No, I Did Not Hack Your MS Exchange Server

March 28, 2021

New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name.

Let’s just get this out of the way right now: It wasn’t me.

The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with brian[.]krebsonsecurity[.]top (NOT a safe domain, hence the hobbling).

Shadowserver has been tracking wave after wave of attacks targeting flaws in Exchange that Microsoft addressed earlier this month in an emergency patch release. The group looks for attacks on Exchange systems using a combination of active Internet scans and “honeypots” — systems left vulnerable to attack so that defenders can study what attackers are doing to the devices and how.

David Watson, a longtime member and director of the Shadowserver Foundation Europe, says his group has been keeping a close eye on hundreds of unique variants of backdoors (a.k.a. “web shells”) that various cybercrime groups worldwide have been using to commandeer any unpatched Exchange servers. These backdoors give an attacker complete, remote control over the Exchange server (including any of the server’s emails).

On Mar. 26, Shadowserver saw an attempt to install a new type of backdoor in compromised Exchange Servers, and with each hacked host it installed the backdoor in the same place: “/owa/auth/babydraco.aspx.

“The web shell path that was dropped was new to us,” said Watson said. “We have been testing 367 known web shell paths via scanning of Exchange servers.”

OWA refers to Outlook Web Access, the Web-facing portion of on-premises Exchange servers. Shadowserver’s honeypots saw multiple hosts with the Babydraco backdoor doing the same thing: Running a Microsoft Powershell script that fetches the file “krebsonsecurity.exe” from the Internet address 159.65.136[.]128. Oddly, none of the several dozen antivirus tools available to scan the file at currently detect it as malicious.

The Krebsonsecurity file also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file. Watson said the Krebsonsecurity file will attempt to open up an encrypted connection between the Exchange server and the above-mentioned IP address, and send a small amount of traffic to it each minute. Continue reading

Phish Leads to Breach at Calif. State Controller

March 23, 2021

A phishing attack last week gave attackers access to email and files at the California State Controller’s Office (SCO), an agency responsible for handling more than $100 billion in public funds each year. The phishers had access for more than 24 hours, and sources tell KrebsOnSecurity the intruders used that time to steal Social Security numbers and sensitive files on thousands of state workers, and to send targeted phishing messages to at least 9,000 other workers and their contacts.

A notice of breach posted by the California State Controller’s Office.

In a “Notice of Data Breach” message posted on Saturday, Mar. 20, the Controller’s Office said that for more than 24 hours starting on the afternoon of March 18 attackers had access to the email records of an employee in its Unclaimed Property Division after the employee clicked a phishing link and then entered their email ID and password.

“The SCO has reason to believe the compromised email account had personal identifying information contained in Unclaimed Property Holder Reports,” the agency said, urging state employees contacted by the agency to place fraud alerts on their credit files with the major consumer bureaus.  “The unauthorized user also sent potentially malicious emails to some of the SCO employee’s contacts.”

The SCO responded in an email that no state employee data was compromised.

“A single employee email account was briefly compromised by a spear phishing attack and promptly disabled,” SCO spokesperson Jennifer Hanson said. “SCO has notified the employee’s contacts who may have received a potentially malicious email from the unauthorized user. SCO team members have identified all personal information included in the compromised email account and begun the process of notifying affected parties. The Controller is going over and beyond the notification requirements in law by providing both actual mailed notification and substitute notification in an effort to ensure the broadest possible notification.”

A source in an adjacent California state agency who’s been tracking the incident internally with other employees says the SCO forgot to mention the intruders also had access to the phished employee’s Microsoft Office 365 files — and potentially any files shared with that account across the state network.

“This isn’t even the full extent of the breach,” said the California state employee, who spoke on condition of anonymity. Continue reading


RedTorch Formed from Ashes of Norse Corp.

March 22, 2021

Remember Norse Corp., the company behind the interactive “pew-pew” cyber attack map shown in the image below? Norse imploded rather suddenly in 2016 following a series of managerial missteps and funding debacles. Now, the founders of Norse have launched a new company with a somewhat different vision: RedTorch, which for the past two years has marketed a mix of services to high end celebrity clients, including spying and anti-spying tools and services.

