Summary
Information has been disclosed for the first time detailing activities of a suspected nation-state actor dubbed HAFNIUM. The group have been attributed with the targeting of Microsoft Exchange Servers using zero-day exploits and are thought to have done so in order to access emails and deploy malware for long term access to the victim network. HAFNIUM is reported to have exploited four zero-day vulnerabilities to gain access to on-premises Exchange servers (on port 443); CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. This campaign affects MS Exchange Server which is primarily used by business customers, there is no evidence that the group’s activities are targeting individuals or that these exploits impact other MS products.
Description
Previously the group have been observed targeting entities in the United States for the purpose of exfiltrating information, these attacks have been aimed towards multiple sectors including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs. The group have been seen conducting operations primarily from leased VPN’s within the US.
The attacks included three distinct steps. Initially the threat actor gains access to an Exchange Server via abusing stolen passwords or using the Zero-Day vulnerabilities to disguise itself as someone who should have access. Secondly, the group creates a web shell in order to control the compromised server remotely. Then thirdly, it uses the remote access which is run from the US based VPN’s in order to exfiltrate data from the victim’s network.
The four Zero-Days observed being exploited include a server-side request forgery (SSRF) vulnerability in Exchange, which allows attackers to send arbitrary HTTP requests and authenticate as the Exchange server (CVE-2021-26855). Also an insecure deserialisation vulnerability in the Unified Messaging service that would allow attackers to run code as SYSTEM on Exchange Server. This would require an additional vulnerability or an administrator’s permission to run (CVE-2021-26857). Post-authentication arbitrary file write vulnerability, which allows attackers that can authenticate with the Exchange server, to write a file to any path on the server (CVE-2021-26858). Authentication can be achieved by exploiting the previously mentioned CVE-2021-26855 or by compromising a legitimate admin’s credentials. Post-authentication arbitrary file write vulnerability in Exchange, with details similar to CVE-2021-26858 (CVE-2021-27065).
The groups operations are likely to be in order to conduct information gathering. It should also be noted that the group has also previously used open-source frameworks, such as Covenant, for command-and-control, and file-sharing sites, such as MEGA, to exfiltrate data.
Detection and Mitigation
To identify possible historical activity related to the remote code execution exploit, security analysts can search ECP Server logs for the following/or similar string:
S:CMD=Set-OabVirtualDirectory.ExternalUrl=‘
Also for detection of historical activity relating to the authentication bypass and RCE activity. IIS logs from Exchange servers can be examined for the following:
POST /owa/auth/Current/
POST /ecp/default.flt
POST /ecp/main.css
POST /ecp/<single char>.js
Researchers have observed the attacker adding webshell code to otherwise legitimate ASPX files in an attempt to elude network defenders. Indicators that are consistent with web server breaches that can be used to look on disk and in web logs for access to or the presence of ASPX files at the following paths:
\inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)
\<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
\<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)
\<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\<any aspx file in this folder or subfolders>
\<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\<any aspx file in this folder or subfolders>
MS advise to apply the security updates available, which can be found here. These will protect customers running Exchange Server.