Published by The Lawfare Institute
in Cooperation With
As I write this, the world is probably days away from the “Great Email Robbery,” where a large number of threat actors around the globe are going to pillage and ransom the email servers of tens of thousands of businesses and local governments. Or at least pillage those that the purported Chinese actors haven’t already pillaged.
On Mar. 5, the investigative journalist Brian Krebs reported that an “unusually aggressive Chinese cyber espionage unit” had gained access to more than 30,000 U.S. organizations. The New York Times detailed on Mar. 6 that “The number of victims is estimated to be in the tens of thousands and could rise.” How did the attackers breach the companies? The Chinese actors developed a way to hack Microsoft Exchange and then attacked the organizations from there. And many of those attacked are still vulnerable to follow-on attacks not just by the Chinese but numerous criminals. The impact of the Exchange hack will certainly be greater than SolarWinds and researchers aren’t even close to the end of the story. But it’s a complicated story, with a lot to untangle.
What is Microsoft Exchange?
If you send an email, your computer contacts an email server. This server both stores your email and communicates with other email servers. A large number of companies outsource their mail servers to cloud-service companies like Microsoft or Google, commonly spending $6-12 per user per month. Your email account—[email protected]—may well rely on these Google or Microsoft servers.
Running a mail server is often difficult, so fraught with peril that many professional computing institutions (such as both the University of California Berkeley and the International Computer Science Institute, where I work) outsource our email to Google, others outsource it to Microsoft. Yet it is hard to argue with economics, so many companies will just run their own mail server, either buying the software from Microsoft or some other company. This can save $100,000 a year for a 1,000-person business.
Microsoft Exchange is one of the most popular mail servers because it works very well within a Windows environment. It also includes substantial features such as integration with voicemail, a webmail interface, and is practically guaranteed to work with Microsoft Outlook and Office.
Exchange centralizes all of a company’s emails. This means that if you compromise a company’s Microsoft Exchange server you can now see every email sent or received. This makes the mail server a very very tempting target for attackers. On Mar. 2, Microsoft released a series of patches for four exploits that were under active targeting by Chinese threat actors. Microsoft released the patches earlier than expected, opting not to wait for the traditional “Patch Tuesday.” Microsoft made the decision to go forward with the early release because the vulnerabilities were actively exploited; the early and unexpected release of the patch was an attempt to stop future exploitation.
What are the vulnerabilities?
The Chinese actors were not using a single vulnerability but actually a sequence of four “zero-day” exploits. The first allowed an unauthorized user to basically tell the server “let me in, I’m the server” by tricking the server into contacting itself. After the unauthorized user gained entry, the hacker could use the second vulnerability, which used a malformed voicemail that, when interpreted by the server, allowed them to execute arbitrary commands. Two further vulnerabilities allow the attacker to write new files, which is a common primitive that attackers use to increase their access: An attacker uses a vulnerability to write a file and then uses the arbitrary command execution vulnerability to execute that file.
Using this access, the attackers could read anybody’s email or indeed take over the mail server completely. Critically, they would almost always do more, introducing a “web shell,” a program that would enable further remote exploitation even if the vulnerabilities are patched.
What is the timeline?
The investigative journalist Brian Krebs has produced a handy timeline of events and a few things stand out from the chronology. The attacker was first detected by one group on Jan. 5 and another on Jan. 6, and Microsoft acknowledged the problem immediately. During this time the attacker appeared to be relatively subtle, exploiting particular targets (although we generally lack insight into who was targeted). Microsoft determined on Feb. 18 that it would patch these vulnerabilities on the March 9th “Patch Tuesday” release of fixes.
Somehow, the threat actor either knew that the exploits would soon become worthless or simply guessed that they would. So, in late February, the attacker changed strategy. Instead of simply exploiting targeted Exchange servers, the attackers stepped up their pace considerably by targeting tens of thousands of servers to install the web shell, an exploit that allows attackers to have remote access to a system. Microsoft then released the patch with very little warning on Mar. 2, at which point the attacker simply sought to compromise almost every vulnerable Exchange server on the Internet. The result? Virtually every vulnerable mail server received the web shell as a backdoor for further exploitation, making the patch effectively useless against the Chinese attackers; almost all of the vulnerable systems were exploited before they were patched.
This is a rational strategy for any actor who doesn’t care about consequences. When a zero-day is confidential and undiscovered, the attacker tries to be careful, only using it on attackers of sufficient value. But if the attacker knows or has reason to believe their vulnerabilities may be patched, they will increase the pace of exploits and, once a patch is released, there is no reason to not try to exploit everything possible.
So what is next?
Unfortunately these vulnerabilities are reportedly easy to exploit. To make matters worse, the patches that fix this problem provide a guide to reproducing the exploit. I would expect these exploits to be in criminal toolkits shortly and that the world is, at most, days away from ransomware gangs mass-exploiting Exchange servers, encrypting the contents, and offering the victims a choice: pay up, or your emails will be published for everyone else and deleted from your own servers.
Even patched servers aren’t out of the woods: There’s a very high probability that they were already compromised and a web shell installed before administrators applied the patches. Since the web shell is a backdoor into the server not removed by patches, the resulting systems remain vulnerable. This web shell can be used by the original installer or, possibly, by the same ransomware gangs about to mass-exploit the still unpatched servers.
So any company running an Exchange server, whether or not they might be a target of Chinese espionage, needs to look for and remove such backdoors. And those companies whose Exchange servers give way to even a remote chance for spying should probably rebuild their mail-servers completely. The web shell is simply the first of many possible backdoors the attacker might have installed.
And now the Biden administration has a real hard policy problem: What now? The SolarWinds hack may have been significant, but this will affect far more institutions. The SolarWinds hackers stayed subtle. They targeted traditional intelligence targets and never transitioned to a “pillage everything” model, which made that attack more of a “Spies Gonna Spy” operation. The Exchange attack showed complete disregard for possible consequences on behalf of those responsible for the breach.
Without consequences, such broad attacks will simply continue. There are currently no reasons why an attacker who has access to a zero-day shouldn’t simply press a button and exploit every possible target at the moment when they know their exploit is about to lose value. I don’t know how to change this calculus, but the U.S. must do so somehow.