Microsoft Exchange Server — Attack 2021

The biggest attack blew 2021 in the start, where Microsoft Exchange Server was attacked by Hafnium — A Chinese group of hackers. The big buzz was created when almost all the important organizations including homeland security to Health Care organizations to 500 Fortune Companies, became victim of the attack. Let’s dive deeper, and learn few points on how attack worked.

TIMELINE OF EVENTS

Common Vulnerability Exposure list — Addressed

CVE-2021–26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

This occurred because the unauthenticated requests were allowed on exchange server at port 443.Once the SSRF was done successfully, the Remote code execution was possible.

CVE-2021–26857 : insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run remote code as SYSTEM on the Exchange server. This requires administrators’ permission or another vulnerability to exploit.

The CVE-2021-26857 resulted into RCE (Remote Code Execution). Now if the hackers gain either of the two : Credentials of admin or simply authenticate them by SSRF, they can leverage to write to the files on server.

CVE-2021–26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server.

CVE-2021–27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021–26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Once the attack was done and access to server was gained, it was time to maintain persistence on the server. Hackers did so by simply uploading a webshell — CHINA CHOPPER , which is capable of executing commands , hence acting as a backdoor, which whenever triggered, results to access of the server. They created a good level of defense and were difficult to spot. Together these 4 vulnerabilities form a powerful attack chain which only requires the attacker to find the server running Exchange, and the account from which they want to extract email.

After the webshell was uploaded, the exfiltration of data was easy.

Step 1: Using Procdump to dump the LSASS process memory:

Step 2: Using 7-Zip to compress stolen data into ZIP files for exfiltration:

Step 3: Adding and using Exchange PowerShell snap-ins to export mailbox data:

Step 4: Using the Nishang Invoke-PowerShellTcpOneLine reverse shell:

Step 5: Downloading PowerCat from GitHub, then using it to open a connection to a remote server:

Step 6: Simply transfer the zip to your C2 server, to your team server.

The attack phases listed by Microsoft.

If we look closely, the steps and phases are nothing but simple red team operation cycle. In which we do initial recon , exploit, persist, laterally move, exfiltrate data and come out of victim server.

Once the access was gained, whole process afterwards, was nothing but a simple Windows Privilege Escalation process, starting with checking whoami, net user (which was SYSTEM as highest privileges were gained by exploiting SSRF) , then simply creating users, adding them to local groups and admin groups and so on.

PREVENTION

1. Always keep yourself updated with patches, though I can say here patches were release after the exploit. But since now they available, go and please patch.
2. Always keep your antivirus and endpoint security enabled.
3. Follow concept of ACL — Access control list, to prevent breach of confidentiality. That means , only authorized personal should be allowed to access the things he is authorized for.

MITIGATION

1. Apply patches if not compromised yet.
2. If compromised try developing | rebuilding your exchange server using backups.
3. If can’t patch, isolate the compromised servers, by cutting of the internet connection
4. Consider switching to exchange online or OFFICE 365.

Hopefully, you might have gained some insight of this attack.