Chinese state-sponsored hacker groups have used a set of vulnerabilities to exploit on premises Microsoft Exchange Servers, steal emails, and spread in networks. At the time of writing this targeting was limited to espionage targets and several hundred victims, but it is highly likely that exploitation will proliferate and financially motivated threat actors, including ransomware groups, will begin to use the exploits in the next four-to-eight weeks. Businesses are strongly urged to take preventative patching measures and conduct proactive hunting for existing evidence of prior compromise.
On 2 March 2021, Microsoft released patches for four critical vulnerabilities affecting Microsoft Exchange Servers. Successful exploitation had allowed attackers to remotely execute code on vulnerable servers and write to arbitrary filepaths. The vulnerabilities had already been exploited by a threat actor prior to the release of the patches.
At the time of release of the patches, the attacks were assessed to be “limited, targeted attacks” but we assess it highly likely that the techniques will be adopted by a wider set of threat actors and that this will include financially motivated groups in the short-to-medium term.
Organisations are advised to firstly apply the patches and secondly, examine their networks for evidence of compromise. We have provided guidance on these points under “Prevention” and “Detection” sections.
Are we vulnerable?
The vulnerabilities affect:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
- Microsoft Exchange Server 2010
We advise businesses to check which versions they are running and apply the patches as soon as practical.
The vulnerable versions are “on-premises” versions and Microsoft Online Exchange was not affected.
An Nmap script is freely available for businesses to assess quickly if they are vulnerable to the attack. This tool has been validated by a third party.
Who is using the exploits?
The threats actors associated with using the exploits were a suspected Chinese state-sponsored threat group, at the time of writing. The primary threat group was named HAFNIUM by Microsoft, but researchers have also observed attacks from the other espionage groups known as “Luckymouse”, “Tick” and “Calyspo”. It is almost certain that the motivation of these attackers is cyberespionage, rather than financial gain. However, we expect to see other cybercrime groups, including ransomware groups, begin to use these exploits in the next four-to-eight weeks.
Who is being attacked?
HAFNIUM’s targets were reportedly primarily in the US, although attacks have been reported in Europe, Asia, and the Middle East. The UK had not been highly targeted at the time of writing. HAFNIUM targeted victims across multiple sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, NGOs (Non-Governmental Organizations), and think tanks. Researchers have reported targeting against a much wider group of victims, including local government, healthcare providers, financial services, utilities, hospitality, retail, food, manufacturing, and small to medium businesses.
The scale of the attacks at the time of writing was limited to several hundred victims, although this number is expected to grow as long as businesses remain vulnerable.
What are the hallmarks of the attacks?
The vulnerabilities have been assigned the following CVE designations:
- CVE-2021-26855 - a server-side request forgery (SSRF) vulnerability which allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 - a remote code execution (RCE) vulnerability which allows a remote attacker to run code on a vulnerable Exchange server with SYSTEM privileges. Successful exploitation requires administrative privileges or execution of another vulnerability, such as CVE-2021-26855.
- CVE-2021-26858 - is a post-authentication arbitrary file write vulnerability which allows an attacker to write a file to any path on the server. An attacker could authenticate by successfully exploiting CVE-2021-26855 or using compromised credentials.
- CVE-2021-27065 - is a post-authentication arbitrary file write vulnerability similar to CVE-2021-26858. This vulnerability also requires authentication, such as by exploiting CVE-2021-26855 or using compromised credentials.
What do attackers do once they have gained initial access?
As three of the four vulnerabilities are post-authentication, the attackers reportedly chained them with CVE-2021-26855 to allow for successful exploitation. Following a successful compromise, the HAFNIUM group deployed webshells (PHP and aspx) on compromised servers to provide persistent remote access and allow the attackers to perform follow-on actions.
HAFNIUM attackers have been observed doing the following actions:
- Using the Microsoft utility “Procdump” to gather credentials form the LSASS process memory.
- Using 7-Zip and WinRar to compress stolen data for exfiltration.
- Adding and using Exchange PowerShell “snap-ins" (native utilities which provide additional functionality for managing Exchange servers) to export mailbox data.
- Using the freely available red-teaming tool Nishang to establish reverse shells using PowerShell.
- Downloading the freely available PowerCat tool and using it to open a connection to a remote server.
- Use of PSExec Windows Sysinternals tool to execute commands on remote systems.
- Domain Account User Addition to add their own user accounts with elevated privileges for use in future.
Evidence of these actions may assist in the detection of compromise (see “Detection” section for specific guidance on how to conduct this).
There was also evidence of the downloading of the Microsoft Exchange offline address book, which contains personal data and email addresses of businesses and employees.
The best prevention is to expedite patching to include updates on vulnerable externally facing Exchange Servers. However, restricting untrusted connections on port 443 will protect against the initial stages of the attack.
The attacks require the ability to make an untrusted connection to the Exchange server on port 443. Businesses can protect against the initial parts of the attack by restricting these connections or establishing a VPN to segregate the Exchange server from access via the open internet. Other steps in the chain can still be taken if an attacker has already gained initial access.
There are multiple other prevention options to prevent the post-exploitation stages of these attacks, which we have not referenced in this blog.
Volexity and Microsoft have both provided guidance on hunting for previous exploitation of these vulnerabilities and implementing rules to detect exploitation attempts in real time.
Both Volexity and Microsoft have also published lists of IP addresses used by the attackers to launch exploitation attempts. Inbound traffic from these addresses may be indicative of targeting, though as most are assigned to VPN and VPS providers they are almost certainly not exclusively used by HAFNIUM.
Attempts to exploit CVE-2021-26855 can be identified by searching Exchange HttpProxy logs for HTTP POST requests to specific URLs observed by Volexity in documented exploitation attempts. It should be noted that other URLs may be used and that these should only allow for reliable detection of historical exploitation attempts.
Exchange server IIS logs can also be searched for POST requests to the following URLs:
Attempts to exploit CVE-2021-26857 can be identified by searching Exchange ECP logs for a string like the one shown below.
Microsoft has published a set of PowerShell queries which can be used to search Exchange logs for potential evidence of compromise, which are available here.
Several options exist for identifying webshells deployed by HAFNIUM; Volexity has published a Yara rule for detecting the ChinaChopper webshell used by the attackers and Microsoft has published both hashes for observed malware and the filepaths at which they have been deployed in documented attacks. Defenders can use these to hunt for evidence of webshell deployment by this group.
In addition to detection of exploitation attempts and webshell deployment, Microsoft has published guidance for detecting post-exploitation techniques used by HAFNIUM using Windows Defender. Organisations may also consider using Microsoft Credential Guard to restrict and detect processes attempting to interact with LSASS memory. If capability exists to examine and alert of suspicious processes (e.g., through an EDR solution), organisations should explore tuning these tools to detect execution of suspicious PowerShell commands such as those which establish connections to remote hosts. This can also be achieved by enabling PowerShell transcription and forwarding these logs to a SIEM or another log aggregation platform.