We sat down with @likethecoins, director of intelligence at Red Canary, to chat about the Microsoft Exchange activity happening and share what we’re seeing. Check out what she had to say in the thread. #RCintel
Q1: What do we know about the adversaries exploiting the recent Exchange vulnerabilities? #RCintel
There’s a lot of confusion rn. Based on our visibility and that of researchers from Microsoft, FireEye, & others, there are at least 5 different clusters of activity that appear to be exploiting the vulnerabilities. -Katie Nickels #RCintel (1/2)
The challenge researchers have is that it’s unclear how those clusters may be related or not. -Katie Nickels #RCintel (2/2)
Q2: Are we able to pinpoint a specific group of actors exploiting these vulnerabilities? #RCintel
Microsoft reported HAFNIUM was one group exploiting the vulnerabilities. Simply b/c an org saw an adversary exploiting an Exchange vulnerability does not mean that adversary is HAFNIUM or Chinese state-sponsored actors. -Katie Nickels #RCintel (1/4)
While this is a small nuance, it’s an important one. We observed post-exploitation activity from a web shell on servers, and we assess it may be related to exploitation of the Exchange vulnerabilities. -Katie Nickels #RCintel (2/4)
However, the TTPs and infrastructure we observed differ significantly from what Microsoft reported as HAFNIUM. For that reason, our team chose to create a separate activity cluster. -Katie Nickels #RCintel (3/4)
FireEye has taken a similar approach and created at least three “uncategorized” (UNC) clusters to track adversaries exploiting these vulnerabilities, and they anticipate additional clusters. -Katie Nickels #RCintel (4/4)
Q3: Why are we observing different activity around exploitation of these vulnerabilities? #RCintel
One possibility is that HAFNIUM adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities. -Katie Nickels #RCintel (1/3)
Another is that adversaries could have reverse engineered the patches released by Microsoft to independently figure out how to exploit the vulns. -Katie Nickels #RCintel (2/3)
Trying to make assessments about the various adversaries and clusters exploiting these vulnerabilities is challenging for analysts and will require time and collaboration. -Katie Nickels #RCintel (3/3)
Q4: How many Exchange servers have been compromised? #RCintel
This is challenging to determine. Different orgs have different visibility. It’s highly unlikely that any one org knows about every victim. It’s possible that thousands of servers are compromised, but there is a lack of public evidence. -Katie Nickels #RCintel (1/3)
Another consideration is that there is a difference between an Exchange server being vulnerable and a server being compromised. Think of a vulnerable server as having an unlocked door - adversaries could get in, but it doesn’t mean they have. -Katie Nickels #RCintel (2/3)
Scripts such as the one from Kevin Beaumont [bit.ly/3bmKKcn] identify vulnerable servers rather than compromised ones. To determine if a server is compromised, additional forensic analysis is needed. -Katie Nickels #RCintel (3/3)
Q5: Should organizations be worried about these vulnerabilities? #RCintel
Regardless of how many servers are compromised, that doesn’t change the fact that these vulnerabilities are very serious due to the prevalence of Exchange and the active in-the-wild exploitation by adversaries. -Katie Nickels #RCintel (1/4)
Any organization hosting their own Exchange server should take this seriously and immediately patch as well as look for signs of possible exploitation. -Katie Nickels #RCintel (2/4)
We've shared detection opportunities [bit.ly/3kQOiXo] that have helped us identify this activity, and researchers throughout the community have done the same. The post-exploitation activity we and others have seen is very detectable. -Katie Nickels #RCintel (3/4)
We can never prevent all exploitation. Defenders CAN work to decrease the time it takes to identify post-exploitation activity. Catching it as quickly as possible can stop adversaries from gaining an addt'l foothold & causing significant damage. -Katie Nickels #RCintel (4/4)
We’ve detected suspicious activity in multiple environments today, and, while we haven’t yet observed a payload, we’re concerned the activity may be the result of Exchange Server compromise. 1/7 #RCintel
What we’re observing is consistent with DLTminer precursor activity uncovered by @vmw_carbonblack in 2019, specifically its use of scheduled tasks to execute PowerShell and make external network connections. carbonblack.com/blog/cb-tau-te… 2/7
Prior to the Scheduled Task and PowerShell activity, we’re seeing the adversary leverage the IIS Worker process (w3wp.exe) to spawn the Command Processor in a manner that’s consistent with web shell activity. 3/7
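The two behaviours the thread calls out (the IIS worker w3wp.exe spawning a command interpreter, and a scheduled task created to run PowerShell) can be expressed as simple detection logic over process-creation telemetry. The block below is an added example, not Red Canary's code; the `ProcEvent` record, its field names and all sample events are constructed for illustration.

```python
# Added example (not Red Canary's code): flag the two process-creation patterns
# described in the thread. The event shape and sample values are constructed.
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    parent_image: str   # image path of the parent process
    image: str          # image path of the newly created process
    cmdline: str        # command line of the new process

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of '/' separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def webshell_spawn(ev: ProcEvent) -> bool:
    """IIS worker process spawning a command interpreter (web-shell-style chain).
    On an Exchange server this is rare enough to review every time it fires."""
    return basename(ev.parent_image) == "w3wp.exe" and basename(ev.image) in SHELLS

def task_runs_powershell(ev: ProcEvent) -> bool:
    """schtasks.exe creating a task whose action launches PowerShell: the
    scheduled-task precursor behaviour the thread compares to DLTminer."""
    cl = ev.cmdline.lower()
    return basename(ev.image) == "schtasks.exe" and "/create" in cl and "powershell" in cl

def triage(events):
    """Return (host, rule_name, cmdline) for every event matching a rule."""
    hits = []
    for ev in events:
        if webshell_spawn(ev):
            hits.append((ev.host, "w3wp_spawns_shell", ev.cmdline))
        elif task_runs_powershell(ev):
            hits.append((ev.host, "schtask_powershell", ev.cmdline))
    return hits

# Constructed sample telemetry: one web-shell-style chain, one task creation
# running PowerShell, and benign noise that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("exch01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("exch01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 30 /tn "SysUpdate" /tr "powershell.exe -File C:\ProgramData\task.ps1"'),
    ProcEvent("exch01", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap MSExchangeOWAAppPool"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent("ws02", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe", "schtasks.exe /query /tn Backup"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Running it over the constructed events yields exactly the two suspicious records from `exch01`; in a real environment the `schtasks` rule in particular will need tuning for legitimate administrative tasks.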