Microsoft reported on March 2, 2021 that the state-sponsored group known as HAFNIUM has actively exploited four zero-day vulnerabilities to attack on-premises versions of Microsoft Exchange Server. First detected as early as January 2021 by the Washington, D.C.-based security firm Volexity, the attack campaign is still under investigation, with more information being reported as events unfold.

Exploitation of these vulnerabilities has so far allowed the group to exfiltrate email, compromise victim networks with malware, and establish long-term access to their victims’ environments. The exploits were uncovered when Volexity’s network security monitoring service detected anomalous activity from two of its customers’ Microsoft Exchange servers.

After kicking off multiple incident response efforts, including acquiring system memory and other disk artifacts, Volexity confirmed that the vulnerabilities affect on-premises Microsoft Exchange Server 2013, 2016, and 2019. The vulnerabilities do not appear to affect Exchange Online or Office 365. Microsoft is urging organizations with on-premises Exchange Server installations to apply the patches for the following four critical vulnerabilities without delay:

  • CVE-2021-26855 (server-side request forgery)
  • CVE-2021-26857 (insecure deserialization in the Unified Messaging service)
  • CVE-2021-26858 (post-authentication arbitrary file write)
  • CVE-2021-27065 (post-authentication arbitrary file write)

How Did the Attack Occur?

Analysis of system memory and other disk artifacts has revealed that the attacker chained four different vulnerabilities in Microsoft Exchange to steal the contents of several user mailboxes and to deploy web shells on the victims’ servers, giving the group persistent access from which to carry out further malicious actions.

As Volexity continues to monitor the threat and work with affected organizations, they note that the zero-day exploits used in this campaign may have been complex to develop, but they require no authentication and no special knowledge of the target environment to use. All the attacker needed was the address of an internet-facing Exchange server and the account whose email they wanted to exfiltrate.

To break down the attack: HAFNIUM first leveraged CVE-2021-26855, a server-side request forgery (SSRF) flaw that lets an unauthenticated attacker send arbitrary HTTP requests through the Exchange server and authenticate to it as the Exchange server itself. CVE-2021-26857, an insecure deserialization flaw in the Unified Messaging service, was then used to run code of their choice as SYSTEM on the targeted Exchange server; exploiting it requires administrator permission or another vulnerability such as the SSRF. Finally, CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file write vulnerabilities: once authenticated, whether through the SSRF or with compromised administrator credentials, the group could write a file, such as a web shell, to any path on the server.

What Does This Mean to Our Partners?

While this attack campaign was executed by a prolific state-sponsored hacking group, it succeeded by exploiting zero-day vulnerabilities in widely deployed software. Volexity’s initial investigation found that the exploits required very little technical know-how to use, so a far less sophisticated attacker could have used them to gain access to an organization’s email if its Exchange servers were directly exposed to the internet.

Further, HAFNIUM chained the SSRF flaw with the other three to achieve remote code execution (RCE) on the target’s servers. In the RCE cases observed by Volexity and others, attackers wrote web shells (ASPX files) to disk and then used them to operate under legitimate user credentials, add new user accounts, steal copies of the victims’ Active Directory database (NTDS.DIT), and move laterally to other systems and environments. From that point on, the damage escalates quickly.

A list of vulnerable Microsoft Exchange versions can be found at the Microsoft Exchange Teams blog:  https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

Indicators of Compromise (IOCs)

SHA256 Web Shell Hashes

  • b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  • 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
  • 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
  • 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
  • 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  • 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
  • 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
  • 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

Paths to scan for web shells and suspicious files ending in .aspx

  • C:\inetpub\wwwroot\aspnet_client\
  • C:\inetpub\wwwroot\aspnet_client\system_web\
  • Microsoft Exchange Server installation paths such as:
      • %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
      • C:\Exchange\FrontEnd\HttpProxy\owa\auth\
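The following PowerShell sweep is an added example and not part of the original post or of Microsoft’s or Volexity’s tooling. It walks the IOC paths listed above, hashes every file, and reports three kinds of finding: a SHA256 match against the published web shell hashes (a confirmed hit), any .aspx file under aspnet_client (a directory that normally holds no .aspx at all), and .aspx files under owa\auth, which Exchange legitimately populates with pages such as logon.aspx and which are therefore listed with their write time and owner for manual review rather than flagged outright. The C:\Exchange path is the page’s example of a non-default install location and is skipped if it does not exist; the CSV output path is an assumption.

```powershell
# Added example (not from the original post): sweep the IOC paths above for web shells.
# Run in an elevated PowerShell session on the Exchange server itself.

# SHA256 hashes of the known HAFNIUM web shells (the IOC list above), lower-case for comparison
$KnownShellHashes = @(
    'b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0'
    '097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e'
    '2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1'
    '65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5'
    '511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1'
    '4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea'
    '811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d'
    '1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944'
)

# Directories from the IOC list. aspnet_client is recursed, which also covers
# aspnet_client\system_web. %PROGRAMFILES% is expanded here; the C:\Exchange path
# is the page's non-default example and is skipped below if it does not exist.
$ScanPaths = @(
    'C:\inetpub\wwwroot\aspnet_client'
    (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth')
    'C:\Exchange\FrontEnd\HttpProxy\owa\auth'
)

function Get-WebShellVerdict {
    param([System.IO.FileInfo]$File, [string]$Sha256)
    # A hash match is a confirmed hit regardless of file name or extension
    if ($KnownShellHashes -contains $Sha256) { return 'KNOWN_WEBSHELL' }
    if ($File.Extension -ieq '.aspx') {
        # aspnet_client normally holds no .aspx at all; owa\auth ships legitimate
        # ones (e.g. logon.aspx), so those are only surfaced for manual review
        if ($File.FullName -ilike '*\aspnet_client\*') { return 'UNEXPECTED_ASPX' }
        return 'REVIEW_ASPX'
    }
    return $null
}

$Findings = foreach ($Dir in $ScanPaths) {
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { continue }
    Get-ChildItem -LiteralPath $Dir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
        $Verdict = Get-WebShellVerdict -File $_ -Sha256 $Sha256
        if ($Verdict) {
            [PSCustomObject]@{
                Verdict       = $Verdict
                Path          = $_.FullName
                SHA256        = $Sha256
                LastWriteTime = $_.LastWriteTime
                Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
            }
        }
    }
}

if ($Findings) {
    $Findings | Sort-Object Verdict, LastWriteTime -Descending | Format-Table -AutoSize
    # Keep a record for the responders before anyone deletes anything (output path is an assumption)
    $Findings | Export-Csv -LiteralPath "$env:TEMP\exchange-webshell-sweep.csv" -NoTypeInformation
} else {
    Write-Host 'No known web shell hashes or unexpected .aspx files found under the IOC paths.'
}
```

A hash list only catches the shells already seen; attackers change a byte and the hash changes with it. That is why the sweep also reports by location and extension, and why a REVIEW_ASPX entry with a write time after your last Exchange update, or an owner other than the account that installed Exchange, deserves a closer look even when its hash is unknown. Do not delete findings before they have been preserved for the investigation; a web shell is evidence of how far the intrusion went, not just a file to remove.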

How to Protect Yourself and Your Clients

Don’t allow a single compromise to devastate your operations. When an attack occurs, detection and response times are crucial and often determine whether the actors succeed in their efforts. With attackers acting faster than ever, investing in an around-the-clock true Managed Detection and Response (MDR) service means that you can fight back within minutes and hours, not days and weeks.

Combine both prevention and advanced tradecraft detection technologies to monitor your account activity and behavior in real time. A 24/7 active threat hunting and response service staffed by experienced security analysts can detect reconnaissance activity at its earliest stages. Once it is detected, analysts can respond quickly to stop attackers from moving laterally in your networks, isolate compromised devices, and shut down any attempt to encrypt or steal sensitive information.

Learn more about such capabilities at Blackpoint Cyber. Rest easy knowing that our team keeps you and your clients safe.

Want something new to listen to?

Check out our podcast, The Unfair Fight, where you can hear industry insights from Blackpoint Cyber leadership and our special guests firsthand.