HAFNIUM – Microsoft Exchange Server Vulnerability

Mar 14, 2021

Executive Summary

Microsoft have recently shared [1][2] details of active threats targeting on-premise Microsoft Exchange servers worldwide by exploiting chained vulnerabilities that lead to the threat actor gaining full control of the affected email server.

Vulnerable Microsoft Exchange servers are reportedly attacked via an initial untrusted connection being made to an exposed ‘Outlook on the Web’/’Outlook Web Access’ instance, typically accessible via the path /owa/ on TCP port 443, and then four chained vulnerabilities being exploited:

CVE-2021-26855 – Server-side request forgery (SSRF) vulnerability, also known as ‘ProxyLogon’, allowing threat actors to send arbitrary HTTP requests and authenticate as the Exchange server .
CVE-2021-26857 – Insecure deserialization vulnerability, allowing untrusted data to be processed, in the Exchange Unified Messaging Service leading to code execution with SYSTEM privileges.
CVE-2021-26858 – Post-authentication arbitrary file write vulnerability allowing files to be written to any path on the Exchange Server.
CVE-2021-27065 – Another post-authentication authenticated arbitrary file write vulnerability.

Whilst CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 require administrative privileges to exploit, chaining these with CVE-2021-26855 or obtained credentials through some other means would allow exploitation.

These vulnerabilities have been identified as exploited through the use of ‘in-the-wild’ zero-day exploits (‘0days’) in attacks believed to have been orchestrated by the APT group dubbed ‘HAFNIUM’. The Microsoft Threat Intelligence Center (MSTIC) attributes this activity to the group with high confidence and, based on observed tactics, techniques and procedures (TTP) assesses the group as being a Chinese-nexus nation state threat actor.

Successful attacks against vulnerable on-premise Microsoft Exchange servers could allow a threat actor to gain full control of the server including the ability to execute additional payloads, access user email accounts and redirect emails to external entities. Furthermore, it is possible that a threat actor could use a compromised host to move laterally across a victim network, pivoting internally for more impactful persistency, as well as install additional threats such as a ‘web-shell’ to provide backdoor access.

Reports suggest that malicious campaigns exploiting the initial SSRF vulnerability have been active since at least 3 January 2021 with multiple semi-functioning proof-of-concept (PoC) exploits being available as of 11 March 2021.

Furthermore, as of 12 March 2021, reports suggest that threat actors are taking advantage of these vulnerabilities in order to deploy a ransomware payload called ‘DearCry’ on affected Microsoft Exchange servers. As such, those that have not already taken action should do so now as a matter of urgency.

Finally, readers are reminded that these vulnerabilities only impact on-premise installations of Microsoft Exchange and therefore Microsoft Exchange Online or Office 365 (cloud services) are not believed to be affected.

Impact

The impact of these chained vulnerabilities is deemed CRITICAL and is reported as affecting the following Microsoft Exchange versions:

Microsoft Exchange 2010: Version 14.03.0513.000 and older
- Including Exchange SP3 Update Rollup 32 and older
Microsoft Exchange 2013: Version 15.00.1497.012 and older
- Including Cumulative Update 23 (15.00.1497.002) and older
Microsoft Exchange 2016: Version 15.01.2242.004 and older
- Including Cumulative Update 19 (15.01.2176.002) and older
Microsoft Exchange 2019: Versions 15.02.0858.005 and older
- Including Cumulative Update 8 (15.02.0792.003) and older

Additionally, the following ‘end-of-life’ products are potentially vulnerable:

Microsoft Exchange 2003
Microsoft Exchange 2007

As exploits for these vulnerabilities are now publicly available, the number of vulnerable Exchange servers being attacked is estimated by various sources to be in the region of one thousand servers per second.

CVE-2021-26855 – ProxyLogin

Dubbed ‘ProxyLogin’, CVE-2021-26855 is exploited by crafting a HTTP request that performs a server-side request forgery (SSRF) by modified the HTTP Cookie header to impersonate a request as originating from the Exchange server itself, localhost (Figure 1).

Figure 1 – Example ‘ProxyLogon’ HTTP request

This in turn bypasses the authentication protocols, such as Kerberos, and allows a threat actor to perform high-privilege actions without the need for valid credentials.

Post-Exploitation

In order to maintain access, and presumably for ease of management, HAFNIUM have taken to installing web-shells on compromised servers. Web-shells are developed using various web technologies, in this case ASP and HTML, to provide an easy to use interface with common functionality including remote file and shell access to allow both the download and upload of data as well as the execution of various processes.

Reported post-exploitation activity, following the Microsoft Exchange server compromise and the potential installation of a web-shell, includes the use of legitimate processes and tools to gather additional intelligence:

Microsoft Sysinternals ‘ProcDump’ command-line utility, prcodump64.exe, used to dump the process memory for the Local Security Authority Subsystem Service (LSASS), presumably in an attempt to gather credentials.
7-Zip, a third-party compression utility, used to Zip-compress data for exfiltration.
Exchange PowerShell snap-ins installed and utilized to export user mailboxes.
Installation of a PowerShell reverse shell.

Additionally it is reported that ‘offline address books’ have been downloaded from compromised hosts which would likely prove useful for intelligence and reconnaissance efforts against the victim organization.

Recommendations

Given the initial need for unauthenticated access to an Outlook Web Access instance, one potential mitigation is to ensure that vulnerable Exchange servers are protected from direct-internet access such as requiring users to access via a virtual private network (VPN).
Organizations using vulnerable versions of on-premise Microsoft Exchange are advised to monitor the regularly updated Microsoft article [3] as well as implement security updates and/or mitigations as directed by Microsoft as a matter of urgency.
Microsoft have released PowerShell scripts [4] to scan and detect potential Indicators of Compromise (IOC) on affected Microsoft Exchange servers, those with vulnerable versions are advised to utilize these to determine the status of their servers.
Administrators should consider reviewing their Microsoft Exchange logs for suspicious entries such as those contained within <Exhange_Installation_Path>\Logging\ECP\Server\ and specifically the string S:CMD=Set-OabVirtualDirectory.ExternalUrl='.