Microsoft flags China-based Hafnium as main actor behind Exchange Server exploits
- 03 March, 2021 13:00
Microsoft has released security updates for Exchange Server to protect users against vulnerabilities in on-premises versions of the software, with the China-based state-sponsored actor Hafnium flagged as the primary group behind the exploits.
The vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 — affect Microsoft Exchange Server 2013, 2016 and 2019, and are used together in an attack chain that begins with nothing more than the ability to make an untrusted connection to the Exchange Server on port 443.
Exchange Online is not affected.
According to a blog post by Tom Burt, Microsoft corporate vice president of customer security and trust, the group primarily responsible for the exploits has been named Hafnium by the Microsoft Threat Intelligence Center (MSTIC). The group has previously targeted US entities.
In the past, Hafnium has taken information from infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and non-government organisations. Although it is based in China, it conducts its operations primarily from leased virtual private servers in the US.
In the Exchange Server campaign, the attack chain starts with the actor gaining access to an Exchange Server, either with stolen passwords or by using the vulnerabilities to disguise itself as someone who should have access.
Next, the actor creates a web shell to control the compromised server remotely. It then uses that access, routed through US-based private servers, to steal data.
While the first step can be blocked by restricting untrusted connections or by placing the Exchange Server behind a VPN so it is not reachable from the internet, the rest of the chain can still play out if an actor already has access, or if it can persuade an administrator to run a malicious file.
To check whether they have been compromised, Microsoft recommends that administrators scan the Exchange log files for the following signs of exploitation.
For CVE-2021-26855, entries in the HttpProxy logs (under C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy) with an empty AuthenticatedUser and an AnchorMailbox matching the pattern ServerInfo~*/* indicate exploitation.
Exploitation of CVE-2021-26858 leaves traces in the logs under C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog.
Evidence of CVE-2021-26857 exploitation will be found in Windows Application event logs, with events containing the following properties, according to Microsoft:
- Source: MSExchange Unified Messaging
- EntryType: Error
- Event Message Contains: System.InvalidCastException
Evidence of exploitation of the last vulnerability, CVE-2021-27065, can be found in the ECP server logs under C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server. Microsoft notes that the properties passed to any Set-<AppName>VirtualDirectory cmdlet should never contain script, and that InternalUrl and ExternalUrl should only ever be valid URIs; entries that break either rule are suspect.
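As an added illustration, not code from the article or from Microsoft's guidance, the following Python script applies the three log indicators above to data exported from a server, so it can be run offline on copied logs. The log formats are simplified stand-ins (an assumption): HttpProxy logs are modelled as CSV with the '#Fields:' header line, ECP server entries as text lines carrying the cmdlet call and its parameters, and Application events as dictionaries. The sample entries, server names and the script-detection heuristic are constructed for the example. The article gives no concrete pattern for the OABGeneratorLog, so CVE-2021-26858 is not covered here.

```python
# Added example: offline triage of the Exchange indicators described above.
# Log formats are simplified stand-ins (assumption): HttpProxy logs as CSV with a
# '#Fields:' header, ECP Server entries as text lines with the cmdlet call,
# Application events as dicts. All sample data below is constructed.
import csv
import fnmatch
import re
from urllib.parse import urlparse


def parse_csv_log(text):
    """Parse an Exchange-style CSV log: '#Fields:' names the columns, other '#' lines are metadata."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # metadata, blank line, or data before the header
        else:
            rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def find_cve_2021_26855(httpproxy_rows):
    """SSRF indicator: empty AuthenticatedUser with AnchorMailbox matching ServerInfo~*/*."""
    return [r for r in httpproxy_rows
            if r.get("AuthenticatedUser", "") == ""
            and fnmatch.fnmatchcase(r.get("AnchorMailbox", ""), "ServerInfo~*/*")]


def find_cve_2021_26857(app_events):
    """Unified Messaging deserialization indicator in the Application event log."""
    return [e for e in app_events
            if e.get("Source") == "MSExchange Unified Messaging"
            and e.get("EntryType") == "Error"
            and "System.InvalidCastException" in e.get("Message", "")]


SET_VDIR = re.compile(r"Set-\w+VirtualDirectory", re.IGNORECASE)
# -Name 'value' | -Name "value" | -Name bare  (a bare value may not start with '-')
PARAM = re.compile(r"-(\w+)\s+(?:'([^']*)'|\"([^\"]*)\"|([^\s'\"-]\S*))")
SCRIPT = re.compile(r"<script|<%|<\?", re.IGNORECASE)  # minimal heuristic (assumption)


def _valid_http_uri(value):
    p = urlparse(value)
    return p.scheme in ("http", "https") and bool(p.netloc)


def find_cve_2021_27065(ecp_lines):
    """Flag Set-*VirtualDirectory calls whose parameters carry script or a non-URI InternalUrl/ExternalUrl."""
    hits = []
    for line in ecp_lines:
        m = SET_VDIR.search(line)
        if not m:
            continue
        for pm in PARAM.finditer(line[m.end():]):  # parameters follow the cmdlet name
            name = pm.group(1)
            value = next(g for g in pm.groups()[1:] if g is not None)
            if SCRIPT.search(value):
                hits.append((name, "script in parameter", line))
            elif name in ("InternalUrl", "ExternalUrl") and not _valid_http_uri(value):
                hits.append((name, "invalid uri", line))
    return hits


# --- Constructed sample input (not real telemetry) ---
HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,AuthenticatedUser,AnchorMailbox,UrlStem
2021-03-02T10:15:01.000Z,contoso\\alice,Sid~S-1-5-21-1-2-3-1104,/owa/
2021-03-02T10:16:44.000Z,,ServerInfo~a]@ex01.contoso.local:444/autodiscover/autodiscover.xml,/ecp/y.js
2021-03-02T10:17:02.000Z,,,/owa/auth/logon.aspx
"""
APP_EVENTS = [
    {"Source": "MSExchange Unified Messaging", "EntryType": "Error",
     "Message": "An unexpected error occurred: System.InvalidCastException: Unable to cast object"},
    {"Source": "MSExchange Unified Messaging", "EntryType": "Information",
     "Message": "The Unified Messaging service started."},
    {"Source": "MSExchange Common", "EntryType": "Error",
     "Message": "System.InvalidCastException in an unrelated component"},
]
ECP_LOG_LINES = [
    "2021-03-02T10:20:11Z Set-OwaVirtualDirectory -Identity 'EX01\\owa (Default Web Site)' -ExternalUrl 'https://mail.contoso.com/owa'",
    "2021-03-02T10:21:30Z Set-OabVirtualDirectory -Identity 'EX01\\OAB (Default Web Site)' -ExternalUrl 'http://f/<script language=JScript runat=server>...</script>'",
    "2021-03-02T10:22:05Z Set-EcpVirtualDirectory -Identity 'EX01\\ecp (Default Web Site)' -InternalUrl 'not a uri'",
    "2021-03-02T10:23:00Z Get-OabVirtualDirectory -Identity 'EX01\\OAB (Default Web Site)'",
]


def triage(httpproxy_text=HTTPPROXY_LOG, app_events=APP_EVENTS, ecp_lines=ECP_LOG_LINES):
    """Return the number of suspicious entries found per CVE."""
    return {
        "CVE-2021-26855": len(find_cve_2021_26855(parse_csv_log(httpproxy_text))),
        "CVE-2021-26857": len(find_cve_2021_26857(app_events)),
        "CVE-2021-27065": len(find_cve_2021_27065(ecp_lines)),
    }


if __name__ == "__main__":
    for cve, n in triage().items():
        print(f"{cve}: {n} suspicious entries")
```

On the sample data the script reports one hit per CVE for the first two checks and two for CVE-2021-27065: the OAB virtual directory whose ExternalUrl carries server-side script (the web-shell drop the article describes) and the ECP virtual directory given a value that is not a URI. A legitimate configuration change and a Get- cmdlet produce no hits, and an InvalidCastException from a source other than Unified Messaging is ignored.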
Microsoft added that the Exchange Server exploits were not connected to the SolarWinds attacks that occurred late last year, and that it has seen no evidence to date that the actor behind SolarWinds found or used any vulnerability in its own products and services.