Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today's Microsoft Security Response Center (MSRC) release, Multiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.

We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers. The related IOCs, Azure Sentinel advanced hunting queries, and Microsoft Defender for Endpoint product detections and queries shared in this blog will help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation.

Microsoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation. Volexity has also published a blog post with their analysis. It is this degree of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all.

Who is HAFNIUM?

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they've gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.

In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets' environments.

HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

Technical details

Microsoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

Attack details

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below:

Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:

Using Procdump to dump the LSASS process memory:

Using 7-Zip to compress stolen data into ZIP files for exfiltration:

Adding and using Exchange PowerShell snap-ins to export mailbox data:

Using the Nishang Invoke-PowerShellTcpOneLine reverse shell:

Downloading PowerCat from GitHub, then using it to open a connection to a remote server:

HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.

Our blog, Defending Exchange servers under attack, offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog Web shell attacks continue to rise.

Can I determine if I have been compromised by this activity?

The below sections provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems.

Check patch levels of Exchange Server

The Microsoft Exchange Server team has published a blog post on these new Security Updates providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic questions around installation of these patches.

Scan Exchange log files for indicators of compromise

CVE-2021-26855 exploitation is likely to be detected via the following Exchange HttpProxy logs:

These logs are located in the following directory: %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy

Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern ServerInfo~*/*

Here is an example PowerShell command to find these log entries:

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox

If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what activities were taken.

These logs are available in the %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging directory.
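The same HttpProxy check, written as an added example (not code from the Microsoft post) that runs offline over log files copied off a server: it drops the '#'-prefixed metadata lines Exchange writes after the CSV header, then keeps rows whose AuthenticatedUser is empty and whose AnchorMailbox matches ServerInfo~*/*. The sample log is constructed and abbreviated to the columns the check reads; the request IDs, hosts and addresses in it are invented.

```python
"""Hunt Exchange HttpProxy logs for CVE-2021-26855 (SSRF) exploitation.

Added example (not from the Microsoft post): the same test as the
PowerShell one-liner, AuthenticatedUser empty and AnchorMailbox matching
ServerInfo~*/*, but runnable offline over copied log files.
"""
import csv
import io
import re
from pathlib import Path
from typing import Dict, Iterator, List

# PowerShell -like 'ServerInfo~*/*' as a regex: starts with "ServerInfo~"
# and has at least one "/" somewhere after it.
ANCHOR_PATTERN = re.compile(r"^ServerInfo~.*/", re.IGNORECASE)


def iter_rows(text: str) -> Iterator[Dict[str, str]]:
    """Yield request rows from an Exchange CSV log.

    Exchange writes the header row first and then a few '#'-prefixed
    metadata lines (#Software, #Version, #Log-type, #Date); those lines
    are dropped so they are never mistaken for requests.
    """
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return csv.DictReader(io.StringIO("\n".join(lines)))


def find_ssrf_hits(text: str) -> List[Dict[str, str]]:
    """Return the rows that look like unauthenticated proxied requests."""
    hits = []
    for row in iter_rows(text):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = (row.get("AnchorMailbox") or "").strip()
        if user == "" and ANCHOR_PATTERN.match(anchor):
            hits.append({
                "DateTime": row.get("DateTime", ""),
                "ClientIpAddress": row.get("ClientIpAddress", ""),
                "UrlStem": row.get("UrlStem", ""),
                "AnchorMailbox": anchor,
            })
    return hits


def scan_directory(root: Path) -> List[Dict[str, str]]:
    """Apply find_ssrf_hits to every *.log file under a copied HttpProxy tree."""
    hits = []
    for path in sorted(root.rglob("*.log")):
        hits.extend(find_ssrf_hits(path.read_text(encoding="utf-8", errors="replace")))
    return hits


# Constructed, abbreviated sample (real HttpProxy logs carry many more
# columns; only the fields this check reads are kept). The third data
# row is the hit: no authenticated user, AnchorMailbox is ServerInfo~.../...
SAMPLE_LOG = """DateTime,RequestId,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
#Software: Microsoft Exchange Server
#Version: 15.01.2176.002
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
2021-03-03T01:12:04.221Z,7d1a,Owa,/owa/auth/logon.aspx,,,203.0.113.5,200
2021-03-03T01:13:31.004Z,8e4b,Autodiscover,/autodiscover/autodiscover.xml,contoso\\jdoe,Sid~S-1-5-21-1004336348-1177238915-682003330-1103,198.51.100.7,200
2021-03-03T01:14:09.871Z,9f5c,Ecp,/ecp/y.js,,ServerInfo~a]@exch01.contoso.local/ecp/proxyLogon.ecp?#,203.0.113.5,200
"""

if __name__ == "__main__":
    for hit in find_ssrf_hits(SAMPLE_LOG):
        print(hit)
```

Point scan_directory at a copy of the HttpProxy folder and pivot on ClientIpAddress and UrlStem from the hits; the application-specific logs named in the AnchorMailbox path show what the proxied request did.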

CVE-2021-26858 exploitation can be detected via the Exchange log files:

C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog

Files should only be downloaded to the %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory

In case of exploitation, files are downloaded to other directories (UNC or local paths)

Windows command to search for potential exploitation:

findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

CVE-2021-26857 exploitation is likely to be detected via the Windows Application event logs

Exploitation of this deserialization flaw will create Application events with the following properties:

Source: MSExchange Unified Messaging
EntryType: Error
Event Message Contains: System.InvalidCastException

Following is a PowerShell command to query the Application Event Log for these log entries:

Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }

CVE-2021-27065 exploitation is likely to be detected via the following Exchange log files:

C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server

The properties set by any Set-*VirtualDirectory cmdlet should never contain script. InternalUrl and ExternalUrl should only be valid URIs.

Following is a PowerShell command to search for potential exploitation:

Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
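The findstr and Select-String commands above only surface candidate lines; deciding whether a line is an exploitation trace still needs the path or URL check the text describes. The following added example (not code from the Microsoft post) does that second step for both file-write CVEs: for OABGeneratorLog entries it normalises the temporary file path and flags anything that does not resolve under ClientAccess\OAB\Temp (UNC paths, other local paths, and Temp\..\.. traversals), and for ECP\Server entries it extracts the InternalUrl/ExternalUrl arguments of Set-*VirtualDirectory calls and flags any value that is not a plain absolute http(s) URI or contains markup or script. The sample lines are constructed and their column layout, the "temporary file <path>" message shape and the -ExternalUrl '...' parameter shape are assumptions, so the two regexes should be adjusted to the real log layout before use; the install root is assumed to be the default %PROGRAMFILES% location.

```python
"""Hunt for arbitrary-file-write traces of CVE-2021-26858 and CVE-2021-27065.

Added example, not code from the Microsoft post. The log layouts below are
assumed; the regexes key only on the substrings the post names.
"""
import ntpath
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Assumed install root (%PROGRAMFILES% expanded on a default install).
EXCHANGE_ROOT = r"C:\Program Files\Microsoft\Exchange Server\V15"
OAB_TEMP = EXCHANGE_ROOT + r"\ClientAccess\OAB\Temp"

# Assumed message shape: the temporary file path ends the line.
OAB_MSG = re.compile(r"Download failed and temporary file\s+(\S.*?)\s*$", re.IGNORECASE)
SET_VDIR = re.compile(r"Set-\w*VirtualDirectory", re.IGNORECASE)
# Assumed parameter shape: -InternalUrl '...' / -ExternalUrl '...'.
URL_PARAM = re.compile(r"-(InternalUrl|ExternalUrl)\s+'([^']*)'", re.IGNORECASE)


def outside_oab_temp(path: str) -> bool:
    """True when a Windows path does not resolve under OAB\\Temp.

    ntpath works on any platform: it normalises '/' to '\\', folds case and
    collapses '..', so Temp\\..\\..\\FrontEnd\\... is not mistaken for Temp.
    """
    target = ntpath.normcase(ntpath.normpath(path))
    return not target.startswith(ntpath.normcase(OAB_TEMP) + "\\")


def find_oab_writes_outside_temp(lines: Iterable[str]) -> List[str]:
    """Paths from 'Download failed and temporary file' entries that left OAB\\Temp."""
    flagged = []
    for line in lines:
        m = OAB_MSG.search(line)
        if m and outside_oab_temp(m.group(1)):
            flagged.append(m.group(1))
    return flagged


def url_is_clean(url: str) -> bool:
    """A virtual-directory URL must be an absolute http(s) URI with no markup or script."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ("http", "https") or not parsed.netloc:
        return False
    lowered = url.lower()
    return not any(token in lowered for token in ("<", ">", "script"))


def find_scripted_virtual_directories(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(parameter, url) pairs from Set-*VirtualDirectory calls with a bad URL."""
    flagged = []
    for line in lines:
        if not SET_VDIR.search(line):
            continue
        for param, url in URL_PARAM.findall(line):
            if not url_is_clean(url):
                flagged.append((param, url))
    return flagged


# Constructed samples. Line 1 is a normal OAB temp file; line 2 traverses out
# of Temp into the OWA auth directory; line 3 is a UNC path.
OAB_SAMPLE = [
    r"2021-03-03T02:10:11.503Z,OABGenerator,Download failed and temporary file C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp\4f2a.lzx",
    r"2021-03-03T02:11:40.117Z,OABGenerator,Download failed and temporary file C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp\..\..\..\FrontEnd\HttpProxy\owa\auth\errorEE.aspx",
    r"2021-03-03T02:12:02.990Z,OABGenerator,Download failed and temporary file \\203.0.113.5\share\help.aspx",
]
# Line 2 sets ExternalUrl to script (PLACEHOLDER stands in for a payload);
# line 3 is the benign-looking reset that typically follows it.
ECP_SAMPLE = [
    r"2021-03-03T02:20:44.651Z,ECP,admin@contoso.local,Set-OwaVirtualDirectory -Identity 'EXCH01\owa (Default Web Site)' -ExternalUrl 'https://mail.contoso.com/owa'",
    r"""2021-03-03T02:21:19.338Z,ECP,admin@contoso.local,Set-OabVirtualDirectory -Identity 'EXCH01\OAB (Default Web Site)' -ExternalUrl 'http://f/<script language="JScript" runat="server">PLACEHOLDER</script>'""",
    r"2021-03-03T02:22:05.004Z,ECP,admin@contoso.local,Set-OabVirtualDirectory -Identity 'EXCH01\OAB (Default Web Site)' -ExternalUrl 'https://mail.contoso.com/OAB'",
]

if __name__ == "__main__":
    print(find_oab_writes_outside_temp(OAB_SAMPLE))
    print(find_scripted_virtual_directories(ECP_SAMPLE))
```

The third ECP sample line is deliberately clean: after writing the shell the operator resets the URL, so a review that looks only at the current virtual directory configuration misses the write, which is why the historical ECP log lines are the thing to inspect. The "script" substring test is conservative and will also catch a legitimate /scripts/ path; treat hits as items for review, not verdicts.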

Host IOCs

Hashes

Web shell hashes

b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

Paths

We observed web shells in the following paths:

C:\inetpub\wwwroot\aspnet_client\
C:\inetpub\wwwroot\aspnet_client\system_web\

In Microsoft Exchange Server installation paths such as:

%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
C:\Exchange\FrontEnd\HttpProxy\owa\auth\

The web shells we observed had the following file names:

web.aspx
help.aspx
document.aspx
errorEE.aspx
errorEEE.aspx
errorEW.aspx
errorFF.aspx
healthcheck.aspx
aspnet_www.aspx
aspnet_client.aspx
xx.aspx
shell.aspx
aspnet_iisstart.aspx
one.aspx

Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.

Customers should monitor these paths for LSASS dumps:

C:\windows\temp\
C:\root\

Tools

Procdump
Nishang
PowerCat
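An added example (not Microsoft's tooling) that turns the host IOCs above into a single sweep: it hashes every .aspx/.asp under the published web-shell directories and compares against the published SHA-256 list, flags the published file names, reports any other server page sitting in aspnet_client (which normally holds only client-side script), and lists .zip/.rar/.7z archives under C:\ProgramData and .dmp files in the LSASS dump paths. Directory roots are parameters so it also runs against a mounted image or an exported tree; build_constructed_sample creates a throwaway directory that mimics those paths for a dry run, and the files it writes are constructed, not real web shells.

```python
"""Sweep a host (or a mounted image) for the HAFNIUM host IOCs listed above.

Added example, not Microsoft's tooling. Hashes and file names are the
published IOCs; the directory roots default to the published paths.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Iterator, List, Set, Tuple

WEBSHELL_HASHES: Set[str] = {
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
}
WEBSHELL_NAMES: Set[str] = {
    "web.aspx", "help.aspx", "document.aspx", "erroree.aspx", "erroreee.aspx",
    "errorew.aspx", "errorff.aspx", "healthcheck.aspx", "aspnet_www.aspx",
    "aspnet_client.aspx", "xx.aspx", "shell.aspx", "aspnet_iisstart.aspx", "one.aspx",
}
WEBSHELL_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Exchange\FrontEnd\HttpProxy\owa\auth",
]
ARCHIVE_DIRS = [r"C:\ProgramData"]
DUMP_DIRS = [r"C:\windows\temp", r"C:\root"]
PAGE_EXT = {".aspx", ".asp"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}


def sha256_of(path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large dumps do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(roots: Iterable[str]) -> Iterator[Path]:
    for root in map(Path, roots):
        if root.is_dir():
            yield from (p for p in sorted(root.rglob("*")) if p.is_file())


def sweep(webshell_dirs=WEBSHELL_DIRS, archive_dirs=ARCHIVE_DIRS,
          dump_dirs=DUMP_DIRS, hashes: Set[str] = WEBSHELL_HASHES) -> Dict[str, List[str]]:
    """Return findings keyed by IOC type; each value is a list of file paths."""
    found: Dict[str, List[str]] = {
        k: [] for k in ("hash_match", "name_match", "unexpected_page", "archive", "dump")}
    for p in _files(webshell_dirs):
        if p.suffix.lower() not in PAGE_EXT:
            continue
        if sha256_of(p) in hashes:
            found["hash_match"].append(str(p))
        if p.name.lower() in WEBSHELL_NAMES:
            found["name_match"].append(str(p))
        elif "aspnet_client" in str(p).lower():
            found["unexpected_page"].append(str(p))   # aspnet_client should hold no server pages
    for p in _files(archive_dirs):
        if p.suffix.lower() in ARCHIVE_EXT:
            found["archive"].append(str(p))
    for p in _files(dump_dirs):
        if p.suffix.lower() == ".dmp":
            found["dump"].append(str(p))
    return found


def build_constructed_sample() -> Tuple[str, str, str]:
    """Create a throwaway tree mimicking the IOC paths (constructed, for a dry run)."""
    base = Path(tempfile.mkdtemp(prefix="hafnium-sweep-"))
    ws = base / "inetpub" / "wwwroot" / "aspnet_client"
    (ws / "system_web").mkdir(parents=True)
    (ws / "help.aspx").write_text("constructed")               # published name
    (ws / "one.aspx").write_bytes(b"")                         # published name, empty file
    (ws / "system_web" / "zz.aspx").write_text("constructed")  # unlisted server page
    (ws / "system_web" / "site.js").write_text("constructed")  # benign client script
    pd = base / "ProgramData"
    pd.mkdir()
    (pd / "mail.7z").write_bytes(b"7z")
    tmp = base / "windows" / "temp"
    tmp.mkdir(parents=True)
    (tmp / "lsass.dmp").write_bytes(b"MDMP")
    return str(ws), str(pd), str(tmp)


if __name__ == "__main__":
    ws, pd, tmp = build_constructed_sample()
    for kind, paths in sweep([ws], [pd], [tmp]).items():
        print(kind, paths)
```

On a live server run it with the defaults; a hash match is a confirmed sample, a name match or an unexpected page in aspnet_client is a file to pull and inspect, and archives or dumps in the staging paths are pivots for the exfiltration and credential-theft timeline.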

Many of the following detections are for post-breach techniques used by HAFNIUM. So while these help detect some of the specific current attacks that Microsoft has observed, it remains very important to apply the recently released updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858.

Microsoft Defender Antivirus detections

Please note that some of these detections are generic detections and not unique to this campaign or these exploits.

Exploit:Script/Exmann.A!dha
Behavior:Win32/Exmann.A
Backdoor:ASP/SecChecker.A
Backdoor:JS/Webshell (not unique)
Trojan:JS/Chopper!dha (not unique)
Behavior:Win32/DumpLsass.A!attk (not unique)
Backdoor:HTML/TwoFaceVar.B (not unique)

Microsoft Defender for Endpoint detections

Suspicious Exchange UM process creation
Suspicious Exchange UM file creation
Possible web shell installation (not unique)
Process memory dump (not unique)

Azure Sentinel detections

HAFNIUM Suspicious Exchange Request
HAFNIUM UM Service writing suspicious file
HAFNIUM New UM Service Child Process
HAFNIUM Suspicious UM Service Errors
HAFNIUM Suspicious File Downloads

Advanced hunting queries

To locate possible exploitation activity related to the contents of this blog, you can run the following advanced hunting queries via Microsoft Defender for Endpoint and Azure Sentinel:

Microsoft Defender for Endpoint advanced hunting queries

Microsoft 365 Defender customers can find related hunting queries below or at this GitHub location: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/

Additional queries and info are available via Threat Analytics portal for Microsoft Defender customers.

UMWorkerProcess.exe in Exchange creating abnormal content

Look for Microsoft Exchange Server's Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of the CVE-2021-26858 vulnerability:

DeviceFileEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName != "CacheCleanup.bin"
| where FileName !endswith ".txt"
| where FileName !endswith ".LOG"
| where FileName !endswith ".cfg"
| where FileName != "cleanup.bin"

UMWorkerProcess.exe spawning

Look for Microsoft Exchange Server's Unified Messaging service spawning abnormal subprocesses, indicating exploitation of the CVE-2021-26857 vulnerability:

DeviceProcessEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName != "wermgr.exe"
| where FileName != "WerFault.exe"

Please note excessive spawning of wermgr.exe and WerFault.exe could be an indicator of compromise due to the service crashing during deserialization.

Azure Sentinel advanced hunting queries

Azure Sentinel customers can find a Sentinel query containing these indicators in the Azure Sentinel Portal or at this GitHub location: https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/

Look for Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:

SecurityEvent
| where EventID == 4688
| where Process has_any ("powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"

Look for downloads of PowerCat in cmd and PowerShell command line logging in Windows Event Logs:

SecurityEvent
| where EventID == 4688
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"

Look for the Exchange PowerShell Snapin being loaded. This can be used to export mailbox data; subsequent command lines should be inspected to verify usage:

SecurityEvent
| where EventID == 4688
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where isnotempty(CommandLine)
| where CommandLine contains "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin"
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine

The post HAFNIUM targeting Exchange Servers with 0-day exploits appeared first on Microsoft Security.
