Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.
The attacks are “limited and targeted,” according to Microsoft, spurring it to release out-of-band patches this week. The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
However, other researchers have reported seeing the activity compromising mass swathes of victim organizations.
“The team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,” a spokesperson at Huntress told Threatpost.
The culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (also the name of a chemical element), which has a history of targeting assets in the United States with cyber-espionage campaigns. Targets in the past have included defense contractors, infectious disease researchers, law firms, non-governmental organizations (NGOs), policy think tanks and universities.
“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,” according to an announcement this week from Microsoft on the attacks.
“The fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week’s Patch Tuesday release leads us to believe the flaws are quite severe even if we don’t know the full scope of those attacks,” Satnam Narang, staff research engineer at Tenable, said via email.
Microsoft patched following bugs this week, and admins should update accordingly:
Researchers at Volexity originally uncovered the SSRF bug as part of an incident response and noted, “This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract email.”
They also observed the SSRF bug being chained with CVE-2021-27065 to accomplish RCE in multiple attacks.
In addition to Volexity, Microsoft credited security researchers at Dubex with uncovering the recent activity, which was first observed in January.
“Based on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user’s mailbox,” said Tenable’s Narang. “The other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organization’s network.”
In the observed campaigns, the four zero-day bugs were used to gain initial access to targeted Exchange servers and achieve RCE. Hafnium operators then deployed web shells on the compromised servers, which were used to steal data and expand the attack, according to researchers.
“In all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT) and move laterally to other systems and environments,” according to Volexity’s writeup.
Following web shell deployment, Microsoft found that Hafnium operators performed a range of post-exploitation activity:
The attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users, according to the analysis.
“The good news for defenders is that the post-exploitation activity is very detectable,” said Katie Nickels, director of intelligence at Red Canary, via email, adding her firm has detected numerous attacks as well. “Some of the activity we observed uses the China Chopper web shell, which has been around for more than eight years, giving defenders ample time to develop detection logic for it.”
Hafnium has been tracked by Microsoft before, but the company has only just released a few details on the APT.
In terms of its tactics, “Hafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control,” according to Microsoft. “Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”
Hafnium operates primarily from leased virtual private servers in the United States, and primarily goes after U.S. targets, but is linked to the Chinese government, according to Microsoft. It characterizes the APT as “a highly skilled and sophisticated actor.”
It should be noted that other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions, according to Narang.
“We expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organizations that use Exchange Server to apply these patches immediately,” he added.
And indeed, researchers at Huntress said they have discovered more than 100 web shells deployed across roughly 1,500 vulnerable servers (with antivirus and endpoint detection/recovery installed) and expect this number to keep rising.
They’re not alone.
“FireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organizations,” Charles Carmakal, senior vice president and CTO at FireEye Mandiant, said via email. “In addition to patching as soon as possible, we recommend organizations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.”