A snapshot of Norse’s semi-live attack map, circa Jan. 2016.

Norse’s attack map was everywhere for several years, and even became a common sight in the “brains” of corporate security operations centers worldwide. Even if the data that fueled the maps was not particularly useful, the images never failed to enthrall visitors viewing them on room-sized screens.

“In the tech-heavy, geek-speak world of cybersecurity, these sorts of infographics and maps are popular because they promise to make complicated and boring subjects accessible and sexy,” I wrote in a January 2016 story about Norse’s implosion. “And Norse’s much-vaunted interactive attack map was indeed some serious eye candy: It purported to track the source and destination of countless Internet attacks in near real-time, and showed what appeared to be multicolored fireballs continuously arcing across the globe.”

That story showed the core Norse team had a history of ambitious but ultimately failed or re-branded companies. One company proclaimed it was poised to spawn a network of cyber-related firms, but instead ended up selling cigarettes online. That company, which later came under investigation by state regulators concerned about underage smokers, later rebranded to another start-up that tried to be an online copyright cop.

Flushed with venture capital funding in 2012, Norse’s founders started hiring dozens of talented cybersecurity professionals. By 2014 it was throwing lavish parties at top  Internet security conferences. It spent quite a bit of money on marketing gimmicks and costly advertising stunts, burning through millions in investment funding. In 2016, financial reality once again would catch up with the company’s leadership when Norse abruptly ceased operations and was forced to lay off most of its staff.

Now the top executives behind Norse Corp. are working on a new venture: A corporate security and investigations company called RedTorch that’s based in Woodland Hills, Calif, the home of many Hollywood celebrities.

RedTorch’s website currently displays a “We’re coming soon” placeholder page. But a version of the site that ran for two years beginning in 2018 explained what clients can expect from the company’s services:

  • “Frigg Mobile Intelligence,” for helping celebrities and other wealthy clients do background checks on the people in their lives;
  • “Cheetah Counter Surveillance” tools/services to help deter others from being able to spy on clients electronically;
  • A “Centurion Research” tool for documenting said snooping on others.

An ad for RedTorch’s “Cheetah” counter-surveillance tech. The Guy Fawkes mask/Anonymous threat featured prominently and often on RedTorch’s website.

The closest thing to eye candy for RedTorch is its Cheetah Counter Surveillance product line, a suite of hardware and software meant to be integrated into other security products which — according to RedTorch — constantly sweeps the client’s network and physical office space with proprietary technology designed to detect remote listening bugs and other spying devices.

Frigg, another core RedTorch offering, is…well, friggin’ spooky:

“Frigg is the easiest way to do a full background check and behavioral analysis on people,” the product pitch reads. “Frigg not only shows background checks, but social profiles and a person’s entire internet footprint, too. This allows one to evaluate a person’s moral fiber and ethics. Frigg employs machine learning and analytics on all known data from a subject’s footprint, delivering instant insight so you can make safer decisions, instantly.”

The background checking service from RedTorch, called Frigg, says it’s building “one of the world’s largest facial recognition databases and a very accurate facial recognition match standard.”

Frigg promises to include “elements that stems [sic] from major data hacks of known systems like Ashley Madison, LinkedIn, Dropbox,, AdultFriendFinder and hundreds more. Victims of those breaches lost a lot of private data including passwords, and Frigg will help them secure their private data in the future. The matching that is shown will use email, phone and full name correlation.”

From the rest of Frigg:

Frigg references sanction lists such as OFAC, INTERPOL wanted persons, and many more international and domestic lists. Known locations results are based on social media profiles and metadata where, for example, there was an image posted that showed GPS location, or the profile mentions locations among its comments.

Frigg provides the option of continuous monitoring on searched background reports. Notification will be sent or shown once an important update or change has been detected

The flagship version of Frigg will allow a user to upload a picture of a face and get a full background check instantly. RedTorch is working to develop one of the world’s largest facial recognition databases and a very accurate facial recognition match standard.


