{"id":20850,"date":"2021-08-30T18:13:56","date_gmt":"2021-08-30T16:13:56","guid":{"rendered":"https:\/\/blog.mi.hdm-stuttgart.de\/?p=20850"},"modified":"2023-08-06T21:41:01","modified_gmt":"2023-08-06T19:41:01","slug":"hafnium-exchange-server-attacks-what-happened-and-how-to-protect-yourself","status":"publish","type":"post","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2021\/08\/30\/hafnium-exchange-server-attacks-what-happened-and-how-to-protect-yourself\/","title":{"rendered":"HAFNIUM EXCHANGE SERVER ATTACKS – What happened and how to protect yourself"},"content":{"rendered":"\n

an article by Carina Szkudlarek, Niklas Schildhauer and Jannik Smidt<\/em><\/p>\n\n\n\n

This post is going to review the zero day exploit of the Microsoft Exchange Servers starting in January 2021.
It will look into the methods of SSRF and the exploitation of mistakes in the deserialization of input values to procure privileged code execution.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

INTRODUCTION<\/h2>\n\n\n\n

In early 2021, several vulnerabilities were discovered in the Microsoft Exchange server software of the 2010, 2013, 2016 and 2019 releases that could be used by attackers to gain access to such an Exchange server.<\/p>\n\n\n\n

With Exchange Server, Microsoft offers a service with which e-mail communication can be controlled in networks, but electronic communication can also be checked for harmful files such as viruses. All incoming and outgoing e-mails end up on the corresponding Exchange server. From there they are distributed to the recipients. Although there are alternatives, numerous state and private-sector institutions around the world rely on Microsoft Exchange servers.<\/p>\n\n\n\n

On January 6, 2021 the security company Volexity observed several attacks via a previously unpublished Exchange vulnerability. In the course of the following weeks there were additional individual attacks on selected Exchange servers.<\/p>\n\n\n\n

Microsoft instantly planned to release a security patch. However, the responsible attacker group Hafnium had already started a large amount of mass scans starting several months prior to january 6th when the attack was first exploited (see R[17]) . Exchange servers that were vulnerable were automatically infected with a webshell. Less than a week later, Microsoft published several security updates. However only a few hours after the publication of these unscheduled updates for the known vulnerabilities, the unprecedented infection of all unpatched Exchange servers accessible via the Internet began. As a result, administrators had little time and opportunity to react.<\/p>\n\n\n\n

Generally, the exploit of overall four known vulnerabilities can be used as a gateway to penetrate deeper into the corporate network, as the Exchange servers are often publicly accessible. Yet it only affects on-premise Microsoft Exchange Server and not Exchange Online or Microsoft 365.<\/p>\n\n\n\n

According to estimates, generally around 250,000 Exchange servers worldwide are open like a barn door to cyberattacks. 30,000 US customers have already been hacked, according to Heise [R1] tens of thousands of Exchange servers are affected in Germany alone, some of them in German federal authorities, according to the BSI [see: R2]<\/p>\n\n\n\n\n\n\n\n\n\n\n\n

WHY TARGET EXCHANGE SERVER?<\/h2>\n\n\n\n

Out of endless amounts of public targets, e-mail servers serve a promising choice for several reasons. For the most part, mail servers always keep confidential secrets. Especially Exchange Server is the most well-known mail solution for enterprises and governments worldwide. Also have public mail servers been the target for Nation-sponsored hackers for a long time already. More than 400,000 Exchange servers exposed on the Internet<\/span> [R16]. This also includes the assumption that all the data in the servers are stored unencrypted. The question arises on why an end-to-end encryption has been avoided all this time.<\/p>\n\n\n\n

\"\"<\/a>
Image Source<\/em> [R13]<\/figcaption><\/figure>\n\n\n\n

<\/p>\n\n\n\n

HAFNIUM<\/h2>\n\n\n\n

The attacks on Exchange Server were apparently started by a Chinese hacker group called Hafnium, which is said to have direct links with the Chinese government [R2]. The main intention of Hafnium seemed to tap into information primarily in the USA. The group aimed at a number of industries including infectious disease researchers, law firms, higher education institutions, defense companies, policy think tanks, and NGOs. As Hafnium is based in China it conducts its operations primarily from leased virtual private servers (VPS) in the United States [R2].<\/p>\n\n\n\n

In their report Microsoft states that prior to the Exchange Server attacks, Hafnium already compromised victims by exploiting security flaws in internet-connected servers and by using legitimate open source frameworks such as Covenant. The group aims to gain access to a victim network where then they filter data on file sharing sites like MEGA [R3]<\/p>\n\n\n\n

Additionally, in campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with the victim’s Office 365 tenants. While they often fail to compromise customer accounts, this intelligence activity helps the adversary to identify more details about the surroundings of their targets [R3].<\/p>\n\n\n\n

SEQUENCE OF EVENTS <\/h2>\n\n\n\n

January 3 2021:<\/strong> Cyber espionage operations against Microsoft Exchange Server begin using the Server-Side Request Forgery (SSRF) vulnerability CVE-2021-26855<\/p>\n\n\n\n


