How the vulnerability in Microsoft Exchange Server works and how hackers use it

Lord777

There are no invulnerable programs - this truth is known to everyone. But when attackers find zero‑day vulnerabilities in some software, the fun begins: both for users and for developers who have to fix the detected gaps in an emergency mode. And if this happens with very popular and widely distributed software, the fun begins to take on shades of drama. This is exactly what happened with Microsoft Exchange Server in January 2021.

FireEye was one of the first companies to report problems in Exchange. According to the vendor, many American commercial firms, several local governments in different states, as well as a university and even an unnamed research center were affected by the hackers' activities. Cybercriminals uploaded web shells to hacked Exchange servers for unauthorized access, remotely executed code, and disabled security tools running on the system.

Soon, Microsoft confirmed the problem and reported that the villains were using at least four previously unknown zero-day vulnerabilities for their villainous purposes. To fix them, all Exchange Server users needed to urgently install the patches Microsoft had released. However, everyone knows that rolling out updates is a slow process, requiring significant reserves of beer and a lot of time, and so the hackers continued to frolic on the compromised servers for several more months. Attacks on Exchange only began to decline by the end of this March. What were these vulnerabilities and how did the attackers use them for their own purposes? Let's get this straight.

WHAT HAPPENED?
According to analysts from FireEye, hackers used several attack vectors. All files on the Exchange servers were created on behalf of the system account NT AUTHORITY\SYSTEM, which has elevated privileges in Windows, and the web shells were launched by the Microsoft Exchange Unified Messaging Service process UMWorkerProcess.exe. The parent of the malicious files discovered by researchers on compromised servers was the process w3wp.exe, which is responsible for the Exchange Server web interface. Microsoft researchers concluded that a hacker group called HAFNIUM is behind all these incidents; it had previously been seen attacking American defense companies, law firms, think tanks, and infectious disease research laboratories. It is assumed that this group is connected with the Chinese government, but of course there is no absolute proof of this.

The story began in January 2021, when the Mandiant Managed Defense service developed by FireEye discovered a suspicious web shell on one of the Microsoft Exchange servers. A script with the unassuming name help.aspx tried to find the FireEye xAgent, CarbonBlack, and CrowdStrike Falcon security tools on the server and saved the result of its work to a log.

[Image exch01.jpg] Fragment of the help.aspx script, illustrated by FireEye

The shell was started by the process UMWorkerProcess.exe, which belongs to the Microsoft Exchange Server Unified Messaging service. To do this, the attackers took advantage of the vulnerability CVE-2021-26858, which Microsoft classified as medium severity.

About twenty days later, the hackers committed a new atrocity by uploading another web shell, named iisstart.aspx. This script was obfuscated and had a wider set of functions: it allowed executing arbitrary commands, as well as viewing, deleting, uploading and launching files on the server at the attackers' request. The hackers achieved this using Microsoft Exchange Server vulnerabilities.

[Image exch02.jpg] Fragment of the iisstart.aspx script, illustrated by FireEye

Soon, FireEye analysts noticed another incident with a malicious web shell running on an Exchange server. This time, the process w3wp.exe, which serves the Internet Information Server web interface, launched the command line (cmd.exe), and the attackers used it to save a file to disk. This file turned out to be the well-known China Chopper web shell, which has long been used successfully by Chinese and Russian hackers. A small file weighing only 4 KB gives the hacker access to the file system and databases of the compromised server. By and large, it is a compact backdoor that can be remotely controlled using a simple utility with an intuitive graphical interface.

[Image exch03.jpg] The China Chopper management utility has a user-friendly graphical interface

In addition, the researchers found that in both of these cases the attackers removed the user administrator from the Exchange Organization administrators group on the domain controller to which the attacked server belonged. This was done using the command net group "Exchange Organization administrators" administrator /del /domain. If Exchange Server was deployed on a standalone machine without an AD connection, the command was executed locally.

It turned out that after a successful hack, the hackers used the following kinds of post-exploitation:
  • stealing user credentials using a memory dump of the LSASS process;
  • using Exchange PowerShell snap-ins to export user mailboxes;
  • using the Covenant, Nishang, and PowerCat tools to remotely access the compromised server.
All the extracted information was packaged by the villains using the 7zip archiver and quietly downloaded from the hacked hosts. In other words, at the initial stage, the main goal of the attackers was to collect information on compromised servers and steal confidential user information.

INVESTIGATION
A thorough study of these attacks began from several sides at once: on the one hand, the excavations were led by FireEye, whose security tools were the first to detect the threat, and on the other, experts from Microsoft Corporation, the authors of the vulnerable Exchange Server, took up the shovels. A little later, ESET joined the process.

The researchers found that, in addition to HAFNIUM, other hacking groups of Chinese origin (LuckyMouse, Tick and Calypso) may also be involved in attacks using the Exchange Server vulnerabilities. The cybercriminals carried out a series of attacks using the vulnerability chain CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, the ultimate goal of which was remote code execution without authentication. This chain was given the general name ProxyLogon. On one of the hacked servers, analysts found as many as two different web shells, from which they concluded that the server had been breached through the same vulnerabilities by two independent groups of hackers using different post-exploitation tools.

One of the characteristic signs of compromise was the appearance of suspicious processes in the system whose parent is the Exchange Unified Messaging service process UMWorkerProcess.exe. In addition, traces of intrusion can be detected in the Windows application event logs, since exploiting the deserialization flaw in CVE-2021-26857 causes errors to be logged by the MSExchange Unified Messaging service. In these logs you can also search for events in which the IIS front-end process C:\Windows\System32\inetsrv\w3wp.exe launches cmd.exe or the PowerShell console. In turn, the vulnerability CVE-2021-26858 was used by attackers to delete files on the server, mainly web shell scripts that became unnecessary after the payload, in the form of backdoors, had been successfully installed.

If the server was already compromised, the presence of intruders on it could be detected using Sysmon by searching for suspicious files in unusual places. To steal user credentials, the villains created an LSASS memory dump using the command-line utility ProcDump, which can also be tracked in the logs or with Sysmon:
Code:
norm_id=WindowsSysmon label="Process" label=Create
command IN ["* -ma lsass*"]

To export mailbox data from Exchange Server users, attackers used the Exchange PowerShell snap-in, which can be easily detected by monitoring process creation events in Sysmon or analyzing the event log:
Code:
norm_id=WindowsSysmon label="Process" label=Create
image IN ["*\cmd.exe", "*\powershell.exe", "*\powershell_ise.exe"] command="*Add-PSSnapin Microsoft.Exchange.Powershell.Snapin*"
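The two Sysmon queries above, the parent-process indicator from the previous section and the net group command used to drop the administrator from the Exchange Organization administrators group can all be expressed as one small detector. The following Python is an added example written for this page, not code from FireEye, Microsoft or the article's author: it walks a list of constructed Sysmon-style events (process creation, Event ID 1, and file creation, Event ID 11) and returns the indicator names each event matches. The event field names mirror Sysmon's (Image, ParentImage, CommandLine, TargetFilename), but the sample events themselves are made up for the demonstration.

```python
"""Toy detector for the ProxyLogon post-exploitation indicators described above.

Added example: the events below are constructed, not real telemetry, and the
field names follow Sysmon's naming (Image, ParentImage, CommandLine, TargetFilename).
"""
import re
from typing import Dict, List

# Exchange worker processes that should not be spawning shells or writing .aspx files.
EXCHANGE_WORKERS = {"w3wp.exe", "umworkerprocess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "powershell_ise.exe"}

# Mirrors the command quoted in the article:
#   net group "Exchange Organization administrators" administrator /del /domain
NET_GROUP_DEL = re.compile(
    r'net1?\s+group\s+"exchange organization administrators".*?/del', re.IGNORECASE
)


def basename(path: str) -> str:
    """Last path component, lower-cased, so C:\\...\\W3WP.EXE and w3wp.exe compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(evt: Dict[str, object]) -> List[str]:
    """Return the indicator names this event matches (an empty list means nothing suspicious)."""
    hits: List[str] = []
    image = basename(str(evt.get("Image", "")))
    parent = basename(str(evt.get("ParentImage", "")))
    cmd = str(evt.get("CommandLine", "")).lower()
    eid = evt.get("EventID")

    if eid == 1:  # Sysmon process creation
        # w3wp.exe / UMWorkerProcess.exe spawning cmd.exe or PowerShell: web shell activity.
        if parent in EXCHANGE_WORKERS and image in SHELLS:
            hits.append("exchange_worker_spawned_shell")
        # ProcDump full dump of LSASS, same pattern as the first query above ("* -ma lsass*").
        if " -ma lsass" in cmd:
            hits.append("lsass_memory_dump")
        # Exchange snap-in loaded from a shell, same pattern as the second query above.
        if image in SHELLS and "add-pssnapin microsoft.exchange.powershell.snapin" in cmd:
            hits.append("exchange_snapin_loaded")
        # Administrator removed from the Exchange Organization administrators group.
        if NET_GROUP_DEL.search(cmd):
            hits.append("exchange_admin_group_removal")
    elif eid == 11:  # Sysmon file creation
        target = str(evt.get("TargetFilename", "")).lower()
        # An Exchange worker writing an .aspx file is how the web shells landed on disk.
        if image in EXCHANGE_WORKERS and target.endswith(".aspx"):
            hits.append("aspx_dropped_by_exchange_worker")
    return hits


def scan(events: List[Dict[str, object]]) -> Dict[str, List[int]]:
    """Map each indicator name to the indexes of the events that triggered it."""
    report: Dict[str, List[int]] = {}
    for i, evt in enumerate(events):
        for name in classify(evt):
            report.setdefault(name, []).append(i)
    return report


# Constructed sample events (not real logs); index 4 is a benign control.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'cmd.exe /c net group "Exchange Organization administrators" administrator /del /domain'},
    {"EventID": 1, "Image": r"C:\Users\Public\procdump64.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -nop -c Add-PSSnapin Microsoft.Exchange.Powershell.Snapin"},
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Windows\Temp\help.aspx"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for name, idxs in scan(SAMPLE_EVENTS).items():
        print(f"{name}: events {idxs}")
```

The checks are deliberately narrow string and regex matches on the same fields the two queries use, so a real deployment would feed it parsed Sysmon XML or the forwarded JSON from a SIEM rather than hand-built dictionaries; the benign svchost.exe event is there to show that ordinary service activity does not trip any rule.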

If Windows Defender is not disabled on the server, it can catch the scripts and payloads used by the attackers, which it detects under the following names:
  • Exploit:Script/Exmann.A!dha;
  • Behavior:Win32/Exmann.A;
  • Backdoor:ASP/SecChecker.A;
  • Backdoor:JS/Webshell;
  • Trojan:JS/Chopper!dha;
  • Behavior:Win32/DumpLsass.A!attk;
  • Backdoor:HTML/TwoFaceVar.B.
In general, the following picture emerged. The villains sent a specially crafted HTTP request to the server and, thanks to the vulnerability CVE-2021-26855, logged in to it. Then, using the other three vulnerabilities, the attackers uploaded a web shell to the server in the form of an .aspx file that was launched by the w3wp.exe or UMWorkerProcess.exe processes. These scripts, which had different names in different cases, were saved to the %temp% folder and run under the privileged system account NT AUTHORITY\SYSTEM. Through the web shell, the attackers gained access to the command line or PowerShell console in the context of the w3wp.exe process, and then saved to disk and launched the payload, which consisted of various backdoors as well as the well-known Cobalt Strike and BEACON. As a final step, the attackers deleted the script files behind them.

[Image exch04.jpg] General attack pattern on Exchange Server

THE CONSEQUENCES
Microsoft immediately released patches for all detected vulnerabilities that hackers used to attack Microsoft Exchange servers. However, since installing updates is not an instant thing, and information about Exchange Server security holes quickly spread all over the Internet, finding and hacking unpatched servers soon turned into a kind of fun sports contest. Hackers not only stole user data, but also installed the DLTminer Trojan miner and other malicious programs on compromised servers.

Among the victims were such organizations as the European Banking Authority, the Ministry of Labor and Social Affairs of the Czech Republic and post offices in Prague. Adding fuel to the fire was the fact that in early March an independent researcher from Vietnam published a working proof-of-concept exploit for this set of vulnerabilities on GitHub. The very next day the exploit was removed from the site, but, as they say, a residue remained. The Internet, as you know, remembers everything that was once publicly available.

Soon the miners were joined by the DearCry ransomware Trojan, which hackers started running on hacked servers. At the beginning of March there were only a handful of affected companies (in Australia, Austria, Denmark, Canada and the United States), but then their number began to grow. The first ransomware was followed by the Black Kingdom encryptor, which encrypts files on the server and demands a ransom of $10,000 for decryption.

Since the situation with the ProxyLogon vulnerabilities looks serious and frightening, Microsoft has released not only security updates for Exchange Server, but also fixes for older versions of Exchange. In addition, Microsoft engineers have prepared a special PowerShell script designed to check Exchange servers for web shells and known indicators of compromise.

Nevertheless, the picture is still bleak. According to publicly available data, there are currently more than 282,000 Microsoft Exchange servers running on the Internet, and many of them are still vulnerable. Until system administrators install the necessary set of updates on all vulnerable servers, hacking is likely to continue, and Hacker magazine will delight its readers with news about the next incidents related to the use of ProxyLogon by attackers.