# HAFNIUM targeting Exchange Servers with 0-day exploits

Microsoft Security Blog, published March 2, 2021 (last modified September 14, 2023). Source: https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Update [03/16/2021]: Microsoft released updated tools and investigation guidance to help IT Pros and incident response teams identify, remediate, and defend against associated attacks: Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities.

Update [03/15/2021]: Microsoft released a new one-click mitigation tool, the Microsoft Exchange On-Premises Mitigation Tool, to help customers who do not have dedicated security or IT teams apply security updates for Microsoft Exchange Server.

Update [03/08/2021]: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available on GitHub in both formats (CSV format | JSON format). This information is being shared as TLP:WHITE.

Update [03/05/2021]: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, the Microsoft Security Response Center (MSRC) has provided additional resources, including new mitigation guidance: Microsoft Exchange Server Vulnerabilities Mitigations – March 2021.

Update [03/04/2021]: The Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See "Scan Exchange log files for indicators of compromise" below.

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today's Microsoft Security Response Center (MSRC) release, Multiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected. We have established a resource center that is constantly updated as more information becomes available at https://aka.ms/ExchangeVulns.

We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers. The related IOCs, Azure Sentinel advanced hunting queries, and Microsoft Defender for Endpoint product detections and queries shared in this blog will help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation.

Microsoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation. Volexity has also published a blog post with their analysis. It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all.

## Who is HAFNIUM?

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they have gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.

In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets' environments.

HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

## Technical details

Microsoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

## Attack details

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One of the web shells deployed by HAFNIUM was written in ASP.

Following web shell deployment, HAFNIUM operators performed further post-exploitation activity on the compromised servers.

HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.

Our blog, Defending Exchange servers under attack, offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog Web shell attacks continue to rise.

## Can I determine if I have been compromised by this activity?

The sections below provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems.

### Check patch levels of Exchange Server

The Microsoft Exchange Server team has published a blog post on these new Security Updates providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic questions around installation of these patches.

### Scan Exchange log files for indicators of compromise

The Exchange Server team has created a script that runs the HAFNIUM IOC checks below and addresses the performance and memory concerns of running them by hand against large log sets. That script is available here: https://github.com/microsoft/CSS-Exchange/tree/main/Security. These checks look for the specific traces of the exploitation Microsoft observed; an empty result is not proof that a server was not compromised, and applying the security updates remains mandatory.

CVE-2021-26855 exploitation can be detected via the Exchange HttpProxy logs, located in %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy. Exploitation can be identified by log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern ServerInfo~*/*. The following PowerShell command lists matching entries:

```powershell
# Proxied requests whose anchor mailbox or back-end cookie names a server path
# instead of a user's mailbox; review AuthenticatedUser and UserAgent on each hit.
Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName |
    Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*' } |
    Select-Object DateTime, AnchorMailbox, UrlStem, RoutingHint, ErrorCode, TargetServerVersion, BackEndCookie, GenericInfo, GenericErrors, UrlHost, Protocol, Method, RoutingType, AuthenticationType, ServerHostName, HttpStatus, BackEndStatus, UserAgent
```

CVE-2021-26858 exploitation can be detected via the OAB generator logs in %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog. Files should only be downloaded to the %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory; in case of exploitation, files are downloaded to other directories (UNC or local paths). Search for the download failure entries and inspect the temporary file path on each:

```bat
findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"
```

CVE-2021-26857 exploitation can be detected via the Windows Application event log: error events from the MSExchange Unified Messaging source (process msexchangeunifiedmessaging.exe) whose message contains System.InvalidCastException:

```powershell
Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error |
    Where-Object { $_.Message -like "*System.InvalidCastException*" }
```

CVE-2021-27065 exploitation can be detected via the ECP server logs in %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\ECP\Server. All Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid Uris. List every Set-*VirtualDirectory entry and review the URL parameters it carries:

```powershell
Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
```

## Host IOCs

Microsoft is releasing a feed of observed indicators of compromise (IOCs) in related attacks. This feed is available in both CSV and JSON formats. This information is being shared as TLP:WHITE.

### Hashes

Web shell hashes

### Paths

We observed web shells in the following paths:

The web shells we detected had the following file names:

Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.

Customers should monitor these paths for LSASS dumps:

### Tools

Many of the following detections are for post-breach techniques used by HAFNIUM. So while these help detect some of the specific current attacks that Microsoft has observed, it remains very important to apply the recently released updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858.

Please note that some of these detections are generic detections and not unique to this campaign or these exploits.

## Microsoft Defender Antivirus detections

## Microsoft Defender for Endpoint detections

## Azure Sentinel detections

## Advanced hunting queries

To locate possible exploitation activity related to the contents of this blog, you can run advanced hunting queries via Microsoft Defender for Endpoint and Azure Sentinel.

### Microsoft Defender for Endpoint advanced hunting queries

Microsoft 365 Defender customers can find related hunting queries at this GitHub location: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/
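The HttpProxy check from the "Scan Exchange log files" section above, carried out offline: the following is an added example (not code from the Microsoft post) that re-implements the `Where-Object` filter of the `Import-Csv` command in Python, so that HttpProxy logs exported from a server can be triaged on an analyst workstation. The log layout it parses (`#` comment lines, a CSV header row, then records), the sample records, and all host names and addresses are constructed assumptions; the column names are the ones the original command selects.

```python
"""Offline triage of Exchange HttpProxy logs for the CVE-2021-26855 anchor pattern.

Added example, not code from the Microsoft post. It re-implements the filter of
the Import-Csv | Where-Object command in the "Scan Exchange log files" section so
that exported HttpProxy logs can be reviewed off the Exchange host. Assumptions:
the file layout ('#' comment lines, then a CSV header row, then one record per
line) and the sample records below are constructed; the column names are the
ones selected by the original command.
"""
import csv
import re
from typing import Dict, Iterator, List

# PowerShell -like is case-insensitive and '*' matches any run of characters.
ANCHOR_PATTERN = re.compile(r"^ServerInfo~.*/.*$", re.IGNORECASE)  # 'ServerInfo~*/*'
COOKIE_PATTERN = re.compile(r"^Server~.*/.*~.*$", re.IGNORECASE)   # 'Server~*/*~*'

# Columns listed by the original command's Select-Object.
SELECTED = ["DateTime", "AnchorMailbox", "UrlStem", "RoutingHint", "ErrorCode",
            "TargetServerVersion", "BackEndCookie", "GenericInfo", "GenericErrors",
            "UrlHost", "Protocol", "Method", "RoutingType", "AuthenticationType",
            "ServerHostName", "HttpStatus", "BackEndStatus", "UserAgent"]


def parse_httpproxy_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record; '#' comment lines are skipped as Import-Csv does."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    yield from csv.DictReader(rows)


def is_ssrf_anchor(row: Dict[str, str]) -> bool:
    """The Where-Object predicate: the anchor or back-end cookie names a server
    path rather than a user's mailbox (a Sid~... or SMTP anchor)."""
    anchor = row.get("AnchorMailbox") or ""
    cookie = row.get("BackEndCookie") or ""
    return bool(ANCHOR_PATTERN.match(anchor) or COOKIE_PATTERN.match(cookie))


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Return the selected columns of every record matching the filter.
    A hit is a lead, not a verdict: pivot on ClientIpAddress and the back-end
    server's logs for the same timestamp before calling it exploitation."""
    return [{col: row.get(col, "") for col in SELECTED}
            for row in parse_httpproxy_log(text) if is_ssrf_anchor(row)]


# Constructed sample: two normal OWA/ECP requests and one unauthenticated
# request whose AnchorMailbox carries a server path.
SAMPLE_LOG = r"""
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,ClientIpAddress,UrlHost,UrlStem,Protocol,Method,AuthenticationType,AuthenticatedUser,AnchorMailbox,BackEndCookie,HttpStatus,BackEndStatus,UserAgent
2021-03-02T10:15:01.100Z,10.0.0.25,mail.example.test,/owa/,Owa,GET,Negotiate,EXAMPLE\alice,Sid~S-1-5-21-1-2-3-1105,Server~mbx01.example.test~1941997645,200,200,Mozilla/5.0
2021-03-02T10:15:04.200Z,10.0.0.31,mail.example.test,/ecp/,Ecp,GET,Negotiate,EXAMPLE\bob,Sid~S-1-5-21-1-2-3-1106,Server~mbx01.example.test~1941997645,200,200,Mozilla/5.0
2021-03-02T10:16:09.300Z,198.51.100.7,mail.example.test,/ecp/,Ecp,POST,,,ServerInfo~mbx01.example.test/ews/exchange.asmx,,200,200,python-requests/2.25
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["DateTime"], hit["AnchorMailbox"], hit["UserAgent"])
```

Columns that a particular log version does not carry come back as empty strings rather than raising, so the same function can be pointed at log files from different cumulative updates. Run against the constructed sample it reports only the third record.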
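The OABGeneratorLog and ECP-server checks in the "Scan Exchange log files" section only locate candidate lines; the judgement the text asks for (is the temporary file outside `ClientAccess\OAB\Temp`, is the `-InternalUrl`/`-ExternalUrl` a plain URI with no script) is still manual. The following added example, not code from the Microsoft post, applies that judgement over exported log lines. The wording of the sample lines, the way the cmdlet parameters appear in them, and the host names are constructed assumptions; only the searched substring, the cmdlet pattern and the expected temp directory come from the post.

```python
"""Offline checks for the OABGeneratorLog and ECP server log indicators.

Added example, not code from the Microsoft post. It extends the findstr and
Select-String commands in the "Scan Exchange log files" section with the
judgement the post asks the reader to apply: an OAB download is suspicious when
its temporary file is outside the ClientAccess\\OAB\\Temp directory, and a
Set-*VirtualDirectory call is suspicious when -InternalUrl/-ExternalUrl is not a
plain http(s) URI or contains script. Assumptions: the log lines below are
constructed, and so is the wording around the searched substrings (only the
substrings, the cmdlet pattern and the temp directory come from the post).
"""
import re
from pathlib import PureWindowsPath
from typing import List, Tuple
from urllib.parse import urlsplit

# The only legitimate destination for OAB temporary files (from the post).
OAB_TEMP = PureWindowsPath(r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp")

# Assumed wording: the entry ends with the temporary file's path (drive or UNC).
OAB_FAILED_RE = re.compile(
    r"Download failed and temporary file\s+((?:[A-Za-z]:\\|\\\\).*?)\.?\s*$", re.IGNORECASE)

# Cmdlet pattern as in the Select-String command, plus the two URL parameters.
SET_VDIR_RE = re.compile(r"Set-\w+VirtualDirectory\b", re.IGNORECASE)
URL_PARAM_RE = re.compile(
    r"-(InternalUrl|ExternalUrl)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path is inside root', compared component by component."""
    head = [p.lower() for p in path.parts[:len(root.parts)]]
    return head == [p.lower() for p in root.parts]


def oab_download_outside_temp(lines: List[str]) -> List[str]:
    """Temporary-file paths from 'Download failed' entries that are not under OAB\\Temp."""
    hits = []
    for line in lines:
        m = OAB_FAILED_RE.search(line)
        if m and not _under(PureWindowsPath(m.group(1)), OAB_TEMP):
            hits.append(m.group(1))
    return hits


def url_is_clean(value: str) -> bool:
    """True for an absolute http(s) URI without script markers. $null is allowed,
    because clearing a URL is a normal administrative action."""
    if value.strip().lower() in ("", "$null"):
        return True
    lowered = value.lower()
    if "<script" in lowered or "<%" in lowered or "runat=" in lowered:
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def suspicious_virtualdirectory_sets(lines: List[str]) -> List[Tuple[str, str]]:
    """(parameter, value) pairs from Set-*VirtualDirectory entries failing url_is_clean."""
    hits = []
    for line in lines:
        if not SET_VDIR_RE.search(line):
            continue
        for m in URL_PARAM_RE.finditer(line):
            value = m.group(2) or m.group(3) or m.group(4) or ""
            if not url_is_clean(value):
                hits.append((m.group(1), value))
    return hits


# Constructed sample lines (wording assumed).
OAB_SAMPLE = [
    r"2021-03-02T10:20:01Z OABGenerator: Download succeeded for temporary file C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp\a1b2.lzx",
    r"2021-03-02T10:21:00Z OABGenerator: Download failed and temporary file C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp\c3d4.lzx.",
    r"2021-03-02T10:22:00Z OABGenerator: Download failed and temporary file C:\inetpub\wwwroot\aspnet_client\oab.aspx.",
    r"2021-03-02T10:23:00Z OABGenerator: Download failed and temporary file \\mbx01\C$\ProgramData\oab.aspx",
]
ECP_SAMPLE = [
    r"2021-03-02T10:30:00Z ecp Set-OwaVirtualDirectory -Identity 'mbx01\owa (Default Web Site)' -InternalUrl 'https://mail.example.test/owa' -ExternalUrl 'https://mail.example.test/owa'",
    r"2021-03-02T10:31:00Z ecp Set-OabVirtualDirectory -Identity 'mbx01\OAB (Default Web Site)' -ExternalUrl 'http://f/<script runat=server>...</script>'",
    r"2021-03-02T10:32:00Z ecp Set-EcpVirtualDirectory -Identity 'mbx01\ecp (Default Web Site)' -ExternalUrl $null",
    r"2021-03-02T10:33:00Z ecp Get-OabVirtualDirectory -Identity 'mbx01\OAB (Default Web Site)'",
]

if __name__ == "__main__":
    print("OAB temp files outside OAB\\Temp:", oab_download_outside_temp(OAB_SAMPLE))
    print("Suspicious virtual directory URLs:", suspicious_virtualdirectory_sets(ECP_SAMPLE))
```

Both functions return the offending values rather than whole lines so the output can be joined against the web shell paths from the IOC feed. The `$null` case is deliberate: an administrator clearing an ExternalUrl is routine and should not page anyone, whereas a URL that fails to parse as absolute http(s) or carries `<script`, `<%` or `runat=` is exactly what the post says should never appear in a virtual directory property.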