An Exchange Vulnerability in Ransomware - Exabeam

Published
March 26, 2021

Author
Gorka Sadowski

A New Crowbar for an Old Burglar (i.e., only a week from disclosure to weaponization)

A few days ago, in an article by Lawrence Abrams, a new ransomware flavor was discussed in depth, and I truly recommend that you read it.

The short story is this. Microsoft first observed the HAFNIUM group attacking on-premises Exchange servers using several zero-day attacks, and subsequently disclosed details of this campaign. Once the cat was out of the bag, all kinds of organized attackers started leveraging these vulnerabilities and weaponizing this attack against unpatched on-prem Exchange servers to help plan and distribute a new ransomware flavor (Decry). These groups have been quite fast and effective.

Attackers managed to go from disclosure to weaponization in under a week:

  • A campaign using a series of vulnerabilities gets disclosed on March 2, 2021 (obviously the vulnerability existed before that) 
  • The exploit technique gets weaponized, used in the wild and discovered on March 9th 

So that’s a theoretical seven-day window between disclosure and payday for attackers. Have you patched your on-premises Exchange server already? Did you do it by March 9th? If so, congratulations, you are in the absolute minority. For most, chances are your Exchange server was not patched by then. That means you need to assume breach: your job is now not only detection, but investigation and continuous threat hunting for this attack.

We have seen this situation before. In fact, a few years back, Exabeam’s research team coined the term “Ransomware Kill Chain” in a research report where we discussed in depth not only the financial motivation of the attackers, but also how the attacks unfold in stages and appear as a timeline of events. This work is as relevant now as it was then. Nothing has changed. Back then, our research team looked at the new attack flow and concluded that, besides the new infection vector, the kill chain remained the same, which means you can still be effective in detecting it even without zero-day signatures. Why is that? While the code and the actors change, the attack still surfaces when you connect the activities as they unfold. As long as you can connect the dots and stitch it all back together with the proper context, you will understand what is happening.

A timeline of events that unfolds stage by stage is still the best way to connect otherwise scarce information into a solid investigation that allows analysts to respond to a threat, even across different iterations and changes of the threat (such as a new exploit, new zero-day, new vulnerability, etc.). This is exactly what Exabeam Smart Timelines does, continuously and automatically.
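To make the "connect the dots" idea concrete, here is an added example (not Exabeam's code and not from the post or the research report) that stitches host events into per-host timelines and flags a ransomware-like stage sequence. The log format, stage names, thresholds and sample lines are all constructed for illustration; the key property it demonstrates is that no signature for the initial exploit is needed: the later stages, seen in order on one host within a short window, are enough to surface the attack.

```python
"""
Added example: stage-based timeline correlation for ransomware detection.
Everything here (log format, stage names, thresholds, sample events) is
constructed for illustration and is not Exabeam's product logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <host> <event_type> <key=value ...>"
SAMPLE_LOG = """\
2021-03-09T08:00:01 exch01 http_request method=POST path=/owa/auth/ status=200
2021-03-09T08:00:05 exch01 process_start parent=w3wp.exe child=cmd.exe
2021-03-09T08:00:20 exch01 process_start parent=cmd.exe child=powershell.exe
2021-03-09T08:02:00 exch01 file_rename count=1200 ext=.CRYPT
2021-03-09T08:02:30 exch01 file_create name=readme.txt
2021-03-09T09:15:00 fs02 process_start parent=explorer.exe child=notepad.exe
2021-03-09T09:16:00 fs02 file_rename count=3 ext=.bak
"""

# Ordered kill-chain stages (constructed names). Note there is deliberately
# no rule for the exploit itself: the HTTP request above never matches.
KILL_CHAIN = ["webserver_spawned_shell", "scripting_host", "mass_rename", "ransom_note"]


def classify(event_type, detail):
    """Map one raw event to a kill-chain stage, or None if it is uninteresting."""
    kv = dict(p.split("=", 1) for p in detail.split() if "=" in p)
    if event_type == "process_start" and kv.get("parent") == "w3wp.exe":
        return "webserver_spawned_shell"      # mail web server spawning a shell
    if event_type == "process_start" and kv.get("child") == "powershell.exe":
        return "scripting_host"
    if event_type == "file_rename" and int(kv.get("count", 0)) >= 100:
        return "mass_rename"                  # burst of renames, encryption-like
    if event_type == "file_create" and kv.get("name", "").lower().startswith("readme"):
        return "ransom_note"
    return None


def parse_log(text):
    """Parse constructed log lines into (timestamp, host, event_type, detail)."""
    events = []
    for line in text.splitlines():
        ts, host, etype, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, etype, detail))
    return events


def build_timelines(events):
    """Group classified events per host, in time order."""
    timelines = defaultdict(list)
    for ts, host, etype, detail in sorted(events):
        stage = classify(etype, detail)
        if stage:
            timelines[host].append((ts, stage))
    return timelines


def find_kill_chains(timelines, window=timedelta(hours=1), min_stages=3):
    """Return {host: [(ts, stage), ...]} for hosts whose timeline shows at least
    min_stages of KILL_CHAIN in order, all within `window` of the first match.
    Missing earlier stages are allowed, so an unrecognized exploit does not
    prevent detection."""
    hits = {}
    for host, timeline in timelines.items():
        matched, next_idx = [], 0
        for ts, stage in timeline:
            if matched and ts - matched[0][0] > window:
                break
            if stage in KILL_CHAIN[next_idx:]:
                next_idx = KILL_CHAIN.index(stage) + 1
                matched.append((ts, stage))
        if len(matched) >= min_stages:
            hits[host] = matched
    return hits


def detect(log_text):
    """End-to-end: raw log text -> hosts with a suspicious stage sequence."""
    return find_kill_chains(build_timelines(parse_log(log_text)))


if __name__ == "__main__":
    for host, chain in detect(SAMPLE_LOG).items():
        print(f"[ALERT] {host}:")
        for ts, stage in chain:
            print(f"  {ts.isoformat()}  {stage}")
```

Running it prints a single alert for exch01 with its four stages in order, while fs02 (a few harmless renames) stays quiet. Dropping the line where the web server process spawns a shell, as would happen if that signal were never logged, still produces an alert from the remaining three stages; this is the "no zero-day signature needed" point in code.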

So, what can you do about this latest Exchange-based ransomware? 

  • If you are an Exabeam customer – detection as well as timeline-based continuous threat hunting is already in place for ransomware, so you have the floodlight where you need it. 
  • If you are not an Exabeam customer – we have guidelines for your SIEM. Read our ransomware research paper for guidelines on how to effectively understand as well as detect ransomware with log signals. 

Stay safe out there. 
