Exchange Server Attacks Against US Local Governments — Zero-Day Vulnerabilities


Zero-day vulnerabilities are being actively exploited in attacks against local US government agencies.

Microsoft Exchange Server — Zero-Day Vulnerabilities

Mandiant, the information security company acquired by FireEye, has observed multiple instances of abuse of Microsoft Exchange Server.

On March 2, Microsoft warned that four zero-day vulnerabilities were being exploited by threat actors in the wild:

  • CVE-2021-26855

A server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

It is rated CRITICAL severity.

  • CVE-2021-26857

An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when untrusted, user-controllable data is deserialized by a program.

Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server.

However, exploiting it requires administrator permission or another vulnerability.

  • CVE-2021-26858, CVE-2021-27065

A post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server.

They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator's credentials.

Who is HAFNIUM?

According to Microsoft, HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Moreover, HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

After exploiting the vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server.

Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.

Security Update

In short, Exchange users are urged to update their software as quickly as possible.

Host IOCs

Hashes

Web shell hashes


MD5 Hashes:

  • 4b3039cf227c611c45d2242d1228a121
  • 0fd9bffa49c76ee12e51e3b8ae0609ac
  • 79eb217578bed4c250803bd573b10151
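A sweep a defender could run against the hash indicators in this section, as an added example that is not code from the original post or from Microsoft. It hashes every script file under an assumed Exchange web root with both SHA-256 and MD5, flags matches against a supplied indicator set, and also lists script files modified after a cut-off, since a web shell tailored per victim will not match any published hash. The demo scenario, its directory layout and its digests are constructed sample data, not the advisory's real hashes.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path
from typing import Iterable, Optional

# Extensions a web shell on IIS/Exchange is typically written as.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}

def file_digests(path: Path) -> tuple[str, str]:
    """Return (sha256, md5) hex digests, streamed so large files are fine."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()

def sweep(root: Path, bad_hashes: Iterable[str],
          since_epoch: Optional[float] = None) -> tuple[list[str], list[str]]:
    """Walk root; return (hash_matches, recent_scripts) as sorted path lists.
    A file matches if either digest is in bad_hashes (case-insensitive).
    recent_scripts lists script files with mtime >= since_epoch, catching
    shells that were tailored per victim and so match no published hash."""
    bad = {h.lower() for h in bad_hashes}
    matches, recent = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_EXTS:
            continue
        sha, md5 = file_digests(p)
        if sha in bad or md5 in bad:
            matches.append(str(p))
        if since_epoch is not None and p.stat().st_mtime >= since_epoch:
            recent.append(str(p))
    return matches, recent

def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario (sample bytes, not real indicators): one script whose
    hash is on the indicator list, one tailored script that is not, one static
    file. Returns the matched and the recent file names."""
    root = Path(tempfile.mkdtemp())
    web = root / "owa" / "auth"  # assumed layout, constructed for the demo
    web.mkdir(parents=True)
    (web / "known.aspx").write_bytes(b"constructed sample: listed script")
    (web / "custom.aspx").write_bytes(b"constructed sample: tailored script")
    (web / "logo.png").write_bytes(b"constructed sample: static image")
    known_sha, _ = file_digests(web / "known.aspx")
    matches, recent = sweep(root, [known_sha.upper()], since_epoch=0.0)
    return [Path(m).name for m in matches], [Path(r).name for r in recent]
```

On a real host, point `sweep` at the Exchange install's web roots, pass the published hash list as `bad_hashes`, and set `since_epoch` to the patch date so every script written since then is reviewed, not only those with a known hash.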

Microsoft Defender Antivirus detections

Please note that some of these detections are generic detections and not unique to this campaign or these exploits.

  • Exploit:Script/Exmann.A!dha
  • Behavior:Win32/Exmann.A
  • Backdoor:ASP/SecChecker.A
  • Backdoor:JS/Webshell (not unique)
  • Trojan:JS/Chopper!dha (not unique)
  • Behavior:Win32/DumpLsass.A!attk (not unique)
  • Backdoor:HTML/TwoFaceVar.B (not unique)

IP Address:


Published March 6th, 2021 | Microsoft, Security Update, Zero Day Attack

About the Author:

FirstHackersNews- Identifies Security