Hafnium Targeting Exchange Servers

Priority: Critical

Summary

On 2nd March Microsoft released a number of fixes for vulnerabilities affecting on-premises installations of Exchange Server. The vulnerabilities are being actively exploited by an Advanced Persistent Threat Microsoft have dubbed ‘Hafnium’. 1

Customers should apply these patches immediately and monitor their Exchange Server deployments for any sign of compromise. Exchange Online is not affected.

Background

In January this year, Volexity detected anomalous activity from two of its customers’ Microsoft Exchange servers and initiated incident response procedures. During the investigation, Volexity’s analysts discovered that the Exchange servers had been compromised by exploiting previously unknown vulnerabilities. 2

The attack consists of a chain of exploits that begins by targeting CVE-2021-26855, which is a server-side request forgery (SSRF) vulnerability in Exchange that allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. 3

The following vulnerabilities were also discovered during the collaborative investigation between Volexity and Microsoft:

  • CVE-2021-26857 – an insecure deserialization vulnerability in the Unified Messaging service. 4
  • CVE-2021-26858 – an arbitrary file write vulnerability in Exchange. 5
  • CVE-2021-27065 – an arbitrary file write vulnerability in Exchange. 6


While the first stage of the attack chain can be mitigated by restricting untrusted connections to Exchange Server over port TCP/443, Microsoft recommend patching immediately because the remaining three vulnerabilities can be exploited if the Exchange server has been compromised through some other vector, or if an attacker can manipulate an administrator into running a malicious file.

Once the Exchange Server has been compromised, HAFNIUM typically uses open-source frameworks, such as Covenant, for command and control, and file sharing sites such as Mega for data exfiltration. HAFNIUM operates from leased servers based in the United States, but the group behind the campaign is believed to be located in China, judging by its observed tactics, techniques, and victims. 7

Affected Products

The affected versions of Exchange Server are:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019


Prevention

Administrators of Exchange Servers should apply Microsoft’s security updates immediately. The security updates apply to the following specific versions:

  • Exchange Server 2010 (RU 31 for Service Pack 3) – this has been released as a ‘defence in depth update’
  • Exchange Server 2013 (CU 23)
  • Exchange Server 2016 (CU 19, CU 18)
  • Exchange Server 2019 (CU8, CU 7)


Administrators must bring their Exchange servers up to these patch levels before they can install the security updates to patch these latest vulnerabilities, and should plan for downtime during the process. 8

Detection

Microsoft have released indicators of compromise (IOCs) following their initial investigations and research. ITC has updated its SIEM detection capabilities accordingly, and customers of the ITC VI service will be monitored for these vulnerabilities as soon as Qualys has released its own detection logic.

To quickly check for signs of compromise, customers can search for the following indicators on affected Exchange servers:

  • CVE-2021-26855 exploitation can be detected via the Exchange HttpProxy logs located in the following directory: %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy
    • Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern of ServerInfo~*/*
    • Here is an example PowerShell command to find these log entries (note that PowerShell needs straight quotes; the typographic quotes that some copies of this command carry will cause it to fail):
      Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | Select-Object DateTime, AnchorMailbox

Web shells were detected at the following paths:

  • C:\inetpub\wwwroot\aspnet_client\
  • C:\inetpub\wwwroot\aspnet_client\system_web\
  • In Microsoft Exchange Server installation paths such as:
    • %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
    • C:\Exchange\FrontEnd\HttpProxy\owa\auth\


The web shells had the following file names:

  • web.aspx
  • help.aspx
  • document.aspx
  • errorEE.aspx
  • errorEEE.aspx
  • errorEW.aspx
  • errorFF.aspx
  • healthcheck.aspx
  • aspnet_www.aspx
  • aspnet_client.aspx
  • xx.aspx
  • shell.aspx
  • aspnet_iisstart.aspx
  • one.aspx
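The two checks above (the HttpProxy log search for CVE-2021-26855 and the web shell path and name list), as an added offline triage example that is not part of the original advisory and not Microsoft's or ITC's tooling. The log rows and file paths are constructed; the column layout assumes the CSV header that follows the '#' preamble lines in Exchange HttpProxy logs, and the wildcard matching mimics PowerShell's case-insensitive -like.

```python
import csv
import fnmatch
from pathlib import PureWindowsPath

# Constructed sample of Exchange HttpProxy log rows, cut down to the columns this
# check uses; real logs carry many more columns and start with '#' preamble lines.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
DateTime,RequestId,ClientIpAddress,AuthenticatedUser,AnchorMailbox
2021-03-01T10:00:01.000Z,1,10.0.0.5,CONTOSO\\alice,Sid~S-1-5-21-1234
2021-03-01T10:00:02.000Z,2,203.0.113.7,,ServerInfo~exch01.example.test/autodiscover/autodiscover.xml
2021-03-01T10:00:03.000Z,3,10.0.0.9,CONTOSO\\bob,ServerInfo~exch01.example.test/owa
2021-03-01T10:00:04.000Z,4,203.0.113.7,,Sid~S-1-5-21-5678
"""

def find_ssrf_indicators(log_text, pattern="ServerInfo~*/*"):
    """(DateTime, AnchorMailbox) for rows with an empty AuthenticatedUser whose
    AnchorMailbox matches the PowerShell-style wildcard (case-insensitive, like -like)."""
    rows = csv.DictReader(l for l in log_text.splitlines() if not l.startswith("#"))
    hits = []
    for row in rows:
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = row.get("AnchorMailbox") or ""
        if user == "" and fnmatch.fnmatchcase(anchor.lower(), pattern.lower()):
            hits.append((row["DateTime"], anchor))
    return hits

# Locations and file names reported above; directories are matched as path suffixes
# so both the %PROGRAMFILES% and C:\Exchange install layouts are covered.
WEBSHELL_DIR_SUFFIXES = (r"inetpub\wwwroot\aspnet_client",
                         r"inetpub\wwwroot\aspnet_client\system_web",
                         r"FrontEnd\HttpProxy\owa\auth")
WEBSHELL_NAMES = {n.lower() for n in (
    "web.aspx", "help.aspx", "document.aspx", "errorEE.aspx", "errorEEE.aspx",
    "errorEW.aspx", "errorFF.aspx", "healthcheck.aspx", "aspnet_www.aspx",
    "aspnet_client.aspx", "xx.aspx", "shell.aspx", "aspnet_iisstart.aspx", "one.aspx")}

def match_webshell_paths(file_paths):
    """Paths (e.g. from a directory listing) whose directory is a reported location
    and whose name is a reported web shell name. Names are trivially changed, so an
    empty result is a starting point for review, not proof of a clean server."""
    hits = []
    for p in file_paths:
        path = PureWindowsPath(p)
        parent = str(path.parent).lower()
        if path.name.lower() in WEBSHELL_NAMES and any(
                parent.endswith(s.lower()) for s in WEBSHELL_DIR_SUFFIXES):
            hits.append(p)
    return hits
```

Feed find_ssrf_indicators the concatenated contents of the HttpProxy log files and match_webshell_paths a recursive listing of the IIS and Exchange FrontEnd directories; any hit warrants full incident response rather than just deleting the file.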


Sources:

[1] https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

[2] https://volexity.com/blog/2021/03/03/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

[4] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

[6] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

[7] https://microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

[8] https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901