Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.
The attacks are “limited and targeted,” according to Microsoft, spurring it to release out-of-band patches this week. The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
However, other researchers have reported seeing the activity compromising mass swathes of victim organizations.
“The team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,” a spokesperson at Huntress told Threatpost.
The culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (also the name of a chemical element), which has a history of targeting assets in the United States with cyber-espionage campaigns. Targets in the past have included defense contractors, infectious disease researchers, law firms, non-governmental organizations (NGOs), policy think tanks and universities.
“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,” according to an announcement this week from Microsoft on the attacks.
Zero-Day Security Bugs in Exchange Server
“The fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week’s Patch Tuesday release leads us to believe the flaws are quite severe even if we don’t know the full scope of those attacks,” Satnam Narang, staff research engineer at Tenable, said via email.
Microsoft patched following bugs this week, and admins should update accordingly:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability that allows authentication bypass: A remote attacker can simply send arbitrary HTTP requests to the Exchange server and be able to authenticate to it. From there, an attacker can steal the full contents of multiple user mailboxes.
- CVE-2021-26857 is an insecure-deserialization vulnerability in the Unified Messaging service, where untrusted user-controllable data is deserialized by a program. An exploit allows remote attackers with administrator permissions to run code as SYSTEM on the Exchange server.
- CVE-2021-26858 and CVE-2021-27065 are both post-authentication arbitrary file-write vulnerabilities in Exchange. Once authenticated with an Exchange server (using CVE-2021-26855 or with compromised admin credentials), an attacker could write a file to any path on the server – thus achieving remote code execution (RCE).
Researchers at Volexity originally uncovered the SSRF bug as part of an incident response and noted, “This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract email.”
They also observed the SSRF bug being chained with CVE-2021-27065 to accomplish RCE in multiple attacks.
In addition to Volexity, Microsoft credited security researchers at Dubex with uncovering the recent activity, which was first observed in January.
“Based on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user’s mailbox,” said Tenable’s Narang. “The other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organization’s network.”
What Happened in the Hafnium Attacks?
In the observed campaigns, the four zero-day bugs were used to gain initial access to targeted Exchange servers and achieve RCE. Hafnium operators then deployed web shells on the compromised servers, which were used to steal data and expand the attack, according to researchers.
“In all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT) and move laterally to other systems and environments,” according to Volexity’s writeup.
Following web shell deployment, Microsoft found that Hafnium operators performed a range of post-exploitation activity:
- Using Procdump to dump the LSASS process memory;
- Using 7-Zip to compress stolen data into ZIP files for exfiltration;
- Adding and using Exchange PowerShell snap-ins to export mailbox data;
- Using the Nishang Invoke-PowerShellTcpOneLine reverse shell;
- And downloading PowerCat from GitHub, then using it to open a connection to a remote server.
The attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users, according to the analysis.
“The good news for defenders is that the post-exploitation activity is very detectable,” said Katie Nickels, director of intelligence at Red Canary, via email, adding her firm has detected numerous attacks as well. “Some of the activity we observed uses the China Chopper web shell, which has been around for more than eight years, giving defenders ample time to develop detection logic for it.”
Who is the Hafnium APT?
Hafnium has been tracked by Microsoft before, but the company has only just released a few details on the APT.
In terms of its tactics, “Hafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control,” according to Microsoft. “Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”
Hafnium operates primarily from leased virtual private servers in the United States, and primarily goes after U.S. targets, but is linked to the Chinese government, according to Microsoft. It characterizes the APT as “a highly skilled and sophisticated actor.”
Time to Patch: Expect More Attacks Soon
It should be noted that other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions, according to Narang.
“We expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organizations that use Exchange Server to apply these patches immediately,” he added.
And indeed, researchers at Huntress said they have discovered more than 100 web shells deployed across roughly 1,500 vulnerable servers (with antivirus and endpoint detection/recovery installed) and expect this number to keep rising.
They’re not alone.
“FireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organizations,” Charles Carmakal, senior vice president and CTO at FireEye Mandiant, said via email. “In addition to patching as soon as possible, we recommend organizations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.”