HAFNIUM: Advice about the new nation-state attack

By Seth Geftic and Greg Iddon


On March 2nd, zero-day vulnerabilities affecting Microsoft Exchange were publicly disclosed. These vulnerabilities are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state.

What is HAFNIUM?

According to a CISA alert: Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to take control of an affected system and can exploit one vulnerability (CVE-2021-26855) to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild. CISA also issued an emergency directive urging organizations to patch on-premises Exchange Servers and search their networks for indicators of attack. For details of the Sophos protections against the exploitation of these vulnerabilities, see the linked Sophos article.

UPDATE: Other threat actors are now taking advantage of the persistence established by Hafnium to conduct a range of attacks. One actor is installing a new ransomware variant called DearCry. It is important to note that patching only protects your organization from being exploited by the vulnerabilities going forward. It does NOT ensure that an adversary has not already exploited the vulnerabilities.

What should you do?

  1. Patch or disable. Patch all on-premises Microsoft Exchange servers in your environment with the relevant security update. Details can be found on Microsoft’s Exchange Team blog. If you are unable to patch, implement an IIS Re-Write Rule and disable the Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir services. Details can be found in Microsoft’s Security Response Center blog. Sophos recommends you back up Exchange IIS/Server logs before patching and updating.

  2. Determine possible exposure. Download and run the Test-ProxyLogon.ps1 script provided by the Microsoft Customer Support Services team to determine possible exposure. Details on interpreting the results of this script can be found in this Microsoft article (a few paragraphs into the “Have I been compromised?” section). It is important to note that installing the patches will not address the presence of any malicious web shells. It is for this reason we recommend the use of Microsoft’s script to identify affected servers and look for the presence of web shells.

Test-ProxyLogon.ps1 can output multiple .csv files per Exchange server, depending on what it finds. These .csv files can be viewed in a text editor or spreadsheet application. The script looks for evidence of each vulnerability being abused, creating a .csv per CVE. It also looks for suspicious files (which may be web shells) that should be reviewed, and calculates how many days back in the logs it can identify potential abuse of the vulnerabilities.

Our most common observations are related to output for CVE-2021-26855. Hosts that may have been exploited by CVE-2021-26855 will be listed in the file [HOSTNAME]-Cve-2021-26855.csv. The “ClientIpAddress” column lists the source IP addresses of potential attackers. The “AnchorMailbox” column lists a path to various applications running on Exchange that may have been targeted. To reveal what actions may have been taken by the attacker, you will need to extract the relevant application from AnchorMailbox, e.g. for “ServerInfo~a]@[REDACTED]:444/autodiscover/autodiscover.xml?#” the relevant application is /autodiscover/. To determine what actions were taken by the adversary, look at the logs in %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\{application}, e.g. %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\autodiscover\. The “DateTime” column in [HOSTNAME]-Cve-2021-26855.csv provides a timestamp of when the potential exploitation took place, to use when referencing the log files.
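A small triage helper for the [HOSTNAME]-Cve-2021-26855.csv output described above, added here as an example (not Sophos or Microsoft code). The DateTime, ClientIpAddress and AnchorMailbox column names come from the advisory; the sample rows, IP addresses and the rule that the targeted application is the first path segment after the host:port are assumptions.

```python
"""Triage [HOSTNAME]-Cve-2021-26855.csv from Test-ProxyLogon.ps1: pull the targeted
application out of AnchorMailbox, map it to its Exchange logging folder, and group
hits by source IP. Added example, not Sophos or Microsoft code."""
import csv
import io
import os
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample of the CSV (RFC 5737 documentation IPs, redacted host as in the advisory).
SAMPLE_CSV = """DateTime,ClientIpAddress,AnchorMailbox
2021-03-03T04:12:07.121Z,203.0.113.10,ServerInfo~a]@[REDACTED]:444/autodiscover/autodiscover.xml?#
2021-03-03T04:12:09.877Z,203.0.113.10,ServerInfo~a]@[REDACTED]:444/ecp/DDI/DDIService.svc/GetObject?#
2021-03-03T05:40:31.002Z,198.51.100.7,ServerInfo~a]@[REDACTED]:444/autodiscover/autodiscover.xml?#
"""

# %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging from the advisory; the default
# below is only used when the environment variable is absent (e.g. off the server).
LOG_ROOT = os.path.join(os.environ.get("PROGRAMFILES", r"C:\Program Files"),
                        "Microsoft", "Exchange Server", "V15", "Logging")

# Assumption: the application is the first path segment, e.g. "/autodiscover/".
_APP_RE = re.compile(r"/([^/?#]+)/")


def application_from_anchor(anchor: str) -> Optional[str]:
    """'ServerInfo~a]@[REDACTED]:444/autodiscover/autodiscover.xml?#' -> '/autodiscover/'."""
    m = _APP_RE.search(anchor)
    return f"/{m.group(1)}/" if m else None


def log_folder_for(anchor: str) -> Optional[str]:
    """Logging subfolder to review for the application named in an AnchorMailbox value."""
    app = application_from_anchor(anchor)
    return os.path.join(LOG_ROOT, app.strip("/")) if app else None


def triage(csv_text: str) -> Dict[str, List[Tuple[str, Optional[str], Optional[str]]]]:
    """Group rows by ClientIpAddress -> [(DateTime, application, log folder), ...]."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        anchor = row["AnchorMailbox"]
        hits[row["ClientIpAddress"]].append(
            (row["DateTime"], application_from_anchor(anchor), log_folder_for(anchor)))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in triage(SAMPLE_CSV).items():
        print(ip)
        for when, app, folder in events:
            print(f"  {when}  {app}  -> review logs in {folder}")
```

Feed it the real CSV with `triage(open(path).read())`; the DateTime values are what you then look for in the per-application log folder.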

  3. Look for web shells or other suspicious .aspx files. Web shells have been observed in the following directories:

  • <volume>\inetpub\wwwroot\aspnet_client\ (e.g. C:\inetpub\wwwroot\aspnet_client\)

  • <volume>\inetpub\wwwroot\aspnet_client\system_web\

  • <exchange install path>\FrontEnd\HttpProxy\owa\auth\ (e.g. C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\)

  • <exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\

  • <exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\

Common names for these web shells include:

  • 8 random letters and numbers (regex: [0-9a-zA-Z]{8}.aspx)


  • aspnet_client.aspx

  • aspnet_iisstart.aspx

  • aspnet_www.aspx

  • aspnettest.aspx

  • discover.aspx

  • document.aspx

  • error.aspx

  • errorcheck.aspx

  • errorEE.aspx

  • errorEEE.aspx

  • errorEW.aspx

  • errorFF.aspx

  • healthcheck.aspx

  • help.aspx

  • HttpProxy.aspx

  • Logout.aspx

  • MultiUp.aspx

  • one.aspx

  • OutlookEN.aspx

  • OutlookJP.aspx

  • OutlookRU.aspx

  • RedirSuiteServerProxy.aspx

  • shell.aspx

  • shellex.aspx

  • supp0rt.aspx

  • system_web.aspx

  • t.aspx

  • TimeoutLogout.aspx

  • web.aspx

  • xx.aspx
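A name-based sweep of the directories and web shell names listed in step 3, added here as an example (not Sophos code). The directory list, the file names and the 8-character pattern come from the advisory; the EXCHANGE_INSTALL_PATH environment variable and its V15 default are assumptions, and the dot in the regex is escaped so it only matches a literal ".aspx".

```python
"""Sweep the advisory's web shell directories for .aspx files with known or
8-character random names. Added example, not Sophos code."""
import os
import re
from typing import Iterable, List, Optional, Tuple

# Names from the advisory, compared case-insensitively.
KNOWN_NAMES = {n.lower() for n in [
    "aspnet_client.aspx", "aspnet_iisstart.aspx", "aspnet_www.aspx", "aspnettest.aspx",
    "discover.aspx", "document.aspx", "error.aspx", "errorcheck.aspx", "errorEE.aspx",
    "errorEEE.aspx", "errorEW.aspx", "errorFF.aspx", "healthcheck.aspx", "help.aspx",
    "HttpProxy.aspx", "Logout.aspx", "MultiUp.aspx", "one.aspx", "OutlookEN.aspx",
    "OutlookJP.aspx", "OutlookRU.aspx", "RedirSuiteServerProxy.aspx", "shell.aspx",
    "shellex.aspx", "supp0rt.aspx", "system_web.aspx", "t.aspx", "TimeoutLogout.aspx",
    "web.aspx", "xx.aspx",
]}
# "8 random letters and numbers" from the advisory; anchored, with the dot escaped.
RANDOM_NAME_RE = re.compile(r"^[0-9a-zA-Z]{8}\.aspx$")

# Assumed: EXCHANGE_INSTALL_PATH overrides the standard V15 install location.
EXCHANGE_PATH = os.environ.get("EXCHANGE_INSTALL_PATH",
                               r"C:\Program Files\Microsoft\Exchange Server\V15")
WATCH_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",          # also covers \system_web via os.walk
    os.path.join(EXCHANGE_PATH, "FrontEnd", "HttpProxy", "owa", "auth"),  # + Current\ and versioned subfolders
]


def classify_name(filename: str) -> Optional[str]:
    """Reason a file name is suspicious: 'known-name', 'random-8', or None."""
    if filename.lower() in KNOWN_NAMES:
        return "known-name"
    if RANDOM_NAME_RE.match(filename):
        return "random-8"
    return None


def suspicious_files(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Reduce file paths (Windows or POSIX separators) to (path, reason) for suspicious names."""
    out = []
    for p in paths:
        reason = classify_name(os.path.basename(p.replace("\\", "/")))
        if reason:
            out.append((p, reason))
    return out


def scan(dirs: Iterable[str] = WATCH_DIRS) -> List[Tuple[str, str]]:
    """Recursively walk the watch directories; missing directories are simply skipped."""
    found = []
    for d in dirs:
        for root, _, files in os.walk(d):
            found += suspicious_files(os.path.join(root, f) for f in files)
    return found


if __name__ == "__main__":
    for path, reason in scan():
        print(f"{reason:10} {path}")
```

A hit is a lead for review, not a verdict; compare the file's creation time against the DateTime values from step 2 and inspect its contents before acting.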

  4. Query with Sophos EDR. If you are using Sophos EDR, you can leverage the following example queries to identify potential web shells to investigate, check the patch level of your servers, and look for suspicious commands from child processes of w3wp.exe (Microsoft’s IIS web server worker process, used by Exchange).
