CVEs - Vulnerable Microsoft Exchange Server Report
Description
Microsoft Exchange Server is an email, calendaring, contact, scheduling and collaboration platform that runs exclusively on the Microsoft Windows Server operating system. Exchange primarily uses a proprietary protocol, the Messaging Application Programming Interface (MAPI), to talk to email clients; support for Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP) and Exchange ActiveSync (EAS) was added later. The Simple Mail Transfer Protocol (SMTP) is used to communicate with other internet mail servers.
Problem
In January 2021, the US-based security firm Volexity, which provides incident response, digital forensics and threat intelligence services, detected anomalous activity from two of its customers' Microsoft Exchange Servers through its network security monitoring service. A large amount of data was being sent to IP addresses unrelated to the legitimate users. Inspection of the Internet Information Services (IIS) logs on the Exchange Servers revealed inbound HTTP POST requests to legitimate image, JavaScript, cascading style sheet and font files used by the browser-based application Outlook Web Access (OWA); a browser only ever fetches such static files with GET, so a POST to them is anomalous. OWA allows a user to access email, calendars, tasks and contacts on an on-premises Exchange Server. Volexity reported that it had first observed the exploit on 3 January 2021.
On 2 March 2021, the Microsoft Security Response Center (MSRC) issued a communication stating that it had detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. The Microsoft Corporation publicly disclosed the following Common Vulnerabilities and Exposures (CVEs) affecting Microsoft Exchange Server:-
| No. | CVEs |
|---|---|
| 1. | CVE-2021-26855 |
| 2. | CVE-2021-26857 |
| 3. | CVE-2021-26858 |
| 4. | CVE-2021-27065 |
The Microsoft Corporation attributed the activity to the Advanced Persistent Threat (APT) group 'HAFNIUM'.
Common Vulnerabilities & Exposures (CVEs).
Systems used for reporting and assessing the severity of security vulnerabilities.
| No. | System | Description |
|---|---|---|
| 1. | Common Vulnerabilities and Exposures (CVE). | The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures. Each entry is assigned a unique CVE ID (e.g. CVE-2021-26855). |
| 2. | The Common Vulnerability Scoring System (CVSS). | CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It provides a numerical (0-10) representation of the severity of an information security vulnerability. |
CVSSv3.0 Qualitative Severity Rating Scale.
| No. | Base Score Range | Severity |
|---|---|---|
| 1. | 0.0 | None |
| 2. | 0.1 - 3.9 | Low |
| 3. | 4.0 - 6.9 | Medium |
| 4. | 7.0 - 8.9 | High |
| 5. | 9.0 - 10.0 | Critical |
Microsoft Exchange Server - Publicly Disclosed CVEs w.e.f. 11 Feb 2020.
| No. | CVE ID | Vendor | Product (as listed in the report) | CVSSv3 Base Score |
|---|---|---|---|---|
| 1. | CVE-2020-0688 | MSFT | MS Exchange Server 2013 | 8.8 |
| 2. | CVE-2021-26855 | MSFT | MS Exchange Server 2016 Cumulative Update 19 | 9.1 |
| 3. | CVE-2021-26857 | MSFT | MS Exchange Server 2016 Cumulative Update 19 | 7.8 |
| 4. | CVE-2021-26858 | MSFT | MS Exchange Server 2019 | 7.8 |
| 5. | CVE-2021-27065 | MSFT | MS Exchange Server 2019 | 7.8 |
| 6. | CVE-2022-41082 | MSFT | MS Exchange Server 2013 Cumulative Update 23 | 8.8 |
| 7. | CVE-2023-21529 | MSFT | MS Exchange Server 2019 Cumulative Update 12 | 8.8 |
| 8. | CVE-2023-36439 | MSFT | MS Exchange Server 2016 Cumulative Update 23 | 8.0 |
| 9. | CVE-2023-36745 | MSFT | MS Exchange Server 2019 Cumulative Update 13 | 8.0 |
| 10. | CVE-2024-21410 | MSFT | MS Exchange Server 2016 Cumulative Update 23 | 9.8 |
| 11. | CVE-2024-26198 | MSFT | MS Exchange Server 2019 Cumulative Update 14 | 8.8 |
| 12. | CVE-2025-53786 | MSFT | Exchange Server hybrid deployments (addressed by a non-security Hot Fix) | 8.0 |
Tactics, Techniques and Procedures
The following Tactics, Techniques and Procedures (TTPs) were employed by the APT group 'HAFNIUM' in exploiting the four CVEs discovered in Microsoft Exchange Server and publicly disclosed on 2 March 2021.
Reconnaissance
All systems targeted and compromised in the attack were on-premises Microsoft Exchange Servers. Prior to initial access, active or passive scanning would have been conducted against targeted networks to identify on-premises Exchange Servers with web services exposed to the public internet. The fully qualified domain name (FQDN) of an on-premises Exchange Server had to be identified as a prerequisite to an attack; this could be derived from the external IP address or domain name of the publicly accessible server. Lists of e-mail addresses of intended targets were also collected.
Resource Development
The operation against the Microsoft Exchange Servers was conducted primarily from leased virtual private servers (VPS) in the United States. A range of free and commercial tools was used to compromise the Exchange Servers and to perform unauthorised activities.
List of IP addresses used in the attack on Microsoft Exchange Servers.
These IP addresses are tied to the virtual private servers (VPS) and virtual private networks (VPNs) from which the operation was conducted. They are shown defanged (`[.]` in place of `.`) so that they cannot be clicked or resolved by accident.
Indicators of Compromise (IoC).
| No. | IP Address |
|---|---|
| 1. | 103.77.192[.]219 |
| 2. | 104.140.114[.]110 |
| 3. | 104.250.191[.]110 |
| 4. | 108.61.246[.]56 |
| 5. | 149.28.14[.]163 |
| 6. | 157.230.221[.]198 |
| 7. | 167.99.168[.]251 |
| 8. | 185.250.151[.]72 |
| 9. | 192.81.208[.]169 |
| 10. | 203.160.69[.]66 |
| 11. | 211.56.98[.]146 |
| 12. | 5.254.43[.]18 |
| 13. | 5.2.69[.]14 |
| 14. | 80.92.205[.]81 |
| 15. | 91.192.103[.]43 |
List of software tools used in the exploitation of Microsoft Exchange Server.
| No. | Software Tool | Function | Action |
|---|---|---|---|
| 1. | Covenant | Covenant is a cross-platform .NET command and control framework with a web-based interface that supports multi-user collaboration. | Covenant was used as the command and control (C2) platform for the attack on vulnerable on-premises Exchange Servers. C2 traffic was ASCII encoded. |
| 2. | Exchange PowerShell Snap-ins | The Exchange Management Shell is a PowerShell command-line interface that automates Exchange administrative tasks. Snap-ins are modules that add the Exchange cmdlets to a PowerShell session, script or function. | The Exchange PowerShell snap-in was loaded into a PowerShell session to export data from mailboxes on the Exchange Servers. |
| 3. | Nishang Framework | A framework and collection of PowerShell scripts and payloads for offensive security and penetration testing, used across all phases of penetration testing and red teaming. | Nishang scripts were used to establish a reverse shell from the compromised Exchange Server to the C2 platform. |
| 4. | PowerCat | An open-source PowerShell script that can read and write data across network connections, bringing the functionality of the networking utility Netcat to Microsoft Windows. | PowerCat was downloaded from the internet and used to open connections to remote servers. Because it is a script rather than a compiled binary, traditional anti-virus solutions may fail to detect it. |
| 5. | ProcDump | A command-line utility from the Microsoft Sysinternals suite, used to monitor an application for CPU spikes and to create process dumps. | ProcDump was used to dump the process memory of the Local Security Authority Subsystem Service (LSASS), from which credentials were acquired. |
| 6. | PsExec | A command-line utility from the Microsoft Sysinternals PsTools suite that executes processes on remote systems and can copy files to them over a network share. | PsExec was used for lateral movement, executing processes on remote systems over network shares with valid accounts. |
| 7. | 7-Zip | A free and open-source file archiver used to compress data. | 7-Zip was used to compress data prior to exfiltration. |
| 8. | WinRAR | A trialware file archiver for Microsoft Windows used to compress data. | WinRAR was used to collect and compress data prior to exfiltration. |
Initial Access
Initial access was through the server-side request forgery (SSRF) vulnerability (CVE-2021-26855) in the on-premises Exchange Server. Specially crafted HTTP POST requests carrying an Extensible Markup Language (XML) Simple Object Access Protocol (SOAP) payload were sent to the Exchange Server and forwarded to the Exchange Web Services (EWS) Application Programming Interface (API) endpoint. Through specially crafted cookies the request bypassed authentication, and the operation specified in the XML was executed, allowing any operation to be performed on a user's mailbox. The HTTP POST requests targeted files in the folder:-
/owa/auth/Current/themes/resources
This folder contains image, font and cascading style sheet files. A POST to any of these files appears to allow the exploit to proceed.
Files that were targets of HTTP POST requests.
| No. | File |
|---|---|
| 1. | /owa/auth/Current/themes/resources/logon.css |
| 2. | /owa/auth/Current/themes/resources/owafont_ja.css |
| 3. | /owa/auth/Current/themes/resources/lgnbotl.gif |
| 4. | /owa/auth/Current/themes/resources/owafont_ko.css |
| 5. | /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot |
| 6. | /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf |
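As an added illustration of the IIS log check described above (this script is not part of the original report and is not vendor tooling), the following Python code parses IIS W3C extended log lines and flags two things from this report: any POST to a file under /owa/auth/Current/themes/resources/ (static assets that a browser only ever fetches with GET) and any request whose client address appears in the IoC list in the Resource Development section. The sample log lines, the server address 10.0.0.5, the hostname mail.example.com and the client addresses 192.0.2.44 and 198.51.100.7 are constructed for the demonstration; the IoC addresses are the fifteen from the table above with the defanging brackets removed.

```python
"""Added example: hunt IIS W3C logs for the HAFNIUM initial-access pattern.

Two indicators from the report are checked on every request line:
  1. An HTTP POST to a static OWA theme resource under
     /owa/auth/Current/themes/resources/. Browsers only ever GET these
     image, font and stylesheet files, so a POST is anomalous and matches
     the CVE-2021-26855 traffic Volexity found in its customers' IIS logs.
  2. A client IP that appears in the IoC list published for the campaign.

IIS writes W3C extended-format logs (%SystemDrive%\\inetpub\\logs\\LogFiles
by default). The column layout is read from each file's '#Fields:' header
rather than hard-coded, so customised field sets are handled.
"""
from dataclasses import dataclass

# IoC IPs from the report, with the defanging brackets removed.
IOC_IPS = {
    "103.77.192.219", "104.140.114.110", "104.250.191.110", "108.61.246.56",
    "149.28.14.163", "157.230.221.198", "167.99.168.251", "185.250.151.72",
    "192.81.208.169", "203.160.69.66", "211.56.98.146", "5.254.43.18",
    "5.2.69.14", "80.92.205.81", "91.192.103.43",
}

# Folder that should only ever be fetched with GET. Compared in lower case
# because IIS URL paths on Windows are not case-sensitive.
STATIC_RESOURCE_PREFIX = "/owa/auth/current/themes/resources/"


@dataclass
class Finding:
    line_no: int      # 1-based line number within the log file
    reason: str
    client_ip: str
    method: str
    uri: str


def parse_w3c(lines):
    """Yield (line_no, record) for each data line of a W3C extended log.

    Directive lines start with '#'; the '#Fields:' directive names the
    columns for the data lines that follow it (IIS may emit it more than
    once per file, e.g. after a logging configuration change).
    """
    fields = None
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue                      # data before any header: cannot map columns
        values = line.split(" ")
        if len(values) != len(fields):
            continue                      # truncated or malformed line
        yield line_no, dict(zip(fields, values))


def hunt(lines):
    """Return a Finding for every suspicious request in the log lines."""
    findings = []
    for line_no, rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        uri = rec.get("cs-uri-stem", "")
        client_ip = rec.get("c-ip", "")
        if method == "POST" and uri.lower().startswith(STATIC_RESOURCE_PREFIX):
            findings.append(Finding(line_no, "POST to static OWA theme resource",
                                    client_ip, method, uri))
        if client_ip in IOC_IPS:
            findings.append(Finding(line_no, "client IP in published IoC list",
                                    client_ip, method, uri))
    return findings


# Constructed sample log (not real traffic). Line 4 is the SSRF pattern from a
# non-IoC address; lines 5 and 6 are ordinary OWA requests from an IoC address.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-01 10:15:02 10.0.0.5 GET /owa/auth/Current/themes/resources/logon.css - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2021-03-01 10:15:09 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 192.0.2.44 python-requests/2.25.1 - 200 0 0 340
2021-03-01 10:16:41 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 104.140.114.110 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 8
2021-03-01 10:17:03 10.0.0.5 POST /owa/auth.owa - 443 - 104.140.114.110 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 55
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.reason}: {f.client_ip} {f.method} {f.uri}")
```

On a live server the same `hunt()` can be fed directly from the files under the IIS log directory; the POST check is the higher-confidence signal, since an address match only shows that a known attacker address touched the server, not that exploitation succeeded.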
Execution
Access to the Exchange Server was gained through the SSRF vulnerability (CVE-2021-26855). CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service, was used to run code as NT AUTHORITY\SYSTEM on the Exchange Server. CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file write vulnerabilities, exploited to write files (including web shells) to any path on the server. The compromise of the on-premises Exchange Server enabled access to e-mail accounts, from which data was stolen, and the installation of additional malware.
Web Shells.
Web shells (ASPX files) were installed on the Exchange Server and used to execute malicious commands through the Windows command shell (cmd.exe).
Purposes for which Web shells were used in the attack on Exchange servers.
| No. | Purpose |
|---|---|
| 1. | To harvest and exfiltrate sensitive data and credentials. |
| 2. | To upload additional malware, for example to turn the server into a watering hole that infects or scans further victims. |
| 3. | To act as a relay point for issuing commands to hosts within the network that have no direct internet access. |
| 4. | To serve as command and control infrastructure, potentially as a bot in a botnet or in support of compromises of additional external networks; this may occur where the threat actor intends to establish persistence on the target. |
SHA256 Hashes of Web shells used in the attack on Exchange servers.
| No. | Web shell SHA256 Hash |
|---|---|
| 1. | 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1 |
| 2. | b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0 |
| 3. | 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea |
| 4. | 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d |
| 5. | 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5 |
| 6. | 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e |
| 7. | 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1 |
| 8. | 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944 |
Persistence
To establish and maintain a persistent foothold on the Microsoft Exchange Servers, web shells (ASPX files), malware and backdoors were used.
Web shells deployed to maintain a persistent presence on a Microsoft Exchange Server.
| No. | Name | Function |
|---|---|---|
| 1. | SIMPLESEESHARP | A trivial ASPX web shell used to write additional files to disk, e.g. the SPORTSBALL web shell. |
| 2. | SPORTSBALL | A more extensive web shell that supports uploading files and executing commands on the system. |
| 3. | China Chopper | This is a web shell that provides access back into the system. It is used by several Advanced Persistent Threat (APT) Groups. |
| 4. | ASPXSpy | This is a publicly available web shell used by several Advanced Persistent Threat (APT) Groups as a backdoor payload. It may be used to fetch, install and execute additional malware payloads on an infected Microsoft Exchange server. |
Defence Evasion
Web shells deployed on the Microsoft Exchange Servers were given names identical or similar to those of legitimate files, so that they would not stand out in a directory listing.
Names of web shells detected.
| No. | Name |
|---|---|
| 1. | web.aspx |
| 2. | help.aspx |
| 3. | document.aspx |
| 4. | errorEE.aspx |
| 5. | errorEEE.aspx |
| 6. | errorEW.aspx |
| 7. | errorFF.aspx |
| 8. | healthcheck.aspx |
| 9. | aspnet_www.aspx |
| 10. | aspnet_client.aspx |
| 11. | xx.aspx |
| 12. | shell.aspx |
| 13. | aspnet_iisstart.aspx |
| 14. | one.aspx |
Credential Access
The command-line utility ProcDump was used to dump the process memory of the Local Security Authority Subsystem Service (LSASS), from which credentials were acquired. Web shells were used to create copies of the NTDS.dit (NT Directory Services) file, which were then exfiltrated from the Exchange Servers.
Operating System Credential Dumping
| No. | Name | Description |
|---|---|---|
| 1. | LSASS Memory | The Local Security Authority Subsystem Service is the process in Microsoft Windows responsible for enforcing the security policy on the system. LSASS holds in memory the credentials of users currently logged on, which gives them seamless access to network resources without re-entering their credentials. |
| 2. | NTDS.dit | The NTDS.dit (NT Directory Services) file is a database that stores the Windows Active Directory data including information about user objects, groups and group membership. It includes the password hashes for all users in the domain. The file is stored on the domain controllers. |
Following the deployment of web shell scripts, the threat actors took a dump of the LSASS process memory.
Microsoft advised customers to monitor the following folders for LSASS dumps.
LSASS dumps
| No. | Folder |
|---|---|
| 1. | C:\windows\temp\ |
| 2. | C:\root\ |
Microsoft advised customers to monitor the following folder for suspicious .zip, .rar and .7z files, which may indicate data being staged for exfiltration.
ZIP files
| No. | Folder |
|---|---|
| 1. | C:\ProgramData\ |
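As an added illustration (this script is not part of the original report and is not Microsoft tooling), the following Python code combines the file-based indicators from this report into one host sweep: .aspx files under the Exchange web roots are hashed and compared with the SHA256 list in the Execution section, then compared by name against the web shell names in the Defence Evasion section; the folders Microsoft named for LSASS dumps are checked for dump files; and the staging folder above is checked for .zip, .rar and .7z archives. The directory tree it sweeps is constructed in a temporary folder for the demonstration, and the locations C:\inetpub\wwwroot and the Exchange FrontEnd\HttpProxy tree named in the comments are assumed typical web roots, not paths taken from this page.

```python
"""Added example: sweep a host for the file-based IoCs in this report.

Three checks, all driven by the published indicators:
  * .aspx files under the Exchange web roots whose SHA256 matches a known
    web shell, or whose name matches one of the names HAFNIUM used;
  * process dump files in the folders Microsoft named for LSASS dumps;
  * .zip/.rar/.7z archives in the folder Microsoft named as the staging
    location for collected data.

Hashing is done first. A name match is a weaker signal (legitimate files can
share a name) and is reported under its own category so triage can prioritise.
"""
import hashlib
import tempfile
from pathlib import Path

WEBSHELL_SHA256 = {
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
}
# Lower-cased because NTFS name lookups are case-insensitive.
WEBSHELL_NAMES = {
    "web.aspx", "help.aspx", "document.aspx", "erroree.aspx", "erroreee.aspx",
    "errorew.aspx", "errorff.aspx", "healthcheck.aspx", "aspnet_www.aspx",
    "aspnet_client.aspx", "xx.aspx", "shell.aspx", "aspnet_iisstart.aspx",
    "one.aspx",
}
ARCHIVE_SUFFIXES = {".zip", ".rar", ".7z"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA256 so large dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def _files_in(directory) -> list:
    """Top-level files of a directory; an absent directory yields nothing."""
    d = Path(directory)
    return [p for p in d.iterdir() if p.is_file()] if d.is_dir() else []


def sweep(web_roots, dump_dirs, staging_dirs):
    """Return (category, path, detail) tuples for every hit."""
    hits = []
    for root in web_roots:
        for p in Path(root).rglob("*"):
            if not p.is_file() or p.suffix.lower() != ".aspx":
                continue
            digest = sha256_file(p)
            if digest in WEBSHELL_SHA256:
                hits.append(("webshell-hash", str(p), digest))
            elif p.name.lower() in WEBSHELL_NAMES:
                hits.append(("webshell-name", str(p), p.name))
    for d in dump_dirs:
        for p in _files_in(d):
            if p.suffix.lower() == ".dmp" or "lsass" in p.name.lower():
                hits.append(("lsass-dump", str(p), f"{p.stat().st_size} bytes"))
    for d in staging_dirs:
        for p in _files_in(d):
            if p.suffix.lower() in ARCHIVE_SUFFIXES:
                hits.append(("staging-archive", str(p), f"{p.stat().st_size} bytes"))
    return hits


def build_demo_tree() -> Path:
    """Construct a throw-away tree that mimics the real folder layout.

    On a live server sweep() would be pointed at the real locations, e.g.
    C:\\inetpub\\wwwroot and the Exchange FrontEnd\\HttpProxy tree (assumed
    typical web roots), C:\\Windows\\Temp and C:\\root, and C:\\ProgramData.
    File contents below are constructed and hash to nothing in the IoC list.
    """
    root = Path(tempfile.mkdtemp(prefix="exchange-ioc-demo-"))
    files = {
        "inetpub/wwwroot/aspnet_client/help.aspx": b'<%@ Page Language="C#" %>',   # name hit
        "inetpub/wwwroot/aspnet_client/system_web/report.aspx": b"<%@ Page %>",     # benign
        "Windows/Temp/lsass.dmp": b"MDMP" + b"\x00" * 16,                            # dump hit
        "Windows/Temp/setup.log": b"ok",                                             # benign
        "ProgramData/mail-export.7z": b"7z\xbc\xaf\x27\x1c",                         # archive hit
        "ProgramData/readme.txt": b"nothing to see",                                 # benign
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


def demo():
    """Build the constructed tree and sweep it; returns the list of hits."""
    root = build_demo_tree()
    return sweep(
        web_roots=[root / "inetpub" / "wwwroot"],
        dump_dirs=[root / "Windows" / "Temp", root / "root"],   # C:\root may not exist
        staging_dirs=[root / "ProgramData"],
    )


if __name__ == "__main__":
    for category, path, detail in demo():
        print(f"{category:16} {path}  ({detail})")
```

A hash hit is conclusive; a name hit or a dump/archive hit is a lead that needs the file's timestamps, owner and contents examined before it is treated as confirmed compromise.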
Exfiltration.
The collected and compressed data was exfiltrated to cloud service providers offering user-controlled, end-to-end encrypted storage and communications services, such as the New Zealand-based company MEGA Limited.
Solution.
Shadowserver Foundation - Vulnerable Exchange Server Report - Tag Index.
Note: The Shadowserver Foundation has included in the 'Tag' column of their report, a list of terms, which indicate the type of vulnerability associated with the specific host identified in the report.
| No. | Tag | Description |
|---|---|---|
| 1. | cve;exchange. | The CVE with its unique CVE ID identifies the Exchange Server vulnerability. |
| 2. | eol;exchange. | EOL stands for End of Life, also referred to as End of Support. It signifies the point at which a product or service is no longer actively supported by the original vendor. For Exchange Server, it means that the Microsoft Corporation will no longer provide security updates, software patches or technical support for that version. |
Recommendations.
| No. | Tag | Recommendations |
|---|---|---|
| 1. | cve;exchange. | Constituents are advised to apply all software patches and updates released by Microsoft in response to the publicly disclosed Common Vulnerabilities and Exposures (CVEs) affecting Exchange Server w.e.f. 2 March 2021. |
| 2. | eol;exchange. | The version of Exchange Server has reached its End of Life (EOL), also referred to as End of Support. Constituents who intend to continue running Exchange Server on-premises are advised to upgrade to a version supported by Microsoft. |
Microsoft Exchange Server Versions - End of Life (EOL) or End of Support.
The Microsoft Corporation has announced End of Life (EOL) or End of Support for the following versions of Microsoft Exchange Server on the dates shown:-
| No. | Product | End of Support |
|---|---|---|
| 1. | Exchange Server 2019 | 14 Oct 2025 |
| 2. | Exchange Server 2016 | 14 Oct 2025 |
| 3. | Exchange Server 2013 | 11 Apr 2023 |
| 4. | Exchange Server 2010 | 13 Oct 2020 |
Additional Information.
Microsoft Security - HAFNIUM targeting Exchange Servers with 0-day exploits - 02 March 2021
MANDIANT - Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
Shadowserver CRITICAL: Vulnerable Exchange Server Report
US-Cert - Mitigate Microsoft Exchange Server Vulnerabilities
Microsoft - Exchange Server Security Updates - 02 March 2021
Microsoft - Exchange Server Security Updates for older Cumulative Updates of Exchange Server - 08 March 2021
Microsoft - Upgrade Exchange to the latest Cumulative Update
PICUS - Tactics, Techniques and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers.
Microsoft Security Response Center - Microsoft Exchange Server - updated 15 March 2021
Microsoft Security Response Center - Guidance for responders: 16 March 2021
Microsoft Security Response Center - On Premises Exchange Server - updated 25 March 2021
Microsoft Exchange Server Build Numbers and Release Dates
Volexity Blog - Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
GovCERT.ch - Exchange Vulnerability 2021
Tenable Blog
Everything you need to know about the Microsoft Exchange Server hack
PsExec Explainer by Mark Russinovich
Introduction - PsTools Documentation by Mark Russinovich
Hunting Malware with Windows Sysinternals - Process Explorer