The co-founders of Norse Networks, “Mr. White” (left) Norse Corp. co-founder and RedTorch CEO Henry Marx;, and “Mr. Grey,” CTO and Norse Corp. co-founder Tommy Stiansen.

RedTorch claims it is building a huge facial recognition database, so it’s perhaps no surprise that its founders prefer to obscure theirs. The contact email on RedTorch says henry @redtorch dot com. That address belongs to RedTorch Inc. CEO Henry Marx, a former music industry executive and co-founder of Norse Networks.

Marx did not respond to requests for comment. Nor did any of the other former Norse Corp. executives mentioned throughout this story. So I should emphasize that it’s not even clear whether the above-mentioned products and services from RedTorch actually exist.

One executive at Red Torch told this author privately that the company had plenty of high-paying clients, although that person declined to be more specific about what RedTorch might do for those clients or why the company’s site was currently in transition.

Now a cadre of former Norse Corp. employees who have been tracking the company’s past executives say they’ve peered through the playful subterfuge in the anonymous corporate identities on the archived RedTorch website.

Marx appears to be the “Mr. White” referenced in the screenshot above, taken from an archived Aug. 2020 version of He is wearing a Guy Fawkes mask, a symbol favored by the Anonymous hacker collective, the doomed man behind the failed Gunpowder plot of 1604 in England, and by possibly the most annoying costumes that darken your front door each Halloween.

Mr. White says he has “over 30 years in the entertainment industry; built numerous brands and controlled several areas of the entertainment business side,” and that he’s “accomplished over 200 million sold artist performances.”

Pictured beside Mr. White is RedTorch’s co-founder, “Mr. Grey.” Norse watchers say that would be Tommy Stiansen, the Norwegian former co-founder of Norse Corp. whose LinkedIn profile says is now chief technology officer at RedTorch. One of his earliest companies provided “operational billing solutions for telecom networks.”

“Extensive experience from Telecom industry as executive and engineer,” reads Mr. Grey’s profile at RedTorch. “Decades of Cyber security experience, entrepreneurship and growing companies; from single employee to hundreds of employees. Been active on computers since 7 years old, back in mid-80’s and have pioneered many facets of the internet and cyber security market we know today. Extensive government work experience from working with federal governments.” Continue reading

Fintech Giant Fiserv Used Unclaimed Domain

March 17, 2021

If you sell Web-based software for a living and ship code that references an unregistered domain name, you are asking for trouble. But when the same mistake is made by a Fortune 500 company, the results can range from costly to disastrous. Here’s the story of one such goof committed by Fiserv [NASDAQ:FISV], a $15 billion firm that provides online banking software and other technology solutions to thousands of financial institutions.

In November 2020, KrebsOnSecurity heard from security researcher Abraham Vegh, who noticed something odd while inspecting an email from his financial institution.

Vegh could see the message from his bank referenced a curious domain: A quick search of WHOIS registration records showed the domain was unregistered. Wondering whether he might receive email communications to that address if he registered the domain, Vegh snapped it up for a few dollars, set up a catch-all email account for it, and waited.

“It appears that the domain is provided as a default, and customer bank IT departments are either assuming they don’t need to change it, or are not aware that they could/should,” Vegh said, noting that a malicious person who stumbled on his discovery earlier could have had a powerful, trusted domain from which to launch email phishing attacks.

At first, only a few wayward emails arrived. Ironically enough, one was from a “quality assurance” manager at Fiserv. The automatic reply message stated that the employee was out of the office “on R&R” and would be back to work on Dec. 14.

Many other emails poured in, including numerous “bounced” messages delivered in reply to missives from, a money transfer service that Fiserv acquired in 2011.

Emails get bounced — or returned to the sender — when they are sent to an address that doesn’t exist or that is no longer active. The messages had been sent to an email address for a former client solutions director at Fiserv; the “reply-to:” address in those missives was “”.