January 5:<\/strong> Initial report to Microsoft of the four flaws by a principal security researcher for security testing firm DEVCORE.<\/p>\n\n\n\n


January 6: <\/strong>Identification of the attacks on the previously discovered flaws by Volexity<\/p>\n\n\n\n


Mach 2: <\/strong>Microsoft releases emergency security updates to plug the four zero-day flaws in Exchange version 2013-2019 to counter the Hafnium attack.<\/p>\n\n\n\n


March 3:<\/strong> The CISS issues an emergency directive for all federal agencies to disconnect from Microsoft Exchange on-premises servers and begin incident response procedures – Tens of thousands of Exchange servers have already been compromised worldwide, with thousands more servers getting freshly hacked each hour<\/p>\n\n\n\n


March 5-8:<\/strong> Microsoft assumes further attacks by actors beyond Hafnium, targeting the same vulnerabilities the Chinese group exploited.<\/p>\n\n\n\n


March 9:<\/strong> (\u201cPatch Tuesday” ) Original publish date for the security updates \u2794 Patch of 82 security holes in Windows and other software, including a zero-day vulnerability in its web browser software.<\/p>\n\n\n\n


March 10:<\/strong> At least 10 \u201cadvanced persistent threat\u201d (APT) cybercrime and espionage groups have been exploiting the Exchange flaws for their own purposes.<\/p>\n\n\n\n


March 13:<\/strong> The CISA adds seven Malware Analyst Reports to identify web shells associated with Exchange vulnerabilities.<\/p>\n\n\n\n


March 15:<\/strong> Microsoft releases a “one-click” On-Premises Mitigation Tool to assist customers who do not have dedicated IT security to apply updates to Exchange Server. <\/p>\n\n\n\n


March 18: <\/strong>Microsoft announces their Defender Antivirus and System Center Endpoint Protection now automatically mitigates CVE-2021-26855 on any vulnerable server. <\/p>\n\n\n\n


March 31: <\/strong>CISA releases supplemental direction on Emergency Directive for Exchange Server Vulnerabilities.<\/p>\n\n\n\n


April 13: <\/strong>The FBI is granted a search and seizure warrant by a Texas court that allows the agency to copy and remove web shells from hundreds of on-premises Microsoft Exchange servers owned by private organizations. <\/p>\n\n\n\n

Considering that the state has to aid in fixing those security issues shows how dramatic the situation and how underdeveloped many company infrastructures are in regards to such incidents.<\/p>\n\n\n\n

See: [R11][R12]<\/p>\n\n\n\n\n\n\n\n

VULNERABILITY<\/h2>\n\n\n\n

The current vulnerabilities in Exchange servers allows attackers to bypass regular authentication and log in as an administrator of an Exchange server. As part of the investigation, security researchers identified another vulnerability through which an attacker could place files for remote code execution in Exchange. From this they built a functional proof of concept exploit with which the Exchange authentication could be bypassed and the server therefore compromised.<\/p>\n\n\n\n


Since an Exchange server has high rights in the Active Directory, a successful attack on the e-mail system also gives the attacker the opportunity to attack the Active Directory and to access and change data as well as to attack other internal systems. Exploits for the proxy logon gap in Exchange Server are already circulating to where ransomware is also emerging following in several users reporting encrypted files.<\/p>\n\n\n\n

The four vulnerabilities form a chain of attacks (see [R3]):<\/p>\n\n\n\n

CVE-2021-26855<\/strong> is a server-side request forgery (SSRF) vulnerability. It can be used remotely without authentication and without user interaction. Any HTTP requests can be sent by an attacker and allow him to authenticate himself as an Exchange server (admin).<\/p>\n\n\n\n

CVE-2021-26857<\/strong> allows an attacker to run code as a SYSTEM on the Exchange server. This is a vulnerability related to insecure deserialization in the Unified Messaging service. In order to take advantage of this, administrator rights are required, which can be obtained via the aforementioned security gap or by compromising the access data of a legitimate administrator.<\/p>\n\n\n\n

CVE-2021-26858<\/strong> and CVE-2021-27065<\/strong> are a post-authentication arbitrary file write vulnerability in Exchange. They allow any file to be written after it has been authenticated in Exchange. If Hafnium could authenticate with the Exchange server, they could take advantage of this vulnerability to write a file to any path on the server such as they could authenticate themselves using the SSRF vulnerability CVE-2021-26855 or the credentials of a legitimate administrator<\/p>\n\n\n\n

ATTACK DETAILS<\/h2>\n\n\n\n

In their blog post [R3] , Microsoft is providing in depth details about the attack to help especially customers of Exchange but also individuals understand the techniques that were used by Hafnium. Therefore they desire to enable a more effective defense against any future attacks against unpatched systems. For those that are further interested in how the attack looked like, the following shall demonstrate one example of a web shell deployed by Hafnium. <\/p>\n\n\n\n

<%@ Page Language=\u201eJscript\u201c%><%System.IO.File.WriteAllText(Request.Item[\u201cp\u201c], Request.Item[\u201cc\u201c]);%><\/pre>\n\n\n\n
After providing the web shell, the Hafnium operators performed the following post-exploitation activities:<\/p>\n\n\n\n