Solutions
Go Back

Make Security Possible

Reduce Alert Noise and False Positives

Boost your team's productivity by cutting down alert noise and false positives.

Automate Security Operations

Boost efficiency, reduce burnout, and better manage risk through automation.

Dark Web Monitoring

Online protection tuned to the need of your business.

Maximize Existing Security Investments

Improve efficiencies from existing investments in security tools.

Beyond MDR

Move your security operations beyond the limitations of MDR.

Secure with Microsoft 365 E5

Boost the power of Microsoft 365 E5 security.

Secure Multi-Cloud Environments

Improve cloud security and overcome complexity across multi-cloud environments.

Secure Mergers and Acquisitions

Control cyber risk for business acquisitions and dispersed business units.

Force-Multiply Your Security Operations

Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore Our Solutions
Platform
Go Back

The GreyMatter Platform

Detection Investigation Response

Modernize Detection, Investigation, Response with a Security Operations Platform.

Threat Hunting

Locate and eliminate lurking threats with ReliaQuest GreyMatter

Threat Intelligence

Find cyber threats that have evaded your defenses.

Model Index

Security metrics to manage and improve security operations.

Breach and Attack Simulation

GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.

Digital Risk Protection

Continuous monitoring of open, deep, and dark web sources to identify threats.

Phishing Analyzer

GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.

Unify and Optimize Your Security Operations

ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Explore the GreyMatter Platform
Resources
Go Back

Resources

Blog

Company Blog

Case Studies

Brands of the world trust ReliaQuest to achieve their security goals.

Data Sheets

Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.

eBooks

The latest security trends and perspectives to help inform your security operations.

Industry Guides and Reports

The latest security research and industry reports.

Podcasts

Catch to the latest cybersecurity perspectives, tutorials and industry discussions with various guest speakers.

Solution Briefs

A deep dive on how ReliaQuest GreyMatter addresses security challenges.

Threat Advisories

The latest threat research report from ReliaQuest Photons research team.

Upcoming & On-Demand Webinars

Upcoming and on-demand webinars addressing the latest challenges and solutions security analysts must know.

White Papers

The latest white papers focused on security operations strategy, technology & insight.

Videos

Current and future SOC trends presented by our security experts.

Events & Webinars

Explore all upcoming company events, in-person and on-demand webinars

ReliaQuest Resource
Center

From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Resource Center
Company
Go Back

Company

About ReliaQuest

We bring our best attitude, energy and effort to everything we do, every day, to make security possible.

Executive Leadership

Security is a team sport.

Careers

Join our world-class team.

Press and Media Coverage

ReliaQuest newsroom covering the latest press release and media coverage.

Become a Channel Partner

When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.

Contact Us

How can we help you?

A Mindset Like No Other in the Industry

Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Search
Go Back

Generic selectors

Exact matches only

Search in title

Search in content

Post Type Selectors

Back to blog

Mapping MITRE ATT&CK to the Microsoft Exchange Zero-Day Exploits

ReliaQuest 11 March 2021

Threat Intelligence

Note: This blog is a part of our MITRE ATT&CK Mapping series in which we map the latest major threat intelligence incidents to the MITRE ATT&CK framework. You can view similar postings such as Mapping MITRE ATT&CK to the DPRK Financial Crime Indictment, Compromised RDP Sales, or Sandworm’s APT Campaign.

On 02 March 2021, Microsoft released an advisory to discuss the detection of multiple zero-day exploits used to compromise on-premises versions of Microsoft Exchange Server. Microsoft Exchange Server is a mail, calendaring, and collaboration platform mainly designed by Microsoft for business use. The observed attacks exploited four previously-unseen vulnerabilities in Microsoft’s product to access corporate email addresses and install external software to maintain persistence in the victim environment.

Microsoft initially attributed the attacks detected to HAFNIUM, a threat actor assessed to be supported and operating from the People’s Republic of China. This highly sophisticated actor traditionally conducts its operations from Virtual Private Servers (VPS) located in the United States. HAFNIUM primarily targets organizations in the US across various industry verticals, such as think tanks, infectious disease researchers, defense contractors, and educational institutions for the purpose of exfiltrating information. However, subsequent analysis of the zero-day exploits observed revealed that multiple threat actors (some say more than ten) were abusing unpatched versions of Microsoft Exchange Server.

While the zero-day exploits story is still unfolding, it is crucial to analyze how threat actors have proceeded to compromise vulnerable versions of Microsoft Exchange Server. Although Microsoft published the appropriate patches last week, initial estimates place the number of compromised organizations to 30,000 with many more servers still needing protections. As security teams will need to prioritize patching and investigating this compromise in the coming weeks, let’s dive into the tactics, techniques, and methods used by threat actors to exploit these four zero-day vulnerabilities by mapping MITRE ATT&CK to the Microsoft Exchange exploit.

Why Map the Microsoft Exchange Exploit to MITRE ATT&CK?

Digital Shadows (now ReliaQuest) will continue to update this blog as new details of this malicious operation emerge. In the meantime, mapping the MITRE ATT&CK framework to the information disclosed by Microsoft about this sophisticated campaign is useful to understand the modus operandi of the threat actors involved and better protect your organization against potential threats. Without further ado, let’s pack our compasses and adventure shoes and begin this orienteering exercise.

Reconnaissance

T1595 – Active Scanning

Attackers have been actively scanning the internet to find on-premise Microsoft Exchange Server versions able to receive unwarranted external connections on port 443. According to Volexity, the attackers only need the external IP address or domain name of a publicly available Exchange server to leverage the zero-day vulnerabilities and gain unauthorized access to the targeted environment. This technique cannot be easily mitigated as it involves behaviors that cannot be controlled by security tools; however, by applying Microsoft’s patches, organizations probably won’t be targeted as the attackers will likely focus on the vulnerable ones.

Initial Access

T1190 – Exploit Public-Facing Application

T1078 – Valid Accounts

There are two main ways to gain access to a Microsoft Exchange Server: either through stolen valid account credentials or by leveraging zero-day vulnerabilities to appear as a legitimate and authorized user. CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows attackers to send specially crafted HTTP requests and authenticate as the Exchange server. This vulnerability can be exploited remotely and does not require any particular knowledge of the target environment. In the observed attacks, this vulnerability was often chained to other zero-days that allowed attackers to run code as SYSTEM on Exchange.

Execution

T1072 – Software Deployment Tools CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 are also being leveraged to allow Remote Code Execution (RCE) on targeted systems. These post-authentication vulnerabilities enabled the attackers to write a file on the server’s path and perform additional malicious actions on the Exchange servers. This capability may be used to move laterally through the network, extract valuable information, and deploy further malware in the system. In this specific scenario, attackers were often found using web shells to gain continued access in the victim environment.

Persistence

T1505.003 – Server Software Component: Web Shell

According to MITRE, “Adversaries may backdoor web servers with web shells to establish persistent access to systems”—and that’s exactly what attackers did in the observed operations. By deploying web shells on the compromised servers, the attackers create a persistent way into the network that allows them to perpetrate a series of actions, including credential theft, data exfiltration, lateral movement, hands-on-keyboard activity, and deployment of additional payloads.

Exfiltration

T1041 – Exfiltration over C2 channel

Among all the actions that can be enabled via web shells, establishing command and control (C2) is undoubtedly one. According to the reports on the campaigns leveraging those four zero-day exploits, the threat actors likely used this connection to steal email data from an organization’s network. However, since reports are emerging claiming that more than ten threat actors were leveraging these vulnerabilities, the post-exploitation TTPs likely varied depending on the actor behind the operation.

Suggested Mitigations for the Microsoft Exchange Vulnerabilities

Along with the details of the exploited zero-days vulnerabilities, Microsoft published security updates that should be immediately applied by every organization using Exchange in their corporate environments. We’re well aware that patching communication software can be pain for business continuity, but promptly applying these patches can go a long way in protecting organizations from nation-state and criminal actors ready to exploit these public vulnerabilities. Digital Shadows (now ReliaQuest) has already observed chatter in high-profile Russian-language criminal forums discussing the potential presence of Proof of Concepts (PoCs) exploiting zero-day vulnerabilities CVE-2021-26855 and CVE-2021-27065.

Cybercriminals in a Russian-language cybercriminal forum mentioning the Microsoft Exchange vulnerabilities — *Cybercriminals in a Russian-language cybercriminal forum mentioning the Microsoft Exchange vulnerabili*ties

It’s worth noting at this point that if your company has already been backdoored, these patches won’t actively remove the malicious web shells, and the server likely needs to be rebuilt entirely. Microsoft made a nMap script to scan for evidence of exploited vulnerabilities in your environment. Investigating for exploitation, persistence, or evidence of lateral movement can highlight traces of an effective intrusion before the patches were applied. If that’s the case, you’re now in incident response mode.

Cybercriminals can leverage installed backdoor web shells to deploy malicious payloads (i.e. ransomware) on victim environments. If the cybercriminal group is financially-motivated, they will likely attempt to deploy ransomware to fully capitalize on these vulnerabilities. Additionally, compromised Exchange servers can be a virtual doorway into the rest of the victim’s network, thus leaving cybercriminals and nation-state actors free to roam undisturbed.

It’s fundamental to stay updated on the latest vulnerabilities and security updates related to this high-profile exploit. As more details emerge, Digital Shadows (now ReliaQuest) will continue to update this post with additional analysis and recommendations in addition to delivering intelligence updates to our clients. Having an in-house or outsourced Cyber Threat Intelligence (CTI) team can quickly identify trends and listings relevant to your organization. This practice can help security teams prioritize the most vulnerable areas, thus granting a more robust security posture.

If you’d like to get a clear picture of your attack surface, SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) aggregates data from billions of sources across the open, deep, and dark web, giving you a view of your exposure in real-time. Unlike other threat intelligence providers, Digital Shadows (now ReliaQuest) focuses on high-priority, actionable alerts as they relate to genuine threats to the business. Get a demo request of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here

For existing clients, Digital Shadows (now ReliaQuest) recommends the following Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection) queries for updates on developments of this event:

(type=[blog posts] OR type=[intelligence updates] OR type=[indicator feeds] OR type=[Vulnerabilities & Exploits]) AND (“CVE-2021-26855” OR “CVE-2021-26857” OR “CVE-2021-26858” OR “CVE-2021-27065”)

(type=[blog posts] OR type=[intelligence updates] OR type=[indicator feeds] OR type=[Vulnerabilities & Exploits]) AND (“Hafnium” OR “Microsoft Exchange Servers”) AND date=[now-14d TO now]

(type=[forum posts]) AND (“CVE-2021-26855” OR “CVE-2021-26857” OR “CVE-2021-26858” OR “CVE-2021-27065”)

(type=[forum posts]) AND (“Hafnium” OR “Microsoft Exchange Servers”) AND date=[now-14d TO now]