Name: Exploitation of zero-day vulnerabilities in on-premises Microsoft Exchange Servers
Threat Actor (who is behind the attacks): Linked to HAFNIUM, which previously targeted various US-based companies in gas, law firms, etc.
What is bad: An attacker does not need any credentials for authentication if the vulnerabilities below are present on the systems and the attacker can reach these machines via a public network.
Vulnerabilities actively being exploited:
- CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
- Can be exploited via network access if exposed publicly
Direction: We recommend that all our customers, and anyone who has on-premises servers, patch the vulnerabilities above immediately to mitigate exploitation.
What it means to the customers if patched: Patching does not mean that the customers are safe. There might be scenarios where systems with Exchange roles were already compromised and the threat actors may have maintained persistence with other malware or other processes in the environment.
Attackers/Threat Actors: Have the capability of creating web shells (for persistence and privilege escalation) after exploiting the vulnerabilities (post-exploitation).
Some of the indicators of compromise (IOC) artifacts:
- Help.aspx (MD5 hash: 4b3039cf227c611c45d2242d1228a121)
- Iisstart.aspx (MD5 hash: 0fd9bffa49c76ee12e51e3b8ae0609ac)
- W3wp.exe (the IIS process on the front-end Exchange server) spawning cmd.exe to write files
- BEACON MD5 hash: 79eb217578bed4c250803bd573b10151
Other Network Indicators:
- 165.232.154.116
- 182.18.152.105
- 89.34.111.11
- 86.105.18.116
Other activities after successful exploitation may include, per the Microsoft documentation/blog:
- Credential theft via dumping of LSASS process memory.
- Compression of data for exfiltration via 7-Zip.
- Use of Exchange PowerShell snap-ins to export mailbox data.
- Use of additional offensive security tools (Covenant, Nishang, and PowerCat) for remote access.
Other investigation leads:
- Check for child processes of inetsrv\w3wp.exe, such as cmd.exe
- Any related files written to the system by w3wp.exe
- Temp files with an .aspx extension; file names are unreliable indicators, as the files can be named anything
- Unexpected export of mailboxes
- Check for LSASS process dumps in the system events.
- Check for any zip files created for exfiltration on the systems
- Check for any PowerShell one-liner scripts in SIEM tools, as well as other access mechanisms.
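The investigation leads and IOCs above can be applied to exported endpoint events as in the following added example, which is not CYFLARE's or Microsoft's code. The event field names (`type`, `parent`, `image`, `writer`, `path`, `md5`, `dest_ip`, `host`) and the sample events are constructed assumptions to be mapped onto your own log schema; the hashes and IP addresses are the ones listed in this advisory.

```python
import ntpath

# IOC values copied from this advisory.
IOC_MD5 = {
    "4b3039cf227c611c45d2242d1228a121": "Help.aspx",
    "0fd9bffa49c76ee12e51e3b8ae0609ac": "Iisstart.aspx",
    "79eb217578bed4c250803bd573b10151": "BEACON",
}
IOC_IPS = {"165.232.154.116", "182.18.152.105", "89.34.111.11", "86.105.18.116"}

def base(path):
    """Lower-cased file name of a Windows path (None-safe)."""
    return ntpath.basename(path or "").lower()

def triage(event):
    """Return the advisory leads that one normalized event matches."""
    hits, kind = [], event.get("type")
    if kind == "process":
        if base(event.get("parent")) == "w3wp.exe" and base(event.get("image")) == "cmd.exe":
            hits.append("w3wp.exe spawned cmd.exe")
    elif kind == "file":
        md5 = (event.get("md5") or "").lower()  # hashes are often logged upper-case
        if md5 in IOC_MD5:
            hits.append("MD5 matches " + IOC_MD5[md5])
        if base(event.get("writer")) == "w3wp.exe" and base(event.get("path")).endswith(".aspx"):
            hits.append(".aspx written by w3wp.exe")
    elif kind == "network" and event.get("dest_ip") in IOC_IPS:
        hits.append("connection to listed IP " + event["dest_ip"])
    return hits

def hunt(events):
    """(host, lead) pairs for every match, in event order."""
    return [(e.get("host"), lead) for e in events for lead in triage(e)]

# Constructed sample events; hosts, paths and field names are assumptions.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE = [
    {"type": "process", "host": "EXCH01", "parent": W3WP, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "host": "WS07", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file", "host": "EXCH01", "writer": W3WP, "path": r"C:\inetpub\wwwroot\help.aspx",
     "md5": "4B3039CF227C611C45D2242D1228A121"},
    {"type": "network", "host": "EXCH01", "dest_ip": "86.105.18.116"},
    {"type": "network", "host": "EXCH01", "dest_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for host, lead in hunt(SAMPLE):
        print(host, lead)
```

The file-write rule matches on the writing process and extension rather than the file name, since the names are unreliable; a hash match is reported separately so a renamed copy of a listed web shell is still flagged.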
What CYFLARE is doing for customers as a threat hunting mechanism:
- Checking the Windows Event Logs on systems that are recognized as Exchange Servers
- Checking for the respective IOCs mentioned above, and any additional IOCs as we learn more about this threat, that will help identify whether systems were compromised, both within the network and on specific systems
- Monitoring for any credential dump detections, such as a Mimikatz credential dump, triggered in the environment, which could make the exfiltration of data possible
- We are also actively working with vendors to create detection rules, if applicable, to ensure that our customers are notified of any detections.
- We are also reaching out to customers to deliver this message and to have them stay alert for any type of activity as we work together.
If the client has endpoint protection solutions that CYFLARE manages:
- CYFLARE performs advanced threat hunting and checks logs that may contain possible exploitation-related attempts, looking for any trojans and other real-time IOCs triggered on systems that have endpoint protection agents installed.
Other links to blog post by Microsoft for detailed information:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/