Threat Advisory: Multiple 0-day exploits targeting Microsoft Exchange | updated 15.03

Background

Microsoft released an emergency update for Microsoft Exchange on the 2nd of March 2021 that addresses seven vulnerabilities [2]. Four of these enable remote code execution (RCE) and are currently being used in targeted attacks. Security researchers at Volexity were credited with reporting the vulnerabilities that were discovered being exploited in the wild since the 6th of January 2021.

The following vulnerabilities are currently being exploited:

  • CVE-2021-26855 (CVSS 9.1) is a server-side request forgery (SSRF) vulnerability in Exchange that allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 (CVSS 7.8) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gives the threat actor the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858 (CVSS 7.8) is a post-authentication arbitrary file write vulnerability in Exchange. If the threat actor first authenticates with the Exchange server they could then use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065 (CVSS 7.8) is a post-authentication arbitrary file write vulnerability in Exchange. If the threat actor first authenticates with the Exchange server they could then use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Threat Intelligence Assessment

Microsoft is tracking the threat actor currently using these vulnerabilities as "HAFNIUM", and believes the threat actor is a state-sponsored group operating out of China, based on observed victimology, tactics, and procedures. Microsoft also states that the threat actor mainly targets entities in the United States across multiple industry sectors, including, but not limited to:

  • Infectious disease researchers
  • Law firms
  • Higher education institutions
  • Defense contractors
  • Policy think tanks
  • NGOs

The Danish security company Dubex has reported that they have responded to an incident in Denmark with a Danish customer that they claim is related to the HAFNIUM threat actor [5, 6]. This supports Microsoft's statement that targets are also seen outside of the United States.

The HAFNIUM threat group has been observed using webshells including SIMPLESEESHARP, SPORTSBALL, ASPXSPY and China Chopper variants. A more detailed overview of all known techniques and tools is given in the MITRE ATT&CK mapping below.

Although no proof-of-concept code has been observed for any of the vulnerabilities yet, mnemonic Threat Intelligence believes that exploitation code will become publicly available within a short time. We believe this will lead to a significant increase in threat actors scanning for and exploiting the vulnerabilities. One must expect that both state-sponsored and criminal threat actors will be amongst these, including threat actors that are known to deploy ransomware.

(Updated 2021-03-08): Since the publication of these vulnerabilities we have seen widespread exploitation. The larger-scale scans and webshell exploits started around the 27th of February, with more than 100,000 organizations as victims worldwide, according to media reports. According to ESET, at least one of the vulnerabilities is being targeted by multiple cyber-espionage groups (tracked by ESET as "LuckyMouse", "Tick" and "Calypso"). FireEye has identified several preliminary clusters of activity exploiting this vulnerability chain, and currently tracks this activity in three clusters: UNC2639, UNC2640 and UNC2643. US CISA issued an emergency directive warning about the active exploitation and ordering all US government departments and agencies to either patch their vulnerable Exchange servers or disconnect them from the Internet. NCSC NO released an advisory stating that any exposed Exchange server not updated by the end of the 3rd of March should be considered likely compromised. US CISA further recommends investigating for signs of compromise from at least September 1, 2020 through the present.

(Updated 2021-03-13): The first proof-of-concept exploit code was made publicly available on the 9th of March, and since then we have observed a significant increase in opportunistic threat actors scanning for and exploiting vulnerable servers worldwide. The exploitation has predominantly taken the form of semi-automatic installation of webshells that seem to be left as backdoors for future access, or more manual activity using tools to first gather credentials and system information, followed by lateral movement and further compromise. The RCE requires chaining two vulnerabilities: a POST to a static resource (e.g. JavaScript or font files) followed by POST traffic to DDIService / SetOabVirtualDirectory. Palo Alto reported their observations of widespread installations of the China Chopper webshell, and Red Canary reported on multiple activity clusters where the threat actors drop multiple webshells on victims at different times, with follow-up activity taking place days later. There have also been reports of threat actors installing cryptomining malware and ransomware as part of the exploitation of these vulnerabilities.
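The request sequence described above (a POST to a static resource followed by a POST to DDIService / SetOabVirtualDirectory from the same client) can be hunted for directly in the IIS W3C logs. The following is an added detection example written for this advisory, not code from mnemonic, Microsoft or Volexity. The log lines, the 10-minute correlation window, the list of static-file extensions and the query-string form of the DDIService request are constructed assumptions; adapt the `#Fields` parsing to the field set your IIS site logs.

```python
"""Detect the two-stage ProxyLogon request pattern in IIS W3C log lines.

Added example, not part of the advisory. Stage 1: POST to a static resource
(JavaScript / font file). Stage 2: POST to DDIService referencing the OAB
virtual directory. A stage 2 request from a client that sent a stage 1
request shortly before is raised as a high-severity finding.
"""
from datetime import datetime, timedelta

# Extensions treated as "static resources" (assumption; extend as needed).
STATIC_SUFFIXES = (".js", ".woff", ".woff2", ".ttf", ".eot")

# Constructed sample log, not a real capture. Field layout is the #Fields header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-03-03 10:14:01 GET /owa/auth/logon.aspx - 198.51.100.10 200
2021-03-03 10:14:07 POST /owa/auth/x.js - 203.0.113.5 200
2021-03-03 10:14:09 POST /ecp/DDI/DDIService.svc/SetObject msExchEcpCanary=abc&schema=OABVirtualDirectory 203.0.113.5 200
2021-03-03 10:20:00 POST /ecp/DDI/DDIService.svc/SetOabVirtualDirectory - 198.51.100.20 200
2021-03-03 10:25:00 GET /ecp/default.aspx - 198.51.100.10 200
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log has no #Fields header before the first record")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed records instead of aborting the hunt
        yield dict(zip(fields, values))


def is_stage1(rec):
    """POST to a static resource: browsers GET these, they are never POST targets."""
    return rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower().endswith(STATIC_SUFFIXES)


def is_stage2(rec):
    """POST to DDIService that references the OAB virtual directory in path or query."""
    target = (rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]).lower()
    return (rec["cs-method"] == "POST"
            and "ddiservice" in target
            and "oabvirtualdirectory" in target)


def find_chains(text, window=timedelta(minutes=10)):
    """Return (severity, client_ip, timestamp, reason) tuples for suspicious requests."""
    last_stage1 = {}   # client ip -> time of most recent stage 1 request
    alerts = []
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        if is_stage1(rec):
            last_stage1[ip] = ts
            alerts.append(("low", ip, ts, "POST to static resource"))
        elif is_stage2(rec):
            t1 = last_stage1.get(ip)
            if t1 is not None and ts - t1 <= window:
                alerts.append(("high", ip, ts,
                               "static-resource POST followed by DDIService/OabVirtualDirectory POST"))
            else:
                alerts.append(("medium", ip, ts, "DDIService/OabVirtualDirectory POST"))
    return alerts


if __name__ == "__main__":
    for severity, ip, ts, reason in find_chains(SAMPLE_LOG):
        print(f"{severity:6} {ip:15} {ts:%Y-%m-%d %H:%M:%S} {reason}")
```

Run it against an exported log with `find_chains(open(path).read())`. Stage 2 on its own is only reported as medium because legitimate ECP administration also calls DDIService; the chain with a preceding static-resource POST from the same client is what should trigger the high-severity finding. The sample contains one such chain from 203.0.113.5 and one unchained DDIService POST from 198.51.100.20.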

The DEVCORE team of security researchers that first reported CVE-2021-26855 ("ProxyLogon") to Microsoft on the 5th of January has released an updated timeline of the vulnerability disclosure. The timeline shows that they started their research into Microsoft Exchange server vulnerabilities in October 2020 and discovered the ProxyLogon vulnerability in December 2020. However, as DomainTools points out, multiple sources have reported that the first Exchange server compromises were discovered as early as November 2020. This means that the vulnerabilities may have been discovered in parallel by HAFNIUM or other threat groups, or that the research details were leaked early on in the vulnerability research process.

Affected Systems

The following versions of Microsoft Exchange are considered vulnerable:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Exchange Online is NOT affected according to Microsoft.

Recommendations

mnemonic recommends the following:

  • Install the security update for Exchange server as soon as possible for Internet-exposed Exchange servers.
  • Scan Exchange server log files for indicators of compromise released by Microsoft [1] and Volexity [4]. Microsoft has also published a PowerShell script [11] that can be used to investigate the relevant log files.
  • Check publicly accessible paths on the Exchange server for unknown files.
  • Initiate threat hunting activities for all indicators of compromise and techniques used by the threat actor. This is especially important for organisations not covered by mnemonic's MDR service.
  • Validate the patch and mitigation state of all exposed servers. Microsoft has released an Nmap scanning script that can be used for this purpose [8].
  • Consider taking exposed Exchange servers offline until the patches can be applied.
  • If you are unable to patch affected Exchange Servers, apply the following interim mitigations as recommended by Microsoft [7]: Implement an IIS Re-Write Rule and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir Services.
  • Implement additional logging, monitoring and detection capabilities for exposed Exchange servers.


What if I find signs of compromise?

Investigating this threat consists of confirming one of the following scenarios:

  1. Unsuccessful attempts at compromising Exchange. The threat actor may have attempted compromise, but has run into some type of security mechanism preventing them from being successful.
  2. Successful compromise of Exchange but NO lateral movement or data exfiltration. The threat actor has successfully compromised the Exchange server and deployed webshells, but has not utilized them for further activities. In order to close the investigation with this conclusion it is important to examine the server logs in detail (listed below) and perform a forensic analysis to attain a "high" level of certainty.
  3. Successful compromise of Exchange AND CONFIRMED lateral movement or data exfiltration. The threat actor may have deployed tools on the server or is extensively using their webshells. Tools discovered may be pentest utilities for tunneling (SOCKS or other), reconnaissance scanners, exploitation code, reverse shells, malware loaders or trojans. The tools Procdump, Nishang and PowerCat have been reported to be used by the HAFNIUM threat actor group according to Microsoft. In this scenario a full incident response operation should be initiated.

The data to investigate for each scenario depends on its scope and environment, but for all scenarios it should in particular include: the IIS logs, Exchange HttpProxy logs, Exchange OABGenerator logs, Windows Application Event logs, and a check for suspicious ASP/ASPX files in c:\Inetpub\wwwroot\aspnet_client\* and \FrontEnd\HttpProxy\*.
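The file check for the two paths above, and the recommendation earlier in this advisory to check publicly accessible paths for unknown files, can be done by diffing the script files present against a baseline taken from a known-good server. The following is an added example written for this advisory, not code from mnemonic or Microsoft. The baseline, the extension list, the demo directory tree and the Exchange install prefix used for the HttpProxy path are assumptions; the September 1, 2020 look-back date is the one CISA recommends above.

```python
"""Hunt for unexpected ASP/ASPX files under the IIS paths named in the advisory.

Added example, not part of the advisory. Walks the given roots, reports every
.asp/.aspx/.ashx/.asmx file that is not in a baseline of known-good relative
paths, and flags script files modified on or after a look-back date.
"""
import os
import tempfile
from datetime import datetime, timezone

SCRIPT_EXTENSIONS = (".asp", ".aspx", ".ashx", ".asmx")   # assumption: extend as needed

# Look-back date recommended by CISA in the advisory.
CISA_LOOKBACK = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Paths named in the advisory. The install prefix of the second path is an
# assumption (default Exchange install location); adjust it for the host checked.
ADVISORY_ROOTS = [
    r"C:\Inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
]


def find_unexpected_scripts(roots, baseline, modified_since=None):
    """Return findings for script files not in `baseline` or modified recently.

    `baseline` holds lower-case, '/'-separated paths relative to their root,
    captured from a known-good server. `modified_since` is an aware UTC datetime.
    """
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(SCRIPT_EXTENSIONS):
                    continue
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace("\\", "/").lower()
                st = os.stat(full)
                mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                reasons = []
                if rel not in baseline:
                    reasons.append("script file not in known-good baseline")
                if modified_since is not None and mtime >= modified_since:
                    reasons.append("modified on/after " + modified_since.date().isoformat())
                if reasons:
                    findings.append({"name": name, "path": full, "size": st.st_size,
                                     "mtime": mtime.isoformat(), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree():
    """Constructed directory tree mimicking aspnet_client; for demonstration only."""
    root = tempfile.mkdtemp(prefix="aspnet_client_demo_")
    os.makedirs(os.path.join(root, "system_web"))
    with open(os.path.join(root, "system_web", "script.js"), "w") as fh:
        fh.write("var x = 1;\n")                     # .js: not a script extension, ignored
    with open(os.path.join(root, "known.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %>\n')      # listed in baseline
    with open(os.path.join(root, "unknown.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %>\n')      # not in baseline: reported
    return root


if __name__ == "__main__":
    # On a real Exchange host replace demo_root with ADVISORY_ROOTS and load the
    # baseline from a known-good server; aspnet_client normally holds no .aspx at all.
    demo_root = build_demo_tree()
    for f in find_unexpected_scripts([demo_root], baseline={"known.aspx"},
                                     modified_since=CISA_LOOKBACK):
        print(f["path"], f["size"], f["mtime"], "; ".join(f["reasons"]))
```

Findings carry the size and modification time so that they can be triaged and hashed for comparison against the Microsoft and Volexity indicators. Because timestamps are easy to forge, a file that is absent from the baseline is reported regardless of its modification time; the look-back date only adds a second reason to files that are in the baseline but have changed.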

Detection coverage for Argus customers and Argus Continuous Vulnerability Monitoring coverage (CVM)

mnemonic is carrying out threat hunting activities for our customers and we are alerting customers where we find indications of this threat and associated threat groups. We are monitoring the situation and continuously reviewing and updating our detection mechanisms, for example:

  • Web communication coverage for Argus Log and Network Analyser customers
  • Process coverage for Argus Endpoint Detection and Response customers
  • Detection of Microsoft Exchange assets missing the out-of-band update for Argus Continuous Vulnerability Monitoring customers

References


MITRE ATT&CK Techniques and Tools mapping for HAFNIUM

Technique ID and name | Description
T1588.002 - Obtain Capabilities: Tool | HAFNIUM has obtained Nishang and PowerCat [1]
T1003.001 - OS Credential Dumping: LSASS Memory | HAFNIUM uses Procdump to dump the LSASS process memory [1]
T1190 - Exploit Public-Facing Application | HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers [1]
T1560.001 - Archive Collected Data: Archive via Utility | HAFNIUM uses 7-Zip and WinRAR to compress stolen data prior to exfiltration [,4]
T1583.003 - Acquire Infrastructure: Virtual Private Server | HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States [1]
T1071.001 - Application Layer Protocol: Web Protocols | HAFNIUM operators deployed web shells on a compromised server [1]
T1114.002 - Email Collection: Remote Email Collection | HAFNIUM uses Exchange PowerShell snap-ins to export mailbox data [1]
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage | HAFNIUM typically exfiltrates data to file sharing sites like MEGA [1]
T1136.002 - Create Account: Domain Account | HAFNIUM has added their own domain user account and granted it privileges to provide access in the future [4]
T1021.002 - Remote Services: SMB/Windows Admin Shares | HAFNIUM has used PsExec to execute commands on remote systems [4]
T1505.003 - Server Software Component: Web Shell | HAFNIUM operators deployed web shells on a compromised server [1]


Software ID and name | Description
S0029 - PsExec | HAFNIUM uses PsExec to execute commands on remote systems [4]
Procdump | HAFNIUM uses Procdump to dump the LSASS process memory [1]
7-Zip | HAFNIUM uses 7-Zip to compress stolen data into ZIP files for exfiltration [1]
Nishang | HAFNIUM uses the Nishang Invoke-PowerShellTcpOneLine reverse shell [1]
PowerCat | HAFNIUM downloads PowerCat from GitHub, then uses it to open a connection to a remote server [1]
WinRAR | HAFNIUM uses WinRAR to archive data prior to exfiltration [4]
SIMPLESEESHARP | HAFNIUM uses a simple backdoor, which Volexity has named SIMPLESEESHARP [4]
SPORTSBALL | HAFNIUM uses a larger webshell, which Volexity has named SPORTSBALL [4]
S0020 - China Chopper | HAFNIUM has used China Chopper variants [4]
S0073 - ASPXSPY | HAFNIUM has used the ASPXSPY webshell [4]
Covenant | HAFNIUM has used legitimate open-source frameworks, like Covenant, for command and control [1]