Investigating the Hafnium-related Microsoft Exchange vulnerabilities

Tom Priest
Published Tuesday 25 May 2021
A detailed walk-through of a recent cyber investigation
Four zero-day vulnerabilities in Microsoft’s Exchange application exposed more than 400,000 email servers to the threat of take-over by malicious threat actors. Early attacks reported in December 2020 were attributed to the Chinese state-sponsored group, Hafnium, and publicly available proof of concept code facilitated an influx of attacks by less-sophisticated and opportunistic actors in March 2021. In this article, we walk through an investigation performed by the incident response team at Asceris. We’ll discuss the methodology we used to discover the presence of five web shells on an Exchange server and offer guidance to help protect organisations against this threat. Certain key details have been changed to protect client confidentiality.

Background

On 2 March 2021, Microsoft released security patches for four vulnerabilities in their Exchange Server application, affecting more than 400,000 on-premise servers running versions 2013, 2016 and 2019. This announcement came two months after an incident response firm discovered the Chinese advanced persistent threat group (APT), Hafnium, exploiting these security weaknesses and allowing complete, remote control of a vulnerable Exchange server.

Official sources state that from January 2021 the Hafnium group launched attacks exploiting the vulnerabilities in an attack chain dubbed ProxyLogon, but this activity could have started as early as November 2020. In early 2021, the threat group dropped web shells onto target systems, gaining SYSTEM level access to facilitate reconnaissance and data exfiltration. Exploiting these web shells would allow a threat actor to access and harvest mailboxes storing sensitive files and credentials, compromising trust and identity relationships across the network.

The public nature of these vulnerabilities meant that the longer organisations delayed patching, the more backdoors could potentially be installed by different threat groups. The exploitation of these vulnerabilities became a new vector for ransomware campaigns including Black Kingdom and DearCry. Operators behind the Lemon Duck malware targeted unpatched Exchange servers to mine cryptocurrency. It is estimated that more than 30,000 US organisations have been affected by the exploitation of these security flaws by various threat groups.

Introduction to the case

Our investigation focused on an email server running Microsoft Exchange version 2019.

At the time of our analysis in March 2021, a U.S. government agency had scanned the client's Exchange server and identified a file that matched a signature for the attack framework, Cobalt Strike. Given a copy of the virtual hard drive providing a snapshot of the system taken on 2021-03-12, we were informed that the security patches had not yet been applied. The mail server was therefore vulnerable to the ProxyLogon attack.

Overview of the ProxyLogon attack

Prior to analysis, we sought to understand the sequence of events involved in this attack. As with all publicly disclosed computer vulnerabilities, each of the four security flaws was assigned a Common Vulnerabilities and Exposures (CVE) identifier.

The chain of attack covers three distinct stages. In the first stage, the threat actor exploits CVE-2021-26855 to gain illegitimate access to a vulnerable Exchange server and exfiltrate mailboxes. During the second stage, the threat actor deploys a web shell or another payload onto the server, exploiting either CVE-2021-26858 or CVE-2021-27065. Finally, the threat actor escalates their privileges to gain SYSTEM level access, exploiting CVE-2021-26857. If all three stages of the attack are successfully exploited, the threat actor gains unfettered access to the Exchange server.

Analysis

To begin our investigation, we manually checked the directories that Microsoft has identified as common destinations for web shell installation.

During this initial check, we identified and isolated three Active Server Page Extended (ASPX) files on the server, which had been modified between 2021-03-03 and 2021-03-05: supp0rt.aspx, OutlookEN.aspx and RedirSuiteServerProxy.aspx. The modification dates of these files were of particular interest, as Microsoft’s public disclosure of the vulnerabilities on 2021-03-02 led to their widespread exploitation.

With evidence suggesting that web shells had been installed, we used recently released Microsoft mitigation and remediation tools to confirm our findings. We used one of the PowerShell scripts provided by Microsoft, Test-ProxyLogon, to identify additional indicators of compromise on the Exchange server.

The Test-ProxyLogon script collects logs for each CVE and provides evidence of exploitation of the four vulnerabilities, as shown below.

[Figure: Results of the Test-ProxyLogon script]

Two of the four vulnerabilities had been exploited on the Exchange server (CVE-2021-26855 and CVE-2021-27065), indicating that the threat actor had authenticated to the server and dropped a web shell or other payload onto the system.

We ran the antimalware tool Microsoft Support Emergency Response Tool (MSERT), which had recently been updated with signatures to detect web shells on vulnerable Exchange servers. By default this tool automatically deletes any web shells or other payloads it detects; however, running ‘msert.exe /N /F’ performs a full scan without remediation, allowing us to preserve evidence.

The output for the MSERT tool was stored in a log file located in the path C:\Windows\Debug\msert.log.

[Figure: Scan results of the MSERT tool]

The tool identified two additional suspicious dynamic-link library files, ‘App_Web_yroudy35.dll’ and ‘App_Web_deuxc2qd.dll’, along with the .aspx files discussed previously. We reviewed the five files for web shell code, with a particular focus on Exchange Offline Address Book (OAB) configuration files. In two of these files the ExternalUrl field matched a signature for the China Chopper web shell, pointing to successful exploitation of CVE-2021-26858 and/or CVE-2021-27065, as shown in the file excerpt below.

[Figure: ASPX file with China Chopper signature]
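Added example (not code from the original investigation or from Microsoft's tooling) of the two checks described above, written for offline triage of a mounted disk image: listing .aspx files modified inside the 2021-03-03 to 2021-03-05 window, and validating OAB ExternalUrl values, which should only ever be a plain URL. The sample paths, timestamps and the tampered URL are constructed; UTC timestamps and the expected URL shape are assumptions.

```python
import os
import re
from datetime import datetime, timezone
from typing import Iterable, Iterator, List, Tuple

# Modification window from the investigation: 2021-03-03 through 2021-03-05 (UTC assumed).
WINDOW_START = datetime(2021, 3, 3, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 3, 5, 23, 59, 59, tzinfo=timezone.utc)

# A legitimate OAB ExternalUrl is a bare http(s) URL whose path is /OAB (assumed shape);
# markup or script keywords in the value mean it has been overwritten with web shell code.
LEGIT_OAB_URL = re.compile(r"^https?://[A-Za-z0-9.\-]+(:\d+)?/OAB/?$", re.IGNORECASE)
SHELL_MARKERS = ("<script", "runat=", "eval(", "request[")

# Constructed sample listing (not the client's real file system).
SAMPLE_ENTRIES = [
    (r"C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx", datetime(2021, 3, 4, 2, 11, tzinfo=timezone.utc)),
    (r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookEN.aspx", datetime(2021, 3, 3, 23, 40, tzinfo=timezone.utc)),
    (r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx", datetime(2020, 11, 18, 9, 0, tzinfo=timezone.utc)),  # ships with Exchange, old mtime
    (r"C:\inetpub\wwwroot\aspnet_client\readme.txt", datetime(2021, 3, 4, 2, 12, tzinfo=timezone.utc)),  # in window, not .aspx
]

def walk_entries(root: str) -> Iterator[Tuple[str, datetime]]:
    """Yield (path, mtime) for every file under root, e.g. a mounted image of the server."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield path, datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)

def find_recent_aspx(entries: Iterable[Tuple[str, datetime]],
                     start: datetime = WINDOW_START,
                     end: datetime = WINDOW_END) -> List[str]:
    """Return .aspx paths whose modification time falls inside [start, end], sorted."""
    return sorted(p for p, mtime in entries
                  if p.lower().endswith(".aspx") and start <= mtime <= end)

def classify_oab_external_url(value: str) -> str:
    """'ok' for a well-formed OAB URL, 'web-shell' if it carries script markup, else 'malformed'."""
    text = value.strip()
    if LEGIT_OAB_URL.match(text):
        return "ok"
    if any(marker in text.lower() for marker in SHELL_MARKERS):
        return "web-shell"
    return "malformed"

if __name__ == "__main__":
    print(find_recent_aspx(SAMPLE_ENTRIES))
    # The second value is a constructed stand-in for a tampered ExternalUrl, body omitted.
    for url in ("https://mail.example.com/OAB", 'http://f/<script language="JScript" runat="server">...</script>'):
        print(url[:40], "->", classify_oab_external_url(url))
```

Run `find_recent_aspx(walk_entries(r"D:\mounted_image"))` against a mounted copy of the disk to apply the same window to a real image.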

Finally, we sought to determine whether CVE-2021-26857 had been exploited and to identify any post-exploitation activity.

We reviewed files written to the Exchange server by two processes: UMWorkerProcess.exe, associated with Microsoft Exchange Server’s Unified Messaging service, and w3wp.exe, the IIS web server worker process. Threat actors have commonly used both of these processes to drop web shells and additional payloads on Exchange servers. This review is intended to catch any suspicious files missed by the scripts and our earlier checks.
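Added illustration of the review just described, not code from the original investigation: it filters file-creation telemetry for writes by the two worker processes that produce file types those processes should never create. The CSV layout and the sample rows are constructed; on a real host the source would be Sysmon Event ID 11 (FileCreate) or equivalent EDR file-write events, which is an assumption.

```python
import csv
import io
from typing import Dict, List

# Processes the page names as common droppers of web shells and payloads.
EXCHANGE_WRITERS = {"w3wp.exe", "umworkerprocess.exe"}
# Extensions an IIS or Unified Messaging worker has no business creating.
RISKY_EXT = (".aspx", ".ashx", ".asmx", ".dll", ".exe", ".ps1", ".bat", ".vbs")

# Constructed sample (assumed columns: time,image,target), standing in for
# Sysmon Event ID 11 or EDR file-create telemetry exported to CSV.
SAMPLE_EVENTS = """\
time,image,target
2021-03-04T02:11:08Z,C:\\Windows\\System32\\inetsrv\\w3wp.exe,C:\\inetpub\\wwwroot\\aspnet_client\\supp0rt.aspx
2021-03-04T02:11:09Z,C:\\Windows\\System32\\inetsrv\\w3wp.exe,C:\\inetpub\\temp\\IIS Temporary Compressed Files\\x.gz
2021-03-04T02:30:41Z,C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe,C:\\Windows\\Temp\\update.dll
2021-03-04T03:00:00Z,C:\\Windows\\System32\\svchost.exe,C:\\Windows\\Temp\\tmp1234.dll
"""

def suspicious_writes(csv_text: str) -> List[Dict[str, str]]:
    """Return events where an Exchange worker process created a risky file type."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = row["image"].rsplit("\\", 1)[-1].lower()   # executable name only
        if image in EXCHANGE_WRITERS and row["target"].lower().endswith(RISKY_EXT):
            hits.append(row)
    return hits

if __name__ == "__main__":
    for ev in suspicious_writes(SAMPLE_EVENTS):
        print(ev["time"], ev["image"], "->", ev["target"])
```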

Post-exploitation analysis

Reports of similar attacks indicated threat actors attempted to delete the administrator user from the Exchange administrators group. We found no evidence of the command ‘net group "Exchange Organization administrators" administrator /del /domain’ being run against the Exchange server to suggest this activity.

Microsoft’s blog identified additional post-exploitation activity involving the threat actors utilising 7-zip to exfiltrate data, stealing credentials by dumping LSASS process memory, using Exchange PowerShell Snap-ins to export mailboxes and downloading additional offensive security tools such as Nishang and PowerCat to establish remote channels. Our analysis found no evidence of this activity on the Exchange server.

Our findings

Our investigation concluded that a threat actor (or group of actors) gained unauthorised access to the Exchange server, dropping five web shells on the system between 2021-03-03 and 2021-03-05. The presence of these files on the system indicated that the first two stages of the ProxyLogon attack chain were successfully exploited.

The publicly available proof of concept code for the initial stages of attacks facilitated execution by not only sophisticated state-sponsored threat groups but also less skilled adversaries. Although the threat actors were able to drop web shells onto the Exchange server, we found no indicators to suggest exploitation of the more challenging third stage of the attack for post-exploitation activity.

Our recommendations

Many organisations responded to the Hafnium-related vulnerabilities by patching their systems and checking for any signs of suspicious activity. The FBI took the decision to proactively remove web shells from private Exchange servers. But as of May 2021, it is estimated that approximately 6% of Exchange servers have yet to be patched and are therefore still vulnerable to the ProxyLogon attack chain.

To limit the threat of illegitimate mail server access, organisations should establish a security baseline, rapidly update and patch their servers, and capture and retain detailed logging information. The initial stage of the attack requires the threat actor to initiate an untrusted connection to an internet-accessible, on-premise Exchange server. Organisations can protect against these connections by placing the mail server behind a VPN concentrator or by configuring a controlled list of IP addresses permitted to access the system. If the server is suspected of being compromised, we strongly recommend following the remediation steps described in Microsoft’s Security Response Center blog and CISA's guidance on Remediating Microsoft Exchange Vulnerabilities.

Find out more

If you are currently experiencing a cyber attack, please request emergency assistance immediately.

To find out more about any of our services, please contact us. To start a conversation or to report any errors or omissions, please feel free to contact the author directly.

Tom Priest
Tom is a cyber security analyst at Asceris specialising in incident response, network forensics, business email compromise investigations and ransomware investigations.

About Asceris

Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.
