Security Advisory: Hafnium Detection and Monitoring Solution

Last Updated: April 2, 2021

US-CERT.CISA

Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on active exploitation of vulnerabilities in Microsoft Exchange Server products which are used by Hafnium-attack-group and China Chopper Web Shell attacks, and other Advanced Persistence Threats.

Description

Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.

Determined Impact

• Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system.
• Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. 

Why it is Critical?

After successful exploitation activities, Attackers can gain access to email accounts and install additional malware/ scanning tools to remain persisted on the network.

Affected Components

• On-premises versions of Microsoft Exchange Servers primarily on Microsoft Exchange Server 2013, 2016, 2019.

Note: Exchange Online is not affected.

CVE Details

• CVE-2021-26855 allows Unauthenticated attacker to send arbitrary HTTP requests.

The following CVEs allow for remote code execution.

• CVE-2021-26857
• CVE-2021-26858
• CVE-2021-27065

Exploit Tools used by HAFNIUM Group/China chopper variants

• Procdump
• Nishang
• PowerCat
• Adfind.exe
• nbtscan.exe

Required Actions

If any exploit attempts are observed with lateral movement activities, Netsurion’s SOC recommends the following actions.

• Microsoft has released a new one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool, to help customers apply security updates, who do not have dedicated security or IT teams.
• SOC recommends updating on-premises systems immediately. (Reference: Microsoft Security Response Center).
• Validate whether any unknown tasks and services are existing on the Exchange server and disable the unknown tasks, then run a complete anti-malware scan with the updated signature.
• Validate and remove unknown .aspx, .bat and unknown executable files from the following paths and restore the files from an uninfected backup file:
  • C:\Exchange\FrontEnd\HttpProxy\owa\auth\
  • C:\inetpub\wwwroot\aspnet_client\
  • C:\inetpub\wwwroot\aspnet_client\system_web\
• Initiate global password reset operation for exchange accounts if any unauthorized file access observed for Lsass.exe, lsass.dmp and ntds.dit.
• Kindly ensure that the strong password policy is in place.
• Ensure that Multi-Factor Authentication (MFA) is enabled for Exchange account logins.
• Remove unwanted applications from the server.
• Upgrade Operating Systems to the latest version.
• Run vulnerability scans on the host and patch all critical vulnerabilities.
• Ensure that the regular backup operation and proper network segmentation is in place for public-facing servers.

Recommended mitigation steps by CISA:

• Microsoft strongly urges customers to update on-premises systems immediately. The latest version is available on Microsoft Security Response Center.
  • Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense-in-Depth update)
  • Exchange Server 2013 (update requires CU 23)
  • Exchange Server 2016 (update requires CU 19 or CU 18)
  • Exchange Server 2019 (update requires CU 8 or CU 7)
• (Updated March 4, 2021): If you are running an older CU than what the patch will accept, you must upgrade to at least the required CU as stated above, then apply the patch. 
• (Updated March 4, 2021): All patches must be applied using administrator privileges.
• Restrict untrusted connections to port 443 or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
• Block external access to on-premises Exchange.
• Restrict external access to OWA URL:/owa/. 
• Restrict external access to Exchange Admin Center (EAC) aka Exchange Control Panel (ECP) URL:/ecp/.

(Updated March 4, 2021): Disconnect vulnerable Exchange servers from the internet until a patch can be applied.

Detection Mechanism (If patches not applied)

Existing P1 Alerts:

• Netsurion: Exploit Attempt Detected will be triggered while net user command used for copying user details to remote files/folders or lsass.dmp file accessed through sys internal tools.
• Netsurion: Active Directory Enumeration Attempt Detected will be triggered when active directory enumeration related tool or command executions observed.
• Netsurion: Bad Hash Detected will be triggered when a known exploit tool/executable file with VirusTotal reputation score of five (5) and above.
• PowerShell running suspicious commands will be triggered if any encoded commands or download strings are observed.
• Netsurion: Suspicious Exploit tool detected helps in identifying known exploit tools.
• Netsurion EDR: New product or signer is detected will be triggered when a new product or signer detected during the first time launch of malicious tools.
• Netsurion: A process has been terminated by Netsurion will be triggered when an identified bad Hash component launch stopped by Netsurion agent based on the unsafe list.
• Netsurion: A process connected to an unsafe IP will be triggered when a connection observed to unsafe IP addresses which are known to be involved in Command-and-Control server.

