Exchange Server Attack – Hafnium Campaign

Hafnium Introduction

This article discusses the recent Hafnium malware campaign that exploits well-known vulnerabilities of on-premises Exchange servers. Hafnium’s goal is to install a remote access tool onto the vulnerable server and slowly exfiltrate data from the infected system. This campaign is designed to covertly gather sensitive information on a variety of targets. The campaign initially exploited the vulnerabilities on specific targets but has recently performed reconnaissance scans to find all vulnerable hosts with accessible Internet connections.

Attack Methodology

The attack is usually initiated via compromised user credentials or through other unpatched vulnerabilities such as a Zero-Day vulnerability. Successful exploitation of the vulnerabilities allows the attacker to upload Web Shell into the web directory of the vulnerable host. The malicious Web Shell is usually created from one of two different application processes:

• UMWorkerProcess.exe – This is the process used for the Exchange Server’s Unified Messaging Service
• W3wp.exe – This is used for serving up the Exchange Server web front-end.

If the web shell is written to the Exchange server’s web directory by the UMWorkerProcess.exe process, it then suggests successful exploitation of CVE-2021-26858. The malicious file that is generated will provide the threat actor with access to the compromised email server remotely.

Once a successful compromise occurs in the environment, the bad actor will start performing a few post-exploitation tasks. The most common is to dump credentials using the LSASS memory process. It’s possible the data may be exfiltrated using 7-Zip compressed archives as well. Powershell may be used with the addition of snap-ins to export entire mailboxes. Powershell may also be utilized to execute well-known offensive security tools such as Covenant, Nishang, and PowerCat for remote access purposes.

Exploiting these vulnerabilities is an excellent way for cyber criminals to gain a foothold in your environment and provides a myriad of lateral movement opportunities to compromise key infrastructure within your network. The intelligence gathering capabilities of Hanfium are also noteworthy given the amount of mission critical communication that occurs through email.

List of CVE Numbers

● CVE-2021-26857
● CVE-2021-26855
● CVE-2021-26858
● CVE-2021-27065
● CVE-2021-24085
● CVE-2021-27065

Remediation and Mitigation

● Implement the patch linked below in your environment immediately to protect your on-premise Exchange server.
○ https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
● Consider scanning your environment for indicators of compromise using the Powershell scripts provided by Microsoft. These scripts can detect if your system is vulnerable to the attack vectors used by Hafnium. You can find those scripts linked below:
○ https://github.com/microsoft/CSS-Exchange/tree/main/Security
● Consider a seamless Exchange migration to avoid the potential risks associated with on-premise Exchange server(s) in your environment.