A new threat report shows that APTs are switching up their tactics when exploiting Microsoft services like Exchange and OWA, in order to avoid detection.
New, sophisticated adversaries are switching up their tactics in exploiting enterprise-friendly platforms — most notably Microsoft Exchange, Outlook Web Access (OWA) and Outlook on the Web – in order to steal business credentials and other sensitive data.
Both Microsoft’s Exchange mail server and calendaring server and its Outlook personal information manager web app provide authentication services – and integration with other platforms – that researchers say are prime for attackers to leverage for launching attacks.
Accenture’s 2020 Cyber Threatscape report, released Monday, shed light on how actors are leveraging Exchange and OWA – and evolving their tactics to develop new malware families that target these services, or using new detection evasion techniques.
“Web-facing, data-intense systems and services that typically communicate externally can make it easier for adversaries to hide their traffic in the background noise, while authentication services could open up a credential-harvesting opportunity for cybercriminals,” according to Accenture researchers on Monday.
One threat group that has been targeting Exchange and OWA is what researchers dub “BELUGASTURGEON” (aka Turla or Whitebear). Researchers say that this group operates from Russia, has been active for more than 10 years and is associated with numerous cyberattacks aimed at government agencies, foreign-policy research firms and think tanks across the globe.
The group is targeting these Microsoft services and using them as beachheads to hide traffic, relay commands, compromise e-mail, exfiltrate data and gather credentials for future espionage attacks, said researchers. For instance, they are manipulating legitimate traffic that’s traversing Exchange in order to relay commands or exfiltrate sensitive data.
“Hosts supporting Exchange and associated services frequently relay large volumes of data to external locations— representing a prime opportunity for malicious actors to hide their traffic within this background noise,” said researchers.
Another group, which researchers call SOURFACE (aka APT39 or Chafer), appears to have developed similar techniques to conceal malicious traffic, manipulating local firewalls and proxying traffic over non-standard ports using native commands, tools and functions, researchers said. Researchers said this group has been active since at least 2014 and is known for its cyberattacks on the oil and gas, communications, transportation and other industries in the Australia, Europe, Israel, Saudi Arabia, the U.S. and other regions.
In addition, threat groups are also creating new malware designed to specifically target Exchange and OWA. Researchers said they discovered several malicious files in the wild in 2019 that they assessed “with moderate confidence” were associated to a group called BLACKSTURGEON, used in targeting government and public sector orgs.
That includes a file that seemed like a version of the group’s customized version of the “RULER” tool, which is designed to abuse Microsoft Exchange services. This file exploits the CVE- 2017-11774 Outlook vulnerability, a security-feature bypass vulnerability that affects Microsoft Outlook and enables attackers to execute arbitrary commands, researchers said.
Cybercriminals are also targeting services that support Exchange and OWA. For instance, client-access servers (CAS), which handle all client connections to Exchange Server 2010 and Exchange 2013, typically operate in web-login portals for services including OWA. Attackers with access to CAS may be able to deploy capabilities to steal user login credentials, researchers said.
“Notably, an advanced persistent threat actor reportedly deployed web shells to harvest credentials from OWA users as they logged in,” they said.
The Windows Internet Information Services (IIS) platform, which supports OWA, is another increasing target. IIS is a web server software created by Microsoft for use with the Windows family. Researchers said they have observed SOURFACE, for instance, deploying custom Active Server Page Extended (ASPX) Web shells to IIS directories within the victim’s OWA environment. These web shells would include discrete file names, to resemble legitimate files on the victim’s system (for instance “login2.aspx” instead of “login.aspx”). And, to evade static detection, they typically contained limited functionality, often only file upload and download or command execution.
cloud security government hacks vulnerabilities web security accenture 2020 cyber threatscape report advanced threat aka apt39 apt belugasturgeon apt blacksturgeon apt chafer microsoft microsoft exchange microsoft outlook outlook on the web owa russia sourface tactics turla apt whitebear apt windows internet information services
Learn Cyber Defense programming by Cyber Security Training. Know how to stop tactics of ransomware, malware, social engineering, phishing by hacking course.
Nowadays, we can hardly do anything without surfing the internet to access some vital information. This highlights the essence of the internet, as well as our increased reliance on this awesome technology.
Despite Microsoft issuing patches almost eight months ago, 61 percent of Exchange servers are still vulnerable. Researchers warned in a March advisory that unpatched servers are being exploited in the wild by unnamed APT actors.
Microsoft has issued out-of-band patches for two “important” severity vulnerabilities, which if exploited could allow for remote code execution. One flaw (CVE-2020-17023) exists in Microsoft's Visual Studio Code is a free source-code editor made by Microsoft for Windows, Linux and macOS.
Cybercriminals are chaining Microsoft's Zerologon flaw with other exploits in order to infiltrate government systems, putting election systems at risk, a new CISA and FBI advisory warns.