Leverage Secureworks® Taegis™ Security Analytics Platform to Protect Against Attacks on Microsoft Exchange Servers

“Hello CTU, we have been seeing multiple clients being targeted by a similar attack.”


Early Monday, March 1, 2021, Secureworks Security Operations Center (SOC) analysts sent this note to Secureworks® Counter Threat Unit™ (CTU) researchers. The night before, Secureworks® Taegis™ XDR (Extended Detection and Response) had detected malicious activity through endpoint telemetry across several customers: Microsoft Exchange servers were executing a variant of the China Chopper web shell, all following a similar pattern of behavior at around the same time overnight in the United States and Europe.


Initial Response and Findings

The SOC's note initiated our routine response, engaging CTU researchers, Incident Response teams, SOC analysts, and Taegis engineers to collect the critical intelligence: the initial attack vector, which attacks failed and which succeeded, which customers were impacted (by looking back over a year's worth of event data), and, importantly, the adversary's intent. Secureworks Director of Intelligence Mike McLellan outlined our initial findings and hypotheses in the blog Government-Sponsored Campaign Targets Microsoft Exchange Vulnerabilities.


In this event, endpoint telemetry was critical to detecting and understanding the threat. By looking back across customers' endpoint telemetry, we identified related intrusion activity across our customer base. The CTU was also able to add new threat indicators and Countermeasures to the existing detections that had triggered the initial alert.
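To make the retrospective hunt described above concrete, the following is an added example and not Secureworks or Taegis code. It runs a simple web shell detection over constructed endpoint process-creation events: a China Chopper style web shell executes its commands from inside the web server, so on an Exchange server the IIS worker process (w3wp.exe) is seen spawning a command interpreter. The event field names, the file paths, the Exchange application pool names and the set of interpreter names are assumptions about what such telemetry looks like, and the sample events are constructed for the example; the page itself does not describe the exact behavioral pattern that fired.

```python
"""Retrospective hunt over endpoint process-creation telemetry for the
behaviour a China Chopper style web shell produces on an Exchange server:
the IIS worker process (w3wp.exe) spawning a command interpreter.

Added example; field names, paths and app pool names are assumptions, and
the events below are constructed, not real customer data."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (assumed schema): one process-creation event
# per record, timestamps in UTC.
SAMPLE_EVENTS = [
    {"host": "exch01", "time": "2021-02-28T23:41:10Z",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": 'w3wp.exe -ap "MSExchangeOWAAppPool"',
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c "whoami"'},
    {"host": "exch01", "time": "2021-02-28T23:41:12Z",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": 'w3wp.exe -ap "MSExchangeOWAAppPool"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc dwBoAG8AYQBtAGkA"},
    # Benign: w3wp.exe spawning conhost.exe is not a command interpreter.
    {"host": "exch02", "time": "2021-03-01T00:02:45Z",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": 'w3wp.exe -ap "MSExchangeECPAppPool"',
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": "conhost.exe 0xffffffff"},
    # Matches the pattern but is older than the one-year lookback window.
    {"host": "exch02", "time": "2020-01-15T09:00:00Z",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": 'w3wp.exe -ap "MSExchangeECPAppPool"',
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c ipconfig"},
    # Benign: interactive shell launched from Explorer on a file server.
    {"host": "fs01", "time": "2021-03-01T00:05:00Z",
     "parent": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
]

# Assumed interpreter set; tune to the environment (false positives are
# possible if legitimate web applications shell out).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "cscript.exe", "wscript.exe"}
IIS_WORKER = "w3wp.exe"
APP_POOL_RE = re.compile(r'-ap\s+"?([^"\s]+)"?')


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_webshell_exec(event: dict) -> bool:
    """True when the IIS worker process spawns a command interpreter."""
    return (basename(event["parent"]) == IIS_WORKER
            and basename(event["image"]) in SHELL_IMAGES)


def app_pool(event: dict) -> str:
    """Extract the IIS application pool name from the w3wp.exe command line."""
    m = APP_POOL_RE.search(event.get("parent_cmdline", ""))
    return m.group(1) if m else "unknown"


def hunt(events, now: datetime, lookback: timedelta = timedelta(days=365)):
    """Return matching events inside the lookback window, oldest first."""
    cutoff = now - lookback
    hits = [e for e in events
            if parse_time(e["time"]) >= cutoff and is_webshell_exec(e)]
    return sorted(hits, key=lambda e: parse_time(e["time"]))


def summarize(hits):
    """Group hits by host and app pool to show the cross-host pattern."""
    summary = {}
    for e in hits:
        key = (e["host"], app_pool(e))
        summary.setdefault(key, []).append(e["cmdline"])
    return summary


if __name__ == "__main__":
    now = datetime(2021, 3, 1, 6, 0, tzinfo=timezone.utc)
    for e in hunt(SAMPLE_EVENTS, now):
        print(e["time"], e["host"], app_pool(e), "->", e["cmdline"])
    print(summarize(hunt(SAMPLE_EVENTS, now)))
```

Run against the constructed events with a reference time of 06:00 UTC on March 1, 2021, the hunt returns the two exch01 events (cmd.exe and powershell.exe spawned from the OWA app pool) and discards the conhost.exe child, the explorer.exe-launched shell, and the 2020 event outside the lookback window. In a real environment the same logic would be applied as a saved query over the telemetry store rather than an in-memory list.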


Once we had a comprehensive understanding of the threat and credible recommendations to provide customers, we released CTU TIPS to inform customers of the targeted campaign and provide initial recommendations, and XDR notified all customers of the threat at log-in. Additionally, Microsoft released out-of-band patches for on-premises Microsoft Exchange Servers that organizations with vulnerable syste ..
