Microsoft has detected multiple 0-days exploits being used to attack on-premises versions of Microsoft Exchange Servers. Microsoft releases today multiple patches. It is highly recommended to patch direct. Microsoft shared all the information about the HAFNIUM group and detected 0-day exploits. If you use on-premises exchange servers it is recommended to take direct action and patch the systems.
Microsoft says the 0-day exploits being used to attack on-premises versions in limited and targeted attacks. The actor used vulnerabilities to access the on-premises Exchange servers. From the exchange servers it is possible to deploy additional malware for the managed environments.
Multiple zero-day exploits of Microsoft Exchange Server require immediate action. Check for reported IOCs and apply critical patches here: https://t.co/cTDVbU2q4h
— NSA Cyber (@NSACyber) March 2, 2021
In this blog post an overview of multiple Microsoft products and detection options based on the IOC’s. The following topics will be described;
- Defender for Endpoint Threat Analytics report
- Detection with Defender
- Advanced hunting
- Known vulnerabilities
Known vulnerabilities
The exploited vulnerabilities contain the following CVE’s scoped for on-prem Exchange Servers.
- CVE-2021-26855
- CVE-2021-26857
- CVE-2021-26858
- CVE-2021-27065
For patching the servers Microsoft announced multiple Security Updates for Exchange Server. Visit Microsoft Security Response Center (MSRC) for downloading the released updates.
Detection with Microsoft technology
If the environment is protected with Defender for Endpoint multiple IOC’s and hunting queries are available for the detection with Microsoft technology.
The attack uses the following detections. Note; some of the detections are generic.
Unique detections:
- Exploit:Script/Exmann.A!dha
- Behavior:Win32/Exmann.A
- Backdoor:ASP/SecChecker.A
Not unique:
- Backdoor:JS/Webshell (not unique)
- Trojan:JS/Chopper!dha (not unique)
- Behavior:Win32/DumpLsass.A!attk (not unique)
- Backdoor:HTML/TwoFaceVar.B (not unique)
Microsoft Defender for Endpoints will trigger the following detections:
Unique detection:
- Suspicious Exchange UM process creation
- Suspicious Exchange UM file creation
Not unique
- Possible web shell installation (not unique)
- Process memory dump (not unique)
If Sentinel is used. The following detections are available from Github:
- HAFNIUM Suspicious Exchange Request
- HAFNIUM UM Service writing suspicious file
- HAFNIUM New UM Service Child Process
- HAFNIUM Suspicious UM Service Errors
- HAFNIUM Suspicious File Downloads
Advanced hunting with Defender for Endpoint
Possible exploit detection is possible with Defender for Endpoint Advanced hunting queries. How do you start advanced hunting?
- Go to https://securitycenter.windows.com/hunting
- Click Query
- Now you have the option to build and run a query.
From the hafnium page multiple details and detection events are available with sample hunting query commands.
UMWorkerProcess.exe in Exchange creating abnormal content
Look for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability:
DeviceFileEvents | where InitiatingProcessFileName == "UMWorkerProcess.exe" | where FileName != "CacheCleanup.bin" | where FileName !endswith ".txt" | where FileName !endswith ".LOG" | where FileName !endswith ".cfg" | where FileName != "cleanup.bin"
UMWorkerProcess.exe spawning
Look for Microsoft Exchange Server’s Unified Messaging service spawning abnormal subprocesses, suggesting exploitation of CVE-2021-26857 vulnerability:
DeviceProcessEvents | where InitiatingProcessFileName == "UMWorkerProcess.exe" | where FileName != "wermgr.exe" | where FileName != "WerFault.exe"
Microsoft defender for Endpoint Threat Analytics report
Microsoft published the Analytics reports inside Microsoft Defender for Endpoint. The Analytics report provides information in three sections; overview, mitigations and analyst report. To get the Analytics report:
- Go to Securitycenter.microsoft.com
- Dashboards – Threat Analytics
- Open the threat: Exchange server zero-days exploited in the wild. Direct link: https://securitycenter.windows.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview
Open the analytics report to view the executive summary and analysis. The analyst report contains the summary and analysis from Microsoft. Inside the analyst report information, you can find more detection rules and background information.
Apply these mitigations to reduce the impact of this threat.
- Apply latest security updates for Exchange Servers (source)
- For the Defender part; make sure you enabled cloud-delivered protection and automatic sample submission
From the mitigations tab inside Defender for Endpoint you can find the full report with all the details and information:
From the overview page, you get an overview with the general information about the related devices, devices with alerts and misconfigured/ vulnerable devices.
Summary
With Defender for Endpoint it is possible to detect some of the indicators. Make sure you’re reading the full detail page from Microsoft with all the information/ detections and indicators. This blog gives only a small introduction of the Defender for Endpoint detection part in combination with the shared information.
Oh and if you are using Exchange on-prem. Exchange online… 🙂
Sources
Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
NSA: https://twitter.com/NSACyber/status/1366867790288850944
if someone use exchange on-prem, they do not have enough subscription to use security center.