The messages were informing customers of CashEdge’s main service Popmoney — which lets users send, request and receive money directly from bank accounts — that Popmoney was being replaced with Zelle, a more modern bank-to-bank transfer service.

Each CashEdge missive included information about recurring transfers that were being canceled, such as the plan ID, send date, amount to be transferred, the name and last four digits of the account number the money was coming from, and the email address of the recipient account.

Incredibly, at the bottom of every message to CashEdge/Popmoney customers was a boilerplate text: “This email was sent to [recipient name here]. If you have received this email in error, please send an e-mail to”

Continue reading

Can We Stop Pretending SMS Is Secure Now?

March 16, 2021

SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of employees at mobile stores who can be tricked or bribed into swapping control over a mobile phone number to someone else. Now we’re learning about an entire ecosystem of companies that anyone could use to silently intercept text messages intended for other mobile users.

Security researcher “Lucky225” worked with’s Joseph Cox to intercept Cox’s incoming text messages with his permission. Lucky225 showed how anyone could do the same after creating an account at a service called Sakari, a company that helps celebrities and businesses do SMS marketing and mass messaging.

The “how they did it” was sickeningly simple. It cost just $16, and there was precious little to prevent someone from stealing your text messages without your knowledge. Cox writes:

Sakari offers a free trial to anyone wishing to see what the company’s dashboard looks like. The cheapest plan, which allows customers to add a phone number they want to send and receive texts as, is where the $16 goes. Lucky225 provided Motherboard with screenshots of Sakari’s interface, which show a red “+” symbol where users can add a number.

While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari’s LOA says that the user should not conduct any unlawful, harassing, or inappropriate behavior with the text messaging service and phone number.

But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead.

Lucky225, who is chief information officer for Okey Systems, told KrebsOnSecurity that Sakari has since taken steps to block its service for being used with mobile telephone numbers. He said Sakari is just one part of a much larger, unregulated industry that can be used to hijack SMS messages for many phone numbers.

“It’s not a Sakari thing,” Lucky225 replied when first approached for more details. “It’s an industry-wide thing. There are many of these ‘SMS enablement’ providers.”

The most common way thieves hijack SMS messages these days involves “sim swapping,” a crime that entails bribing or tricking employees at wireless phone companies into modifying customer account information.

In a SIM swap, the attackers redirect the target’s phone number to a device they control, and then can intercept the target’s incoming SMS messages and phone calls. From there, the attacker can reset the password of any account which uses that phone number for password reset links.

But the attacks Lucky225 has been demonstrating merely require customers of any number of firms to sign a sworn “letter of authorization” or LOA stating that they indeed do have the authority to act on behalf of the owner of the targeted number.

Allison Nixon is chief research officer at Unit221B, a New York City-based cyber investigations firm. An expert on SIM-swapping attacks who’s been quoted quite a bit on this blog, Nixon said she also had Lucky225 test his interception tricks on her mobile phone, only to watch her incoming SMS messages show up on his burner phone.

“This basically means the only thing standing between anyone and the equivalent of a SIM swap is a forged LOA,” Nixon said. “And the ‘fix’ put in seems to be temporary in nature.”

The interception method that Lucky225 described is still dangerously exposed by a number of systemic weaknesses in the global SMS network, he said.

Most large and legacy telecommunications providers validate transfer requests related to their customers by consulting NPAC, or the Number Portability Administration Center. When customers want to move their phone numbers — mobile or otherwise — that request is routed through NPAC to the customer’s carrier.

That change request carries what’s known as an ALT-SPID, which is a four-digit number that enables NPAC to identify the telecommunications company currently providing service to the customer. More importantly, as part of this process no changes can happen unless the customer’s carrier has verified the changes with the existing customer.

But Lucky225 said the class of SMS interception he’s been testing targets a series of authentication weaknesses tied to a system developed by NetNumber, a private company in Lowell, Mass. NetNumber developed its own proprietary system for mapping telecommunications providers that is used by Sakari and an entire industry of similar firms.

