Trends and observations in the cyberspace Q4 2020
Month of open servers? Serious vulnerabilities in MS Exchange software
On 2 March, Microsoft announced that it had identified and fixed four zero-day vulnerabilities in its Exchange Server e-mail server software that allowed attackers to gain access to e-mails, passwords, and administrator privileges on servers. The risk level of one of these vulnerabilities (CVE-2021-26855) was rated 9.1 on a scale of one to ten – it cannot get much worse than that. Until the disclosure, few knew about these vulnerabilities, but after that the situation changed – soon, all competent interested parties knew what to look for and how to exploit the vulnerabilities.
A large number of cyber groups and individual attackers began using automated tools to identify the vulnerable Exchange servers. Once they found them, the servers were compromised and infected with malware. This created a so-called backdoor, which allows them to return later and steal data. On 3 March, Microsoft announced that the number of victims was ‘limited’. On 5 March, however, there were at least 30,000 victims in the United States and on 8 March, more than 60,000 worldwide. This shows that the criminals acted quickly and attacked whoever they could.
Assessment by the Information System Authority
No software is free of vulnerabilities, and in recent months a number of high-impact cases have emerged in which components of widely used software were compromised. In the case of Microsoft Exchange, the manufacturer disclosed the vulnerabilities together with a critical security update that fixes them. Unfortunately, not all users have installed it, and it must be admitted that Estonian users have been among the slower ones here.
On 3 March, CERT-EE detected 80 mail servers with the vulnerabilities mentioned above in Estonian cyberspace. We informed their owners both directly and through their communication service provider. In addition, we informed public sector security managers and the providers of vital and important services. When we repeated the monitoring on 10 March, two-thirds of these servers were still running the old software and were therefore still vulnerable to attack. Worldwide, about 400,000 vulnerable Exchange servers were connected to the Internet on the day the vulnerabilities were disclosed; a week later, the number had dropped to 100,000 thanks to software updates. In other words: while 75% of vulnerable servers were fixed worldwide within a week, only a third of those who received the alert in Estonia took the warning seriously.
Companies and institutions whose risks and regulations allow it should consider using a cloud-based e-mail service (these vulnerabilities did not affect Exchange Online). In that case, updating and fixing the software is the service provider's responsibility.
If this is not possible, critical security updates must be taken seriously. The disclosure of a vulnerability is the starting point for both attackers and defenders. From that moment on, it is a race between the two: either the criminals compromise the server first, or the administrators close the vulnerability with the update first.
Look at your services through the eyes of an attacker
The attacks on Estonia's IT infrastructure announced in December did not end at the moment when we, together with the Ministry of Economic Affairs and Communications, the Ministry of Social Affairs, and the Ministry of Foreign Affairs, disclosed the attacks and data leaks. In the first months of the year, we have again seen similar attack attempts, and on a few occasions they have been successful. What makes them similar is that in both cases the attacker scans a web server with publicly available tools, finds security vulnerabilities, uploads malicious code, and thus gains unauthorised access to the server. In February, we were informed of a compromise at a company that provides cloud services and software to many public sector bodies (ministries and local governments), and at another company that provides remote access services to public sector bodies.
The affected companies responded professionally to the incidents: they fixed their services, informed their customers, and cooperated with CERT-EE. As the attack vector was familiar, we decided to use the same tool ourselves and offer public authorities the opportunity to have their websites checked. The goal is to look at these websites through the eyes of an attacker: which security vulnerabilities stand out, and whether the attacker's life could be made more difficult.
At the end of November, CERT-EE informed the country's information security managers how to protect themselves from such attacks (pay attention to publicly visible .git directories and keep software up to date). The same principles apply today, and in March we also reminded the management of public authorities of them.
Assessment by the Information System Authority
The attack vector and the tactics of the attacker can be broadly compared to someone going around trying door handles: the attacker walks around the web, looks for unlocked or weakly locked doors, discovers a vulnerability, and walks in to see whether there is anything of value inside. Some servers hold nothing of use; others provide access to further services and important data. What exactly to do with these accesses and data is something the attacker figures out later.
As the companies compromised at the beginning of the year provide services to several public sector institutions, it may look as if the attacker is deliberately trying to break into the servers of Estonian state institutions. However, this conclusion may be premature. Servers visible on the public Internet are scanned with various tools every second of every hour of every day. Some tools scan more efficiently than others. In-depth analysis tools are more expensive, and it is not profitable for attackers to use them against small institutions.
In any case, we recommend that all service owners, as well as the employees responsible for security, periodically look at their servers through the eyes of an attacker, using vulnerability scanners or commissioning penetration tests. Many private companies offer such services, which give a realistic picture of what a potential attacker sees. Remember that if an attacker scans a hundred websites and 99 of them show green while only yours shows red, you are the one most likely to be targeted first.
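The same scanning can be seen from the defender's side in the web server's own access log: automated probes for the .git directories mentioned in the CERT-EE tip above are easy to spot, and a 2xx response to such a probe means the file really is reachable. The following is an added example, not code from RIA or CERT-EE; it assumes the default Apache/nginx combined log format and runs over constructed log lines.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format (assumption: the default format is in use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Path prefixes that automated scanners request when hunting for a leaked
# repository or configuration file on a web server.
SENSITIVE_PREFIXES = ("/.git/", "/.svn/", "/.env")

# Constructed sample lines (not real traffic); the IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:09:14:02 +0200] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Mar/2021:09:14:02 +0200] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Mar/2021:09:14:03 +0200] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.25.1"
198.51.100.20 - - [10/Mar/2021:09:15:11 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2021:09:15:12 +0200] "GET /.svn/entries?x=1 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
""".splitlines()

def classify(line):
    """Return (ip, path, status) if the request targets a sensitive path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                                # not a combined-format line
    path = m.group("path").split("?", 1)[0]        # drop any query string
    if not any(path.startswith(p) for p in SENSITIVE_PREFIXES):
        return None
    return m.group("ip"), path, int(m.group("status"))

def analyse(lines):
    """Count probes per source IP; collect sensitive paths the server actually served (2xx)."""
    probes, exposed = Counter(), set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, path, status = hit
        probes[ip] += 1
        if 200 <= status < 300:                    # 2xx: the file really is reachable
            exposed.add(path)
    return probes, sorted(exposed)

if __name__ == "__main__":
    probes, exposed = analyse(SAMPLE_LOG)
    for ip, n in probes.most_common():
        print(f"{ip}: {n} probe(s) for sensitive paths")
    print("Exposed paths to fix now:", exposed or "none")
```

Any path listed as exposed should be blocked in the web server configuration and the repository removed from the document root; the per-IP counts are what to feed into rate limiting or a blocklist.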
DDoS extortion continues
In the previous quarterly review, we wrote about the Distributed Denial of Service (DDoS) attacks that took place in the autumn and aimed to extort money from selected companies. The targets included several banks and technology companies, which were subjected to a demonstration attack and then sent blackmail letters demanding a ransom to end the attack. If the ransom demand was ignored, the attackers threatened the victims with new and worse attacks, but nothing happened when the deadline passed.
Earlier this year, the criminals returned to the companies they had already attacked in the autumn. The new blackmail letter referred to the previous attacks, stating that 'your payment has not reached us' and 'we are back now'. The letter was accompanied by several hours of attacks, and once again the criminals threatened to return in the future if the cryptocurrency (1–10 bitcoins, depending on the company) was not paid. The incidents once again came in a wave, from mid-January to early February.
Assessment by the Information System Authority
Criminals have used denial-of-service attacks in the past, but it is uncommon for them to return to the same companies within such a short time. There is reason to believe that the attacks in the autumn and at the beginning of the year were carried out by the same group (they used the same cryptocurrency wallet address, and there were other indications that this was a deliberate repeat campaign). At the same time, their scope is relatively wide: CERT-EE knows of similar repeated attacks and extortion letters in a similar time frame in at least five other European countries. Both the scale of the attacks and the variety of methods point to relatively good infrastructure on the criminals' side. They were probably motivated to try again by the fact that the monetary value of bitcoin has multiplied since the autumn.
However, such blackmail is not very common in Estonia: about ten companies have been affected so far, and the public sector has been left unharmed. At the same time, it is likely that companies that have already received a blackmail letter will sooner or later be approached again, and the group seems to have the resources to carry out its threats. According to our data, no Estonian company has paid the criminals, but many have improved their readiness to cope with denial-of-service attacks after the initial attacks. This is very reasonable, because DDoS attacks of greater and lesser impact take place in Estonian cyberspace every month, and their number is on a slight upward trend.
Supply chain attacks in the world as lessons of basic hygiene
Over the past six months, a number of attacks have come to light in which the networks of various agencies were accessed through companies providing IT services. The most famous is the Sunburst supply chain attack in December 2019, during which criminals compromised the Office365 account of a SolarWinds employee. Through it, the attacker first gained access to the company's own systems and then, via a software update, installed malware that gave access to the systems of other companies using the SolarWinds service, and later to third-party institutions that did not use SolarWinds products at all. The Accellion attack, unveiled in February, exploited a security vulnerability in the cloud file sharing protocol, through which the attackers reached hundreds of other victims around the world. Another attack that came to light in February targeted Stormshield, a company providing cyber security services to the French government sector; the company was attacked through web hosting providers running an outdated version of Centreon's IT monitoring software that has not been supported for five years.
Assessment by the Information System Authority
Such supply chain attacks are not new. The NotPetya attack in 2017, still one of the most damaging malware incidents in the world, also started when an update of an accounting software product was compromised. When using third-party software, supply chain risks must be taken into account. So far, however, there are no good mechanisms for verifying a partner company's overall attitude towards cyber security: whether it uses multi-factor authentication throughout, or what its policy is when someone reports a security vulnerability or a data leak. These mechanisms are lacking not only in Estonia but all over the world.
It is not certain whether better cyber hygiene at the company could have prevented a state-organised attack such as SolarWinds; it would be premature to make such an assessment.
In recent months, increased attention has also been paid to supply chain security from a legislative point of view – the new proposal for the EU’s Directive on security of network and information systems requires critical infrastructure companies to adopt rules to ensure supply chain security. The importance of the supply chain is also underlined by the new cyber security strategy of the EU. In addition, new EU horizontal legislation is expected this year, which will also place more responsibility on equipment and service manufacturers.
The direct impact of the above-mentioned attacks on Estonia is small, as the software in question is not generally used here. At the same time, it is probably only a matter of time before we too have to assess the damage of some large-scale supply chain attack in Estonia, and we need to be able to identify such attacks. We encourage organisations to think about how they manage logs and monitor their networks, so that intrusions and other malicious activity leave a trace. It is also worth making sure that security audits of contract partners have actually been performed and that they cover the areas that matter to the organisation.
In February, attentive employees of an Estonian construction company uncovered an invoice fraud that attempted to defraud the company of more than 900,000 euros. One of the company's e-mail accounts had been hacked, and the criminals began monitoring its communications with suppliers. By intervening at the right moment and changing the bank account details on the invoices, the criminals hoped to have the money transferred to a bank account outside the European Union instead. The plan failed because the employees noticed the fraud attempt and stopped the payments.
Could be better
Remote Desktop Protocol (RDP) software is often used to connect from a home office to a workplace information system, but it is not always securely configured. In an insecure setup, RDP ports left open to the network allow a computer or server to be reached from anywhere on the Internet. CERT-EE receives reports every month of incidents in which the attack took place through exposed RDP; a government agency was also attacked in this way in March.
Trends and challenges in the cyberspace Q1 2021 (1.18 MB, PDF)