Summary of Findings
- Widespread exploitation in the wild of four zero-day vulnerabilities in Microsoft Exchange Server has led to attacks on potentially thousands of servers.
- The SolarWinds campaign is believed to be an intelligence-gathering operation designed to access sensitive communications residing in Office 365 environments.
- A recent cyberattack on the Dutch Research Council that impacted operations was caused by the DoppelPaymer ransomware group.
- Sophisticated, ultra-thin self-checkout skimmers for chip cards take advantage of terminals designed for older card types.
- Povlsomware proof-of-concept ransomware adds compatibility with the Cobalt Strike post-exploitation tool to perform in-memory loading and execution.
- A spike in malicious emails distributing Zloader malware has been noted.
Four Zero-Day Vulnerabilities in Exchange Server Exploited in the Wild
Volexity and Microsoft reported in-the-wild exploitation of four vulnerabilities in on-premises Exchange Server, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. CVE-2021-26855 is a pre-authentication server-side request forgery that gives an unauthenticated attacker the initial foothold; the other three are post-authentication bugs (an insecure deserialization in the Unified Messaging service and two arbitrary file writes) that are chained with it to write files to disk and run code as SYSTEM.
Microsoft has attributed the activity to a previously undisclosed Chinese state-sponsored threat group named HAFNIUM. According to Microsoft, HAFNIUM primarily targets entities in the United States across a number of industry sectors, including healthcare (infectious disease researchers), legal (law firms), higher education (colleges and universities), and government (defense contractors and policy think tanks).
According to Volexity, upon successful exploitation, attackers write webshells (ASPX files) to disk and execute further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT), and move laterally to other systems and environments.
Microsoft has released out-of-band security updates for the vulnerabilities and published a PowerShell script (Test-ProxyLogon.ps1, originally named Test-Hafnium.ps1) that checks Exchange log files for HAFNIUM indicators of compromise.
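To make the indicators concrete, the following is an added Python example written for this summary; it is not Microsoft's Test-ProxyLogon script and not code from Volexity or EclecticIQ. It applies two of the published checks to constructed sample data: the HttpProxy-log test for CVE-2021-26855 (requests with no AuthenticatedUser whose AnchorMailbox has been forced to the form ServerInfo~host/path, which is the condition Microsoft's guidance filters on) and a content heuristic for the China Chopper-style one-line ASPX web shells Volexity described. The log columns are a reduced subset of the real HttpProxy layout; the sample rows, hostnames, IP addresses and the shell's request parameter name are constructed; and the directory walk assumes the default Exchange install path.

```python
"""Hunt for HAFNIUM-style Exchange compromise artefacts (added example).

Check 1: CVE-2021-26855 SSRF attempts in HttpProxy logs. The exploit is
         pre-auth, so AuthenticatedUser is empty while AnchorMailbox is
         forced to ServerInfo~<backend host>/<path>.
Check 2: China Chopper-style ASPX web shells: a server-side script block
         that evals request-supplied input.
Both checks run on constructed sample data so the file executes offline.
"""
import csv
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator

# --- Check 1: HttpProxy log hunt -------------------------------------------

# Constructed sample in the HttpProxy CSV layout, reduced to a few of the
# real columns. Rows 2 and 3 are the SSRF pattern; row 4 carries a
# ServerInfo anchor but an authenticated user, so it must NOT be flagged.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-02T09:14:01.117Z,1b9a,/owa/,CORP\\alice,smtp:alice@corp.example,10.10.0.5,200
2021-03-02T09:15:22.401Z,7c21,/owa/auth/x.js,,ServerInfo~exch01.corp.example/ecp/default.flt,203.0.113.7,200
2021-03-02T09:15:23.004Z,7c22,/ecp/y.js,,ServerInfo~exch01.corp.example/ecp/DDI/DDIService.svc/GetObject,203.0.113.7,200
2021-03-02T09:16:00.559Z,9f00,/mapi/emsmdb/,CORP\\svc-mon,ServerInfo~exch01.corp.example/mapi/emsmdb,10.10.0.9,200
"""

SSRF_ANCHOR = re.compile(r"^ServerInfo~[^/]+/.+")


@dataclass(frozen=True)
class SsrfHit:
    when: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def iter_httpproxy_rows(log_text: str) -> Iterator[dict]:
    """Yield log rows as dicts, skipping any '#' comment lines that some
    Exchange log types place before the CSV header."""
    lines = [ln for ln in log_text.splitlines() if ln and not ln.startswith("#")]
    yield from csv.DictReader(lines)


def find_ssrf_hits(log_text: str) -> list[SsrfHit]:
    """Return rows where nobody authenticated yet the proxy was handed a
    ServerInfo~host/path anchor: the CVE-2021-26855 routing abuse."""
    hits = []
    for row in iter_httpproxy_rows(log_text):
        if row.get("AuthenticatedUser", "") == "" and SSRF_ANCHOR.match(row.get("AnchorMailbox", "")):
            hits.append(SsrfHit(row["DateTime"], row["ClientIpAddress"], row["UrlStem"], row["AnchorMailbox"]))
    return hits


# --- Check 2: ASPX web shell heuristic -------------------------------------

# A page is suspicious when it is server-side script AND it evaluates data
# taken straight from the request (Request["x"], Request.Item["x"], ...).
WEBSHELL_PATTERNS = [
    re.compile(r'runat\s*=\s*"server"', re.I),
    re.compile(r"eval\s*\(\s*Request\s*(\[|\.Item\s*\[|\.Form\s*\[|\.QueryString\s*\[)", re.I),
]


def looks_like_webshell(aspx_source: str) -> bool:
    """Heuristic: True for the China Chopper one-liner shape, False for
    ordinary ASPX pages. Review hits manually; this is not a signature."""
    return all(p.search(aspx_source) for p in WEBSHELL_PATTERNS)


def scan_for_webshells(root: Path) -> list[Path]:
    """Walk a web root and return .aspx files matching the heuristic.
    Default Exchange front-end path assumed; adjust for custom installs."""
    return [p for p in root.rglob("*.aspx")
            if looks_like_webshell(p.read_text(errors="ignore"))]


# Constructed samples: a China Chopper style shell (parameter name made up)
# and a benign page that also uses runat="server" but never evals input.
SAMPLE_WEBSHELL = ('<script language="JScript" runat="server">'
                   'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>')
SAMPLE_BENIGN = ('<%@ Page Language="C#" %><script runat="server">'
                 'void Page_Load(){ lbl.Text = DateTime.UtcNow.ToString(); }</script>'
                 '<asp:Label id="lbl" runat="server"/>')

if __name__ == "__main__":
    for hit in find_ssrf_hits(SAMPLE_HTTPPROXY_LOG):
        print(f"SSRF? {hit.when} {hit.client_ip} {hit.url_stem} -> {hit.anchor_mailbox}")
    print("shell sample flagged:", looks_like_webshell(SAMPLE_WEBSHELL))
    print("benign sample flagged:", looks_like_webshell(SAMPLE_BENIGN))
    # On a real server: scan_for_webshells(Path(r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy"))
```

The empty-AuthenticatedUser condition is what separates exploitation from legitimate proxying: Exchange itself routes some authenticated requests with ServerInfo anchors, so matching on the anchor alone would drown the hunt in false positives. Point `find_ssrf_hits` at every file under `Logging\HttpProxy`, and treat any web shell hit as a confirmed compromise to be scoped, not just a file to delete.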
SolarWinds Targeted Sensitive Information Stored in Microsoft Products
The CEO of SolarWinds provided an update on the company's internal investigation, stating that the attackers had compromised the company's Microsoft Office 365 environment. The National Aeronautics and Space Administration (NASA) and the Federal Aviation Administration (FAA) were added to the list of victims, which already includes other government agencies. EclecticIQ analysts find the update consistent with prior reporting:
- Threat actors demonstrated an interest in restricted Microsoft source code repositories and files.
- Actors pivoted from on-premises networks to cloud infrastructure in search of Office 365 data.
- Widespread access to proprietary information in Microsoft files provides deep espionage capabilities. The TTPs and actions on objectives are highly consistent with a state-sponsored espionage campaign mostly targeting entities in the United States.
Dutch Research Council Confirms Incident with DoppelPaymer Ransomware
The email systems of the NWO, a Dutch research council responsible for approximately 1 billion euros per year in research grants, were compromised and attackers installed DoppelPaymer ransomware. The NWO has been forced to stop the grant application process for at least “a couple of weeks” to take systems offline and investigate. Weeks of downtime very likely equate to delays in awarding tens of millions of euros in grant money and conducting important research.
Checkout Skimmers Powered by Chip Cards Will Very Likely Increase Risk to Financial Industry
A new type of skimming device is powered by RFID-induced fields and needs no battery, so the form factor can be small and paper thin. Each skimmer contains a small chip that can store multiple gigabits of data. Each unit is paired with a primary card; when that card is inserted into the compromised terminal, the stored card data is exfiltrated to it automatically. The design makes the skimmers much harder to detect, while installation and data retrieval look like ordinary card insertions and can be done discreetly.
Open Source Povlsomware Ransomware Contains Cobalt Strike Functionality
Developers of the open source proof-of-concept (PoC) ransomware Povlsomware made it compatible with the Cobalt Strike post-exploitation tool. This lets an operator load and execute the ransomware in memory from a Cobalt Strike beacon, so the payload never has to be written to disk, which makes file-based detection harder. Because the malware is open source, it is easy to use as a starting point for further development.
Possible Increase in Zloader Activity
Chances are about even that Zloader activity is increasing following the Emotet takedown in January 2021. PhishLabs has reported a rise in phishing incidents delivering Zloader; EclecticIQ analysts cannot confirm the increase from other open source reporting.
Zloader is loader malware that typically delivers Zeus OpenSSL (XSphinx). If Zloader activity is growing, a corresponding rise in Zeus infections may take several days or weeks to become visible.