Hands-on with Hafnium: Proxylogon evolves

Hafnium has been exploiting four zero-day vulnerabilities in Microsoft Exchange, depositing tools that would enable threat actors to gain remote access to victim systems following initial access.

It seems there’s one major hack after another right now, and the latest to hit headlines impacts hundreds of thousands of organizations globally. Microsoft announced on March 3 that Hafnium, a state-backed Chinese threat group, had exploited vulnerabilities in its Exchange email servers – vulns Microsoft acknowledged formally a day earlier. (Exchange, for the uninitiated, is an email inbox, calendar and collaboration solution with users of all sizes globally.)

Hafnium has been exploiting not one but four zero-day vulnerabilities in Exchange, depositing tools that would enable threat actors to gain remote access to victim systems following initial access. Microsoft even released a patch for the 2010 edition of Exchange, suggesting these vulnerabilities – listed below – are at least a decade old.

  • CVE-2021-26855: CVSS 9.1: a server-side request forgery (SSRF) vulnerability that lets unauthenticated attackers send crafted HTTP requests to the server. The server must accept untrusted connections over port 443 for the bug to be triggered.
  • CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code execution as SYSTEM. However, exploiting it requires either chaining it with another vulnerability or using stolen credentials.
  • CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability that allows files to be written to any path on the server.
  • CVE-2021-27065: CVSS 7.8: a second post-authentication arbitrary file write vulnerability that allows files to be written to any path on the server.

These vulnerabilities have been collectively codenamed “Exchange Marauder” and “ProxyLogon”.

Volexity, the cybersecurity company that discovered the vulns being exploited, said, “espionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021”, meaning the hackers flew under the radar for around three months. It’s thought that Volexity’s activity may have alerted Hafnium to an impending patch, sparking the group to act more aggressively.

While the Exchange hack hasn’t captured the media’s imagination quite like SolarWinds did, it isn’t any less dangerous. Gaz Lockwood, Immersive Labs’ Principal Threat Hunt Engineer, says: “Exchange as a target creates real challenges for businesses. Firstly, it's very widely used, so versions are installed in lots of networks around the world. Secondly, it’s designed to face the public internet, which makes the severity of the vulnerabilities worse. And finally, Exchange usually runs with elevated privileges, meaning attackers can use it to gain a high level of privilege very quickly.”

The fallout of this is that enterprises may be frightened into investing in security solutions and adopting cloud-based email in favor of in-house servers. Fixes for the vulns have of course been issued – but organizations with suboptimal patching processes could find themselves joining the growing list of victims.

At this moment there are still 266,629 publicly available and exploitable Exchange Server installations, according to Shodan. Since the initial attacks by the Hafnium APT group, more than 10 other threat actors have begun exploiting these vulnerabilities to deploy ransomware and other malicious code.

Even with this apparently widespread adoption of the exploit, it took several days for the security community to develop and release proof of concept (PoC) code in the public domain that chains multiple vulnerabilities together. There was also a hint of controversy last week when Microsoft was accused of censorship after removing early PoC exploit code that a security researcher had posted on GitHub, a platform owned by Microsoft.

How can I protect my organization?

Patching the vulnerabilities will protect currently unaffected servers; if patching isn’t possible, organizations should still look to block untrusted connections to their Exchange servers. Businesses can also take proactive steps to both detect and mitigate this threat, starting with Microsoft’s Safety Scanner. Finally, there is a wealth of information on indicators of compromise (IoCs) and suggested actions from both CISA in the US and the NCSC in the UK. The Cyber Humanity team go into more depth here:

Topics: CVEs, Threats

Published: 16 March 2021

Get hands-on

The ultimate way to learn about these zero-days is to get to grips with them in a secure environment. Our content team has worked hard and fast to bring you engaging Proxylogon labs in our free-to-all Community Mode, which you can access here.

