List of All CVEs and IOCs Used by HAFNIUM to Target Microsoft Exchange Servers
Targeted Attacks • Mar 3, 2021
In a major revelation on March 2, 2021, Microsoft published a blog detailing the detection of multiple zero-day exploits being used by the HAFNIUM threat actor group to attack on-premises versions of the Microsoft Exchange Server in limited and targeted attacks. Researchers from Volexity and Dubex also contributed to the discovery of this attack chain.
Also being tracked as Operation Exchange Marauder, the threat actor group used the vulnerabilities to access on-premises Exchange servers which, in turn, enabled them to access email accounts and install additional malware to gain long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributed the attack campaign with high confidence to HAFNIUM, which is believed to be a state-sponsored group operating out of China, based on observed victimology, tactics, and procedures.
Microsoft has released security updates to address the vulnerabilities. In this blog, we dive into the indicators of compromise (IOCs), the tools used in the attacks, the methodology, detection mechanisms, and more.
The affected systems show signs of automated scanning and exploitation, which suggests that the HAFNIUM threat actor group likely used an automation script to exploit vulnerable devices at scale. By implanting a web shell, the threat actors created a backdoor on the vulnerable Exchange servers, which allowed them to carry out further exploitation.
The affected networks appear to belong mostly to small and medium-sized organizations rather than larger enterprises, possibly because larger enterprises often use cloud-based email systems. In a press conference, White House press secretary Jen Psaki urged everyone running vulnerable Exchange servers to patch them immediately.
Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
DHS Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
US-CERT: Mitigate Microsoft Exchange Server Vulnerabilities
Wired: Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims
AlienVault: Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
Cyware: Operation Exchange Marauder - An aggregated view for Defenders
These are the CVE IDs of the vulnerabilities exploited by Hafnium in the Microsoft Exchange Server attack:
ASP Web shells
MiniDump
Procdump
7-Zip
PsExec
Exchange PowerShell snap-ins
Nishang
Powercat
ASP web shells to initially exploit and perform additional malicious actions
Procdump to dump the LSASS process memory
7-Zip to compress stolen data into ZIP files for exfiltration
Exchange PowerShell snap-ins to export mailbox data
Nishang Invoke-PowerShellTcpOneLine reverse shell
PowerCat, downloaded from GitHub, to open a connection to a remote server
CVE-2021-26855: Exploitation can be detected via the following Exchange HttpProxy logs.
These logs are located in the following directory:
"%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy"
Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern of “ServerInfo~/”
Here is an example PowerShell command to find these log entries:
Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox
If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken.
These logs are located in the "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging" directory.
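The PowerShell one-liner above runs on the server itself. When HttpProxy logs have been exported for offline triage, the same CVE-2021-26855 indicator (empty AuthenticatedUser combined with a ServerInfo~<host>/<path> AnchorMailbox) can be applied with a small script. The following is an added example, not code from the original post or from Microsoft: the sample log is constructed and keeps only a handful of columns, although the column names it uses do exist in the real HttpProxy schema. It also tags each hit with whether the UserAgent appears in the user-agent IoC list given later on this page, as supporting evidence only.

```python
"""Offline triage of exported Exchange HttpProxy logs for the CVE-2021-26855
indicator: requests with an empty AuthenticatedUser whose AnchorMailbox follows
the ServerInfo~<host>/<path> pattern.  Added example, not code from the original
post.  SAMPLE_LOG is constructed and keeps only a subset of the real columns."""
import csv
import fnmatch
import io
from typing import Dict, Iterable, List

# Constructed sample log.  Real files start with several "#..." header lines
# followed by a CSV header row, which is why parse_httpproxy_log skips them.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,ClientIpAddress,UserAgent,AuthenticatedUser,AnchorMailbox
2021-03-02T10:00:01.000Z,10.0.0.5,Microsoft+Office/16.0,contoso\\alice,alice@contoso.example
2021-03-02T10:00:02.000Z,203.0.113.7,python-requests/2.19.1,,ServerInfo~mail.contoso.example/autodiscover/autodiscover.xml?a=b
2021-03-02T10:00:03.000Z,10.0.0.6,Mozilla/5.0+(Windows+NT+10.0),contoso\\bob,ServerInfo~mail.contoso.example/ecp/default.flt
2021-03-02T10:00:04.000Z,203.0.113.8,Mozilla/5.0+(compatible;+MSIE+9.0),,ServerInfo~EXCH01.contoso.example/ews/exchange.asmx
"""

# Glob from the post's detection logic: the AnchorMailbox names a backend
# server (ServerInfo~) followed by a path.  Only the SSRF exploit chain produces
# that for an *unauthenticated* request, so both conditions must hold.
ANCHOR_PATTERN = "ServerInfo~*/*"

# Subset of the user agents from the post's IoC list.  A match is supporting
# evidence only; the AnchorMailbox/AuthenticatedUser pair is the indicator.
LISTED_USER_AGENTS = {
    "antSword/v2.1",
    "ExchangeServicesClient/0.0.0.0",
    "python-requests/2.19.1",
    "python-requests/2.25.1",
}


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Drop '#' header lines and parse the remaining CSV body into dict rows."""
    body = "\n".join(line for line in text.splitlines() if not line.startswith("#"))
    return list(csv.DictReader(io.StringIO(body)))


def find_ssrf_candidates(rows: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return rows matching the indicator, each annotated with UserAgentListed."""
    hits: List[Dict[str, object]] = []
    for row in rows:
        if row.get("AuthenticatedUser", "") != "":
            continue  # authenticated traffic to a ServerInfo~ anchor is normal proxying
        if not fnmatch.fnmatchcase(row.get("AnchorMailbox", ""), ANCHOR_PATTERN):
            continue
        hit: Dict[str, object] = dict(row)
        hit["UserAgentListed"] = row.get("UserAgent", "") in LISTED_USER_AGENTS
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in find_ssrf_candidates(parse_httpproxy_log(SAMPLE_LOG)):
        print(h["DateTime"], h["ClientIpAddress"], h["AnchorMailbox"],
              "UA listed" if h["UserAgentListed"] else "UA not listed")
```

Against real exports, point parse_httpproxy_log at each *.log file under the HttpProxy folder; the third sample row (an authenticated user hitting a ServerInfo~ anchor) is deliberately included to show why the empty-AuthenticatedUser condition is required to avoid flagging ordinary ECP traffic.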
CVE-2021-26858: Exploitation can be detected via the Exchange log files:
These logs are located in the following directory:
"C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog"
Files should only be downloaded to the "%PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp" directory; in case of exploitation, files are downloaded to other directories (UNC or local paths).
Windows command to search for potential exploitation:
findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"
CVE-2021-26857: Exploitation can be detected via the Windows Application event logs
The exploitation of this deserialization bug will create Application events with the following properties:
Source: MSExchange Unified Messaging
EntryType: Error
Event Message Contains: System.InvalidCastException
Below is a PowerShell command to query the Application Event Log for these log entries:
Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }
CVE-2021-27065: Exploitation can be detected via the following Exchange log files.
These logs are located in the following directory:
"C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server"
All Set-<AppName>VirtualDirectory properties should never contain script, and InternalUrl and ExternalUrl should only be valid URIs.
Following is a PowerShell command to search for potential exploitation:
Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
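Select-String only lists every Set-*VirtualDirectory call; an analyst still has to read each one. The script below, an added example that is not code from the original post or from Microsoft, applies the two rules stated above to each matching line: no parameter may contain script, and InternalUrl/ExternalUrl must be well-formed http(s) URIs. The log lines are constructed and the ECP Server log layout is simplified to "<timestamp>,<cmdlet and parameters>" with single-quoted parameter values; the scripted value in the third line is a placeholder, not a real payload.

```python
"""Flag Set-<AppName>VirtualDirectory entries whose parameters contain script or
whose InternalUrl/ExternalUrl is not a valid http(s) URI (CVE-2021-27065 indicator).
Added example, not code from the original post.  SAMPLE_ECP_LOG is constructed and
the record layout is simplified; real ECP Server logs carry more fields."""
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

SAMPLE_ECP_LOG = [
    "2021-03-02T10:05:00.000Z,Set-OabVirtualDirectory -Identity 'EXCH01\\OAB (Default Web Site)' -ExternalUrl 'https://mail.contoso.example/OAB'",
    "2021-03-02T10:05:03.000Z,Set-OwaVirtualDirectory -Identity 'EXCH01\\owa (Default Web Site)' -InternalUrl 'https://mail.contoso.example/owa' -ExternalUrl 'https://mail.contoso.example/owa'",
    # constructed placeholder standing in for a scripted value written into the virtual directory
    "2021-03-02T10:05:09.000Z,Set-OabVirtualDirectory -Identity 'EXCH01\\OAB (Default Web Site)' -ExternalUrl 'http://f/<script runat=\"server\">[constructed placeholder]</script>'",
    "2021-03-02T10:05:12.000Z,Set-EcpVirtualDirectory -Identity 'EXCH01\\ecp (Default Web Site)' -InternalUrl 'not a uri'",
    "2021-03-02T10:06:00.000Z,Get-OabVirtualDirectory -Identity 'EXCH01\\OAB (Default Web Site)'",
]

CMDLET_RE = re.compile(r"(Set-\w+VirtualDirectory)\b(.*)$")
# -Name 'value' pairs; a doubled '' inside the value is PowerShell's escaped quote.
PARAM_RE = re.compile(r"-(\w+)\s+'((?:[^']|'')*)'")
URL_PARAMS = {"internalurl", "externalurl"}
SCRIPT_MARKERS = ("<script", "<%", "runat=")


def valid_http_uri(value: str) -> bool:
    """Accept only http(s) URIs with a host and no markup or whitespace."""
    if any(ch in value for ch in "<> \t\r\n"):
        return False
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def check_line(line: str) -> List[Tuple[str, str, str]]:
    """Return (cmdlet, parameter, reason) findings for one log line."""
    m = CMDLET_RE.search(line)
    if not m:
        return []  # not a Set-*VirtualDirectory call
    cmdlet, args = m.group(1), m.group(2)
    findings = []
    for name, value in PARAM_RE.findall(args):
        low = value.lower()
        if any(marker in low for marker in SCRIPT_MARKERS):
            findings.append((cmdlet, name, "parameter contains script"))
        elif name.lower() in URL_PARAMS and not valid_http_uri(value):
            findings.append((cmdlet, name, "URL parameter is not a valid http(s) URI"))
    return findings


def scan_ecp_log(lines: Iterable[str]) -> List[Tuple[int, str, str, str]]:
    """Scan every line; results carry the 1-based line number for follow-up."""
    out = []
    for i, line in enumerate(lines, 1):
        for cmdlet, name, reason in check_line(line):
            out.append((i, cmdlet, name, reason))
    return out


if __name__ == "__main__":
    for finding in scan_ecp_log(SAMPLE_ECP_LOG):
        print(finding)
```

The script checks every parameter for script markers, not only the URL ones, because the rule on this page is that no Set-*VirtualDirectory property should ever contain script; the URI rule is then applied to InternalUrl and ExternalUrl specifically.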
Exploit:Script/Exmann.A!dha
Behavior:Win32/Exmann.A
Backdoor:ASP/SecChecker.A
Backdoor:JS/Webshell (not unique)
Trojan:JS/Chopper!dha (not unique)
Behavior:Win32/DumpLsass.A!attk (not unique)
Backdoor:HTML/TwoFaceVar.B (not unique)
HAFNIUM Suspicious Exchange Request
HAFNIUM UM Service writing suspicious file
HAFNIUM New UM Service Child Process
HAFNIUM Suspicious UM Service Errors
HAFNIUM Suspicious File Downloads
Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:
SecurityEvent | where EventID == 4688 | where Process has_any ("powershell.exe", "PowerShell_ISE.exe") | where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"
Downloads of PowerCat in cmd and PowerShell command line logging in Windows Event Logs:
SecurityEvent | where EventID == 4688 | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") | where CommandLine has "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"
Exchange PowerShell Snapin being loaded. This can be used to export mailbox data, subsequent command lines should be inspected to verify usage:
SecurityEvent | where EventID == 4688 | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") | where isnotempty(CommandLine) | where CommandLine contains "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin" | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine
103.77.192[.]219
104.140.114[.]110
104.250.191[.]110
108.61.246[.]56
149.28.14[.]163
157.230.221[.]198
167.99.168[.]251
185.250.151[.]72
192.81.208[.]169
203.160.69[.]66
211.56.98[.]146
5.254.43[.]18
5.2.69[.]14
80.92.205[.]81
91.192.103[.]43
These hashes indicate the presence of the ASP web shells used in the attack.
The following are the common paths used by Hafnium to download the web shells:
In Microsoft Exchange Server installation paths such as:
%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
C:\Exchange\FrontEnd\HttpProxy\owa\auth\
C:\inetpub\wwwroot\aspnet_client\
C:\inetpub\wwwroot\aspnet_client\system_web\
\inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)
<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)
<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\<any aspx file in this folder or subfolders>
<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\<any aspx file in this folder or subfolders>
The web shells were commonly named as the following:
web.aspx
help.aspx
document.aspx
errorEE.aspx
errorEEE.aspx
errorEW.aspx
errorFF.aspx
healthcheck.aspx
aspnet_www.aspx
aspnet_client.aspx
xx.aspx
shell.aspx
aspnet_iisstart.aspx
one.aspx
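The path and file-name indicators above translate directly into a filesystem sweep. The following is an added example, not code from the original post or from Microsoft: it walks a directory tree and flags files using the rules listed above (known web shell names, any .aspx under aspnet_client, anything other than TimeoutLogoff.aspx under ecp\auth, any .aspx under owa\auth\Current or a versioned owa\auth subfolder). The tree it scans is constructed in a temporary folder so it runs anywhere; the version-number folder name is made up. Comparing owa\auth against a standard-install baseline, as the page also recommends, needs a reference list and is out of scope here.

```python
"""Sweep a directory tree for files in the web-shell drop locations listed on
this page.  Added example, not code from the original post; build_sample_tree()
creates a constructed tree in a temp folder so the scan can be exercised offline."""
import os
import re
import shutil
import tempfile
from pathlib import Path, PurePosixPath
from typing import List, Tuple

# Web shell file names from the post, lower-cased for case-insensitive matching.
KNOWN_NAMES = {
    "web.aspx", "help.aspx", "document.aspx", "erroree.aspx", "erroreee.aspx",
    "errorew.aspx", "errorff.aspx", "healthcheck.aspx", "aspnet_www.aspx",
    "aspnet_client.aspx", "xx.aspx", "shell.aspx", "aspnet_iisstart.aspx", "one.aspx",
}
VERSIONED_OWA_AUTH = re.compile(r"/frontend/httpproxy/owa/auth/\d+(\.\d+)+/")


def _norm(rel: str) -> str:
    """Normalise separators and case so the same rules work on Windows and POSIX."""
    return rel.replace("\\", "/").lower()


def classify(rel_path: str) -> str:
    """Return the matching rule for a path relative to the scan root, or ''."""
    p = "/" + _norm(rel_path).lstrip("/")
    name = PurePosixPath(p).name
    is_aspx = name.endswith(".aspx")
    if name in KNOWN_NAMES:
        return "known HAFNIUM web shell name"
    if "/inetpub/wwwroot/aspnet_client/" in p and is_aspx:
        return ".aspx under aspnet_client"
    if "/frontend/httpproxy/ecp/auth/" in p and name != "timeoutlogoff.aspx":
        return "unexpected file in ecp/auth"
    if "/frontend/httpproxy/owa/auth/current/" in p and is_aspx:
        return ".aspx under owa/auth/Current"
    if VERSIONED_OWA_AUTH.search(p) and is_aspx:
        return ".aspx under versioned owa/auth folder"
    return ""


def scan(root: str) -> List[Tuple[str, str]]:
    """Walk root and return sorted (relative path, reason) pairs for flagged files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            reason = classify(rel)
            if reason:
                findings.append((_norm(rel), reason))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed tree: a mix of legitimate files and files in the drop locations."""
    root = tempfile.mkdtemp(prefix="exch_scan_")
    exch = r"Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy"
    sample_files = [
        exch + r"\owa\auth\logon.aspx",                      # legitimate, not flagged
        exch + r"\owa\auth\errorEE.aspx",                    # known name
        exch + r"\owa\auth\Current\themes\x.aspx",           # .aspx under Current
        exch + r"\owa\auth\15.0.0.0\scripts\y.aspx",         # made-up version folder
        exch + r"\ecp\auth\TimeoutLogoff.aspx",              # the one expected file
        exch + r"\ecp\auth\z.aspx",                          # unexpected in ecp/auth
        r"inetpub\wwwroot\aspnet_client\system_web\aspnet_client.aspx",
        r"inetpub\wwwroot\aspnet_client\readme.txt",         # not .aspx, not flagged
    ]
    for f in sample_files:
        path = Path(root, *f.split("\\"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<!-- constructed placeholder -->")
    return root


def run_demo() -> List[Tuple[str, str]]:
    """Build the constructed tree, scan it, remove it, and return the findings."""
    root = build_sample_tree()
    try:
        return scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason:40s} {rel}")
```

On a real server, call scan() against the drive root (or the Exchange install path and C:\inetpub separately) and review each hit's timestamps and content; a file with a listed name is a strong indicator, while the location-based rules are broader and will also catch legitimate customisations that need a baseline comparison.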
Rule 1:
rule webshell_aspx_simpleseesharp : Webshell Unclassified
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "A simple ASPX Webshell that allows an attacker to write further files to disk."
        hash = "893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2"
    strings:
        $header = "<%@ Page Language=\"C#\" %>"
        $body = "<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine"
    condition:
        $header at 0 and $body and filesize < 1KB
}
Rule 2:
rule webshell_aspx_reGeorgTunnel : Webshell Commodity
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "A variation on the reGeorg tunnel webshell"
        hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"
        reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"
    strings:
        $s1 = "System.Net.Sockets"
        $s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get"
        // a bit more experimental
        $t1 = ".Split('|')"
        $t2 = "Request.Headers.Get"
        $t3 = ".Substring("
        $t4 = "new Socket("
        $t5 = "IPAddress ip;"
    condition:
        all of ($s*) or all of ($t*)
}
Rule 3:
rule webshell_aspx_sportsball : Webshell Unclassified
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system."
        hash = "2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a"
    strings:
        $uniq1 = "HttpCookie newcook = new HttpCookie(\"fqrspt\", HttpContext.Current.Request.Form"
        $uniq2 = "ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE="
        $var1 = "Result.InnerText = string.Empty;"
        $var2 = "newcook.Expires = DateTime.Now.AddDays("
        $var3 = "System.Diagnostics.Process process = new System.Diagnostics.Process();"
        $var4 = "process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\""
        $var5 = "else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\""
        $var6 = "<input type=\"submit\" value=\"Upload\" />"
    condition:
        any of ($uniq*) or all of ($var*)
}
These were the user agents commonly used to make malicious requests:
DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)
facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)
Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)
Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html
Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)
Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)
Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36
antSword/v2.1
Googlebot/2.1+(+http://www.googlebot.com/bot.html)
ExchangeServicesClient/0.0.0.0
python-requests/2.19.1
python-requests/2.25.1