
Cisco Talos: Exchange Server flaws accounted for 35% of attacks

More than one third of incidents recorded by Cisco Talos in the past three months were related to four Microsoft Exchange Server zero-days first revealed in March.

A set of four vulnerabilities in Microsoft Exchange Server has emerged as the top target for attackers looking to break into networks.

Researchers with Cisco Talos Incident Response (CTIR) said in their latest quarterly report that over the last three months, some 35% of attacks targeted one of these four security bugs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. First disclosed in March by Microsoft, the Exchange Server vulnerabilities were part of a package of zero-day bugs that were exploited by a Chinese state-sponsored hacking operation known as Hafnium.

The attacks prompted Microsoft to issue a rare, out-of-band security update for Exchange Server. But despite the massive push to get servers updated against the flaws, they remain an extremely popular target for exploits.

"This shows that when a vulnerability is recently disclosed, severe, and widespread, CTIR will often see a corresponding rise in engagements in which the vulnerabilities in question are involved," wrote David Liebenberg and Caitlin Huey of Cisco Talos in a blog post. "Thankfully, the majority of these incidents involved scanning and not post-compromise behavior, such as file encryption or evidence of exfiltration."

In attacks logged by Cisco Talos, the Exchange bugs were often exploited via maliciously crafted emails. In general, the attackers seek to infiltrate targets by either impersonating actual system administrators or by creating fake personalities.

Interestingly, the researchers found that many of the threat actors exploiting the flaws in the last three months seemed to understand that the bugs were likely to be patched soon, and as such attacked a broad range of targets.


"The attackers likely understood that a patch for these vulnerabilities would soon be released and acted quickly and in an indiscriminate manner to obtain access to as many victim networks as possible while these exploits remained viable," Liebenberg and Huey wrote. "This notion is supported in part by their apparent failure to conduct relatively simple follow-on actions that would have helped them achieve victim compromise."

While the Exchange Server bugs were the big story of the report, the Cisco Talos team also noted a jump in ransomware attacks. The researchers found that not only are infections increasing with numerous prominent ransomware families, but new variants are also emerging. And those who operate the attacks have continued using a particularly nasty tactic to make money.

"This quarter featured several ransomware families that we have not previously encountered in CTIR engagements, including MountLocker, Zeppelin and Avaddon. These families fit the ransomware-as-a-service (RaaS) model and are typically deployed with Cobalt Strike and are delivered by an initial commodity Trojan loader," the researchers wrote. "These ransomware families also engage in double extortion, threatening to publish victim data if the ransom demand is not met."