NetNumber developed its six-digit ALT SPIDs (NetNumber IDs) to better organize and track communications service providers that were all using other numbering systems (and differing numbers of digits). But NetNumber also works directly with dozens of voice-over-IP or Internet-based phone companies which do not play by the same regulatory rules that apply to legacy telecommunications providers.

“There are many VoIP providers that offer ‘off net’ ‘text enablement’,” Lucky225 explained. “Companies such as ZipWhip that promise to let you ‘Text enable your existing business phone number’ so that customers can text your main business line whether it be VoIP, toll-free or a landline number.”

As Lucky225 wrote in his comprehensive Medium article, there are a plethora of wholesale VoIP providers that let you become a reseller with little to no verification, many of them allow blanket Letters of Authorization (LOAs), where you as the reseller promise that you have an LOA on file for any number you want to text enable for your resellers or end-users.

“In essence, once you have a reseller account with these VoIP wholesalers you can change the Net Number ID of any phone number to your wholesale provider’s NNID and begin receiving SMS text messages with virtually no authentication whatsoever. No SIM Swap, SS7 attacks, or port outs needed — just type the target’s phone number in a text box and hit submit and within minutes you can start receiving SMS text messages for them. They won’t even be alerted that anything has happened as their voice & data services will continue to work as usual. Surprisingly, despite the fact that I publicly disclosed this in 2018, nothing has been done to stop this relatively unsophisticated attack.”

Continue reading

WeLeakInfo Leaked Customer Payment Info

March 15, 2021

A little over a year ago, the FBI and law enforcement partners overseas seized WeLeakInfo[.]com, a wildly popular service that sold access to more than 12 billion usernames and passwords stolen from thousands of hacked websites. In an ironic turn of events, a lapsed domain registration tied to WeLeakInfo let someone plunder and publish account data on 24,000 customers who paid to access the service with a credit card.

For several years, WeLeakInfo was the largest of several services selling access to hacked passwords. Prosecutors said it had indexed, searchable information from more than 10,000 data breaches containing over 12 billion indexed records — including names, email addresses, usernames, phone numbers, and passwords for online accounts.

For a small fee, you could enter an email address and see every password ever associated with that address in a previous breach. Or the reverse — show me all the email accounts that ever used a specific password (see screenshot above). It was a fantastic tool for launching targeted attacks against people, and that’s exactly how the service was viewed by many of its customers.

Now, nearly 24,000 WeLeakInfo’s customers are finding that the personal and payment data they shared with WeLeakInfo over its five-year-run has been leaked online.

WeLeakInfo’s service fees.

In a post on the database leaking forum Raidforums, a regular contributor using the handle “pompompurin” said he stole the WeLeakInfo payment logs and other data after noticing the domain wli[.]design was no longer listed as registered.

“Long story short: FBI let one of weleakinfo’s domains expire that they used for the emails/payments,” pompompurin wrote. “I registered that domain, & was able to [password] reset the account & get all the Data. [It’s] only from people that used to checkout. If you used paypal or [bitcoin] ur all good.”

Cyber threat intelligence firm Flashpoint obtained a copy of the data leaked by pompompurin, and said it includes partial credit card data, email addresses, full names, IP addresses, browser user agent string data, physical addresses, phone numbers, and amount paid. One forum member commented that they found their own payment data in the logs.

How WeLeakInfo stacked up against its competitors (according to WLI).

According to DomainTools [an advertiser on this site] Wli[.]design was registered on Aug. 24, 2016 with Dynadot, the domain registrar which also was used to register On March 12, wli[.]design was moved to another registrar — Namecheap.

Pompompurin released several screenshots of himself logged in to the WeLeakInfo account at, an online payment processor. Under “management and ownership” was listed a Gerald Murphy from Fintona, U.K.

Shortly after WeLeakInfo’s domain was seized by authorities in Jan. 2020, the U.K.’s National Crime Agency (NCA) arrested two individuals in connection with the service, including a 22-year-old from Fintona.

Continue reading

Microsoft Patch Tuesday, March 2021 Edition

March 9, 2021

On the off chance you were looking for more security to-dos from Microsoft today…the company released software updates to plug more than 82 security flaws in Windows and other supported software. Ten of these earned Microsoft’s “critical” rating, meaning they can be exploited by malware or miscreants with little or no help from users.

