We use cookies to improve your experience. Do you accept?

Skip to main content

List of All CVEs and IOCs Used by HAFNIUM to Target Microsoft Exchange Servers

List of All CVEs and IOCs Used by HAFNIUM to Target Microsoft Exchange Servers - Featured Image

Targeted Attacks Mar 3, 2021

Introduction

In a major revelation on March 2, 2021, Microsoft published a blog detailing the detection of multiple zero-day exploits being used by the HAFNIUM threat actor group to attack on-premises versions of the Microsoft Exchange Server in limited and targeted attacks. Researchers from Volexity and Dubex also contributed to the discovery of this attack chain.

Also being tracked as Operation Exchange Marauder, the threat actor group used the vulnerabilities to access on-premises Exchange servers which, in turn, enabled them to access email accounts and install additional malware to gain long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributed the attack campaign with high confidence to HAFNIUM, which is believed to be a state-sponsored group operating out of China, based on observed victimology, tactics, and procedures.

Microsoft has released new security updated to address the vulnerabilities. In this blog, we dive into the indicators of compromise (IOCs), tools used in the attacks, methodology, detection mechanisms, and more.

The affected systems show tendencies of an automated scan and hack, which prompt that the threat actor group Hafnium, likely used an automation script to exploit vulnerable devices at scale. By implanting a web shell, the threat actors were able to create a backdoor on the vulnerable exchange servers, which allowed them further exploitation.

The affected networks seem to be more of small and medium-sized organizations rather than larger enterprises, the reason for which can be that the larger enterprises often use email systems based out of the cloud. In a press conference, White House press secretary Jen Psaki urged that everyone running the vulnerable Exchange servers should immediately patch them.

Advisories, Analysis, and Countermeasures

Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits

Volexity:Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities

DHS Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities

US-CERT: Mitigate Microsoft Exchange Server Vulnerabilities

Wired: Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims

AlienVault: Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities

Cyware: Operation Exchange Marauder - An aggregated view for Defenders

CVEs Exploited by HAFNIUM

These are the CVE IDs of the vulnerabilities exploited by Hafnium in the Microsoft Exchange Server attack:

Tools Used in the Attack

  • ASP Web shells

  • MiniDump

  • Procdump

  • 7-Zip

  • PsExec

  • Exchange PowerShell snap-ins

  • Nishang

  • Powercat

Methodology of Attack

  • ASP web shells to initially exploit and perform additional malicious actions

  • Procdump to dump the LSASS process memory

  • 7-Zip to compress stolen data into ZIP files for exfiltration

  • Exchange PowerShell snap-ins to export mailbox data

  • Nishang Invoke-PowerShellTcpOneLine reverse shell

  • PowerCat from GitHub, then using it to open a connection to a remote server

Detection Mechanisms

CVE Detections

CVE-2021-26855: Exploitation can be detected via the following Exchange HttpProxy logs.

These logs are located in the following directory:

“%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy”

Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern of “ServerInfo~/

Here is an example PowerShell command to find these log entries:

Import-Csv -Path (Get-ChildItem -Recurse -Path “$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy” -Filter ‘*.log’).FullName | Where-Object { $.AuthenticatedUser -eq ” -and $_.AnchorMailbox -like ‘ServerInfo~/’ } | select DateTime, AnchorMailbox _

If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken.

These logs are located in the “%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging” directory.

CVE-2021-26858: Exploitation can be detected via the Exchange log files:

These logs are located in the following directory:

“C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog”

Files should only be downloaded to the “%PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp” directory and in case of exploitation, files are downloaded to other directories (UNC or local paths)

Windows command to search for potential exploitation:

_findstr /snip /c:”Download failed and temporary file” “%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log” _

CVE-2021-26857: Exploitation can be detected via the Windows Application event logs

The exploitation of this deserialization bug will create Application events with the following properties:

  • Source: MSExchange Unified Messaging

  • EntryType: Error

  • Event Message Contains: System.InvalidCastException

Below is a PowerShell command to query the Application Event Log for these log entries:

Get-EventLog -LogName Application -Source “MSExchange Unified Messaging” -EntryType Error | Where-Object { $.Message -like “System.InvalidCastException” } _

CVE-2021-27065: Exploitation can be detected via the following Exchange log files.

These logs are located in the following directory:

_“C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server” _

All Set-<AppName>VirtualDirectory properties should never contain script and InternalUrl and ExternalUrl should only be valid Uris.

