An Exchange Vulnerability in Ransomware
A New Crowbar for an Old Burglar (i.e., only a week from disclosure to weaponization)
A few days ago, an article by Lawrence Abrams discussed a new ransomware flavor in depth; I truly recommend that you read it.
The short story is this. Microsoft observed the HAFNIUM group attacking on-premises Exchange servers using several zero-day vulnerabilities and subsequently disclosed details of the campaign. Once the cat was out of the bag, all kinds of organized attackers started leveraging these vulnerabilities, weaponizing the attack against unpatched on-prem Exchange servers to plant and distribute a new ransomware flavor (Decry). These groups have been fast and effective.
Attackers needed less than a week from disclosure to weaponization:
- A campaign using a series of vulnerabilities was disclosed on March 2, 2021 (the vulnerabilities obviously existed before that)
- The exploit technique was weaponized, used in the wild, and discovered on March 9, 2021
So that is a theoretical seven-day window between disclosure and payday for attackers. Have you patched your on-premises Exchange server already? Did you do it by March 9? If so, congratulations, you are in the absolute minority. For most, chances are your Exchange server was not patched by then, which means you need to assume breach. Your job is now not only detection, but investigation and continuous threat hunting for this attack.
We have seen this situation before. In fact, a few years back, Exabeam’s research team coined the term “Ransomware Kill Chain” in a research report where we discussed in depth not only the financial motivation of the attackers, but also how the attacks unfold in stages and appear as a timeline of events. This work is as relevant now as it was then; nothing has changed. Back then, our research team looked at the new attack flow and concluded that, apart from the new infection vector, the kill chain remained the same, which means you can still detect it effectively even without zero-day signatures. Why is that? While the code and the actors change, the attack still surfaces when you connect the activities as they unfold. As long as you can connect the dots and stitch them back together with the proper context, you will understand what is happening.
A timeline of events that unfolds stage by stage is still the best way to connect otherwise scarce information into a solid investigation, one that allows analysts to respond to a threat even as it changes across iterations (a new exploit, a new zero-day, a new vulnerability, and so on). This is exactly what Exabeam Smart Timelines does, continuously and automatically.
So, what can you do about this latest Exchange-based ransomware?
- If you are an Exabeam customer, detection and timeline-based continuous threat hunting are already in place for ransomware, so you have the floodlight where you need it.
- If you are not an Exabeam customer, we have guidelines for your SIEM. Read our ransomware research paper for guidance on understanding and detecting ransomware from log signals.
Stay safe out there.