Microsoft Exchange & the HAFNIUM Threat Actor

Article by Josh Lemon

Digital Forensics and Incident Response Managing Director & Certified SANS Instructor

Given the amount of information circulating about the recent vulnerabilities in Microsoft Exchange Server, I wanted to provide a technical write-up collecting the information I've been recommending to people individually. Hopefully, this acts as a single location for technical information about protecting against, and detecting, attacks on the recent Microsoft Exchange vulnerabilities (aka ProxyLogon).

I'll also attempt to keep this page updated as I find more useful/relevant information.

What are the Vulnerabilities?

There are seven vulnerabilities in total that were patched on the 2nd of March 2021 as part of an out-of-cycle patch provided by Microsoft. Four of the vulnerabilities are known to have been actively exploited by the HAFNIUM threat actor.

The four vulnerabilities that are known to have been exploited:

  • CVE-2021-26855 - is a server-side request forgery (SSRF) vulnerability
  • CVE-2021-26857 - is an insecure deserialization vulnerability in the Unified Messaging service
  • CVE-2021-26858 - is a post-authentication arbitrary file write vulnerability in Exchange
  • CVE-2021-27065 - is a post-authentication arbitrary file write vulnerability in Exchange

The additional three vulnerabilities patched, but not currently known to be exploited by the HAFNIUM threat actor:

What versions are actually vulnerable?

Microsoft advised that the systems considered vulnerable, and requiring immediate patching, were on-premises versions of:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Microsoft has advised that Microsoft Exchange Server 2010 and Exchange Online (aka Microsoft 365) are not vulnerable. However, Microsoft were still providing patches to Exchange Server 2010 as a precaution.

[UPDATED 11/03/2021] Microsoft have updated their advice on Microsoft Exchange Server 2010 indicating that it was impacted by CVE-2021-26857 and they pushed out an update for it. They also indicated that this vulnerability is not the first step in the attack chain, so the overall risk to Exchange Server 2010 is lower.

How long has this vulnerability existed?

The team at Volexity reported they had first seen attacks abusing the Exchange Server vulnerabilities in January 2021.

Additionally, Mandiant also observed similar attacks on Exchange Servers at the beginning of January 2021.

A timeline was pulled together by Brian Krebs, which I've provided below up to the point that Microsoft released the patches:

  • Jan. 5: DEVCORE alerts Microsoft of its findings.
  • Jan. 6: Volexity spots attacks that use unknown vulnerabilities in Exchange.
  • Jan. 8: DEVCORE reports Microsoft had reproduced the problems and verified their findings.
  • Jan. 11: DEVCORE registers proxylogon.com, a domain now used to explain its vulnerability discovery process.
  • Jan. 27: Dubex alerts Microsoft about attacks on a new Exchange flaw.
  • Jan. 29: Trend Micro publishes a blog post about “Chopper” web shells being dropped via Exchange flaws (but attributes cause as Exchange bug Microsoft patched in 2020)
  • Feb. 2: Volexity warns Microsoft about active attacks on previously unknown Exchange vulnerabilities.
  • Feb. 8: Microsoft tells Dubex it has “escalated” its report internally.
  • Feb. 18: Microsoft confirms with DEVCORE a target date of Mar. 9 for publishing security updates for the Exchange flaws. That is the second Tuesday of the month — a.k.a. “Patch Tuesday,” when Microsoft releases monthly security updates.
  • Feb. 26-27: Targeted exploitation gradually turns into a global mass-scan; attackers start rapidly backdooring vulnerable servers.
  • Mar. 2: A week earlier than previously planned, Microsoft releases updates to plug 4 zero-day flaws.

Who is the HAFNIUM Threat Actor?

Microsoft reported the HAFNIUM threat actor as a China-based threat actor that leverages hosted infrastructure within the United States to perform its attacks on victims.

Mandiant track indicators from the same threat actor as three distinct groups: UNC2639, UNC2640 and UNC2643. This is the first time Mandiant has publicly reported on these three groups.

Symantec track the same threat actor as "Ant". This is also the first time that Symantec reported on this threat actor.

Do I need to check if my Exchange Server was compromised?

Yes. Given the first known report of the threat actor abusing the vulnerabilities was in January 2021, and patching wasn't available from Microsoft until the 2nd of March 2021, you need to check if your system was compromised.

[UPDATED 11/03/21] The team at ESET reported they observed exploitation of the vulnerabilities from the 28th of February 2021 by other threat actors, including Tick (aka Bronze Butler), LuckyMouse (aka Emissary Panda and APT27), Calypso and the Winnti Group (aka Wicked Panda and APT41). This would have given these threat actors a head start on compromising systems before the patch was released on the 2nd of March 2021.

Additionally, if you did not patch your systems on the 2nd of March 2021, or still haven't patched, you are at a high risk of compromise. Tools like Shodan can be used by cybercriminal groups to identify Exchange Servers connected to the internet quickly. In combination with details of the vulnerabilities being released on the 2nd of March 2021, and the ability to rapidly identify potentially vulnerable systems, it makes finding potential victims relatively quick for cybercriminal groups.

You should continually check your systems for signs of compromise until you have patched, then once again after you have completed patching.

How can I check if my Exchange Server was compromised?

What indicators should I be looking for manually?

This is really intended to assist teams that have internal SOC/CERT/CSIRT staff, or third party DFIR teams. Additionally, this list may grow as other threat actors abuse these vulnerabilities.

HAFNIUM IoCs

Additionally, the HAFNIUM threat actor group is known to use the following tools/malware:

  • Covenant
  • Procdump
  • 7-Zip
  • Nishang
  • PowerCat
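As an added example (my code, not the article's), the following Python script turns the manual checks above into something a SOC or DFIR analyst can run over process-creation telemetry such as Sysmon Event ID 1 exports. It applies two heuristics: a shell or script host spawned by the IIS worker process w3wp.exe, which is the usual footprint of a web shell like the "Chopper" shells mentioned in the timeline, and any process whose image or command line names one of the HAFNIUM tools listed above. The JSON-lines input format and all sample events are constructed for this example, and the assumption that Exchange's web front end runs inside w3wp.exe is mine, not a statement from the article.

```python
"""Hunt for HAFNIUM-style post-exploitation in process-creation telemetry.

Added example, not code from the original article. Input is Sysmon Event ID 1
(process creation) records as JSON lines, a constructed format for this
example; real Sysmon events live in the Windows event log and need exporting.
"""
import json
import ntpath
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: Exchange's web front end (OWA, ECP, EWS, ...) runs inside IIS
# worker processes, so a shell whose parent is w3wp.exe is the classic
# footprint of a web shell dropped through the Exchange flaws.
WEB_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Tooling the article lists for HAFNIUM; keys are substrings matched
# case-insensitively against the image basename and the command line.
TOOL_MARKERS = {"procdump": "Procdump", "7z": "7-Zip", "nishang": "Nishang",
                "powercat": "PowerCat", "covenant": "Covenant"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    parent: str
    command_line: str


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> List[Finding]:
    """Apply both heuristics to a single process-creation event."""
    if event.get("EventID") != 1:
        return []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    findings: List[Finding] = []
    if parent == WEB_WORKER and image in SHELLS:
        findings.append(Finding("web-worker-spawned-shell", image, parent, cmdline))
    haystack = f"{image} {cmdline}".lower()
    for marker in TOOL_MARKERS:
        if marker in haystack:
            findings.append(Finding(f"known-tool:{marker}", image, parent, cmdline))
    return findings


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run the heuristics over JSON-lines input, skipping blank/malformed lines."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a real pipeline would count and report these
        if isinstance(event, dict):
            findings.extend(evaluate(event))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per rule, handy for triage dashboards."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample telemetry (not real logs): seven events plus one bad line.
_SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'w3wp.exe -ap "MSExchangeOWAAppPool"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",  # benign child
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "WerFault.exe -u -p 4242"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",  # web shell footprint
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": r"C:\Users\Public\procdump64.exe",  # listed tool
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "procdump64.exe -accepteula"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",  # both rules fire
     "CommandLine": r"powershell.exe -File C:\Users\Public\powercat.ps1"},
    {"EventID": 1, "Image": r"C:\Users\Public\7z.exe",  # listed tool
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"7z.exe a C:\Users\Public\out.7z C:\Users\Public\docs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",  # benign
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS) + "\nnot json\n"

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] {f.parent} -> {f.image}: {f.command_line}")
    print(summarize(hunt(SAMPLE_LOG.splitlines())))
```

The parent-process rule is deliberately narrow (only shells and script hosts under w3wp.exe) so that legitimate children such as WerFault.exe do not fire; the tool-name rule is broad on purpose and will need tuning against your own baseline, since names like 7-Zip also appear in ordinary administration.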

Generalised IoCs

I have found the IoCs on my system, what should I do?

[UPDATED 15/03/2021]

You should immediately notify:

  1. your internal security team, or
  2. your third party Incident Response consultants, or
  3. seek assistance from a professional Incident Response firm.

You should not shut down, reboot, or start rebuilding the impacted system(s). Doing so starts to destroy the digital evidence needed to understand what the threat actor(s) have done, how they got in, and what they may have taken. You should only consider isolating the system(s) if there is an immediate threat to the personal safety of your staff or customers/clients (i.e. health care systems or critical utilities), or if you have direct indicators that relate to ransomware. Microsoft has reported that the DearCry ransomware variant has been abusing the Exchange vulnerabilities to access networks.

Is HAFNIUM the only threat actor abusing this vulnerability?

No. Following the release of the patch by Microsoft on the 2nd of March 2021, other threat actors have been observed abusing the same vulnerabilities. Multiple antivirus and incident response firms have reported this. ESET publicly reported on Twitter that they have seen several cyber-espionage groups targeting the Exchange vulnerabilities.

No reporting of threat actors other than HAFNIUM was provided prior to the vulnerabilities being patched on the 2nd of March 2021.

If you patched on the 2nd of March 2021, you only need to be concerned with identifying the HAFNIUM threat actor. If you patched after this date, other threat actors may have abused the vulnerabilities in your Exchange Server(s).

[UPDATED 10/03/21] Praetorian have provided details on how to reverse-engineer three of the patches and exploit the vulnerabilities they fix to compromise a vulnerable Exchange Server. You should assume that cybercriminal groups used a similar technique shortly after the patches were released on the 2nd of March 2021.

[UPDATED 11/03/21] ESET reported observing multiple threat actors abusing this vulnerability from the 28th of February 2021; see "Do I need to check if my Exchange Server was compromised?" above. They also observed an increase in mass scanning and compromise of Exchange servers the day after the patch was released, attributed to Tonto Team (aka CactusPete), Mikroceen (aka SixLittleMonkeys and Microcin) and DLTMiner.

[UPDATED 12/03/21] The proof of concept (PoC) code to exploit the Exchange Server vulnerabilities is easily accessible online for threat actors to use and modify to compromise an unpatched Exchange Server. This will likely see more threat actors scanning and exploiting vulnerable systems.

What if I can't patch my Exchange Server yet?

If you're unable to patch your Exchange Server yet, you should attempt to use the Microsoft mitigation provided here. Please note, this doesn't protect you from all possible attacks leveraging the vulnerabilities. Additionally, if you are already compromised, it will not provide any protection.

Provided you have the capabilities, you should also put in place active/enhanced monitoring of your Exchange Servers. This should include both network-level monitoring and host-based monitoring. At a minimum, ensure you have NetFlow enabled on the routers/switches in front of your Exchange server, and Sysmon installed and running with a suitable configuration. There are undoubtedly additional things you should also do; however, these are the absolute minimum. Seek expert advice on the other monitoring and mitigation you can implement.

No. There is currently no reporting indicating that the SolarWinds attacks, the attacks on Microsoft Exchange, and the HAFNIUM threat actor are related.