Following is a PowerShell command to search for potential exploitation:

Select-String -Path “$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log” -Pattern ‘Set-.+VirtualDirectory’

Microsoft Defender AV Queries

  • Exploit:Script/Exmann.A!dha

  • Behavior:Win32/Exmann.A

  • Backdoor:ASP/SecChecker.A

Generic Microsoft Defender AV Queries

  • Backdoor:JS/Webshell (not unique)

  • Trojan:JS/Chopper!dha (not unique)

  • Behavior:Win32/DumpLsass.A!attk (not unique)

  • Backdoor:HTML/TwoFaceVar.B (not unique)

Azure Sentinel Detections

HAFNIUM Suspicious Exchange Request

HAFNIUM UM Service writing suspicious file

HAFNIUM New UM Service Child Process

HAFNIUM Suspicious UM Service Errors

HAFNIUM Suspicious File Downloads

Sentinel Queries

Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:

SecurityEvent | where EventID == 4688 | where Process has_any ("powershell.exe", "PowerShell_ISE.exe") | where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"

Downloads of PowerCat in cmd and Powershell command line logging in Windows Event Logs:

SecurityEvent | where EventID == 4688 | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") | where CommandLine has "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"

Exchange PowerShell Snapin being loaded. This can be used to export mailbox data, subsequent command lines should be inspected to verify usage:

SecurityEvent | where EventID == 4688 | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") | where isnotempty(CommandLine) | where CommandLine contains "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin" | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine

Indicators of Compromise (IOCs)

Attacker IP Addresses

103.77.192[.]219

104.140.114[.]110

104.250.191[.]110

108.61.246[.]56

149.28.14[.]163

157.230.221[.]198

167.99.168[.]251

185.250.151[.]72

192.81.208[.]169

203.160.69[.]66

211.56.98[.]146

5.254.43[.]18

5.2.69[.]14

80.92.205[.]81

91.192.103[.]43

Web Shell Hashes

These hashes indicate the presence of the ASP web shells used in the attack

b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0

097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e

2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1

65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5

511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1

4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea

811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d

1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

Web Shell Paths

These are the common paths used by Hafnium to download the web shells

In Microsoft Exchange Server installation paths such as:

%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\

C:\Exchange\FrontEnd\HttpProxy\owa\auth\

C:\inetpub\wwwroot\aspnet_client\

C:\inetpub\wwwroot\aspnet_client\system_web\

\inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)

<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)

<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)

<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current<any aspx file in this folder or subfolders>

<exchange install path>\FrontEnd\HttpProxy\owa\auth<folder with version number><any aspx file in this folder or subfolders>

Web Shell Names

The web shells were commonly named as the following:

web.aspx

help.aspx

document.aspx

errorEE.aspx

errorEEE.aspx

errorEW.aspx

errorFF.aspx

healthcheck.aspx

aspnet_www.aspx

aspnet_client.aspx

xx.aspx

shell.aspx

aspnet_iisstart.aspx

one.aspx

YARA Rules by Volexity

Rule 1: rule webshell_aspx_simpleseesharp : Webshell Unclassified

{

meta:

author = “threatintel@volexity.com”

date = “2021-03-01”

description = “A simple ASPX Webshell that allows an attacker to write further files to disk.”

hash = “893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2”

strings:

$header = “<%@ Page Language=\”C#\” %>”


$body = “<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine”

condition:

$header at 0 and

$body and

filesize < 1KB

}

Rule 2: rule webshell_aspx_reGeorgTunnel : Webshell Commodity

{

meta:

author = “threatintel@volexity.com”

date = “2021-03-01”

description = “A variation on the reGeorg tunnel webshell”

hash = “406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928”

reference = “https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx”

strings:

$s1 = “System.Net.Sockets”

$s2 = “System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get”

// a bit more experimental

$t1 = “.Split(‘|’)”

$t2 = “Request.Headers.Get”

$t3 = “.Substring(“

$t4 = “new Socket(“

$t5 = “IPAddress ip;”

condition:

all of ($s*) or

all of ($t*)

}

Rule 3: rule webshell_aspx_sportsball : Webshell Unclassified

{

meta:

author = “threatintel@volexity.com”

date = “2021-03-01”

description = “The SPORTSBALL webshell allows attackers to upload files or execute commands on the system.”

hash = “2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a”

strings:

$uniq1 = “HttpCookie newcook = new HttpCookie(\”fqrspt\”, HttpContext.Current.Request.Form”

$uniq2 = “ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE=”



$var1 = “Result.InnerText = string.Empty;”

$var2 = “newcook.Expires = DateTime.Now.AddDays(”

$var3 = “System.Diagnostics.Process process = new System.Diagnostics.Process();”

$var4 = “process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\””

$var5 = “else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\””

$var6 = “<input type=\”submit\” value=\”Upload\” />”

condition:

any of ($uniq*) or

all of ($var*)

}

User-Agents

These were the user agents commonly used to make malicious requests:

DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)

facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)

Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)

Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)

Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html

Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)

Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)

Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)

Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36

antSword/v2.1

Googlebot/2.1+(+http://www.googlebot.com/bot.html)

Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)

ExchangeServicesClient/0.0.0.0

python-requests/2.19.1

python-requests/2.25.1

Related Blogs

No related blogs found, but here are some other blogs you might like: