It's been a busy week
If you’ve been keeping up with the news, you know it’s been a busy week. We have a lot to cover, so let’s get right into it.
Operation Exchange Marauder
Earlier this week, we reported on a few Microsoft Exchange zero-day exploits that were reportedly being used by the Chinese state-backed group known as Hafnium. On that same day, Perch released signatures for detection and has been assisting several affected partners.
Microsoft released emergency patches on the same day this information was disclosed for CVE-2021-26855, a Server-Side Request Forgery that allows unauthenticated users to gain access to users’ mailboxes, as well CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, which allow for remote code execution (RCE).
According to multiple reports, as well as behavior witnessed by the Perch SOC, the Hafnium group combined these exploits and were able to upload various web shells to impacted systems. They then stole any data they could access, including the contents of users’ mailboxes.
Perch already has multiple IDS signatures in place, and our SOC has been diligently hunting for any new targets. We’ve worked with our colleagues at StratoZen (another ConnectWise company) to develop some Perchybana queries that are useful for identifying some of the indicators disclosed by Volexity and Microsoft.
Feel free to use this information to do some threat hunting of your own, but even if you don’t have the time, rest assured that Perch has your back and is already hunting for these indicators for you.
http.url:("/owa/auth/Current*” OR “/ecp/default.flt*” OR “/ecp/main.css*” OR “/owa/auth/current/themes/resources*") AND http.http_method:“POST”
winlog.channel:“Security” AND winlog.event_id:“4663” AND process.executable:(“UMWorkerProcess.exe” OR “UMService.exe”) AND winlog.event_data.ObjectName:(".php” OR “.jsp” OR “.js” OR “.aspx” OR “.asmx” OR “.asax” OR “.cfm” OR “.shtml”) AND winlog.event_data.AccessMask:(“0x2” OR “0x100” OR “0x10” OR “0x4”)
A detailed breakdown of observed behavior, as well as additional indicators to hunt for, are included in the CISA report released on March 3.
So far, the Hafnium group seems to only be collecting data. If they follow the same pattern that we’ve seen from other groups, there is a high chance of this data being used in the future for extortion.
Qualys confirms Accellion FTA hack
Speaking of data leaks, early on the morning of Wednesday, March 3, PerchLabs observed alleged leaked data from Qualys, a cybersecurity and compliance provider, on the Clop ransom leaks site.
The Clop ransomware group began a wave of attacks targeting Accellion FTA devices beginning mid-December 2020 and continuing into January 2021. Accellion FTA is a 20-year-old secure file transfer solution nearing end-of-life. Since January, Clop has been extorting multiple companies with the threat of leaking data stolen during these attacks.
The initial zero-day exploit was patched within 72 hours of detection on December 21, 2020; however, a pattern of new exploits and new patches continued for the next month. Initial investigations after the Qualys leak was posted on Clop’s leaks site revealed an Accellion FTA device hosted at fts-na[.]qualys[.]com that has since been decommissioned, with the last active date of February 18, 2021, according to Shodan.
Samples of leaked data included customer quotes, invoices, tax documents, and scan results such as the one shown below:
After much speculation and worry on Twitter regarding the extent of the compromise, Qualys released an official statement near the end of the business day. They report that the compromise did, in fact, involve an Accellion FTA device as suspected. They also reported that the device in question was in a segmented DMZ that did not have access to their production environment and that there was “no impact on the Qualys production environments (shared platforms and private platforms), codebase, customer data hosted on the Qualys Cloud Platform, Qualys Agents or Scanners.”
According to the official statement, the FTA device that was targeted was used as a tool for transferring information as part of their customer support system. The Qualys IT team applied relevant patches to their FTA system on December 22, but then received an alert on December 24. At that time, the FTA server was isolated and investigated. Qualys, along with Accellion and with assistance from Mandiant, has been investigating this incident since it occurred and notified any customers that have were affected.
CompuCom MSP attacked
CompuCom is a large MSP that provides remote support and other services for several well-known names such as Home Depot, Target, Citibank, and Wells Fargo. Over the weekend, several CompuCom customers reported that they were unable to access the company’s customer portal. The web interface simply responded with the general error message, “An error has occurred while processing your request.”
It was later revealed that CompuCom had suffered from a “malware incident,” and they promptly responded by disconnecting customers from infected systems in order to prevent the infection from spreading to their customers’ systems in what Perch refers to as a Buffalo Jump.
According to a statement released by CompuCom, the investigation is still in its early stages, but there is no indication that customers’ systems were directly impacted. Details are still sparse, but there has been some speculation that this will turn out to be another ransomware incident.
Major Russian cybercrime forum hacked
Mazafak (Maza) is one of the oldest and most important communities in the Russian cybercriminal underground. Registering for the forum requires several members with good standing to vouch for the applicant, as well as a large up-front fee. As a result, this forum consisted of only senior, well-established individuals in the cybercrime underworld.
The forum was mostly used to coordinate activities related to carding and other types of financial fraud. It was not uncommon to see multi-million dollar laundering activities being discussed.
On March 3, 2021, the Tor domain and the server hosting registration data were compromised. Unidentified attackers took over the domain and leaked usernames, emails, passwords, and other details of individuals registered on the forum.
This is the second major attack on the cybercriminal community in Eastern Europe. In February, the forum Verified suffered a similar breach that exposed its full database and source code.
That’s all for this week.
- Bryson Medlock, the Dungeon Master