Full dumps of email boxes, lateral movement & backdoors characterise sophisticated attacks by a Chinese APT – while other incidents spread rapidly.
Microsoft has discovered multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server.
Adversaries have been able to access email accounts, steal a raft of data, and drop malware on target machines for long-term remote access, according to the computing giant.
The attacks are “limited & targeted,” according to Microsoft, spurring it to release out-of-band patches this week. The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 & CVE-2021-27065.
However, other researchers have reported seeing the activity compromising many victim organisations.
“The team is seeing organisations of all shapes & sizes affected, including electricity companies, local/county governments, healthcare providers & banks/financial institutions, as well as small hotels, multiple senior citizen communities & other mid-market businesses,” a spokesperson at Huntress explained.
The culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (named after a rare chemical element), which has a history of targeting assets in the US with cyber-espionage campaigns.
Microsoft Threat Intelligence Center
Targets historically have included defence contractors, infectious disease researchers, law firms, non-governmental organisations (NGOs), policy think tanks & universities.
“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored & operating out of China, based on observed victimology, tactics & procedures,” according to an announcement this week from Microsoft on the attacks.
“The fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week’s Patch Tuesday release leads us to believe the flaws are quite severe even if we don’t know the full scope of those attacks,” Satnam Narang, Staff Research Engineer at Tenable, suggested.
Microsoft patched the following bugs this week, & admins should update accordingly:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability that allows authentication bypass: a remote attacker can send arbitrary HTTP requests to the Exchange server and authenticate to it. From there, an attacker can steal the full contents of multiple user mailboxes.
- CVE-2021-26857 is an insecure-deserialization vulnerability in the Unified Messaging service, where untrusted user-controllable data is deserialized by a program. An exploit allows remote attackers with administrator permissions to run code as SYSTEM on the Exchange server.
- CVE-2021-26858 and CVE-2021-27065 are both post-authentication arbitrary file-write vulnerabilities in Exchange. Once authenticated with an Exchange server (using CVE-2021-26855 or with compromised admin credentials), an attacker could write a file to any path on the server – thus achieving remote code execution (RCE).
Researchers at Volexity originally uncovered the SSRF bug as part of an incident response & noted,
“This vulnerability is remotely exploitable & does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract email.”
No Authentication Whatsoever
They also observed the SSRF bug being chained with CVE-2021-27065 to accomplish RCE in multiple attacks.
In addition to Volexity, Microsoft credited security researchers at Dubex with uncovering the recent activity, which was first observed in January.
“Based on what we know so far, exploitation of one of the 4 vulnerabilities requires no authentication whatsoever & can be used to potentially download messages from a targeted user’s mailbox,” observed Tenable’s Narang.
“The other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organisation’s network.”
In the observed campaigns, the 4 zero-day bugs were used to gain initial access to targeted Exchange servers & achieve RCE. Hafnium operators then deployed web shells on the compromised servers, which were used to steal data & expand the attack, according to researchers.
“In all cases of RCE, Volexity has observed the attacker writing web shells (ASPX files) to disk & conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT) & move laterally to other systems & environments,” says Volexity’s writeup.
Following web shell deployment, Microsoft found that Hafnium operators performed this range of post-exploitation activity:
- Using Procdump to dump the LSASS process memory;
- Using 7-Zip to compress stolen data into ZIP files for exfiltration;
- Adding and using Exchange PowerShell snap-ins to export mailbox data;
- Using the Nishang Invoke-PowerShellTcpOneLine reverse shell;
- Downloading Power Cat from GitHub, then using it to open a connection to a remote server.
Offline Address Book
The attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organisation & its users, according to the analysis.
“The good news for defenders is that the post-exploitation activity is very detectable,” said Katie Nickels, director of intelligence at Red Canary, adding that her firm has found many attacks as well. “Some of the activity we observed uses the China Chopper web shell, which has been around for more than 8 years, giving defenders ample time to develop detection logic for it.”
Hafnium has been tracked by Microsoft before, but the company has only just released a few details on the APT.
In terms of its tactics, “Hafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, & has used legitimate open-source frameworks, like Covenant, for command & control,” according to Microsoft. “Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”
Hafnium operates primarily from leased virtual private servers in the United States, and primarily goes after US targets, but is linked to the Chinese government, according to Microsoft. It characterises the APT as “a highly skilled & sophisticated actor.”
More Attacks Soon
Narang noted that other researchers have reported seeing these vulnerabilities exploited by different threat actors targeting other regions.
“We expect other threat actors to begin leveraging these vulnerabilities in the coming days & weeks, which is why it is critically important for organisations that use Exchange Server to apply these patches immediately,” he added.
Indeed, researchers at Huntress reported discovering more than 100 web shells deployed across about 1,500 vulnerable servers (with antivirus & endpoint detection & response installed) & expect the number to increase.
Review their Systems
They are not alone.
“FireEye has observed these vulnerabilities being exploited in the wild & we are actively working with several impacted organisations,” Charles Carmakal, Senior VP & CTO at FireEye Mandiant, observed. “In addition to patching as soon as possible, we recommend organisations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.”