Hafnium Leveraging Multiple Zero-Days to Attack Microsoft Exchange
On March 2nd Microsoft publicly announced that it had detected several zero-day vulnerabilities being actively exploited in the wild by a threat actor dubbed HAFNIUM, which is believed to operate from China. The vulnerabilities were used to gain access to affected MS-Exchange servers, exfiltrate data from accounts hosted on them, install web shells for persistence, and steal additional data. Microsoft released an out-of-band security update addressing these vulnerabilities and several others on March 3rd. It is important to note that the vulnerabilities affect only on-prem installations of MS-Exchange servers.
Given the enormous popularity of Exchange, the number of server versions affected, and the diverse list of industry sectors HAFNIUM is interested in, the currently reported number of 30,000 affected victims will likely grow.
A Chain of Zero-Days
To successfully perform its attacks, the HAFNIUM team used four zero-day exploits. All four vulnerabilities require the exposed Exchange server to be able to receive untrusted connections on port 443.
The first vulnerability, CVE-2021-26855, originally discovered by the security company DEVCORE and named ProxyLogon, allowed the attackers to establish an authenticated connection with the Exchange server and steal the contents of mailboxes stored on it. This specific vulnerability does not require any user interaction, prior privileges, or previously acquired credentials; it requires only an Exchange server that is willing to accept untrusted connections on port 443.
The remaining three vulnerabilities were discovered and observed in an ongoing attack in January 2021 by the security firm Volexity. These vulnerabilities require the attackers to be authenticated with the Exchange server, which is easily acquired by using the previous vulnerability.
- CVE-2021-26857 – Allowed the attackers to execute code on the server as the highly privileged SYSTEM account
- CVE-2021-26858 and CVE-2021-27065 – Both of these vulnerabilities were exploited by HAFNIUM in order to write files to any path on the server
Combining these previously unknown vulnerabilities allowed the attackers to gain access to their victims’ servers.
Post-Exploitation Actions
Once a server was exploited, HAFNIUM used several tools and techniques to exfiltrate data from the server and gain persistence on the infected machine.
First, a web shell was installed to gain persistence and backdoor access to the compromised servers. Open-source PowerShell tools such as Nishang and PowerCat were used to open reverse shells and communicate with remote servers owned by the attackers.
Additionally, Microsoft’s own Procdump tool from the Sysinternals suite was used to dump the memory of the LSASS process; the dump can later be used to crack the passwords of the users on the server.
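The post-exploitation behaviour described above (an LSASS memory dump via Procdump, and PowerShell reverse-shell tooling such as Nishang and PowerCat) is visible in process-creation telemetry. The following detection logic is an added example written for this post, not code from Deep Instinct or from Microsoft's guidance. It runs three rules over a constructed sample of process-creation records (the fields a Sysmon event ID 1 or an EDR sensor would supply). One rule rests on an assumption the post does not state: that a web shell on Exchange executes inside the IIS worker process `w3wp.exe`, so PowerShell spawned by `w3wp.exe` is treated as suspicious. The tooling names matched (`Invoke-PowerShellTcp`, `powercat`) are assumed here as the identifiers those projects expose; tune them to the indicators your own threat intel provides.

```python
import re
from typing import Callable

# Constructed sample of process-creation telemetry. These are made-up records
# built for the example, not logs recovered from the HAFNIUM intrusions.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
    {"image": r"C:\Windows\Temp\procdump64.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\out.dmp"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r"powershell.exe -nop -w hidden -File C:\Windows\Temp\pc.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ep bypass -c Invoke-PowerShellTcp"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ep bypass -File C:\Tools\powercat.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -Command Get-Service"},
]

# Function/module names of the reverse-shell tooling the post mentions
# (Nishang, PowerCat). Assumed identifiers; extend with your own indicators.
_TOOLING = re.compile(r"invoke-powershelltcp|powercat", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule is (name, predicate over one event).
RULES: list[tuple[str, Callable[[dict], bool]]] = [
    # Procdump pointed at LSASS: the credential-dumping step the post describes.
    ("lsass_dump_via_procdump",
     lambda e: _basename(e["image"]).startswith("procdump")
     and "lsass" in e["cmdline"].lower()),
    # Assumption (not stated in the post): Exchange web shells run under the IIS
    # worker process, so PowerShell with w3wp.exe as parent deserves an alert.
    ("powershell_spawned_by_iis_worker",
     lambda e: _basename(e["image"]) == "powershell.exe"
     and _basename(e["parent"]) == "w3wp.exe"),
    # Known reverse-shell tooling named on the command line.
    ("offensive_powershell_tooling",
     lambda e: _TOOLING.search(e["cmdline"]) is not None),
]


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a rule, in event order."""
    hits: list[tuple[int, str]] = []
    for idx, event in enumerate(events):
        for name, predicate in RULES:
            if predicate(event):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx]['cmdline']}")
```

The rules are deliberately narrow so that each hit maps to one sentence of the post; in a real pipeline they would be enriched with the user context, the Exchange server's role and the parent command line before paging anyone.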
HAFNIUM Victims
HAFNIUM is a threat actor with alleged Chinese origins that shows great interest in targets in the United States such as universities, research facilities, NGOs, and defense contractors.
The hacking group has a history of compromising its victims by exploiting vulnerabilities in exposed servers while utilizing open-source projects for command and control and further exploitation.
They also seem to be very fond of PowerShell-based tools and of US-based VPS (Virtual Private Server) hosts as their attacking machines.
How to Protect Yourself
Companies must make sure their systems are patched as soon as security updates are available. Once the information regarding these attacks became public, attackers from the HAFNIUM group and others appear to have intensified their attacks against unpatched servers.
Deep Instinct urges its customers (and every reader) to update relevant MS-Exchange servers with the latest updates released by Microsoft ASAP. In addition to patching the vulnerabilities, Microsoft released guidance and ways for organizations to check if they have been compromised by this attack.
The Deep Instinct product includes several layers of protection, such as zero-day threat protection and protection against malicious PowerShell activity. This is done using several components, including a deep learning-based PowerShell scanning mechanism. PowerShell components, which are known to have been used in the attack, are prevented by Deep Instinct. In addition, Deep Instinct’s deep learning-based static analysis protection scans and protects customers from potentially abused dual-use tools which can be exploited by attackers as they attempt to remain under the radar.
Deep Instinct is always on the lookout for new attacks of this kind and does everything in its power to ensure our customers are protected from any threat they might face. We are focused on expanding and monitoring all relevant IoCs and making sure Deep Instinct’s cybersecurity product line protects against them. Customers and prospects are invited to contact us for any help needed, or for any questions that arise.
Web Shell SHA256 Hashes
b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
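A direct use of the hash list above is to sweep a server's web-facing directories for files matching any of them. The scanner below is an added example for this post, not a Deep Instinct tool and not Microsoft's published check; the eight SHA256 values it carries are copied from the list above, everything else (function names, the streaming hash helper, the command-line usage) is the example's own. It hashes every regular file under a root directory in fixed-size chunks, so large attachments or logs are never loaded into memory whole, skips files it cannot read instead of aborting, and compares case-insensitively because IoC feeds mix upper- and lower-case hex.

```python
import hashlib
import sys
from pathlib import Path
from typing import Iterable

# Web shell SHA256 hashes exactly as listed in this post.
WEB_SHELL_SHA256 = frozenset({
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
})


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks and return the lower-case hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_web_shells(root, indicators: Iterable[str] = WEB_SHELL_SHA256) -> list[tuple[str, str]]:
    """Walk `root` recursively; return (path, sha256) for every file whose hash is in `indicators`.

    Results are sorted by path so repeated runs are directly comparable.
    """
    wanted = {h.strip().lower() for h in indicators}
    hits: list[tuple[str, str]] = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            digest = sha256_of_file(path)
        except OSError:
            # Locked or permission-denied file: skip it rather than abort the whole sweep.
            continue
        if digest in wanted:
            hits.append((str(path), digest))
    return hits


if __name__ == "__main__":
    # Usage: python scan_web_shells.py <directory>  (e.g. the Exchange install or IIS wwwroot path)
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <directory>")
    matches = scan_for_web_shells(sys.argv[1])
    for file_path, file_hash in matches:
        print(f"MATCH {file_hash}  {file_path}")
    print(f"{len(matches)} matching file(s)")
```

A hash sweep only finds the exact samples on the list; a web shell recompiled or trivially altered by the attacker will hash differently, so treat a clean result as one data point and still follow Microsoft's compromise-assessment guidance referenced above.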