HAFNIUM APT Exploits Microsoft Exchange Zero-Days to Steal Data and Install Malware
In January 2021, security researchers from Violexity revealed a long-term malicious operation launched by China-affiliated HAFNIUM APT against a number of unnamed organizations. Threat actors leveraged a set of previously undisclosed zero-day vulnerabilities in Microsoft Exchange to access sensitive corporate information and perform other nefarious actions after the intrusion.
Zero-Day Vulnerabilities in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
Researchers report a total of four new zero-days being exploited in the wild during Operation Exchange Marauder.
The first issue leveraged by HAFNIUM threat actors is a server-side request forgery (SSRF) bug (CVE-2021-26855) that might allow a remote unauthorized actor to send arbitrary HTTP requests to port 443 and authenticate as the Exchange server. As a result, attackers can easily access the corporate mailboxes with no special knowledge of the targeted network.
The next zero-day issue used during the campaign is an insecure deserialization bug (CVE-2021-26857) residing in the Unified Messaging service. This security hole allows hackers to run arbitrary code as SYSTEM on the vulnerable Exchange server. Still, successful exploitation demands admin rights or another flaw to leverage first.
The remaining two zero-days are post-authentication arbitrary file write bugs (CVE-2021-26858, CVE-2021-27065) that enable writing a file to any path on the compromised server. The exploitation demands authentication, which might be achieved via SSRF flaw (CVE-2021-26855) or by dumping administrator credentials.
Operation Exchange Marauder: Attack Details
Microsoft reports that Chinese nation-backed actors leveraged the combination of the above-mentioned zero-days to drop web shells on the systems and dump email data alongside admin credentials. Additionally, adversaries managed to gain access to the offline address book (OAB) for Exchange. All gathered details might serve for further reconnaissance against the targeted organizations.
The vendors attacked during the Operation Exchange Marauder remain undisclosed. However, the previous HAFNIUM APT campaigns give grounds to suspect that high-profile organizations located in the U.S. might be in the spotlight. Earlier, threat actors were identified to compromise various assets across the U.S., including those referring to industrial businesses, educational institutions, think tanks, and non-governmental organizations.
Notably, apart from HAFNIUM APT, several other hacker groups aimed at cyber-espionage were identified leveraging Microsoft Exchange zero-days in the wild. Particularly, ESET spotted active SSRF flaw (CVE-2021-26855) exploitation against entities within the US, Germany, France, and Kazakhstan.
Detection and Mitigation
According to Microsoft advisory, the new zero-days affect Microsoft Exchange Server versions 2010, 2013, 2016, and 2019. The out-of-band patches were released on March 2, 2021, so users are urged to upgrade as soon as possible.
In a view of the active exploitation and to facilitate timely attack detection, in collaboration with Microsoft, the SOC Prime Team urgently released a set of free Sigma rules to identify possible malicious activities related to the newly-discovered zero-days.
Update from 3/18/2021: To enhance the proactive defense against possible attacks leveraging Microsoft Exchange zero-day vulnerabilities, SOC Prime’s active Threat Bounty developer Emir Erdogan released a set of community Sigma rules. Explore the detections via the links below.
Stay tuned to the latest Threat Detection Marketplace updates, and don’t miss fresh SOC content related to these severe issues. All the new rules will be added to this post.
Get a free subscription to the Threat Detection Marketplace, a world-leading Content-as-a-Service (CaaS) platform aggregating over 96,000 Detection and Response rules for proactive cyber defense. Want to craft your own detection content? Join our Threat Bounty Program and contribute to the global threat hunting initiatives.