Summary of Findings
- At least 10 APT groups have exploited zero-day vulnerabilities in Microsoft Exchange Server to attack email servers worldwide.
- “Maza” is the latest Russian-language cybercrime forum to be breached.
- A new variant of the Mirai botnet is targeting vulnerabilities in unpatched D-Link, Netgear, and SonicWall devices.
- A new CISA table can help defenders protect against TTPs used by the APT actor involved in the SolarWinds and Active Directory/M365 compromise.
- An increase in Dridex-related network attacks is being driven by the Cutwail botnet.
Zero-Day Vulnerabilities in Exchange Server Continue to Be Widely Exploited
The recently patched zero-day Microsoft Exchange Server vulnerabilities have been widely targeted by multiple advanced persistent threat (APT) and cybercriminal groups. Researchers at ESET have found that various APTs, including LuckyMouse, Tick, Winnti Group, and Calypso, are exploiting the pre-authentication remote code execution (RCE) vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).
Microsoft reported that attackers are deploying DearCry ransomware after exploiting the Exchange Server vulnerabilities. Until recently, attackers had only utilized web shells post-exploitation. The use of ransomware suggests new threat actors are targeting these vulnerabilities for financial gain.
Officials at the United Kingdom’s National Cyber Security Centre (NCSC) said they have helped detect and remove malware related to the attacks from more than 2,300 machines at businesses in the country.
It remains critical for organizations to remediate these vulnerabilities immediately by applying the remediation steps and patches. Microsoft has launched a mitigation tool to assist teams in securing their environments.
Russian-Language Cybercriminal Forum "Maza" Breached
An unknown attacker has compromised “Maza” (formerly "Mazafaka"), a highly restricted Russian-language cybercrime forum dating back to 2003. The breach was first detected by researchers at Flashpoint on March 3, 2021.
Maza is the fourth Russian-language online forum to be targeted in 2021. In January, an actor claimed to have breached “Verified,” an established Russian-language forum. In February, the administrator of “Crdclub,” a well-known cybercrime forum, announced that an administrator's account had been compromised. Earlier in March, the administrator of the "Exploit[.]in" forum announced that they had detected unauthorized secure shell (SSH) access to a proxy server used for protection against distributed denial-of-service (DDoS) attacks.
New Mirai Variant Targeting Network Security Devices
Mirai variant samples exploiting CVE-2021-27561, CVE-2021-27562, CVE-2021-22502, and CVE-2020-26919 were uploaded between February and March 2021 from various IP addresses, some only hours after the vulnerability details were published.
Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers.
CISA Releases SolarWinds APT Activity Detection Table
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has released a table of APT tactics, techniques, and procedures (TTPs) used by the actor involved with the recent SolarWinds compromise. The table is based on the MITRE ATT&CK framework and should be used to detect and respond to related activity.
Cutwail Botnet Spreads Dridex Malware
Researchers at IBM observed an increasing number of Dridex-related network attacks driven by the Cutwail botnet. The campaign involves first-stage attacks utilizing malicious macro documents attached to spear-phishing emails. The macro, when executed by the victim, runs a PowerShell script that deploys the Dridex loader as a second-stage infector. At the time of the report (March 11), the researchers were seeing relatively limited campaigns that were active in Italy and Japan.
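The infection chain above (Office macro launching PowerShell that fetches a second stage) leaves a recognizable parent/child process pattern in endpoint telemetry. The following is an added detection example written for this summary; it is not IBM's or CISA's code. It scans process-creation events for an Office application spawning a script host and raises the severity when the command line carries arguments typical of macro droppers. The field names (Computer, ParentImage, Image, CommandLine) mirror Sysmon Event ID 1, but the event lines themselves are constructed for illustration, including the placeholder encoded command, and do not come from the reported campaign.

```python
"""Flag Office applications spawning a script host, the parent/child pattern
an Office macro leaves when it runs PowerShell to fetch a second stage."""
import re
from dataclasses import dataclass

# Parent processes that should rarely launch a script interpreter directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes commonly abused by macro droppers.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Arguments that make an Office-to-script-host launch look like a dropper:
# encoded commands, no-profile/hidden-window flags, or in-memory download/eval.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*\s+[A-Za-z0-9+/=]{20,}"
    r"|-nop\b|-noprofile"
    r"|-w(?:indowstyle)?\s+hidden"
    r"|downloadstring|invoke-webrequest|iex\b|invoke-expression)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    parent: str
    child: str
    severity: str
    reason: str


# Constructed sample events in a Sysmon-like key="value" layout (not real telemetry).
# The -Enc payload is a placeholder of repeated base64 characters, not a real command.
SAMPLE_EVENTS = [
    'Computer="WS01" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -NoP -W Hidden -Enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"',
    'Computer="WS02" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe Get-Date"',
    'Computer="WS03" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -NoProfile Get-Process"',
    'Computer="WS04" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\splwow64.exe" CommandLine="splwow64.exe 12288"',
]


def parse_event(line: str) -> dict:
    """Turn a key="value" event line into a dict (values must not contain double quotes)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore install location."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Return a Finding when an Office parent launches a script host, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    host = event.get("Computer", "unknown")
    cmd = event.get("CommandLine", "")
    if SUSPICIOUS_ARGS.search(cmd):
        return Finding(host, parent, child, "high",
                       "Office parent launched script host with dropper-style arguments")
    # Still worth a look: a macro that runs a script host is unusual on most estates.
    return Finding(host, parent, child, "medium", "Office parent launched script host")


def scan(lines) -> list:
    """Evaluate every event line and keep only the findings."""
    return [f for f in (evaluate(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.host}: {finding.parent} -> {finding.child} ({finding.reason})")
```

Run as-is, the script reports WS01 as high (hidden window plus an encoded command) and WS02 as medium (Excel launching PowerShell with an innocuous command line), and stays silent on the Explorer-launched PowerShell and the Word-to-print-spooler launch. In production the same logic maps to a SIEM rule keyed on parent image and child image, with the argument patterns used to prioritize rather than to gate the alert, since a dropper can avoid every listed flag.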