Late on Tuesday, March 2, 2021, Microsoft warned of a Chinese state-sponsored group actively exploiting four zero-day vulnerabilities in targeted campaigns. Along with the warning, Microsoft also released out-of-band patches to help prevent further exploitation by the state-sponsored hacking group believed to be behind the campaign. The vulnerabilities were used to access on-premises Exchange servers, which enabled access to email accounts and allowed the installation of additional malware to guarantee the attackers' long-term presence on the target's network.
The Microsoft Threat Intelligence Center (MSTIC) has attributed the attack to HAFNIUM, which researchers describe as a new state-sponsored group that operates in China and is believed to have links to the Chinese government. In a subsequent blog post, Tom Burt, Microsoft’s Corporate Vice President for Customer Security & Trust, noted that this is the first time the Redmond tech giant has discussed the group, which it believes to be both highly skilled and sophisticated. Summarizing the group's tactics and methods, Burt noted,
“Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we’ve seen use these exploits... The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”
Microsoft strongly recommends that all customers that make use of an Exchange Server make it a priority to ensure all the new updates are downloaded and installed.
To further help those tasked with defending corporate networks, Microsoft released additional details regarding the patches and answered questions administrators might have. Microsoft also stated that the activities surrounding the recent campaign are in no way linked to the recent SolarWinds hack. All four zero-day vulnerabilities exploited have been classified and detailed. They are:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Once the attackers had successfully used the above zero-days, initial access to the target could be gained. Having achieved this, the attackers would deploy web shells on the compromised server so that data could be stolen and other malicious activities, such as installing additional malware, could be carried out. Other post-exploitation activities by the attackers included opening remote server connections and stealing the Exchange offline address book from compromised systems. The address book is valuable to an attacker because it contains information about an organization and its users.
Operation Exchange Marauder
While it was Microsoft that broke the news, much of the important work, including the campaign's discovery, was done by security firm Volexity. A blog post published by the firm on the same day as Microsoft’s announcement goes into much greater detail as to how the attack was carried out. The campaign was discovered in January 2021, when the firm detected odd activity on two of its customers’ Microsoft Exchange servers.
It was soon discovered that a large amount of data was being sent to IP addresses that did not appear to belong to legitimate users; this was followed by the discovery that the attacker's initial access had been gained through the above-mentioned zero-days. CVE-2021-26855 was used by the attacker to steal the entire contents of several mailboxes. This was done without any prior knowledge of the victim and without any authentication on the part of the attacker; all the attacker needed to know was which server was running Exchange.
The blog post goes into greater detail as to how authentication was bypassed. The security firm notes that it has not released exact details or proof-of-concept code, so as to prevent other threat actors from attempting the same thing. Rather than releasing such dangerous information, the researchers released a demo video of themselves replicating the authentication bypass. Researchers were able to replicate the theft of email data in both single-server and multiple-server configurations.
In the single-server case, researchers believe the attacker needs to know the victim's domain security identifier (SID) in order to access their mailbox. The SID is a static value, but obtaining it requires the attacker to have first compromised a system. In multiple-server configurations, the servers must be configured in a Database Availability Group (DAG); there the only information the attacker requires is the e-mail address of the user they wish to target.
Volexity’s research revealed that the discovered post-exploitation activity mirrored that seen by Microsoft. Volexity concluded,
“Highly skilled attackers continue to innovate in order to bypass defenses and gain access to their targets, all in support of their mission and goals. These particular vulnerabilities in Microsoft Exchange are no exception. These attackers are conducting novel attacks to bypass authentication, including two-factor authentication, allowing them to access e-mail accounts of interest within targeted organizations and remotely execute code on vulnerable Microsoft Exchange servers…Due to the ongoing observed exploitation of the discussed vulnerabilities, Volexity urges organizations to immediately apply the available patches or temporarily disabling external access to Microsoft Exchange until a patch can be applied.”
The above attack campaign is in line with recent trends reported by Microsoft detailing a rise in web shell attacks. A web shell is typically malicious code written in a web development programming language and implanted on a web server so that it runs without being detected. Once in place, it can be leveraged for data exfiltration or for remote execution of other malware strains under the attacker’s control. Attackers typically use web shells as an entry point for further attacks or to remain persistent on the victim’s network. This is not a strict either-or scenario; in practice, attackers use a web shell for both objectives.
One of the reasons for the rise in web shell-based attacks is the difficulty of detecting them. The code used is typically simple and lightweight, making it easy to overlook. As researchers noted,
“Because of their simplicity, they are difficult to detect and can be dismissed as benign, and so they are often used by attackers for persistence or for early stages of exploitation…attackers are known to hide web shells in non-executable file formats, such as media files. Web servers configured to execute server-side code create additional challenges for detecting web shells, because on a web server, a media file is scanned for server-side execution instructions. Attackers can hide web shell scripts within a photo and upload it to a web server. When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server side.”
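The quoted passage describes the defender's problem: a file that is a harmless photo on a workstation can still carry server-side code that a web server will execute. The script below is an added example, not code from the article, Microsoft or Volexity, of the kind of check an upload handler or a file-system sweep can apply: verify that a file claiming to be an image starts with the expected magic bytes, then look for server-side execution markers (ASP/ASPX `<%` blocks, `runat="server"` scripts, PHP open tags, `eval(` calls) that a genuine media file never contains. The marker list, the `scan_bytes` and `scan_directory` helper names and the two sample byte strings are all constructed for this example; a production scanner would use a much larger signature set and would also flag files whose magic bytes do not match their extension.

```python
"""Defensive check for server-side code hidden inside files that claim to be media.

Added example (not from the article, Microsoft or Volexity). The marker list
and sample inputs below are constructed for illustration only.
"""
import re
from pathlib import Path

# Magic bytes for the image formats an upload handler would normally accept.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Server-side execution markers. A benign photo contains none of these; a
# script hidden inside one must contain at least one for the server to run it.
# This is a small constructed list, not a complete signature set.
SCRIPT_MARKERS = [
    (re.compile(rb"<%[\s@=]"), "asp/aspx inline code block"),
    (re.compile(rb"<script[^>]*runat\s*=\s*[\"']?server", re.I), "asp.net server-side script"),
    (re.compile(rb"<\?php"), "php open tag"),
    (re.compile(rb"\beval\s*\(", re.I), "eval() call"),
]


def image_type(data: bytes):
    """Return the image format implied by the file's leading bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def scan_bytes(data: bytes) -> dict:
    """Classify one file body.

    Returns the detected image type, a boolean verdict and the list of reasons.
    A file is flagged as suspicious when any server-side marker is present,
    regardless of whether its header looks like a valid image.
    """
    reasons = []
    kind = image_type(data)
    if kind is None:
        reasons.append("no recognised image magic bytes")
    for pattern, label in SCRIPT_MARKERS:
        if pattern.search(data):
            reasons.append(f"server-side marker: {label}")
    suspicious = any(r.startswith("server-side marker") for r in reasons)
    return {"image_type": kind, "suspicious": suspicious, "reasons": reasons}


def scan_directory(root: Path):
    """Scan every regular file under root (e.g. an upload or quarantine
    directory); yields (path, verdict) pairs for the caller to log or alert on."""
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        yield path, scan_bytes(path.read_bytes())


# Constructed sample inputs: a PNG header padded with zeros, and the same
# header with an ASPX fragment appended, which is the pattern the quoted
# Microsoft text describes (harmless as a picture, executable on the server).
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
TAMPERED_PNG = CLEAN_PNG + b'<% Response.Write("hello") %>'

if __name__ == "__main__":
    for name, blob in (("clean.png", CLEAN_PNG), ("tampered.png", TAMPERED_PNG)):
        print(name, scan_bytes(blob))
```

Run it as-is to see the two constructed samples classified, or point `scan_directory` at a quarantine folder and alert on every entry whose verdict is `suspicious`. The check is deliberately content-based rather than extension-based: the quoted text makes the point that the file's type is irrelevant to a server configured to execute server-side code, so the detection must look at what the bytes contain, not what the file is called.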