Microsoft has been reporting a massive attack on their Exchange Server throughout the last few days. Attackers have successfully penetrated Microsoft Exchange Server versions 2013 through 2019 via four vulnerabilities. Though the extent of the attack is yet unknown, it is set to affect hundreds of thousands of organizations worldwide. This will make it one of the most significant attacks to date. Worse, according to Kaspersky’s IT security experts, Germany and Switzerland are among the countries most affected.
The attackers penetrated the affected systems and installed so-called web shells. Through these, they retain access to the Exchange servers and the mail they hold even after the security patches have been applied. Worse, attackers can use the web shell to deploy additional tools into the company network, such as PowerShell scripts, Mimikatz or Cobalt Strike. This leaves victims exposed to attackers spreading through the network, compromising, stealing and encrypting data for ransom (a ransomware attack) as they advance.
The attack is on a completely unprecedented scale. Reputable security media report that even servers patched on the day of the announcement have a high probability of already carrying a web shell. Those who have not patched yet are very likely to be affected.
Faced with this critical situation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive: all civilian and government-run Microsoft Exchange servers should be updated immediately or, if necessary, disconnected from the network.
Although the attack is very advanced, ExeonTrace can help detect the intrusion. The detection relies on two functionalities of ExeonTrace:
ExeonTrace features several models that detect irregular data flows and patterns occurring when attackers try to spread within a network (Internal Reconnaissance, Lateral Movement and Data Exfiltration). We suggest treating ExeonTrace alarms triggered for on-premise Microsoft Exchange servers with the highest priority. Typical anomalies include:
Depending on the applications that run on the Exchange servers, some of these communication patterns might escape automated detection. We therefore strongly recommend conducting a manual analysis in ExeonTrace in addition to the automatic detection.
The "Client server pairs" flow visualization is particularly powerful for this investigation. There, an analyst can filter for the Exchange servers by adding their IPs to the search bar at the top of the page. We recommend checking the three connection matrix visualizations (internal traffic / outbound traffic / inbound traffic) for the following aspects:
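The flow-level triage described in the two sections above can be illustrated with a small script. The following Python example is added here for illustration; it is neither ExeonTrace's code nor part of the original post. It assumes a simple flow record of (source IP, destination IP, destination port, bytes sent), a constructed set of sample flows, an assumed Exchange server address, an assumed list of internal hosts the server legitimately talks to (e.g. a domain controller), and arbitrary thresholds. It splits the flows into the internal / outbound / inbound views and flags the two anomaly classes most relevant to a compromised Exchange server: the server fanning out to many internal hosts (internal reconnaissance / lateral movement) and the server pushing an unusually large volume to a single external address (data exfiltration).

```python
"""Flow-based triage of an on-premise Exchange server (added example, not ExeonTrace code)."""
from collections import defaultdict
import ipaddress

# Constructed sample flow records: (source IP, destination IP, destination port, bytes sent).
SAMPLE_FLOWS = [
    # Normal: internal clients reaching Exchange over HTTPS.
    ("10.0.5.21", "10.0.1.10", 443, 120_000),
    ("10.0.5.22", "10.0.1.10", 443, 98_000),
    # Normal: Exchange talking to its domain controller (Kerberos, LDAP).
    ("10.0.1.10", "10.0.1.5", 88, 4_000),
    ("10.0.1.10", "10.0.1.5", 389, 12_000),
    # Normal: inbound SMTP from the internet.
    ("198.51.100.7", "10.0.1.10", 25, 30_000),
    # Suspicious: Exchange fanning out to twelve internal hosts on SMB.
    *[("10.0.1.10", f"10.0.7.{i}", 445, 1_500) for i in range(1, 13)],
    # Suspicious: a large outbound transfer to a single external address.
    ("10.0.1.10", "203.0.113.5", 443, 120_000_000),
]

EXCHANGE_SERVERS = {"10.0.1.10"}            # assumed address of the on-premise Exchange server
EXPECTED_INTERNAL_PEERS = {"10.0.1.5"}      # assumed hosts Exchange legitimately connects to
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls inside one of the RFC 1918 ranges used here as 'internal'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flows(flows, exchange_ips):
    """Bucket flows touching an Exchange server into the three views an analyst checks:
    internal (either side internal), outbound (Exchange -> external), inbound (external -> Exchange)."""
    buckets = {"internal": [], "outbound": [], "inbound": []}
    for src, dst, port, nbytes in flows:
        if src in exchange_ips:
            key = "internal" if is_internal(dst) else "outbound"
        elif dst in exchange_ips:
            key = "internal" if is_internal(src) else "inbound"
        else:
            continue  # flow does not involve an Exchange server
        buckets[key].append((src, dst, port, nbytes))
    return buckets


def find_anomalies(flows, exchange_ips, expected_peers=frozenset(),
                   fanout_threshold=10, exfil_bytes=50_000_000):
    """Return (kind, server, detail) findings for each Exchange server.

    fanout_threshold: distinct unexpected internal hosts contacted on one port before alerting.
    exfil_bytes: bytes sent to a single external address before alerting.
    Both thresholds are arbitrary assumptions for this example."""
    buckets = classify_flows(flows, exchange_ips)
    findings = []
    for server in sorted(exchange_ips):
        # Internal reconnaissance / lateral movement: the server initiating connections to
        # internal hosts outside its expected peer set, grouped by destination port.
        fanout = defaultdict(set)
        for src, dst, port, _ in buckets["internal"]:
            if src == server and dst not in expected_peers:
                fanout[port].add(dst)
        for port, hosts in sorted(fanout.items()):
            if len(hosts) >= fanout_threshold:
                findings.append(("internal_reconnaissance", server,
                                 f"{len(hosts)} internal hosts contacted on port {port}"))
        # Data exfiltration: total bytes the server pushes to each external destination.
        sent = defaultdict(int)
        for src, dst, _, nbytes in buckets["outbound"]:
            if src == server:
                sent[dst] += nbytes
        for dst, total in sorted(sent.items()):
            if total >= exfil_bytes:
                findings.append(("data_exfiltration", server, f"{total} bytes sent to {dst}"))
    return findings


if __name__ == "__main__":
    for kind, server, detail in find_anomalies(SAMPLE_FLOWS, EXCHANGE_SERVERS,
                                               EXPECTED_INTERNAL_PEERS):
        print(f"[{kind}] {server}: {detail}")
```

On the constructed sample the script reports one internal-reconnaissance finding (twelve hosts on port 445) and one exfiltration finding (120 MB to 203.0.113.5), while the client, domain-controller and SMTP flows stay silent. The expected-peer allowlist is what keeps a legitimately chatty Exchange server from triggering the fan-out rule; in practice it would be derived from a pre-incident baseline rather than typed in by hand.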
To summarize, unless applications on the Exchange server already created similar data flows before the attack, ExeonTrace will automatically detect these anomalies with high likelihood. The additional manual analysis of the Exchange server through ExeonTrace's traffic visualization provides further confidence.