Exchange Server Attack – Hafnium Campaign
Hafnium Introduction
This article discusses the recent Hafnium malware campaign that exploits well-known vulnerabilities of on-premises Exchange servers. Hafnium’s goal is to install a remote access tool onto the vulnerable server and slowly exfiltrate data from the infected system. This campaign is designed to covertly gather sensitive information on a variety of targets. The campaign initially exploited the vulnerabilities on specific targets but has recently performed reconnaissance scans to find all vulnerable hosts with accessible Internet connections.
Attack Methodology
The attack is usually initiated via compromised user credentials or through other unpatched vulnerabilities such as a Zero-Day vulnerability. Successful exploitation of the vulnerabilities allows the attacker to upload Web Shell into the web directory of the vulnerable host. The malicious Web Shell is usually created from one of two different application processes:
- UMWorkerProcess.exe – This is the process used for the Exchange Server’s Unified Messaging Service
- W3wp.exe – This is used for serving up the Exchange Server web front-end.
If the web shell is written to the Exchange server’s web directory by the UMWorkerProcess.exe process, it then suggests successful exploitation of CVE-2021-26858. The malicious file that is generated will provide the threat actor with access to the compromised email server remotely.
Once a successful compromise occurs in the environment, the bad actor will start performing a few post-exploitation tasks. The most common is to dump credentials using the LSASS memory process. It’s possible the data may be exfiltrated using 7-Zip compressed archives as well. Powershell may be used with the addition of snap-ins to export entire mailboxes. Powershell may also be utilized to execute well-known offensive security tools such as Covenant, Nishang, and PowerCat for remote access purposes.
Exploiting these vulnerabilities is an excellent way for cyber criminals to gain a foothold in your environment and provides a myriad of lateral movement opportunities to compromise key infrastructure within your network. The intelligence gathering capabilities of Hanfium are also noteworthy given the amount of mission critical communication that occurs through email.
List of CVE Numbers
● CVE-2021-26857
● CVE-2021-26855
● CVE-2021-26858
● CVE-2021-27065
● CVE-2021-24085
● CVE-2021-27065
Remediation and Mitigation
● Implement the patch linked below in your environment immediately to protect your on-premise Exchange server.
○ https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
● Consider scanning your environment for indicators of compromise using the Powershell scripts provided by Microsoft. These scripts can detect if your system is vulnerable to the attack vectors used by Hafnium. You can find those scripts linked below:
○ https://github.com/microsoft/CSS-Exchange/tree/main/Security
● Consider a seamless Exchange migration to avoid the potential risks associated with on-premise Exchange server(s) in your environment.
Wonderful beat ! I would like to apprentice at the same time as you amend your site, how can i subscribe for a blog website? The account helped me a applicable deal. I were tiny bit familiar of this your broadcast offered vivid transparent concept
Top ,.. top top … post! Keep the good work on !
I’d like to thank you for the efforts you’ve put in writing this site. I’m hoping to view the same high-grade content from you later on as well. In fact, your creative writing abilities has encouraged me to get my own website now ;)|
It is not my first time to go to see this site, i am browsing this web site dailly and take nice facts from here everyday.|
I need to to thank you for this wonderful read!! I definitely enjoyed every little bit of it. I have you bookmarked to look at new stuff you post…|