The advanced persistent threat (APT) actor ToddyCat has been targeting Microsoft Exchange servers for over a year now, according to several cyber security firms. The pre-authentication remote code execution vulnerability chain tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 was patched by Microsoft in March 2021. The vulnerabilities allowed attackers to take over Exchange servers without knowing any valid account credentials. Shortly after the patches were released, threat actors started scanning for vulnerable servers en masse.
Government and military entities
Kaspersky published a post about the threat actor and stated that the first wave of attacks exclusively targeted Microsoft Exchange servers, which were compromised with the Samurai backdoor, which usually operates on ports 80 and 443. Since its first appearance, ToddyCat has continued its intense activity, especially in Asia, and Kaspersky stated that it discovered many other variants there. Kaspersky also discovered further waves of attacks in which desktop machines were infected by sending the malicious loaders via Telegram. Kaspersky said,
« ToddyCat is a sophisticated APT group that uses multiple techniques to avoid detection and thereby keeps a low profile. During our investigations we discovered dozens of samples, but despite the number of files and the duration of their activities, we were unable to attribute the attacks to a known group; and there is also quite a bit of technical information about the operations that we don’t have. »
The research showed that the group is targeting high-profile organizations, such as government and military entities and military contractors. ESET stated that it has identified more than 10 different threat actors exploiting the vulnerability chain. ESET also found webshells in Offline Address Book (OAB) configuration files, and noted that some threat actors might have hijacked the webshells dropped by other groups. Some of the attacks ESET discovered are:
- On 2021-02-28, Tick (also known as Bronze Butler) compromised the webserver of a company based in East Asia that provides IT services.
- On 2021-03-01, LuckyMouse compromised the email server of a governmental entity in the Middle East, which means this APT group likely had access to the exploit at least one day before the patch release, when it was still a zero-day.
- On 2021-03-01, Calypso compromised the email servers of governmental entities in the Middle East and in South America, which means the group likely had access to the exploit as a zero-day.
- Starting 2021-03-01, ESET researchers observed a new cluster of activity we have named Websiic, targeting seven email servers belonging to private companies in Asia and a governmental body in Eastern Europe.
- Starting 2021-03-02, a few hours before Microsoft released the patch, the Winnti Group (also known as BARIUM or APT41) compromised the email servers of an oil company and a construction equipment company both based in East Asia.
- On 2021-03-03, Tonto Team (also known as CactusPete) compromised the email servers of a procurement company and of a consulting company specialized in software development and cybersecurity, both based in Eastern Europe.
- Starting 2021-03-03, we observed the compromise of email servers at a software development company based in East Asia and a real estate company based in the Middle East where ShadowPad was dropped by the attacker.
- On 2021-03-03 at 04:23 AM UTC, just a few hours after the patch was released, we noticed that another set of malicious activities had started.
- Starting 2021-03-03, we observed that on four email servers located in Asia and South America, webshells were used to install so-called IIS backdoors.
- On 2021-03-04, the Mikroceen APT group compromised the Exchange server of a utility company in Central Asia, which is the region it mainly targets.
- Starting 2021-03-05 at 02:53 AM UTC, we detected the deployment of PowerShell downloaders on multiple email servers that were previously targeted using these Exchange vulnerabilities.
ESET also said,
« Our ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release. It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.
It is now clearly beyond prime time to patch all Exchange servers as soon as possible. Even those not directly exposed to the internet should be patched because an attacker with low, or unprivileged, access to your LAN can trivially exploit these vulnerabilities to raise their privileges while compromising an internal (and probably more sensitive) Exchange server, and then move laterally from it. »