Microsoft released patches for four vulnerabilities in Exchange Server on March 2, disclosing that these vulnerabilities were being exploited by a previously unknown threat actor, referred to as HAFNIUM.
The vulnerabilities in question — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 — affect Microsoft Exchange Server 2019, 2016, 2013 and the out-of-support Microsoft Exchange Server 2010. The patches for these vulnerabilities should be applied as soon as possible. Microsoft Exchange Online is not affected.
Patches for an additional three vulnerabilities in the same software have also been released: CVE-2021-26412, CVE-2021-26854 and CVE-2021-27078. It is believed that these vulnerabilities have not yet been exploited in the wild.
Threat activity details
The threat actor has been observed targeting an array of organizations, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-governmental organizations. Attacks exploiting these vulnerabilities are believed to date back to Jan. 6, 2021.
The attacks start by exploiting CVE-2021-26855, a server-side request forgery vulnerability, or by abusing stolen passwords. This vulnerability is exploited by sending a specially crafted XML SOAP payload to the Exchange Web Services API running on the Exchange Server. The threat actor has been observed using leased virtual private servers within the United States and connecting to TCP port 443 (HTTPS) on the vulnerable servers to carry out the attacks.
After the initial attack, the threat actor has bypassed authentication and can perform operations on the users’ mailboxes, such as downloading messages. The threat actor subsequently exploits additional vulnerabilities including the remote code execution vulnerability CVE-2021-26857 to execute instructions as SYSTEM, and the arbitrary file write vulnerabilities CVE-2021-26858 and CVE-2021-27065 to upload webshells to the compromised host. This allows the threat actor to execute additional instructions on the compromised devices.
The attackers have been observed dumping LSASS process memory with Procdump and comsvcs.dll, using 7-Zip and WinRar to compress stolen data for exfiltration, using PsExec and PowerCat to connect and send commands to remote systems, using PowerShell and the Nishang framework to make changes including creating a reverse shell and creating new user accounts.
All organisations using the affected software should prevent external access to port 443 on Exchange Servers, or set up a VPN to provide external access to port 443. This will ensure that only authenticated and authorized users can connect to this service. However, this action will only protect against the initial step of the attack.
Administrators should immediately apply the published patches to vulnerable Exchange Servers. This will require bringing the devices up to the necessary patch level by applying previous patches, if these have not been already applied.
Cisco has been closely monitoring the situation and has released protection against the threat as detailed in the coverage section.
- CVE-2021-26857 — 57233-57234
- CVE-2021-26855 — 57241-57244
- CVE-2021-26858 & CVE-2021-27065 — 57245-57246
- CVE-2021-24085 — 57251
- CVE-2021-27065 — 57252-57253
- Html.Webshell.Hafnium — 57235-57240
Cisco Secure Endpoint (formerly AMP):
Malicious files detected as:
- Threat Name: Html.Webshell.HAFNIUM.DRT.Talos
Behavioural Protection Signatures:
- PowerShell Download String
- Raw GitHub Argument
- RunDLL32 Suspicious Process
- CVE-2021-26858 Potential Exploitation
- CVE-2021-26857 Potential Exploitation
- Nishang Powershell Reverse Shell
Talos Security Intelligence Block List
IP addresses blocked as Classification: Attackers
IP addresses blocked as Security Category: Command and Control Threat Types: Dropper
Cisco Incident Response Services are available to assist organisations to respond and recover from an incident. Additionally, Incident Response Services can be used to help organisations prepare for attacks and to test existing procedures.
Cisco Secure Firewall / Secure IPS (Network Security) appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Endpoint is ideally suited to prevent the execution of the malware detailed in this post. Users of this solution can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. Try Cisco Secure Endpoint for free here.
Cisco AMP for Networks is able to detect malicious software as it crosses the network.
Cisco Secure X gives security teams a single location to identify threats, perform automated workflows, and to remediate incidents.
Cisco Secure Malware Analytics(Threat Grid) helps identify malicious binaries and build protection into all Cisco Security products.
Cisco Secure Network Analytics (Stealthwatch) uses a variety of analytical processes to identify anomalous and malicious behavior occurring on the network.
Cisco Secure Workload (Tetration), can identify anomalous behaviour of affected systems and highlight systems that require patching.
Cisco Umbrella, our secure internet gateway (SIG), blocks users and systems from connecting to malicious domains and IPs.
Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
IP addresses leveraged by attackers.
Web Shell SHA256 Hashes
CISA Alert - Mitigate Microsoft Exchange Server Vulnerabilities
Volexity Blog - Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
Microsoft Blog - Defending Exchange Servers Under Attack
Exchange Team Blog - Released: March 2020 Exchange Server Security Updates
Microsoft EMEA Out of Band Webcast
Microsoft Blog - HAFNIUM Targeting Exchange Servers with 0-Day Exploits