Chinese State Sponsored Group HAFNIUM Exploiting Exchange Zero-Day Vulnerabilities – PATCH NOW



Microsoft recently released out-of-band security updates to address four new vulnerabilities in Exchange Server (on-premises). The series of exploits is actively being used by malicious actors to steal emails and compromise internal networks.

What Do We Know About This Attack?

The Microsoft announcement covers four new vulnerabilities which, when chained together, have glaringly evil results. Let’s break them down in order:

  • CVE-2021-26855 – This vulnerability takes advantage of a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server’s Exchange Control Panel (ECP). Exploiting this vulnerability allows a malicious attacker to steal the contents of users’ mailboxes. This portion of the attack is exploitable remotely and without any form of authentication.
  • CVE-2021-26857 – An insecure deserialization vulnerability in the Unified Messaging service that allows an attacker to run code as NT AUTHORITY\SYSTEM (the highest possible privileges) on the Exchange Server. Exploiting it requires either administrative credentials or the exploitation of another vulnerability that provides administrative privileges, and it also requires local access to the server.
  • CVE-2021-26858 – A post-authentication vulnerability that allows an attacker to write a file to any path on the server they wish.
  • CVE-2021-27065 – Another post-authentication vulnerability that allows an attacker to write a file to any path on the server they wish.

Microsoft detected these four previously undisclosed (“0-day”) exploits being used to attack on-premises Microsoft Exchange Servers. The Microsoft Threat Intelligence Center (MSTIC) attributes this attack campaign to a state-sponsored group out of China dubbed “HAFNIUM.”

HAFNIUM has a history of primarily targeting the United States across several business sectors including infectious disease research, law firms, higher education, defense contractors, policy think tanks, and other non-government organizations. The group operates primarily from virtual private servers (VPS) in the United States.

Assura’s Take

While not a one-shot kill, this attack chain will result in access to your internal environment and ease the process of privilege escalation and, subsequently, pivoting throughout your environment to gain further access to information. HAFNIUM has demonstrated that, through the exploitation of the four vulnerabilities described above and the use of other tools such as ProcDump and Nishang PowerShell scripts, total environment compromise can be achieved with relative ease. In some cases, the attackers exfiltrated entire Active Directory databases.

While Microsoft’s alert focuses on HAFNIUM’s exploitation of these vulnerabilities, anyone who has worked in information security for any length of time knows that, now that the public knows about these vulnerabilities, they will become more widely exploited by malicious actors ranging from other state-sponsored attackers down to simple script-kiddies.

Below are some steps that you can take to determine if indicators of compromise (IOCs) exist in your environment:

  • Scan Exchange log files for the following IOCs:
    • Exchange HttpProxy logs – located in "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy"
      • Look for entries where the “AuthenticatedUser” is empty and the “AnchorMailbox” contains the pattern of “ServerInfo~*/*”
      • If results are found, then the logs specific to the application specified in the “AnchorMailbox” path can be used to see the attacker’s actions. These logs are located in the “%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging” directory.
    • Look for files within the OABGeneratorLog that were downloaded to directories other than “%PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp”. Files should only be downloaded to the Temp folder. Downloads to other locations are indicators of malicious activity. Use the following command to search for downloads outside of the Temp folder:
      • findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"
    • The exploitation of the UnifiedMessaging deserialization vulnerability will result in Application events within the Windows Event Viewer log. The following PowerShell command will query for these log entries:
      • Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }
    • Finally, review “C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server” for “Set-<AppName>VirtualDirectory” properties that contain script. “InternalURL” and “ExternalURL” should be the only valid URLs. The following PowerShell script will query for potential compromises:
      • Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
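The HttpProxy check above (empty “AuthenticatedUser” together with an “AnchorMailbox” matching “ServerInfo~*/*”) written as a small Python script so it can be run offline over log files exported from the server. This is an added example, not code from the original post or from Assura or Microsoft; it assumes the HttpProxy logs are CSV files with a header row that names the AuthenticatedUser and AnchorMailbox columns (any leading “#” comment lines are skipped), and the sample log content is constructed.

```python
import csv
import fnmatch
import io
import sys

# Constructed sample of an Exchange HttpProxy log. Only the columns this check
# needs are included; real logs carry many more columns.
SAMPLE_HTTPPROXY_LOG = """#Log-type: HttpProxy Logs
DateTime,RequestId,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T01:00:00.000Z,1,Ecp,/ecp/default.flt,,ServerInfo~mail.example.test/ecp/default.flt
2021-03-03T01:00:05.000Z,2,Owa,/owa/,CONTOSO\\jdoe,Sid~S-1-5-21-1-2-3-1001
2021-03-03T01:00:09.000Z,3,Ecp,/ecp/y.js,,ServerInfo~mail.example.test/owa/auth/x.js
2021-03-03T01:00:12.000Z,4,Ecp,/ecp/,CONTOSO\\admin,ServerInfo~mail.example.test/ecp/
"""

# Wildcard pattern exactly as given in the advisory text.
ANCHOR_PATTERN = "ServerInfo~*/*"


def find_unauthenticated_serverinfo(log_text):
    """Return the log rows where no user was authenticated but the request was
    anchored to a ServerInfo~*/* mailbox, i.e. the SSRF indicator for CVE-2021-26855."""
    # Exchange log files may start with '#' comment lines; drop them so the
    # first remaining line is the CSV header row (assumption, see lead-in).
    data_lines = [ln for ln in log_text.splitlines() if not ln.startswith("#")]
    hits = []
    for row in csv.DictReader(io.StringIO("\n".join(data_lines))):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = row.get("AnchorMailbox") or ""
        if user == "" and fnmatch.fnmatchcase(anchor, ANCHOR_PATTERN):
            hits.append(row)
    return hits


def scan_files(paths):
    """Run the check over exported .log files and return all matching rows."""
    hits = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits.extend(find_unauthenticated_serverinfo(fh.read()))
    return hits


if __name__ == "__main__":
    # With file arguments, scan those; otherwise demonstrate on the sample.
    rows = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else find_unauthenticated_serverinfo(SAMPLE_HTTPPROXY_LOG)
    for r in rows:
        print(r["DateTime"], r["AnchorMailbox"])
```

Rows 1 and 3 of the sample trigger the check; row 4 does not because the request was authenticated, and row 2 does not because its anchor is a SID rather than a ServerInfo path.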

Assura’s Security Operations Center monitors for breaches and security announcements in real-time.

  • When US-CERT and Microsoft announced the four new vulnerabilities yesterday (Wednesday, March 3), a detection ruleset was put in place within our Security Information and Event Management (SIEM) platform for all security monitoring customers.
  • As of March 3, 9:11:57 PM, Assura’s SOC was able to detect and alarm on the indicators of compromise provided by Microsoft and US-CERT (CISA).
  • Assura utilizes the most advanced Endpoint Protection tools for Managed Endpoint Protection clients. Active system exploitation related to this exploit would be detected via AI engines without additional rulesets. However, Assura’s Endpoint Detection and Response tools have updated rulesets to assist in the detection of the indicators of compromise related to these vulnerabilities.
  • If you are a Managed SIEM client, or a Managed Endpoint Protection client, and have an on-premises Exchange Server protected, we are actively monitoring for the exploitation of the four Exchange vulnerabilities.

If you have not already patched against the CVEs discussed in this article, please do so ASAP.

If you’re an Assura client, please do not hesitate to reach out to your Virtual ISO or Assura SOC point-of-contact if you have questions about the incident or our response. Otherwise, please contact us at [email protected].