Hafnium Leveraging Multiple Zero-Days to Attack Microsoft Exchange
March 9, 2021 | Maxim Smoliansky
On March 2nd Microsoft publicly announced it has detected several actively exploited zero-day vulnerabilities which were recently used in-the-wild by a threat actor dubbed HAFNIUM, which is believed to be operating from China. The vulnerabilities were used to gain access and subsequently exfiltrate data from accounts hosted on affected MS-Exchange server versions, install web shells for persistence, and steal additional data. Microsoft released an out-of-band security update addressing these vulnerabilities and several others on March 3rd. It is important to note that the vulnerabilities affect only on-prem installations of MS-Exchange servers.
Given the enormous popularity of Exchange, the number of server versions affected, and the diverse list of industry sectors HAFNIUM are interested in, the current reported number of 30,000 affected victims will likely grow.
A Chain of Zero-Days
To successfully perform its attacks, the HAFNIUM team used four zero-day exploits. All four vulnerabilities require the exposed Exchange server to be able to receive untrusted connections on port 443.
The vulnerability, CVE-2021-26855, originally discovered by the security company DEVCORE and named ProxyLogon, allowed the attackers to establish an authenticated connection with the Exchange server and steal the content of mailboxes stored on it. This specific vulnerability does not require any user interaction, prior privileges, or previously acquired credentials, but only an Exchange server that is willing to accept untrusted connections on port 443.
The remaining three vulnerabilities were discovered and observed in an ongoing attack in January 2021 by the security firm Volexity. These vulnerabilities require the attackers to be authenticated with the Exchange server, which is easily acquired by using the previous vulnerability.
- CVE-2021-26857 – Allowed the attackers to execute code on the server with the highly privileged SYSTEM account
- CVE-2021-26858 and CVE-2021-27065 – Both of these vulnerabilities were exploited by HAFNIUM in order write files to any path on the server
Combining these previously unknown vulnerabilities allowed the attackers to gain access to their victims’ servers.
Once a server is exploited, HAFNIUM used several tools and techniques to exfiltrate data from the server and gain persistence on the infected machine.
First, a web shell was installed to gain persistence and backdoor access to the compromised servers. Open-source PowerShell tools such as Nishang and PowerCat were used to open reverse shells and communicate to remote servers owned by the attackers.
Additionally, Microsoft’s own Procdump tool found in the SysInternals suite was used to dump the memory of the LSSAS process, which can later be used to crack the passwords of the users on the server.
HAFNIUM is a threat actor with alleged Chinese origins that finds great interest in targets from the United States such as universities, research facilities, NGOs, and defense contractors.
The hacking group has a history of compromising its victims by exploiting vulnerabilities in exposed servers while utilizing open-source projects for command and control and further exploitation.
They also seem to be very fond of PowerShell-based tools and US-based VPS (Virtual Private Server) servers as their attacking machines.
How to Protect Yourself
Companies must make sure their systems are patched as quickly as security updates are available. Once the information regarding these attacks became public, it seems attackers from HAFNIUM group and others intensified their attacks targeted at unpatched servers.
Deep Instinct urges its customers (and every reader) to update relevant MS-Exchange servers with the latest updates released by Microsoft ASAP. In addition to patching the vulnerabilities, Microsoft released guidance and ways for organizations to check if they have been compromised by this attack.
The Deep Instinct product includes several layers of protection, including protection against malicious Powershell activity. This is done using several components, including a deep learning-based Powershell scanning mechanism. Powershell components, which are known to have been used in the attack, are prevented by Deep Instinct. In addition, Deep Instinct’s deep learning-based static analysis protection scans and protects customers from potentially abused dual-use tools which can be exploited by attackers as they attempt to remain under the radar.
Deep Instinct is always on the lookout for new attacks of this kind and does everything in its power to ensure our customers are protected from any threat they might face. We are focused on expanding and monitoring all relevant IoCs and making sure Deep Instinct’s cybersecurity product line protects against them. Customers and prospects are invited to contact us for any help needed, or for any questions that arise.
Web Shell SHA256 Hashes