Monitoring Plans: Alert Monitoring, Saved Searches and Dashboards:

Alert Monitoring

• New real-time alert [Netsurion: Hafnium group activity detected] has been created to monitor known patterns with Hafnium-attack-group and China Chopper Web Shell attacks.

• Saved Searches/Dashboards has been created to identify the known patterns discovered with Recent Exchange server exploits.

Indicators of Compromise

• Netsurion Threat Center has been updated with Identified Bad MD5 Hash Values and IP addresses to detect the IP address communication and terminate process launches based on the unsafe list.

IOC Type	Value
MD5	4b3039cf227c611c45d2242d1228a121
	2C79376B314535CEC6EB026E76FB7BCE
	9b02dd2a1a15e94922be3f85129083ac
	e438712e336982548b884cbfbfee6c9e
	8aea2ae91cc084731a08aa231e79a430
	7a6c605af4b85954f62f35d648d532bf
	c2d8c7a741b68b227281e391f8f6f7d2
	79eb217578bed4c250803bd573b10151
	cdda3913408c4c46a6c575421485fa5b
	0e55ead3b8fd305d9a54f78c7b56741a
	c6eeb14485d93f4e30fb79f3a57518fc
	f2e22df5e284587dc36f8041129af391
	aef2ae9b36989bab8818696de5ccd5e7
	e912f273e629bf974a29213b6427d02b
	4ef04cba6bec2c3a164b9b755efbeb1c
	fe15fc6341baad2a111462854f96a2bc
	5544ba9ad1b56101b5d52b5270421d4a
	12011c44955fd6631113f68a99447515
	263b49414c6ff7ef241483e56ba3f9fd
	42097da8cfcaa155d2428f1e4798ceaf
	045c9b751db2ab01ff0ebece76804e78
	d6a82b866f7f9e1e01bf89c3da106d9d
	8af476e24db8d3cd76b2d8d3d889bb5c
	74b1fe8003e43195458bcacb0ceff5ec
	36f0f5c88e6f16d95ffbf471d6c7a03e
	9c7268ff2834d14688386c89385bbc8b
	39d0ad83e254ed1a7eade133a00a5264
	37ce783abd979851f35314d050978a22
	ad3cad7d9bcb68d35484eb63a0b4c928
	27a79d5d4263c400767ece37dbda2687
	ef4681593128987f357e2c2d1e91230a
	e3af60f483774014c43a7617c44d05e7
	98E445AB15F91DCBAAEFF3AF517F1842
	819B97326C40F0677C63492451C9B9DD
	354B3C8A54BA3B23C6B899BF5830D777
	5CFA1868F0112B1F413CCD527F08EACF
	217B7244D8AC1D7604B0848A9A283945
	DA4A376F5F0E771E7AC01AD42FFAFBD0
	7EEE73ECAB40ACDE73FE763FB1D79658
	817A6ED8578403B1E56C75D41BDC4881
	C528278654422CB7339DBF9BFC19397A
	f8b604ca7aa304a479f2461d1b74e795
	96c2f4acef5807b54ded4e0dae6ed79d
	aa2efe290df3c38c26c70b1f40f69812
	faa5f4def7e037324f5f87239ddead2d
	a5f6b6e95ef8a26081259813ca18e17b
	20e8e55625f68ed42a793d76d359a858
IP Address	103.77.192.219
	104.140.114.110
	104.250.191.110
	108.61.246.56
	149.28.14.163
	157.230.221.198
	167.99.168.251
	185.250.151.72
	192.81.208.169
	203.160.69.66
	211.56.98.146
	5.254.43.18
	80.92.205.81
	165.232.154.116
	161.35.45.41
	45.77.252.175
	5.2.69.14
	91.192.103.43
	188.166.162.201
	86.105.18.116
	89.34.111.11
	154.83.16.122
	43.254.216.136
	45.133.119.141
	45.249.244.118
	94.177.123.16
	152.32.174.110
	1.36.203.86
	1.65.152.106
	1.9.2.18
	103.135.248.70
	103.212.223.210
	104.225.219.16
	108.172.93.199
	108.61.171.184
	110.36.235.230
	110.36.238.2
	110.39.189.202
	112.168.90.84
	113.173.3.225
	114.205.37.150
	116.49.101.143
	117.146.53.162
	119.197.26.38
	119.231.129.222
	121.174.31.220
	121.176.145.25
	122.213.178.102
	123.16.231.247
	124.5.24.161
	128.90.21.223
	139.59.56.239
	161.35.76.1
	167.179.67.3
	170.10.228.74
	172.105.87.139
	179.1.65.54
	182.165.53.4
	182.18.152.105
	185.171.166.188
	185.173.235.172
	185.173.235.54
	185.224.83.137
	185.65.134.165
185.65.134.170
198.50.168.176
200.52.177.138
201.17.196.211
201.208.18.226
202.182.118.99
209.58.163.131
211.177.182.80
213.219.235.158
218.39.251.104
219.100.37.239
219.100.37.243
219.78.205.63
23.95.80.191
31.182.197.163
31.28.31.132
39.123.17.120
45.154.2.94
46.101.232.43
46.23.196.21
46.244.29.17
49.36.47.211
5.189.162.164
5.2.69.13
58.190.46.175
61.82.150.49
78.188.104.84
78.189.225.136
89.147.119.227
90.230.190.92
