HAFNIUM and Microsoft Exchange Zero-Days

Microsoft released security updates on Tuesday, March 2, 2021, for multiple zero-day vulnerabilities affecting on-premises versions of Microsoft Exchange Server. The vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The attackers, whom Microsoft named HAFNIUM, exploited CVE-2021-26855 for initial access and then chained it with the other three vulnerabilities, giving the threat actors complete control over the Exchange server, including the ability to run code as SYSTEM and write to any path on the server[7]. According to a statement from Fortinet, exploitation of these vulnerabilities also allowed attackers to install backdoors that remained active even after the server was patched[6].

Microsoft has stated that once the threat actors gained initial access, they deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. The attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users[2]. These vulnerabilities are being actively exploited in the wild.

Fortinet has stated that more than 30,000 businesses and government agencies across the US have been targeted in this campaign by the cyber espionage group HAFNIUM[6]. Millions of organizations around the globe use Microsoft Exchange Server for email and calendaring. The exploits leveraged by the threat group require little technical know-how to use, enabling attackers to easily gain access to an organization's email.

Timeline of the Attack

Security researcher Brian Krebs has charted a timeline of the attacks on the Microsoft Exchange zero-day vulnerabilities[9].

January 5th: Microsoft was informed about two of the four Exchange flaws by a principal security researcher at the security testing firm DEVCORE.

January 6th: Volexity identified attacks on the flaws and saw attack traffic going back to January 3.

January 27th: Dubex reports attacks on a new Exchange flaw to Microsoft.

February 2nd: Volexity issues warnings to Microsoft about active attacks on previously unknown Exchange vulnerabilities.

February 8th: Microsoft informs Dubex it has escalated its report internally.

February 26th-27th: Attackers start to mass-scan for vulnerable servers.

March 2nd: Microsoft releases out-of-band security updates for the four zero-day flaws.

March 3rd: The attack is widespread, with tens of thousands of Exchange servers compromised worldwide and thousands more being compromised every hour.

March 5th: Backdoors have been installed at at least 30,000 organizations in the U.S. and hundreds of thousands worldwide.

Technical Details:

CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service that an attacker can exploit to run code as SYSTEM on the Exchange server.

CVE-2021-26858: A post-authentication arbitrary file write vulnerability in Exchange that an attacker can exploit to write a file to any path on the server.

CVE-2021-27065: A post-authentication arbitrary file write vulnerability in Exchange that an attacker can exploit to write a file to any path on the server.

Solution and Mitigation:

Cloudflare has released mitigation strategies to protect against the remotely exploitable vulnerabilities affecting Microsoft Exchange Server.

Edge Mitigation (Cloudflare):

Cloudflare has enabled the Cloudflare Specials ruleset in the Cloudflare WAF to protect against these vulnerabilities. Given the active exploitation attempts, Cloudflare deployed these rules immediately in "Block" mode.

To disable the rules if they cause false positives:

  • Log in to the Cloudflare Dashboard, click the Cloudflare Firewall tab and then Managed Rules.
  • Click on the “Advanced” link at the bottom of the Cloudflare Managed Ruleset card and search for rule ID 100179. Select any appropriate action or disable the rule.
  • Repeat step #2 for rule ID 100181.

Server Side Mitigation:

Apply the security patches immediately.

Restrict access to OWA, for example by placing the OWA server behind a VPN to prevent external access[7].

Investigation Tips From FireEye:

  • Child processes of C:\Windows\System32\inetsrv\w3wp.exe on Exchange Servers, particularly cmd.exe.
  • Files written to the system by w3wp.exe or UMWorkerProcess.exe.
  • ASPX files owned by the SYSTEM user.
  • New, unexpected compiled ASPX files in the Temporary ASP.NET Files directory.
  • Reconnaissance or vulnerability-testing requests from an external IP address to the following resources:
  1. The /rpc/ directory
  2. /ecp/DDI/DDIService.svc/SetObject
  3. Non-existent resources
  4. Requests with suspicious or spoofed HTTP User-Agents
  • Unexpected or suspicious Exchange PowerShell SnapIn requests to export mailboxes.

Scan Exchange log files for indicators of compromise:

Microsoft has released a script that checks the Exchange log files for HAFNIUM IOCs, written to address performance and memory concerns.

NMAP Script:

Security researcher Kevin Beaumont has released an Nmap script to determine whether servers are vulnerable. Security researchers at DIVD are using this script to scan the internet for vulnerable systems, with an initial focus on the Netherlands, and are notifying the administrators of vulnerable systems.

Exchange Webshell Detection

CERT.LV has released a script to check the system for malicious web shells.

Indicators of Compromise:

Hashes

Web shell hashes

File Paths


The web shells detected had the following file names:

  • web.aspx
  • help.aspx
  • document.aspx
  • errorEE.aspx
  • errorEEE.aspx
  • errorEW.aspx
  • errorFF.aspx
  • healthcheck.aspx
  • aspnet_www.aspx
  • aspnet_client.aspx
  • xx.aspx
  • shell.aspx
  • aspnet_iisstart.aspx
  • one.aspx
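An added example, not CERT.LV's or Microsoft's script, showing a baseline-style check over the two directories the advisory's web shell paths fall under: any .aspx page under aspnet_client (which normally ships none) is flagged, and pages under owa\auth are flagged when they carry one of the web shell names listed above or are absent from a caller-supplied baseline of shipped files. The directory tree and the baseline set are constructed for the demonstration and are assumptions, not data from the advisory.

```python
import tempfile
from pathlib import Path

# Web shell file names listed in the advisory.
KNOWN_SHELL_NAMES = {
    "web.aspx", "help.aspx", "document.aspx", "errorEE.aspx", "errorEEE.aspx",
    "errorEW.aspx", "errorFF.aspx", "healthcheck.aspx", "aspnet_www.aspx",
    "aspnet_client.aspx", "xx.aspx", "shell.aspx", "aspnet_iisstart.aspx", "one.aspx",
}

def find_suspicious_aspx(web_root, exchange_root, owa_auth_baseline):
    """Return (reason, path) pairs for .aspx files that should not be present.
    web_root stands in for C:\\inetpub\\wwwroot, exchange_root for ...\\Exchange Server\\V15;
    owa_auth_baseline is the assumed set of .aspx names a clean build ships in owa\\auth."""
    findings = []
    # aspnet_client normally contains no .aspx pages, so every page there is suspect.
    for p in Path(web_root, "aspnet_client").rglob("*.aspx"):
        findings.append(("aspx under aspnet_client", str(p)))
    for p in Path(exchange_root, "FrontEnd", "HttpProxy", "owa", "auth").rglob("*.aspx"):
        if p.name in KNOWN_SHELL_NAMES:
            findings.append(("known web shell name", str(p)))
        elif p.name not in owa_auth_baseline:
            findings.append(("not in owa/auth baseline", str(p)))
    return findings

def build_demo_tree(root):
    """Create a constructed directory tree (not a real server) to scan."""
    root = Path(root)
    for rel in [
        "wwwroot/aspnet_client/system_web/script.js",         # benign, not .aspx
        "wwwroot/aspnet_client/shell.aspx",                   # page where none belong
        "V15/FrontEnd/HttpProxy/owa/auth/logon.aspx",         # in the assumed baseline
        "V15/FrontEnd/HttpProxy/owa/auth/help.aspx",          # listed web shell name
        "V15/FrontEnd/HttpProxy/owa/auth/current/one1.aspx",  # unknown page
    ]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("<!-- constructed placeholder -->")
    return root / "wwwroot", root / "V15"

def demo():
    """Scan the constructed tree; returns sorted (reason, file name) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root, exch_root = build_demo_tree(tmp)
        hits = find_suspicious_aspx(web_root, exch_root, {"logon.aspx"})
        return sorted((reason, Path(path).name) for reason, path in hits)

if __name__ == "__main__":
    for reason, name in demo():
        print(f"{reason}: {name}")
```

On a real server the baseline should be taken from a clean installation of the same Exchange build, and any hit should be triaged by file owner and timestamp as the FireEye tips above describe.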

Microsoft has also advised defenders to:

  • Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.
  • Monitor these paths for LSASS dumps:
  1. C:\windows\temp\
  2. C:\root\

Malicious IP addresses:


Malicious HTTP POST requests (resource paths):

/owa/auth/Current/themes/resources/logon.css

/owa/auth/Current/themes/resources/owafont_ja.css

/owa/auth/Current/themes/resources/lgnbotl.gif

/owa/auth/Current/themes/resources/owafont_ko.css

/owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot

/owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf

Remote Code Execution Indicators

Check the ECP Server logs for the following string (or similar):

S:CMD=Set-OabVirtualDirectory.ExternalUrl='

ECP Server logs are typically located at <exchange install path>\Logging\ECP\Server\

Additional Auth Bypass and RCE Indicators

IIS logs from Exchange servers can be examined for the following request patterns:

POST /owa/auth/Current/

POST /ecp/default.flt

POST /ecp/main.css

POST /ecp/<single char>.js
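As an added example (not part of the original advisory or of any vendor tooling), the following Python script applies the four IIS request patterns above and the ECP Server log string above to constructed sample log lines. The IIS field layout is read from the W3C `#Fields:` header rather than hard-coded, and the ECP line format, the sample addresses and the placeholder URL are assumptions made for the demonstration.

```python
import re

# Request patterns from the advisory's IIS log indicators: POSTs to static OWA/ECP resources.
IIS_INDICATORS = [
    re.compile(r"^/owa/auth/Current/", re.I),
    re.compile(r"^/ecp/default\.flt$", re.I),
    re.compile(r"^/ecp/main\.css$", re.I),
    re.compile(r"^/ecp/[^/]\.js$", re.I),  # /ecp/<single char>.js
]
# String the advisory says to look for in the ECP Server logs.
ECP_INDICATOR = "S:CMD=Set-OabVirtualDirectory.ExternalUrl='"

def parse_w3c(lines):
    """Yield one dict per IIS W3C record, keyed by the names in the #Fields: header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))

def find_iis_hits(lines):
    """Return (client ip, uri) for every POST whose path matches an indicator."""
    hits = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "")
        if rec.get("cs-method", "").upper() == "POST" and any(p.search(uri) for p in IIS_INDICATORS):
            hits.append((rec.get("c-ip", "-"), uri))
    return hits

def find_ecp_hits(lines):
    """Return ECP Server log lines that contain the OAB ExternalUrl rewrite string."""
    return [line for line in lines if ECP_INDICATOR in line]

# Constructed sample records (not real traffic); IPs are from documentation ranges.
SAMPLE_IIS = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-03-03 10:01:02 GET /owa/auth/logon.aspx - 198.51.100.7 Mozilla/5.0 200
2021-03-03 10:01:09 POST /owa/auth/Current/themes/resources/logon.css - 203.0.113.5 Mozilla/5.0 200
2021-03-03 10:01:11 POST /ecp/y.js - 203.0.113.5 Mozilla/5.0 200
2021-03-03 10:01:12 GET /ecp/main.css - 198.51.100.7 Mozilla/5.0 200
2021-03-03 10:01:15 POST /ecp/default.flt - 203.0.113.5 Mozilla/5.0 200""".splitlines()
SAMPLE_ECP = [
    "2021-03-03T10:01:20Z,EXCH01,S:CMD=Get-MailboxDatabase;S:Msg=OK",
    "2021-03-03T10:01:21Z,EXCH01,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://placeholder/';S:Msg=OK",
]
```

Point `find_iis_hits` at the lines of a real u_ex*.log and `find_ecp_hits` at the files under the ECP\Server logging path named above; a GET to the same resources (line 4 of the sample) is deliberately not reported, since only the POSTs are the indicator.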

References:

[1] HAFNIUM and Microsoft Exchange Zero-Days

https://www.vsintelli.com/portal/blog/77-hafnium-and-microsoft-exchange-zero-day-s

[2] HAFNIUM targeting Exchange Servers with 0-day exploits

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

[3] Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

[4] Protecting against recently disclosed Microsoft Exchange Server vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065

https://blog.cloudflare.com/protecting-against-microsoft-exchange-server-cves/

[5] Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities

https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html

[6] Fortinet Addresses Latest Microsoft Exchange Server Exploits

https://www.fortinet.com/blog/threat-research/fortinet-addresses-latest-microsoft-exchange-server-exploits

[7] Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk

[8] DIVD-2021-00001 - Microsoft On-Prem Exchange Servers

https://csirt.divd.nl/cases/DIVD-2021-00001/

[9] A Basic Timeline of the Exchange Mass-Hack

https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-hack/

Change Log:

10/03/2021-Updated with Timeline, Nmap script and investigation tips

08/03/2021-Updated with Cloudflare mitigation strategies

06/03/2021-Updated with Microsoft’s script to run a check for HAFNIUM IOCs

03/03/2021-Initial Threat Advisory Published