Top of the heap this month (apart from the ongoing, global Exchange Server mass-compromise) is a patch for an Internet Explorer bug that is seeing active exploitation. The IE weakness — CVE-2021-26411 — affects both IE11 and newer EdgeHTML-based versions, and it allows attackers to run a file of their choice by getting you to view a hacked or malicious website in IE.

The IE flaw is tied to a vulnerability that was publicly disclosed in early February by researchers at ENKI who claim it was one of those used in a recent campaign by nation-state actors to target security researchers. In the ENKI blog post, the researchers said they will publish proof-of-concept (PoC) details after the bug has been patched.

“As we’ve seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits,” said Satnam Narang, staff research engineer at Tenable. “We strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.”

This is probably a good place to quote’s Martin Brinkman: This is the last patch hurrah for the legacy Microsoft Edge web browser, which is being retired by Microsoft.

For the second month in a row, Microsoft has patched scary flaws in the DNS servers on Windows Server 2008 through 2019 versions that could be used to remotely install software of the attacker’s choice. All five of the DNS bugs quashed in today’s patch batch earned a CVSS Score (danger metric) of 9.8 — almost as bad as it gets.

“There is the outside chance this could be wormable between DNS servers,” warned Trend Micro’s Dustin Childs. Continue reading

Warning the World of a Ticking Time Bomb

March 9, 2021

Globally, hundreds of thousand of organizations running Exchange email servers from Microsoft just got mass-hacked, including at least 30,000 victims in the United States. Each hacked server has been retrofitted with a “web shell” backdoor that gives the bad guys total, remote control, the ability to read all email, and easy access to the victim’s other computers. Researchers are now racing to identify, alert and help victims, and hopefully prevent further mayhem.

On Mar. 5, KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands globally had been hacked. The same sources who shared those figures say the victim list has grown considerably since then, with many victims compromised by multiple cybercrime groups.

Security experts are now trying to alert and assist these victims before malicious hackers launch what many refer to with a mix of dread and anticipation as “Stage 2,” when the bad guys revisit all these hacked servers and seed them with ransomware or else additional hacking tools for crawling even deeper into victim networks.

But that rescue effort has been stymied by the sheer volume of attacks on these Exchange vulnerabilities, and by the number of apparently distinct hacking groups that are vying for control over vulnerable systems.

A security expert who has briefed federal and military advisors on the threat says many victims appear to have more than one type of backdoor installed. Some victims had three of these web shells installed. One was pelted with eight distinct backdoors. This initially caused a major overcount of potential victims, and required a great deal of de-duping various victim lists.

The source, who spoke on condition of anonymity, said many in the cybersecurity community recently saw a large spike in attacks on thousands of Exchange servers that was later linked to a profit-motivated cybercriminal group.

“What we thought was Stage 2 actually was one criminal group hijacking like 10,000 exchange servers,” said one source who’s briefed U.S. national security advisors on the outbreak.

On Mar. 2, when Microsoft released updates to plug the four Exchange flaws being attacked, it attributed the hacking activity to a previously unidentified Chinese cyber espionage group it called “Hafnium.” Microsoft said Hafnium had been using the Exchange flaws to conduct a series of low-and-slow attacks against specific strategic targets, such as non-governmental organization (NGOs) and think tanks.

But by Feb. 26, that relatively stealthy activity was morphing into the indiscriminate mass-exploitation of all vulnerable Exchange servers. That means even Exchange users that patched the same day Microsoft released security updates may have had servers seeded with backdoors.

Many experts who spoke to KrebsOnSecurity said they believe different cybercriminal groups somehow learned of Microsoft’s plans to ship fixes for the Exchange flaws a week earlier than they’d hoped (Microsoft originally targeted today, Patch Tuesday, as the release date).

