Blogs

HAFNIUM Exploits Four Zero-Day Vulnerabilities

03/03/2021

Luke Ager, CTO Enterprise Cyber

Summary

Information has been disclosed for the first time detailing activities of a suspected nation-state actor dubbed HAFNIUM. The group have been attributed with the targeting of Microsoft Exchange Servers using zero-day exploits and are thought to have done so in order to access emails and deploy malware for long term access to the victim network. HAFNIUM is reported to have exploited four zero-day vulnerabilities to gain access to on-premises Exchange servers (on port 443); CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. This campaign affects MS Exchange Server which is primarily used by business customers, there is no evidence that the group’s activities are targeting individuals or that these exploits impact other MS products.

Description

Previously the group have been observed targeting entities in the United States for the purpose of exfiltrating information, these attacks have been aimed towards multiple sectors including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs. The group have been seen conducting operations primarily from leased VPN’s within the US.

The attacks included three distinct steps. Initially the threat actor gains access to an Exchange Server via abusing stolen passwords or using the Zero-Day vulnerabilities to disguise itself as someone who should have access. Secondly, the group creates a web shell in order to control the compromised server remotely. Then thirdly, it uses the remote access which is run from the US based VPN’s in order to exfiltrate data from the victim’s network.

The four Zero-Days observed being exploited include a server-side request forgery (SSRF) vulnerability in Exchange, which allows attackers to send arbitrary HTTP requests and authenticate as the Exchange server (CVE-2021-26855). Also an insecure deserialisation vulnerability in the Unified Messaging service that would allow attackers to run code as SYSTEM on Exchange Server. This would require an additional vulnerability or an administrator’s permission to run (CVE-2021-26857). Post-authentication arbitrary file write vulnerability, which allows attackers that can authenticate with the Exchange server, to write a file to any path on the server (CVE-2021-26858). Authentication can be achieved by exploiting the previously mentioned CVE-2021-26855 or by compromising a legitimate admin’s credentials. Post-authentication arbitrary file write vulnerability in Exchange, with details similar to CVE-2021-26858 (CVE-2021-27065).

The groups operations are likely to be in order to conduct information gathering. It should also be noted that the group has also previously used open-source frameworks, such as Covenant, for command-and-control, and file-sharing sites, such as MEGA, to exfiltrate data.

Detection and Mitigation

To identify possible historical activity related to the remote code execution exploit, security analysts can search ECP Server logs for the following/or similar string:

S:CMD=Set-OabVirtualDirectory.ExternalUrl=‘

Also for detection of historical activity relating to the authentication bypass and RCE activity. IIS logs from Exchange servers can be examined for the following:

POST /owa/auth/Current/

POST /ecp/default.flt

POST /ecp/main.css

POST /ecp/<single char>.js

Researchers have observed the attacker adding webshell code to otherwise legitimate ASPX files in an attempt to elude network defenders. Indicators that are consistent with web server breaches that can be used to look on disk and in web logs for access to or the presence of ASPX files at the following paths:

\inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)

\<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)

\<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)

\<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\<any aspx file in this folder or subfolders>

\<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\<any aspx file in this folder or subfolders>

MS advise to apply the security updates available, which can be found here. These will protect customers running Exchange Server.

Mitre Att&CK and IOC Mapping
Mitre Att&Ck Indicators of Compromise
Tactic Technique Sub-Technique IOC Type IOC Observation during Attack
Reconnaissance          
Resource Development          
Initial Access T1133 – External Remote Services       The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access.
Execution T1059 – Command and Scripting Interpreter T1059.001 - Powershell     Threat Actors used tools PowerCat and Nishang which are both powershell functions.
Windows Sysinternals tool was used to dump process memory
T1203 – Exploitationfor Client Execution   IP Addresses 103.77.192.219
104.140.114.110
104.250.191.110
108.61.246.56
149.28.14.163
157.230.221.198
167.99.168.251
185.250.151.72
192.81.208.169
203.160.69.66
211.56.98.146
5.254.43.18
80.92.205.81
Threat Actors used a remote code execution (RCE) exploit
Persistence T1505 – Server Software Component T1505.003 – Web Shell File names   Web Shell observed in various paths:
C:\inetpub\wwwroot\aspnet_client\
C:\inetpub\wwwroot\aspnet_client\system_web\
And in Microsoft Exchange Server installation paths
T1505 – Server Software Component T1505.003 – Web Shell     Webshell ASPXSpy and PHP was used to allow command execution or network proxying via external websites
T1136 – Create Account T1136.002 – Domain Account     Threat Actors added their own user account and grant it privileges to provide access in the future
Privilege Escalation          
Defence Evasion T1211 – Exploitation for Defence Evasion       The threat actor exploited vulnerabilities to bypass authentication
T1059 – Command and Scripting Interpreter   File Paths \inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)
\<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
\<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)
\<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\<any aspx file in this folder or subfolders>
\<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\<any aspx file in this folder or subfolders>
The threat actors added webshell code to legitimate ASPX files in an attempt to blend in and hide from defenders.
Credential Access T1003 – OS Credential Dumping T1003.001 – LSASS Memory     ProcDump was used by the threat actors to dump process memory
Rundll32 used to dump process memory of lsass.exe to obtain credentials
(C:\windows\system32\comsvcs.dll MiniDump lsass.dmp)
Discovery          
Lateral Movement T1021 – RemoteServices T1021.002 – SMB/Windows Admin Shares     PsExec can be used as a Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
Windows Sysinternals tool used to execute commands on remote systems
Collection T1560 – Archive Collected Data T1560.001 – Archive via Utility     WinRar Command Line Utility was used to archive data exfiltration
Command & Control