Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, an APT group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
Who is HAFNIUM?
HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.
In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments.
The HAFNIUM APT group operates primarily from leased virtual private servers (VPS) in the United States.
Microsoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.
Indicators of Compromise (IOC):
Web shell hashes:
Note that these vulnerabilities affect on-premises Microsoft Exchange Server; Exchange Online is not affected. The vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange Server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. This mitigation only protects against the initial portion of the attack; other portions of the chain can still be triggered if an attacker already has access or can convince an administrator to run a malicious file. We recommend prioritizing the installation of updates on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated.
Google has confirmed that it is aware of reports that a zero-day Chrome browser exploit exists in the wild. A zero-day vulnerability remains a relatively rare event in cybersecurity terms, and as such is both a valuable and dangerous thing in the hands of threat actors. The term relates to a vulnerability that is actively exploited by hackers before it has been discovered by either the product vendor or the threat intelligence community. Only at the point of discovery, day zero, can mitigation efforts begin. This leaves the threat window wide open, often for weeks or months, to the attackers with that head start.
Chrome 88 fixes a zero-day vulnerability known as CVE-2021-21148. It was reported by security researcher Mattias Buelens back on Jan. 24, but Google discovered it was being exploited by hackers before the vulnerability could be patched out of the browser.
Our security team recommends that both end users and IT administrators apply the necessary Chrome updates as soon as possible. The updates cover the Windows, Mac and Linux versions of the Chrome browser, as well as browsers such as Edge that are built on the same Chromium platform, and will be rolling out "over the coming days and weeks," according to Google. The patched Chrome version to look out for is 88.0.4324.
Automatic updating ensures that Chrome is updated to the latest version once the browser is restarted. Of course, not everyone will have automatic updates enabled, and not all of those who do will restart Chrome on a regular basis.
Sudo is a powerful utility that’s included in most if not all Unix- and Linux-based OSes. It allows users to run programs with the security privileges of another user.
The Qualys Security Research Team has discovered a heap overflow vulnerability in sudo, a near-ubiquitous utility available on major Unix-like operating systems. By exploiting this vulnerability, any unprivileged user can gain root privileges on a vulnerable host running a default sudo configuration.
The Sudo privilege escalation vulnerability is tracked as CVE-2021-3156 (aka Baron Samedit). The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.
To test whether a system is vulnerable, log in to the system as a non-root user.
Run the command “sudoedit -s /”.
If the system is vulnerable, it will respond with an error that starts with “sudoedit:”.
If the system is patched, it will respond with an error that starts with “usage:”.
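The probe above can be scripted so it can be run across a fleet of hosts. The following is an added example written for this post, not code from Qualys or from the sudo project; the sample error strings it is tested against are constructed from the advisory's description (first word “sudoedit:” versus “usage:”), not copied from any host.

```shell
#!/bin/sh
# Added example: automate the "sudoedit -s /" probe for CVE-2021-3156 and
# classify its output. Assumes only the prefix behaviour the advisory describes.

# Classify the first line of stderr produced by "sudoedit -s /".
# Prints: vulnerable | patched | unknown (sudoedit missing, sudoers denial, ...)
classify_sudoedit_output() {
    case "$1" in
        sudoedit:*) printf 'vulnerable\n' ;;
        usage:*)    printf 'patched\n' ;;
        *)          printf 'unknown\n' ;;
    esac
}

# Run the probe on this host. Exit status: 0 patched, 1 vulnerable, 2 undetermined.
# Must run as a non-root user; as root the result says nothing about the bug.
check_cve_2021_3156() {
    if [ "$(id -u)" -eq 0 ]; then
        printf 'unknown\n'
        return 2
    fi
    if ! command -v sudoedit >/dev/null 2>&1; then
        printf 'unknown\n'
        return 2
    fi
    # </dev/null keeps a password prompt from blocking; only the first line matters
    first_line=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
    verdict=$(classify_sudoedit_output "$first_line")
    printf '%s\n' "$verdict"
    case "$verdict" in
        vulnerable) return 1 ;;
        patched)    return 0 ;;
        *)          return 2 ;;
    esac
}

# Set RUN_SUDO_CHECK=1 to execute the probe when this file is run directly;
# otherwise source it and call check_cve_2021_3156 from your own tooling.
if [ "${RUN_SUDO_CHECK:-0}" = "1" ]; then
    check_cve_2021_3156 || true
    sudo -V 2>/dev/null | head -n 1   # report the installed sudo version alongside
fi
```

A result of “unknown” should be followed up by comparing the installed sudo version against the affected ranges given above (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1).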
Given the breadth of the attack surface for this vulnerability, we recommend users apply patches for this vulnerability immediately.
If you are not already our customer, start a free trial of AlienVault USM SIEM to scan for this vulnerability (CVE-2021-3156), leverage threat intelligence and automated security monitoring capabilities, and identify your vulnerable assets.
Last week FireEye uncovered a highly evasive hacking campaign that leverages the SolarWinds supply chain using the SUNBURST backdoor, which FireEye tracks as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world via trojanized updates to SolarWinds’ Orion IT monitoring and management software. The campaign may have begun as early as spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor, and the operation was conducted with significant operational security.
SolarWinds recently filed an SEC report indicating that, while they have over 300,000 customers, fewer than 18,000 customers were running the trojanized version of the Orion software. The cyber-attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them. The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft.
The nature of the initial phase of the attack and the breadth of supply chain vulnerability is illustrated clearly in the map below, which is based on telemetry data from Microsoft’s Defender Anti-Virus software. The data identifies customers who use Defender and who installed versions of SolarWinds’ Orion software containing the attackers’ malware. As this makes clear, this aspect of the attack created a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia. This also illustrates the heightened level of vulnerability in the United States and United Kingdom.
Microsoft has identified and notified more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures.
While roughly 80% of these customers are located in the United States, this work so far has also identified victims in seven additional countries. This includes Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East. It’s certain that the number and location of victims will keep growing.
The initial list of victims includes not only government agencies, but security and other technology firms as well as non-governmental organizations, as shown in the chart below. 44% of the victims were in the information technology sector, including software firms, equipment providers and IT services firms. We anticipate there are additional victims in other countries and verticals.
FireEye is currently tracking the software supply chain compromise and related post-intrusion activity as UNC2452. This actor prefers to maintain a light malware footprint, relying instead on legitimate credentials and remote access to get into a victim’s environment.
We’re sharing what we’ve learned from the time we have spent analysing this sophisticated cyber-attack with the community. Any organization utilizing SolarWinds Orion IT management software is potentially at risk from this cyber threat. These organizations should immediately identify Orion systems in their network, determine if they are compromised with the SUNBURST backdoor and seek out further evidence of compromise.
FireEye’s research has been a foundation in providing not only useful signatures, but also indicators which help with tracking and threat hunting for malicious activity.
A summary of Indicators of Compromise (IOCs) is included below.
Threat Detection & Mitigation using IOCs:
SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor which communicates via HTTP to third-party servers. The trojanized version of this SolarWinds Orion plug-in is tracked as SUNBURST.
At the time of this publication, the Windows Installer Patch file including the trojanized version of the SolarWinds Orion product was still reachable:
This installer contains:
The IT infrastructure related to this series of cyber attacks includes:
Due to the nature of these cyber-attacks, we recommend our customers perform the above searches immediately. If you are unable to, Ashco Systems will help you locate the SolarWinds Orion servers owned by your organization and assess whether you’ve been compromised. After we’ve completed our analysis, we’ll provide you with an assessment report with expert recommendations.