March 2021 saw the exploitation of Microsoft Exchange Servers utilising zero-day exploits. When successfully exploited, these allowed for an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers. This allows attackers to gain persistent system level access to the servers, mailbox accesses and credential level access on the Exchange server.
The attacks on Microsoft Exchange servers around the world by Chinese state-sponsored threat group Hafnium are believed to have affected over 21,000 organizations. The impact of these attacks is growing as the four zero-day vulnerabilities are getting picked up by new threat actors.
While the world was introduced to these critical vulnerabilities on March 2nd when Microsoft released security updates and mitigation guidance, the first known exploitation of this vulnerability occurred in early January. Although applying Microsoft’s advised updates protects organizations from continued or future exploitation of these known vulnerabilities, they don’t mitigate any compromises that have already happened. And because these Exchange vulnerabilities are exposed to the internet, cyber criminals continue to voraciously seek out unpatched systems to attack at unprecedented scale.
There are four specific techniques highlighted by Microsoft as being utilised as part of the exploitation of these vulnerabilities:
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability. This allows for an arbitrary HTTP request and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialisation vulnerability in the Unified Messaging service. Insecure deserialisation is where untrusted user-controllable data is deserialised by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
The recent HAFNIUM attacks hit tens of thousands of organizations’ around the globe. Now, an array of other threat actors are leveraging the residual webshells on victim systems to launch new attacks against organizations who thought patching the Microsoft vulnerabilities would have been enough to be protected.
How to Determine if you Have Been Compromised?
Microsoft have released several scripts within their GitHub page which can be found here. The script called Test-ProxyLogon.ps1 scans for known ind indicators of compromise (IoC) and highlights any potential exploitation, allowing for you to get a quick indicator whether a compromise has taken place.
One of the biggest indicators of compromise (IOCs) is the presence of an ASPX file that doesn’t look like it should be there. Organizations can look for these web shell files by checking this path C:\inetpub\wwwroot\aspnet_client\system_web.
Microsoft also released a check for Hafnium IOCs across different folders and file names to look for. Once the ASPX file is located, it doesn’t matter if an organization has patched its server. If the ASPX file is there, it means that the web shell has already been installed and that an attacker has access to the vulnerable systems.
Mitigation
Microsoft has released several out of band security updates which can be found here.
It is recommend these are applied as soon as possible, Microsoft has also released page http-vuln-cve2021-26855.nse on their GitHub. This script works with the nmap application to determine whether the Exchange servers are vulnerable to exploit CVE-2021-26855.
Microsoft also provided a script called BackendCookieMitigation.ps1. This script provides mitigation against requests that contain X-AnonResource-Backend and malformed X-BEResource cookies which are used within SSRF attacks.
References
https://secrutiny.com/hafnium-targeting-exchange-servers-with-zero-day-exploits/
https://securityboulevard.com/2021/05/timeline-of-a-hafnium-attack/