Operation Exchange Marauder

March 03, 2021 · 4 min read

HAFNIUM APT Exploits Microsoft Exchange Zero-Days to Steal Data and Install Malware

In January 2021, security researchers from Violexity revealed a long-term malicious operation launched by China-affiliated HAFNIUM APT against a number of unnamed organizations. Threat actors leveraged a set of previously undisclosed zero-day vulnerabilities in Microsoft Exchange to access sensitive corporate information and perform other nefarious actions after the intrusion.

Zero-Day Vulnerabilities in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)

Researchers report a total of four new zero-days being exploited in the wild during Operation Exchange Marauder.

The first issue leveraged by HAFNIUM threat actors is a server-side request forgery (SSRF) bug (CVE-2021-26855) that might allow a remote unauthorized actor to send arbitrary HTTP requests to port 443 and authenticate as the Exchange server. As a result, attackers can easily access the corporate mailboxes with no special knowledge of the targeted network.

The next zero-day issue used during the campaign is an insecure deserialization bug (CVE-2021-26857) residing in the Unified Messaging service. This security hole allows hackers to run arbitrary code as SYSTEM on the vulnerable Exchange server. Still, successful exploitation demands admin rights or another flaw to leverage first.

The remaining two zero-days are post-authentication arbitrary file write bugs (CVE-2021-26858, CVE-2021-27065) that enable writing a file to any path on the compromised server. The exploitation demands authentication, which might be achieved via SSRF flaw (CVE-2021-26855) or by dumping administrator credentials.

Operation Exchange Marauder: Attack Details

Microsoft reports that Chinese nation-backed actors leveraged the combination of the above-mentioned zero-days to drop web shells on the systems and dump email data alongside admin credentials. Additionally, adversaries managed to gain access to the offline address book (OAB) for Exchange. All gathered details might serve for further reconnaissance against the targeted organizations.

The vendors attacked during the Operation Exchange Marauder remain undisclosed. However, the previous HAFNIUM APT campaigns give grounds to suspect that high-profile organizations located in the U.S. might be in the spotlight. Earlier, threat actors were identified to compromise various assets across the U.S., including those referring to industrial businesses, educational institutions, think tanks, and non-governmental organizations.

Notably, apart from HAFNIUM APT, several other hacker groups aimed at cyber-espionage were identified leveraging Microsoft Exchange zero-days in the wild. Particularly, ESET spotted active SSRF flaw (CVE-2021-26855) exploitation against entities within the US, Germany, France, and Kazakhstan.

Detection and Mitigation

According to Microsoft advisory, the new zero-days affect Microsoft Exchange Server versions 2010, 2013, 2016, and 2019. The out-of-band patches were released on March 2, 2021, so users are urged to upgrade as soon as possible.

In a view of the active exploitation and to facilitate timely attack detection, in collaboration with Microsoft, the SOC Prime Team urgently released a set of free Sigma rules to identify possible malicious activities related to the newly-discovered zero-days.

Possible Unknown Exchange 0 Day March 2021 (via web)

Possible HAFNIUM Webshell March 2021 (via web)

Possible Exchange CVE-2021-26858 (via file_event)

Powershell Exchange Snapin (via cmdline)

Possible Exchange CVE-2021-26858 (via audit)

Powershell Opens Raw Socket (via cmdline)

Unknown Exchange 0day Relevant Crash Event (via application)

UMWorkerProcess Creating Unusual Child Process CVE-2021-26857 (via cmdline)

Update from 3/18/2021: To enhance the proactive defense against possible attacks leveraging Microsoft Exchange zero-day vulnerabilities, SOC Prime’s active Threat Bounty developer Emir Erdogan released a set of community Sigma rules. Explore the detections via the links below.

Post-Exploitation Web-Shell Access To Exchange Servers (Web Log User-Agents)

CVE-2021-27065 Exploited on Exchange Server To Deploy CHOPPER Webshell

Marauder Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities (via WebServer)

Post Exploitation From Microsoft Exchange Hafnium (via scheduled task and proxy)

Possible File Creation By Known Processes Dropping Webshells CVE-2021-26858

Stay tuned to the latest Threat Detection Marketplace updates, and don’t miss fresh SOC content related to these severe issues. All the new rules will be added to this post.

Get a free subscription to the Threat Detection Marketplace, a world-leading Content-as-a-Service (CaaS) platform aggregating over 96,000 Detection and Response rules for proactive cyber defense. Want to craft your own detection content? Join our Threat Bounty Program and contribute to the global threat hunting initiatives.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts