
Cyber Incident Response Manager, Mark Cunningham-Dickie, discusses the recent reports of exploited vulnerabilities affecting Microsoft.

Several actively exploited vulnerabilities affect Microsoft on-premise Exchange (email) servers. The exploits are sufficiently serious that Microsoft have released patches outwith their normal schedule to mitigate them.

Late (UK time) on the 2nd March 2021, Microsoft released a patch to address four previously undisclosed vulnerabilities (zero-day vulnerabilities) that had been detected being actively exploited (zero-day exploits).

Microsoft usually release patches and updates on the second Tuesday of every month, dubbed “patch Tuesday”, so this out-of-band release is notable, especially given it couldn’t wait a week and that these vulnerabilities are being actively exploited.

The vulnerabilities and exploits pertain to several versions of on-premise Microsoft Exchange servers.  While Office 365 Exchange is not vulnerable, organisations with hybrid on-premise or in-cloud setups are. 

The group responsible for the exploits has also been observed interacting with victims’ Office 365 tenants in order to gather information about the target’s environment, though these attempts are not believed to have compromised the tenancies and may be unrelated to these exploits.

On Tuesday, Microsoft said in a blog:

“We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem.”

The threat actor in this case has been identified as HAFNIUM, a Chinese state-sponsored hacker collective that typically targets U.S. institutions such as government organisations, NGOs, research institutions, law firms, educational establishments, defence contractors and public policy think tanks.

Although this has been their main focus in the past, other nations are not immune, and the group has been linked with attacks against infectious disease research establishments.

It’s not unimaginable therefore that desirable targets within Scotland could include organisations in the public sector, oil and gas, law firms, defence firms, critical national infrastructure as well as educational and research institutions.

In the technical post (below) I have provided details regarding remediation, indicators of compromise, links to further information and resources to help SMEs and third sector organisations combat this threat.

Even if your organisation does not work in any of the above sectors, it is highly advisable to apply the patches.

You may be targeted in order to compromise clients and suppliers within your supply chain. Once exploits like these are made public, criminal enterprises typically adopt them very rapidly, and code to achieve these exploits is already circulating on the internet.

My advice: patch now.

If you are worried your organisation may have fallen victim to an attack, you can contact the SBRC cyber incident response helpline for free on: 01786 447 441

Update (04/03/21):

Initial indications were that this was a targeted and limited attack. However, that doesn’t appear to be the case. Since the release of the Indicators of Compromise (IoCs), many security research firms have been analysing their clients’ environments and have identified the activity as far more widespread than expected. While the bulk of the targets are in the US, increasing numbers are being identified in EMEA, with targets including governments, law firms, medical research facilities and some private firms.

As with any patchable vulnerability and active exploit, the advice remains: patch your systems and, if you have the capability, configure monitoring in your environments to detect and alert on the IoCs.

Technical update for IT departments and System Administrators

Threat Actor

The exploits have been attributed to the Chinese state-sponsored hacking group HAFNIUM.

Vulnerabilities

There are four exploits associated with the following four vulnerabilities:

  • CVE-2021-26855: Server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857: Insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858: Post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065: Post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Attack Details

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.

Detection

CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs:

  • These logs are located in the following directory: %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy
  • Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern of ServerInfo~*/*

Here is an example PowerShell command to find these log entries:

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | Select-Object DateTime, AnchorMailbox

If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken.

These logs are located in the %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging directory.
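The same two conditions can be applied off the server, for example by a SOC analyst working from HttpProxy logs that have been copied out of the Logging directory. The script below is an added example, not code from this post or from Microsoft: it re-implements the PowerShell filter above in Python (AuthenticatedUser empty and AnchorMailbox matching ServerInfo~*/*) and then names the application folder under Logging that the AnchorMailbox points at, which is where the post says to look next. The sample log content and its layout (a few "#" metadata lines, then a CSV header and rows trimmed to a handful of columns) are constructed for illustration and are an assumption about the real file format.

```python
"""Offline triage of exported Exchange HttpProxy logs for the CVE-2021-26855 pattern.

Added example, not code from the SBRC post or from Microsoft. It mirrors the
PowerShell filter in the post (AuthenticatedUser empty AND AnchorMailbox like
'ServerInfo~*/*') so that logs copied off the server can be reviewed elsewhere.
The log layout below ('#' metadata lines followed by a CSV header and rows,
trimmed to a few columns) is an assumption for illustration only.
"""
import csv
import fnmatch
import io
from typing import Dict, List

# Glob from the post; PowerShell -like is case-insensitive, so we compare lower-cased.
SUSPICIOUS_ANCHOR = "serverinfo~*/*"

# Constructed sample log (not real data). Rows 3 and 5 match the pattern;
# row 4 has the anchor shape but an authenticated user, so it does not.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,RequestId,AuthenticatedUser,AnchorMailbox,UrlStem
2021-03-03T09:12:01.113Z,1,EXAMPLE\\alice,Sid~S-1-5-21-1111-2222-3333-1001,/owa/
2021-03-03T09:12:07.540Z,2,,Database~3f2504e0-4f89-11d3-9a0c-0305e82c3301@example.local,/autodiscover/autodiscover.xml
2021-03-03T09:13:44.002Z,3,,ServerInfo~exch01.example.local/autodiscover/autodiscover.xml,/ecp/
2021-03-03T09:13:45.871Z,4,EXAMPLE\\exch01$,ServerInfo~exch01.example.local/ecp/,/ecp/
2021-03-03T09:14:02.310Z,5,,ServerInfo~mail.example.local/owa/,/ecp/
"""


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Drop '#'-prefixed metadata lines, then parse the remaining CSV rows."""
    data_lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(data_lines))))


def is_suspicious(row: Dict[str, str]) -> bool:
    """The post's two conditions: no authenticated user, ServerInfo~ anchor with a path."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = (row.get("AnchorMailbox") or "").lower()
    return user == "" and fnmatch.fnmatchcase(anchor, SUSPICIOUS_ANCHOR)


def find_suspicious_requests(text: str) -> List[Dict[str, str]]:
    """Return DateTime/AnchorMailbox/UrlStem for every matching row, in log order."""
    return [
        {"DateTime": r["DateTime"], "AnchorMailbox": r["AnchorMailbox"], "UrlStem": r.get("UrlStem", "")}
        for r in parse_httpproxy_log(text)
        if is_suspicious(r)
    ]


def application_from_anchor(anchor: str) -> str:
    """Pull the application segment out of 'ServerInfo~<host>/<app>/...'.

    The post says the per-application folder under ...\\V15\\Logging is the next
    place to look; this names that folder (e.g. 'autodiscover', 'owa').
    """
    _, _, rest = anchor.partition("/")
    return rest.split("/", 1)[0]


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_HTTPPROXY_LOG):
        app = application_from_anchor(hit["AnchorMailbox"])
        print(f"{hit['DateTime']}  {hit['AnchorMailbox']}  -> review Logging\\{app}")
```

To run this against real exports, read each .log file under the HttpProxy directory and pass its text to find_suspicious_requests; the parser ignores the metadata lines, and the match is case-insensitive like the PowerShell -like operator.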

CVE-2021-26858 exploitation can be detected via the Exchange log files:

  • C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
  • Files should only be downloaded to the %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory

In case of exploitation, files are downloaded to other directories (UNC or local paths).

Windows command to search for potential exploitation:

findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

CVE-2021-26857 exploitation can be detected via the Windows Application event logs:

  • Exploitation of this deserialization bug will create Application events with the following properties:
    • Source: MSExchange Unified Messaging
    • EntryType: Error
    • Event Message Contains: System.InvalidCastException

The following PowerShell command queries the Application event log for these entries:

Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }

CVE-2021-27065 exploitation can be detected via the following Exchange log files:

  • C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server

All Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid URIs.

The following PowerShell command searches for potential exploitation:

Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
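The Select-String command lists every Set-*VirtualDirectory call; someone still has to read each hit and decide whether the URL values are sane. The script below is an added example, not code from this post or from Microsoft: it applies the two rules stated above to each -InternalUrl and -ExternalUrl argument found in a log line (the value must parse as an http(s) URI, and it must not contain angle brackets that could embed script, checked after URL-decoding). The constructed sample lines and their layout (timestamp, component, user, cmdlet text) are an assumption for illustration, not the real ECP Server log format.

```python
"""Audit Set-<AppName>VirtualDirectory calls recorded in ECP Server logs.

Added example, not code from the SBRC post or from Microsoft. Two rules from
the post are applied to every -InternalUrl / -ExternalUrl argument: the value
must be a valid http(s) URI, and it must not carry angle brackets that could
embed script. The constructed sample's line format is an assumption.
"""
import re
from typing import Dict, List
from urllib.parse import unquote, urlparse

# Any Set-<AppName>VirtualDirectory cmdlet, capturing the app name and the argument text.
CMDLET_RE = re.compile(r"Set-(?P<app>\w+)VirtualDirectory\b(?P<args>.*)", re.IGNORECASE)
# -InternalUrl / -ExternalUrl followed by a double-quoted, single-quoted or bare value.
URL_ARG_RE = re.compile(
    r"-(?P<name>InternalUrl|ExternalUrl)\s+(?P<value>\"[^\"]*\"|'[^']*'|\S+)", re.IGNORECASE
)

MARKUP = "contains angle brackets (possible embedded script)"
BAD_URI = "not a valid http(s) URI"

# Constructed sample log (not real data). Line 1 is a normal change, line 2 is a
# read-only cmdlet that must be ignored, lines 3 and 4 each break one rule.
SAMPLE_ECP_LOG = """\
2021-03-03T10:01:12.000Z,ECP,EXAMPLE\\admin,Set-OabVirtualDirectory -Identity "EXCH01\\OAB (Default Web Site)" -InternalUrl https://mail.example.local/OAB -ExternalUrl https://mail.example.com/OAB
2021-03-03T10:05:47.000Z,ECP,EXAMPLE\\admin,Get-OabVirtualDirectory -Server EXCH01
2021-03-03T10:09:03.000Z,ECP,,Set-OabVirtualDirectory -Identity "EXCH01\\OAB (Default Web Site)" -ExternalUrl "http://x/<script>CONSTRUCTED-SAMPLE</script>"
2021-03-03T10:11:30.000Z,ECP,EXAMPLE\\admin,Set-EcpVirtualDirectory -Identity "EXCH01\\ecp (Default Web Site)" -InternalUrl "mail.example.local/ecp"
"""


def check_url(value: str) -> List[str]:
    """Return the rules a URL value violates; an empty list means it looks fine."""
    problems = []
    # Decode first so %3C / %3E cannot hide a tag from the check.
    decoded = unquote(value)
    if "<" in decoded or ">" in decoded:
        problems.append(MARKUP)
    parsed = urlparse(value)
    if parsed.scheme.lower() not in ("http", "https") or not parsed.netloc:
        problems.append(BAD_URI)
    return problems


def audit_ecp_log(text: str) -> List[Dict[str, object]]:
    """Scan log text and report every URL argument that violates a rule."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = CMDLET_RE.search(line)
        if not m:
            continue
        cmdlet = f"Set-{m.group('app')}VirtualDirectory"
        for arg in URL_ARG_RE.finditer(m.group("args")):
            value = arg.group("value").strip("\"'")
            problems = check_url(value)
            if problems:
                findings.append({
                    "cmdlet": cmdlet,
                    "parameter": arg.group("name"),
                    "value": value,
                    "problems": problems,
                    "line": line,
                })
    return findings


if __name__ == "__main__":
    for f in audit_ecp_log(SAMPLE_ECP_LOG):
        print(f"{f['cmdlet']} -{f['parameter']} {f['value']!r}: {'; '.join(f['problems'])}")
```

A legitimate administrative change (line 1 of the sample) produces no finding, so the output is short enough to review by hand; anything it does report should be correlated with the HttpProxy findings for the same time window.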

IoCs

Web shell hashes (SHA-256):

  • b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  • 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
  • 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
  • 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
  • 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  • 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
  • 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
  • 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

Web shells have been observed in the following paths:

  • C:\inetpub\wwwroot\aspnet_client\
  • C:\inetpub\wwwroot\aspnet_client\system_web\

In Microsoft Exchange Server installation paths such as:

  • %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
  • C:\Exchange\FrontEnd\HttpProxy\owa\auth\

Detected web shells had the following file names:

  • web.aspx
  • help.aspx
  • document.aspx
  • errorEE.aspx
  • errorEEE.aspx
  • errorEW.aspx
  • errorFF.aspx
  • healthcheck.aspx
  • aspnet_www.aspx
  • aspnet_client.aspx
  • xx.aspx
  • shell.aspx
  • aspnet_iisstart.aspx
  • one.aspx

Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.

Customers should monitor these paths for LSASS dumps:

  • C:\windows\temp\
  • C:\root\
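The file-based indicators above (hashes, file names, web shell directories and the archive check in C:\ProgramData) can be swept in one pass. The script below is an added example, not code from this post or from Microsoft: the hash list, file names, directories and archive extensions are copied from the post, while the directory walk, the hashing and the temporary-directory demo (which builds constructed sample files, including one whose hash is computed on the spot, since no file matching the real hashes is available here) are this example's own. Run it with Python 3 on the Exchange server or against a mounted disk image.

```python
"""Sweep for the web shell IoCs listed in the post and for staging archives.

Added example, not code from the SBRC post or from Microsoft. The hash list,
file names, web shell directories and archive location come from the post;
the directory walk, hashing and the temp-directory demo are this example's own.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set

# SHA-256 hashes of observed web shells (from the post).
WEB_SHELL_SHA256: Set[str] = {
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
}

# Observed web shell file names (from the post), lower-cased for comparison.
WEB_SHELL_NAMES: Set[str] = {n.lower() for n in (
    "web.aspx", "help.aspx", "document.aspx", "errorEE.aspx", "errorEEE.aspx",
    "errorEW.aspx", "errorFF.aspx", "healthcheck.aspx", "aspnet_www.aspx",
    "aspnet_client.aspx", "xx.aspx", "shell.aspx", "aspnet_iisstart.aspx", "one.aspx",
)}

# Directories where web shells were observed (from the post).
WEB_SHELL_DIRS: List[str] = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\inetpub\wwwroot\aspnet_client\system_web",
    os.path.expandvars(r"%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth"),
    r"C:\Exchange\FrontEnd\HttpProxy\owa\auth",
]
ARCHIVE_DIR = r"C:\ProgramData"
ARCHIVE_SUFFIXES = {".zip", ".rar", ".7z"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_web_shells(roots: Iterable[str], hashes: Set[str] = WEB_SHELL_SHA256,
                     names: Set[str] = WEB_SHELL_NAMES) -> List[Dict[str, object]]:
    """Walk each root and flag files whose name or SHA-256 is a known indicator."""
    findings: List[Dict[str, object]] = []
    for root in roots:
        base = Path(root)
        if not base.is_dir():
            continue  # path absent on this install; nothing to check
        for path in base.rglob("*"):
            if not path.is_file():
                continue
            reasons = []
            if path.name.lower() in names:
                reasons.append("known web shell file name")
            digest = sha256_file(path)
            if digest in hashes:
                reasons.append("known web shell SHA-256")
            if reasons:
                findings.append({"path": str(path), "sha256": digest, "reasons": reasons})
    return findings


def find_archives(root: str = ARCHIVE_DIR) -> List[str]:
    """List .zip/.rar/.7z files under root; the post names these as possible exfiltration staging."""
    base = Path(root)
    if not base.is_dir():
        return []
    return sorted(str(p) for p in base.rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES)


def run_demo():
    """Build a constructed tree in a temp dir, sweep it, return (flagged names -> reasons, archive names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "aspnet_client" / "system_web").mkdir(parents=True)
        (root / "aspnet_client" / "logon.aspx").write_text("constructed benign page")
        (root / "aspnet_client" / "system_web" / "help.aspx").write_text("constructed sample, matched by name")
        payload = b"constructed sample, matched by hash"
        (root / "aspnet_client" / "dropped.aspx").write_bytes(payload)
        demo_hash = hashlib.sha256(payload).hexdigest()  # constructed, stands in for a real IoC hash
        (root / "staging.zip").write_bytes(b"PK")
        (root / "export.7z").write_bytes(b"7z")
        (root / "notes.txt").write_text("not an archive")
        findings = sweep_web_shells([str(root)], hashes=WEB_SHELL_SHA256 | {demo_hash})
        archives = find_archives(str(root))
        return ({Path(f["path"]).name: f["reasons"] for f in findings}, [Path(a).name for a in archives])


if __name__ == "__main__":
    for f in sweep_web_shells(WEB_SHELL_DIRS):
        print(f"{f['path']}  {f['sha256']}  {', '.join(f['reasons'])}")
    for a in find_archives():
        print(f"archive in ProgramData: {a}")
```

A name match on its own is not proof of compromise (an attacker can rename a shell and a legitimate file could share a name), so treat name hits as leads to examine and hash hits as high confidence; either way, copy the file and its timestamps before changing anything.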

Additional resources for detecting compromise using various SOC tools can be found at: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Mitigation/Remediation

Microsoft have released out-of-band patches to counter this.

The Microsoft Exchange team have published a blog post on the new security patches and provided scripts to assist with answering some key questions around deploying them.

Patches are available for the different versions of Exchange:

Sources & Further Information: