Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server. Microsoft released multiple patches today, and it is highly recommended to install them immediately. Microsoft has shared all the information about the HAFNIUM group and the detected 0-day exploits. If you run on-premises Exchange servers, take action now and patch the systems.

Microsoft says the 0-day exploits are being used against on-premises versions in limited and targeted attacks. The actor used the vulnerabilities to gain access to on-premises Exchange servers. From the Exchange servers it is possible to deploy additional malware into the managed environment.

This blog post gives an overview of multiple Microsoft products and their detection options based on the published IOCs. The following topics are described:

  • Defender for Endpoint Threat Analytics report
  • Detection with Defender
  • Advanced hunting
  • Known vulnerabilities

Known vulnerabilities

The exploited vulnerabilities are the following CVEs, scoped to on-prem Exchange Servers:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

For patching the servers, Microsoft released multiple Security Updates for Exchange Server. Visit the Microsoft Security Response Center (MSRC) to download the released updates.


Detection with Microsoft technology

If the environment is protected with Defender for Endpoint, multiple IOCs and hunting queries are available for detection with Microsoft technology.

The attack triggers the following antivirus detections. Note: some of the detections are generic and not unique to this attack.

Unique detections:

  • Exploit:Script/Exmann.A!dha
  • Behavior:Win32/Exmann.A
  • Backdoor:ASP/SecChecker.A

Not unique:

  • Backdoor:JS/Webshell
  • Trojan:JS/Chopper!dha
  • Behavior:Win32/DumpLsass.A!attk
  • Backdoor:HTML/TwoFaceVar.B

Microsoft Defender for Endpoint raises the following alerts:

Unique detections:

  • Suspicious Exchange UM process creation
  • Suspicious Exchange UM file creation

Not unique:

  • Possible web shell installation
  • Process memory dump

If Sentinel is used, the following detections are available from GitHub:


Advanced hunting with Defender for Endpoint

Possible exploitation can be detected with Defender for Endpoint advanced hunting queries. To start advanced hunting:

  1. Go to https://securitycenter.windows.com/hunting
  2. Click Query
  3. Now you have the option to build and run a query.


The Microsoft HAFNIUM page provides multiple details and detection events together with sample hunting queries.

UMWorkerProcess.exe in Exchange creating abnormal content

Look for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858:

DeviceFileEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName != "CacheCleanup.bin"
| where FileName !endswith ".txt"
| where FileName !endswith ".LOG"
| where FileName !endswith ".cfg"
| where FileName != "cleanup.bin"

UMWorkerProcess.exe spawning

Look for Microsoft Exchange Server’s Unified Messaging service spawning abnormal subprocesses, suggesting exploitation of CVE-2021-26857:

DeviceProcessEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName != "wermgr.exe"
| where FileName != "WerFault.exe"
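The filter logic of the two hunting queries above (file creation and child processes of UMWorkerProcess.exe), re-implemented in Python as an added example that is not part of the original post or of Microsoft's queries. The event records are constructed dictionaries mimicking the DeviceFileEvents and DeviceProcessEvents columns the queries filter on; a web shell name is only illustrative.

```python
# Added example (not from the original post or from Microsoft): the two hunting
# queries above re-implemented in plain Python so their filter logic can be read
# and exercised offline. Records are constructed dicts with the DeviceFileEvents
# and DeviceProcessEvents columns the KQL filters on. KQL semantics mirrored:
# == and != are case-sensitive, endswith/!endswith are case-insensitive.

# Files the Unified Messaging worker legitimately writes (from the KQL).
BENIGN_UM_FILES = {"CacheCleanup.bin", "cleanup.bin"}
BENIGN_UM_SUFFIXES = (".txt", ".log", ".cfg")
# Crash-reporting children the worker legitimately spawns (from the KQL).
BENIGN_UM_CHILDREN = {"wermgr.exe", "WerFault.exe"}
UM_WORKER = "UMWorkerProcess.exe"

def suspicious_um_file_events(events):
    """Mirror of the DeviceFileEvents query (hunting for CVE-2021-26858)."""
    hits = []
    for ev in events:
        if ev["InitiatingProcessFileName"] != UM_WORKER:
            continue
        name = ev["FileName"]
        if name in BENIGN_UM_FILES or name.lower().endswith(BENIGN_UM_SUFFIXES):
            continue
        hits.append(ev)
    return hits

def suspicious_um_child_processes(events):
    """Mirror of the DeviceProcessEvents query (hunting for CVE-2021-26857)."""
    return [ev for ev in events
            if ev["InitiatingProcessFileName"] == UM_WORKER
            and ev["FileName"] not in BENIGN_UM_CHILDREN]

# Constructed sample telemetry: benign and suspicious records of each kind.
SAMPLE_FILE_EVENTS = [
    {"DeviceName": "exch01", "InitiatingProcessFileName": UM_WORKER, "FileName": "CacheCleanup.bin"},
    {"DeviceName": "exch01", "InitiatingProcessFileName": UM_WORKER, "FileName": "UM.LOG"},
    {"DeviceName": "exch01", "InitiatingProcessFileName": UM_WORKER, "FileName": "help.aspx"},
    {"DeviceName": "exch01", "InitiatingProcessFileName": "w3wp.exe", "FileName": "help.aspx"},
]
SAMPLE_PROCESS_EVENTS = [
    {"DeviceName": "exch01", "InitiatingProcessFileName": UM_WORKER, "FileName": "WerFault.exe"},
    {"DeviceName": "exch01", "InitiatingProcessFileName": UM_WORKER, "FileName": "cmd.exe"},
    {"DeviceName": "exch01", "InitiatingProcessFileName": "w3wp.exe", "FileName": "cmd.exe"},
]

if __name__ == "__main__":
    for ev in suspicious_um_file_events(SAMPLE_FILE_EVENTS):
        print("suspicious UM file write:", ev["DeviceName"], ev["FileName"])
    for ev in suspicious_um_child_processes(SAMPLE_PROCESS_EVENTS):
        print("suspicious UM child process:", ev["DeviceName"], ev["FileName"])
```

Note that the last record of each sample set comes from w3wp.exe and is ignored on purpose: both queries only look at what the UM worker itself writes or spawns, not at the IIS worker process.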


Microsoft Defender for Endpoint Threat Analytics report

Microsoft published a Threat Analytics report inside Microsoft Defender for Endpoint. The report provides information in three sections: overview, mitigations and analyst report. To open the report:

  1. Go to Securitycenter.microsoft.com
  2. Dashboards – Threat Analytics
  3. Open the threat: Exchange server zero-days exploited in the wild. Direct link: https://securitycenter.windows.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview

Open the analyst report to view Microsoft's executive summary and analysis. Inside the analyst report you can find more detection rules and background information.

Apply these mitigations to reduce the impact of this threat.

  • Apply latest security updates for Exchange Servers (source)
  • For Defender: make sure cloud-delivered protection and automatic sample submission are enabled

The mitigations tab inside Defender for Endpoint shows the full list of mitigations with all the details and information.

The overview page shows general information about the related devices, devices with alerts, and misconfigured or vulnerable devices.


Summary

With Defender for Endpoint it is possible to detect some of the indicators. Make sure you read the full detail page from Microsoft with all the information, detections and indicators. This blog gives only a short introduction to the Defender for Endpoint detection part in combination with the shared information.

Oh, and if you are using Exchange on-prem: Exchange Online… 🙂

Sources

Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits

NSA: https://twitter.com/NSACyber/status/1366867790288850944