Cisco’s Talos team said 35% of incidents led back to Microsoft Exchange Server vulnerabilities reported early in 2021, but new ransomware families have been appearing to fill the Emotet hole, too.
Cisco’s Talos Intelligence Group has released its incident response trends report for spring 2021, and found that exploitation of the Microsoft Exchange Server vulnerabilities disclosed in early 2021 was the most frequently observed threat over the past three months.
Talos said the four Exchange Server vulnerabilities, which have since been patched, accounted for 35% of all incident investigations. “When a vulnerability is recently disclosed, severe, and widespread, [we] will often see a corresponding rise in engagements in which the vulnerabilities in question are involved.”
In addition to widespread Exchange Server attacks, Talos said it also noticed a “persistent and growing” ransomware threat despite the January takedown of the Emotet botnet, which was often used to launch ransomware-as-a-service attacks.
Ransomware families MountLocker, Zeppelin and Avaddon were all newly detected in spring 2021, Talos said, and all fit the ransomware-as-a-service model used by Emotet. In short, the threat of easily deployed and quickly available ransomware isn’t going away.
A long list of industries have been targeted by ransomware, but the healthcare sector led in the spring with nearly four times as many incidents as the next most targeted sectors, education and technology. This continues a trend Talos noticed in the previous quarter, and suggests that cybercriminals keep targeting healthcare because the COVID-19 pandemic makes it essential for providers to restore services as quickly as possible, which increases the chances that a healthcare organization pays.
Talos said that most of its energy went into engagements involving the Microsoft Exchange Server vulnerabilities, but it also reports that the majority of those engagements turned up only scanning attempts and HTTP POST requests, with no evidence of post-exploitation activity.
The reason for the low rate of successful attacks, Talos said, is the nature of one of the exploits, which requires the attacker to supply a valid administrator account name to complete the exploit chain, and in most cases the addresses attackers tried did not correspond to valid accounts.
In the cases where they were valid, Talos found evidence “of probable post-exploitation activity, including the creation and writing of web shells, use of utilities such as ProcDump associated with possible credential harvesting, and compressing and archiving data with utilities such as MakeCab (makecab.exe) or WinRAR to stage for potential exfiltration.”
The low level of post-exploitation activity led Talos to conclude that attackers were trying quickly and indiscriminately to gain a foothold in as many networks as possible before vulnerable Exchange Servers were patched.
Organizations running Microsoft Exchange Server should take several steps to protect themselves against exploitation of these vulnerabilities, starting with installing the patches that address all four. It is also important not to leave default names on administrator accounts, because those names are easy to guess and, as noted above, a valid administrator account name is what the exploit chain needs.
Talos also recommends retaining all Exchange Server logs: in the majority of its cases the initial access vector could not be determined because logging was insufficient.
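The activity pattern described above (mass HTTP POST probing of Exchange, and in a minority of cases web-shell drops and staging tools such as ProcDump, MakeCab and WinRAR) is exactly what the retained logs Talos recommends would let you find. The following is an added example written for this page, not code from Talos or the report, showing a triage pass over constructed IIS W3C log lines, process-creation records and file-write records. The Exchange virtual directory names, the `w3wp.exe` parent process, the Exchange web-root paths and the detection thresholds are assumed heuristics chosen for illustration, not indicators taken from the report.

```python
"""Triage of Exchange front-end web logs and endpoint events for the
pattern described in the article: many POSTs from one source, followed in a
few cases by web-shell writes and staging tools spawned under IIS.

Added example, not Talos code. All log lines and events below are constructed."""
from collections import defaultdict

# Assumed: virtual directories that Exchange front-end servers expose.
EXCHANGE_VDIRS = ("/owa/", "/ecp/", "/autodiscover/", "/ews/", "/mapi/")
# Tools named in the report, plus 64-bit and command-line variants (assumed).
STAGING_TOOLS = {"procdump.exe", "procdump64.exe", "makecab.exe", "winrar.exe", "rar.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
WEB_WORKER = "w3wp.exe"  # assumed: IIS worker process hosting Exchange
# Assumed: fragments of the Exchange web roots where a dropped .aspx would land.
WEB_ROOT_MARKERS = ("\\frontend\\httpproxy\\", "\\clientaccess\\")

# Constructed excerpt in IIS W3C format: a #Fields directive followed by records.
IIS_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-03-03 10:01:12 203.0.113.7 POST /owa/auth/ 200
2021-03-03 10:01:13 203.0.113.7 POST /ecp/ 500
2021-03-03 10:01:14 203.0.113.7 POST /autodiscover/autodiscover.xml 401
2021-03-03 10:02:01 198.51.100.9 GET /owa/auth/logon.aspx 200
2021-03-03 10:02:40 198.51.100.9 POST /owa/auth.owa 302
2021-03-03 10:05:09 203.0.113.7 POST /ecp/ 200
"""

# Constructed process-creation records (Sysmon event 1 style, simplified).
PROC_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\temp\procdump64.exe"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\makecab.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
]

# Constructed file-write records (Sysmon event 11 style, simplified).
FILE_EVENTS = [
    {"process": WEB_WORKER,
     "path": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\help.aspx"},
    {"process": "notepad.exe", "path": r"C:\Users\admin\Desktop\notes.txt"},
]


def parse_iis(text):
    """Parse W3C extended log text; the #Fields line names the record columns."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def post_probing(rows, threshold=3):
    """Return {source_ip: count} for sources that POSTed to Exchange virtual
    directories at least `threshold` times (the indiscriminate probing Talos saw)."""
    counts = defaultdict(int)
    for r in rows:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower().startswith(EXCHANGE_VDIRS):
            counts[r["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_processes(events):
    """Flag shells or staging tools spawned directly by the IIS worker, and
    staging tools launched one hop down from a shell (assumed web-shell pattern)."""
    hits = []
    for e in events:
        parent, image = basename(e["parent"]), basename(e["image"])
        if parent == WEB_WORKER and image in SHELLS | STAGING_TOOLS:
            hits.append(("web worker spawned", image))
        elif parent in SHELLS and image in STAGING_TOOLS:
            hits.append(("shell spawned staging tool", image))
    return hits


def webshell_writes(file_events):
    """Flag .aspx files written under the Exchange web roots (web-shell drop)."""
    return [f["path"] for f in file_events
            if f["path"].lower().endswith(".aspx")
            and any(m in f["path"].lower() for m in WEB_ROOT_MARKERS)]


if __name__ == "__main__":
    print("POST probing:", post_probing(parse_iis(IIS_LOG)))
    print("Processes:", suspicious_processes(PROC_EVENTS))
    print("Web-shell writes:", webshell_writes(FILE_EVENTS))
```

Run as-is it reports the single probing source, the `cmd.exe` and `makecab.exe` children of the IIS worker, the `procdump64.exe` launched from that shell, and the `.aspx` written under the front-end web root. The point of the three separate checks is the one Talos makes: web logs alone show only the probing, and without process and file telemetry retained from the same window the initial vector and any post-exploitation activity cannot be reconstructed.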