEE: Security Awareness and Training policy (TechRepublic Premium)

Microsoft earlier this week said that 92% of vulnerable Exchange servers had been patched or had mitigations applied. However, cybersecurity firm F-Secure said "tens of thousands" of Exchange servers had already been breached.      

In a new blog post, Microsoft reiterated its warning that "patching a system does not necessarily remove the access of the attacker".

"Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions," the Microsoft 365 Defender Threat Intelligence Team notes

Where systems have been compromised, Microsoft urges admins to practice the principle of least privilege and mitigate lateral movement on a network.

Least privilege will help address the common practice where an Exchange service or scheduled task has been configured with a highly privileged account to perform tasks like backups.

"As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection, as the account can be used to elevate privileges later," Microsoft notes. 

Using DoejoCrypt ransomware, aka DearCry, as an example, Microsoft notes that the web shells used by that strain write a batch file to C:\Windows\Temp\xx.bat. This was found on all systems hit by DoejoCrypt and may offer the attacker a route to regaining access where infections have been detected and removed.

"This batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA [Local Security Authority] Secrets portion of the registry, where passwords for services and scheduled tasks are stored," Microsoft notes. 

Even where victims have not been ransomed, the attacker's use of the xx.bat file allows them to explore a network via the web shell that dropped the file in the first place. The web shell also downloads the Cobalt Strike penetration testing kit before downloading the ransomware payload and encrypting files. In other words, a victim may not have been ransomed today, but the attacker has left the tools on the network to do it tomorrow. 

The other cybercrime threat to Exchange servers comes from malicious cryptocurrency miners. The Lemon Duck cryptocurrency botnet was observed exploiting vulnerable Exchange servers. Interestingly, the operators of Lemon Duck cleaned up an Exchange server with the xx.bat file and a web shell, giving it exclusive access to the Exchange server. Microsoft also found that it was being used to install other malware rather just mining for cryptocurrency.    

Microsoft has published numerous indicators of compromise that network defenders can use to search for the presence of these threats and signs of credential theft.

Editorial standards