(Updated 03/10/2021 to include defensive tips)
As the cybersecurity community continues to reel from the sweeping effects of the SolarWinds attack, the Microsoft Threat Intelligence Center (MSTIC) has released information about another widespread campaign, this one targeting Exchange servers. A state-sponsored threat actor operating out of China, which Microsoft is calling HAFNIUM, has been exploiting 0-day vulnerabilities in on-premise Exchange server software. MSTIC has identified four known vulnerabilities since the incident occurred, all of which affect on-premise Exchange servers only. Cloud Exchange servers are not affected by these vulnerabilities.
The attack begins by exploiting a server-side request forgery (SSRF) vulnerability that allows the full contents of a user’s mailbox to be stolen. The attacker only needs to know which server is running the Exchange software and which account they want to steal from (CVE-2021-26855). The attacker then chains this exploit with a secondary exploit that allows remote code execution on the targeted Exchange server (CVE-2021-27065). Another vulnerability in the same chain allows attackers to write a file to any path on the server (CVE-2021-26858). The fourth vulnerability allows attackers to run code as SYSTEM after exploiting an insecure deserialization vulnerability in the Unified Messaging service (CVE-2021-26857).
In addition to the primary Indicators of Compromise (IoCs) for these four vulnerabilities, Microsoft has released PowerShell scripts and various tools on its GitHub to help identify those IoCs on your Exchange servers. Volexity, who spotted these attacks occurring in the wild, has also released an in-depth write-up covering IoCs, proofs-of-concept, and demonstrations to assist with detection. Microsoft has published a similar write-up as well.
Microsoft has released patches for all four vulnerabilities, as well as some others, and urges everyone running on-premise Exchange servers to patch their systems immediately. Information about the security updates can be found here. Although HAFNIUM is believed to be the first known entity to exploit these vulnerabilities, Microsoft continues to see increasing attacks on unpatched systems by actors beyond HAFNIUM.
Threat Response Measures
- Identify and patch vulnerable Exchange Server systems with the Microsoft-issued security updates.
- Utilize the alternative mitigations provided by Microsoft where you cannot immediately deploy patches.
- Use Microsoft’s PowerShell script to search for indicators of compromise on your Exchange server.
- Enable WatchGuard security services for additional protection.
Panda AD 360 has detections for the PowerShell payloads and many of the webshells involved in this attack.
The Firebox’s Intrusion Prevention Service (IPS) has signatures that detect and block the first stage in the attack’s exploit chain.
Gateway AntiVirus has multiple signatures to detect and block the webshells used in the attack.
APT Blocker successfully detects the malicious PowerShell backdoors used in this attack.
Firebox Access Portal and VPN
The first stage of this attack requires an Exchange server exposed to the internet. You can mitigate this stage by placing the Exchange server behind the Firebox’s Access Portal on supported appliances.
Klaus Richter says
Did WatchGuard introduce IPS signatures to prevent the vulnerabilities in WatchGuard firewalls?
Any suggested settings from WatchGuard to help with this?
Reverse proxy? Block the /ecp folder with SNAT rules?
Our company patched the day of the patch’s release, but we were hit days before (on the 27th).
We deleted the installed webshell and plan a rebuild this weekend.
But any pointers on settings that might have prevented this attack on the firewall side would be very helpful.