121.154.50.51
58.126.135.235
URL Queries on IIS (IIS logging is must)	/ecp/(Random string).js
	/ecp/DDI/DDIService.svc/GetList
	/owa/auth/logon.aspx
	C:\inetpub\wwwroot\aspnet_client\ (random file name).aspx
	C:\inetpub\wwwroot\aspnet_client\system_web\(random file name).aspx
	C:\Exchange\FrontEnd\HttpProxy\owa\auth\(random file name).aspx
	web.aspx
	help.aspx
	document.aspx
	errorEEE.aspx
	errorEW.aspx
	healthcheck.aspx
	aspnet_www.aspx
	aspnet_client.aspx
	xx.aspx
	shell.aspx
	aspnet_iisstart.aspx
	one.aspx
	/owa/auth/errorEE.aspx
	/owa/auth/errorFE.aspx
	/aspnet_client/aa.aspx
	hackIdIO.aspx
	ckPassPL.aspx
	chackLogsPL.aspx
	healthcheck.htm
	antSword/v2.1 (User agent)
	DuckDuckBot/1.0 (User agent)
	ExchangeServicesClient/0.0.0.0 (User agent)
Process Command Lines	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&id&echo [S]&cd&echo [E]
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&whoami&echo [S]&cd&echo [E]
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&quser&echo [S]&cd&echo [E]
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&netstat -anop tcp | grep LISTEN*&echo [S]&cd&echo [E]
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&reg query “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp” /v PortNumber&echo [S]&cd&echo [E]
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&net use * /delete /y&echo [S]&cd&echo [E]
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&xcopy \\shared path\ c:\windows\temp\doc\ /S /Y&echo [S]&cd&echo [E]
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&rmdir c:\windows\temp\doc&echo [S]&cd&echo [E]
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&del /f /s /q c:\windows\temp\x.rar&echo [S]&cd&echo [E]
	c:\Windows\debug\\7za.exe  -admin@files a c:\Windows\debug\\n.7z c:\Windows\debug\\system c:\Windows\debug\\ntds.dit
	C:\Windows\system32\cmd.exe  /K c:\windows\debug\(Random single letter).bat
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&C:\windows\temp\ps.exe -accepteula -ma lsass.exe C:\windows\temp\lsass
	C:\Windows\system32\cmd.exe  /K c:\windows\debug\(Random single letter).bat
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&taskkill /f /im ncat.exe&echo [S]&cd&echo [E]
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&del /f /s /q c:\windows\temp\p3.exe&echo [S]&cd&echo [E]
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&tasklist&echo [S]&cd&echo [E]
	cmd /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&systeminfo&echo [S]&cd&echo [E]
	“cmd” /c cd /d “C:\inetpub\wwwroot\aspnet_client\system_web\”&C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\lsass.dmp&echo [S]&cd&echo [E]

Reference Details:

• https://us-cert.cisa.gov/ncas/alerts/aa21-062a
• https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
• https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/
• https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
• https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/
• https://www.sentinelone.com/blog/sentinelone-and-hafnium-microsoft-exchange-0-days/
• https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities
• https://github.com/sophoslabs/IoCs/blob/master/Ransomware_BlackKingDom.csv
• https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/
• https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
• https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968
• https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection
• https://github.com/picussecurity/picuslabs/blob/master/Microsoft%20Exchange%20Vulnerabilities/all_vendor_spesific_content.csv
• https://github.com/microsoft/CSS-Exchange/tree/main/Security