F-Secure is seeing a spike in ProxyLogon attacks
March 2021 by F-Secure
The ProxyLogon vulnerability is essentially an electronic version of removing all access controls, guards, and locks from the company’s main entry doors so that anyone could just walk in, according to Antti Laatikainen, senior security consultant at F-Secure. But companies can prevent maximum exploitation of this weakness in their Microsoft Exchange Servers if they act now.
“We’re nearing the end of the period of time when we can influence how much data is stolen,” Laatikainen said. “These attacks aren’t powered by black magic. Companies that have security monitoring capabilities in place—such as Endpoint Detection and Response (EDR) or Rapid Detection and Response (RDS) along with network monitoring and an effective patching policy—can fight back. There are a ton of things they can do manually to prevent a full disaster. I just encourage them to do them immediately.”
Prevalence of TR/Downloader.Gen from 01.03.2021 to date.
A generic webshell detection, TR/Downloader.Gen, spiked last week after the ProxyLogon vulnerability proof-of-concept file was released on March 11th. Although it peaked last Wednesday, it continues to detect significant amounts of activity, in the tens of thousands. Countries seeing the most detections, in descending order, are Italy, Germany, France, the United Kingdom, the United States, Belgium, Kuwait, Sweden, the Netherlands, and Taiwan.
Prevalence of TR/Downloader.Gen detections per country.
The need to act is urgent
An attacker could quickly own a hacked server, upload files and programs, and use the server as a stepping-stone into other parts of a network. Because ProxyLogon allows access to the lower layers of the server—and from there to the rest of the organization’s network—this makes an extensive series of silent network intrusions possible. For example, in the Vastaamo case, 40,000 psychotherapy patients had their records hacked before anyone was aware the database server had been compromised.
The worst fear in the cybersecurity community is that dozens or even hundreds of Vastaamo-type data breaches are happening in corporate networks at this moment. These breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen. If an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now.
To make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server. There is even a fully functioning package for exploiting the vulnerability chain published to the Metasploit framework, which is commonly used for both hacking and security testing. This free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and curious, opportunistic “script kiddies.”
“Tens of thousands of servers have been hacked around the world,” Laatikainen says. “They’re being hacked faster than we can count. Globally, this is a disaster in the making.”
According to F-Secure analytics, only about half of the Exchange servers visible on the Internet have applied the Microsoft patches for these vulnerabilities. Unfortunately, installing the security patches alone does not guarantee that the server is secure, as a hacker may have breached it before the update was installed.
“Never in the past 20 years that I’ve been in the industry has it been as justified to assume that there has been at least a digital knock at the door for every business with Exchange Outlook Web Access installed in the world. Because access is so easy, you can assume that the majority of these environments have been breached,” Laatikainen said.
Damage can still be limited
As breaches like this are performed in stages, intruders’ reconnaissance can often be detected. It is still possible to limit the damage, or in some cases, prevent it completely.
Laatikainen expects that companies will start reporting breaches soon.
“The GDPR data protection regulation demands that theft of personal data must be reported to the data protection authorities within 72 hours. You have to expect that the number of GDPR breach reports coming in the next few weeks will be historic. Your company doesn’t have to be on the long list of organizations reporting breaches tomorrow if you take the right steps today.”