The vulnerability scanning activity also ramped up markedly after Microsoft released its updates on Mar. 2. Security researchers love to tear apart patches for clues about the underlying security holes, and one major concern is that various cybercriminal groups may have already worked out how to exploit the flaws independently.


Security experts now are desperately trying to reach tens of thousands of victim organizations with a single message: Whether you have patched yet or have been hacked, backup any data stored on those servers immediately.

Every source I’ve spoken with about this incident says they fully expect profit-motivated cybercriminals to pounce on victims by mass-deploying ransomware. Given that so many groups now have backdoor web shells installed, it would be trivial to unleash ransomware on the lot of them in one go. Also, compromised Exchange servers can be a virtual doorway into the rest of the victim’s network.

“With the number of different threat actors dropping [web] shells on servers increasing, ransomware is inevitable,” said Allison Nixon, chief research officer at Unit221B, a New York City-based cyber investigations firm.

So far there are no signs of victims of this mass-hack being ransomed. But that may well change if the exploit code used to break into these vulnerable Exchange servers goes public. And nobody I’ve interviewed seems to think working exploit code is going to stay unpublished for much longer.

When that happens, the exploits will get folded into publicly available exploit testing kits, effectively making it simple for any attacker to find and compromise a decent number of victims who haven’t already patched. Continue reading

A Basic Timeline of the Exchange Mass-Hack

March 8, 2021

Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program.

When did Microsoft find out about attacks on previously unknown vulnerabilities in Exchange?

Pressed for a date when it first became aware of the problem, Microsoft told KrebsOnSecurity it was initially notified “in early January.” So far the earliest known report came on Jan. 5, from a principal security researcher for security testing firm DEVCORE who goes by the handle “Orange Tsai.” DEVCORE is credited with reporting two of the four Exchange flaws that Microsoft patched on Mar. 2.

Reston, Va.-based Volexity first identified attacks on the flaws on Jan. 6, and officially informed Microsoft about it on Feb. 2. Volexity now says it can see attack traffic going back to Jan. 3. Microsoft credits Volexity with reporting the same two Exchange flaws as DEVCORE.

Danish security firm Dubex says it first saw clients hit on Jan. 18, and reported their incident response findings to Microsoft on Jan. 27.

In a blog post on their discovery, Please Leave an Exploit After the Beep, Dubex said the victims it investigated in January had a “web shell” backdoor installed via the “unifying messaging” module, a component of Exchange that allows an organization to store voicemail and faxes along with emails, calendars, and contacts in users’ mailboxes.

“A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App,” Dubex wrote. “Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone.”

Dubex says Microsoft “escalated” their issue on Feb. 8, but never confirmed the zero-day with Dubex prior to the emergency patch plea on Mar. 2. “We never got a ‘real’ confirmation of the zero-day before the patch was released,” said Dubex’s Chief Technology Officer Jacob Herbst.

How long have the vulnerabilities exploited here been around?

On Mar. 2, Microsoft patched four flaws in Exchange Server 2013 through 2019. Exchange Server 2010 is no longer supported, but the software giant made a “defense in depth” exception and gave Server 2010 users a freebie patch, too. That means the vulnerabilities the attackers exploited have been in the Microsoft Exchange Server code base for more than ten years.

The timeline also means Microsoft had almost two months to push out the patch it ultimately shipped Mar. 2, or else help hundreds of thousands of Exchange customers mitigate the threat from this flaw before attackers started exploiting it indiscriminately.

Here’s a rough timeline as we know it so far: Continue reading

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

March 5, 2021

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.

In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.

Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

Microsoft’s initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.

But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.

“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

Reached for comment, Microsoft said it is working closely with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies, to ensure it is providing the best possible guidance and mitigation for its customers.

“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”

Meanwhile, CISA has issued an emergency directive ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their networks.

Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.

A tweet from Chris Krebs, former director of the Cybersecurity & Infrastructure Security Agency, responding to a tweet from White House National Security Advisor Jake Sullivan.

White House press secretary Jen Psaki told reporters today the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant,” and “could have far-reaching impacts.”

“We’re concerned that there are a large number of victims,” Psaki said.

Continue reading