Note: This blog is a part of our MITRE ATT&CK Mapping series in which we map the latest major threat intelligence incidents to the MITRE ATT&CK framework. You can view similar postings such as Mapping MITRE ATT&CK to the DPRK Financial Crime Indictment, Compromised RDP Sales, or Sandworm’s APT Campaign.

On 02 March 2021, Microsoft released an advisory to discuss the detection of multiple zero-day exploits used to compromise on-premises versions of Microsoft Exchange Server. Microsoft Exchange Server is a mail, calendaring, and collaboration platform mainly designed by Microsoft for business use. The observed attacks exploited four previously unseen vulnerabilities in Microsoft’s product to access corporate email addresses and install external software to maintain persistence in the victim environment.

Microsoft initially attributed the attacks detected to HAFNIUM, a threat actor assessed to be supported and operating from the People’s Republic of China. This highly sophisticated actor traditionally conducts its operations from Virtual Private Servers (VPS) located in the United States. HAFNIUM primarily targets organizations in the US across various industry verticals, such as think tanks, infectious disease researchers, defense contractors, and educational institutions for the purpose of exfiltrating information. However, subsequent analysis of the zero-day exploits observed revealed that multiple threat actors (some say more than ten) were abusing unpatched versions of Microsoft Exchange Server.

While the zero-day exploits story is still unfolding, it is crucial to analyze how threat actors have proceeded to compromise vulnerable versions of Microsoft Exchange Server. Although Microsoft published the appropriate patches last week, initial estimates place the number of compromised organizations at 30,000, with many more servers still needing protection. As security teams will need to prioritize patching and investigating this compromise in the coming weeks, let’s dive into the tactics, techniques, and methods used by threat actors to exploit these four zero-day vulnerabilities by mapping MITRE ATT&CK to the Microsoft Exchange exploit.

Why Map the Microsoft Exchange Exploit to MITRE ATT&CK?

Digital Shadows (now ReliaQuest) will continue to update this blog as new details of this malicious operation emerge. In the meantime, mapping the MITRE ATT&CK framework to the information disclosed by Microsoft about this sophisticated campaign is useful to understand the modus operandi of the threat actors involved and better protect your organization against potential threats. Without further ado, let’s pack our compasses and adventure shoes and begin this orienteering exercise.

Reconnaissance

T1595 – Active Scanning

Attackers have been actively scanning the internet to find on-premises Microsoft Exchange Server versions exposed to unwarranted external connections on port 443. According to Volexity, the attackers only need the external IP address or domain name of a publicly available Exchange server to leverage the zero-day vulnerabilities and gain unauthorized access to the targeted environment. This technique cannot be easily mitigated, as it involves behavior outside the reach of an organization’s security tools; however, organizations that apply Microsoft’s patches probably won’t be targeted, as the attackers will likely focus on the servers that remain vulnerable.

Initial Access

T1190 – Exploit Public-Facing Application

T1078 – Valid Accounts

There are two main ways to gain access to a Microsoft Exchange Server: either through stolen valid account credentials or by leveraging zero-day vulnerabilities to appear as a legitimate and authorized user. CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows attackers to send specially crafted HTTP requests and authenticate as the Exchange server. This vulnerability can be exploited remotely and does not require any particular knowledge of the target environment. In the observed attacks, this vulnerability was often chained with other zero-days that allowed attackers to run code as SYSTEM on Exchange.

Execution

T1072 – Software Deployment Tools

CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 are also being leveraged to allow Remote Code Execution (RCE) on targeted systems. These post-authentication vulnerabilities enabled the attackers to write a file on the server’s path and perform additional malicious actions on the Exchange servers. This capability may be used to move laterally through the network, extract valuable information, and deploy further malware in the system. In this specific scenario, attackers were often found using web shells to gain continued access in the victim environment.

Persistence

T1505.003 – Server Software Component: Web Shell

According to MITRE, “Adversaries may backdoor web servers with web shells to establish persistent access to systems”—and that’s exactly what attackers did in the observed operations. By deploying web shells on the compromised servers, the attackers create a persistent way into the network that allows them to perpetrate a series of actions, including credential theft, data exfiltration, lateral movement, hands-on-keyboard activity, and deployment of additional payloads.

Exfiltration

T1041 – Exfiltration Over C2 Channel

Among all the actions that can be enabled via web shells, establishing command and control (C2) is undoubtedly one. According to the reports on the campaigns leveraging those four zero-day exploits, the threat actors likely used this connection to steal email data from an organization’s network. However, since reports are emerging claiming that more than ten threat actors were leveraging these vulnerabilities, the post-exploitation TTPs likely varied depending on the actor behind the operation.
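The mapping above can be turned into something a security team can load and share: the following is an added example (not code from the original post or from Digital Shadows) that collects the techniques listed in this post, validates the ATT&CK IDs, groups them by tactic, and emits an ATT&CK Navigator-style layer. The layer field names and version numbers are assumptions about the Navigator layer format, and the per-technique comments are paraphrased from this post.

```python
import json
import re
from collections import OrderedDict

# Observations as mapped in this post: (technique ID, ATT&CK tactic, note).
OBSERVED = [
    ("T1595", "reconnaissance", "Internet scanning for on-premises Exchange exposed on 443"),
    ("T1190", "initial-access", "CVE-2021-26855 SSRF used to authenticate as the Exchange server"),
    ("T1078", "initial-access", "Stolen valid credentials as the alternative entry route"),
    ("T1072", "execution", "CVE-2021-26857/-26858/-27065 post-auth file write and RCE"),
    ("T1505.003", "persistence", "Web shells dropped for continued access"),
    ("T1041", "exfiltration", "Email data pulled back over the web-shell C2 channel"),
]

# Enterprise ATT&CK IDs: Tdddd or Tdddd.ddd for sub-techniques.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def parent_technique(tid):
    """Validate an ATT&CK ID and return its parent (T1505.003 -> T1505)."""
    if not TECHNIQUE_ID.match(tid):
        raise ValueError(f"malformed ATT&CK technique ID: {tid!r}")
    return tid.split(".", 1)[0]


def techniques_by_tactic(observations):
    """Group technique IDs by tactic, keeping the order they were observed in."""
    grouped = OrderedDict()
    for tid, tactic, _ in observations:
        grouped.setdefault(tactic, [])
        if tid not in grouped[tactic]:
            grouped[tactic].append(tid)
    return grouped


def build_layer(name, observations, score=100):
    """Produce a Navigator-style layer dict.

    Field names and the version numbers below are assumptions about the
    ATT&CK Navigator layer format; adjust them to the Navigator build you use.
    """
    techniques = []
    seen = set()
    for tid, tactic, comment in observations:
        parent_technique(tid)  # raises on a malformed ID before anything is emitted
        if (tid, tactic) in seen:
            continue  # same technique observed twice under one tactic: keep one entry
        seen.add((tid, tactic))
        techniques.append(
            {"techniqueID": tid, "tactic": tactic, "score": score, "comment": comment}
        )
    return {
        "name": name,
        "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},  # assumed
        "domain": "enterprise-attack",
        "description": "Techniques observed in the Exchange zero-day campaign, as mapped in the post",
        "techniques": techniques,
    }


def layer_json(name, observations):
    """Serialize the layer so it can be saved and opened in the Navigator."""
    return json.dumps(build_layer(name, observations), indent=2)


if __name__ == "__main__":
    for tactic, ids in techniques_by_tactic(OBSERVED).items():
        print(f"{tactic:15s} {', '.join(ids)}")
    print(layer_json("Exchange zero-day campaign (as mapped in this post)", OBSERVED))
```

Because the ID check runs before any entry is emitted, a typo such as a missing sub-technique digit fails loudly instead of producing a layer that silently drops the technique.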

Suggested Mitigations for the Microsoft Exchange Vulnerabilities

Along with the details of the exploited zero-day vulnerabilities, Microsoft published security updates that should be immediately applied by every organization using Exchange in their corporate environments. We’re well aware that patching communication software can be a pain for business continuity, but promptly applying these patches can go a long way in protecting organizations from nation-state and criminal actors ready to exploit these public vulnerabilities. Digital Shadows (now ReliaQuest) has already observed chatter in high-profile Russian-language criminal forums discussing the potential presence of Proof of Concepts (PoCs) exploiting zero-day vulnerabilities CVE-2021-26855 and CVE-2021-27065.

Cybercriminals in a Russian-language cybercriminal forum mentioning the Microsoft Exchange vulnerabilities

It’s worth noting at this point that if your company has already been backdoored, these patches won’t actively remove the malicious web shells, and the server likely needs to be rebuilt entirely. Microsoft made an Nmap script to scan for evidence of exploited vulnerabilities in your environment. Investigating for exploitation, persistence, or evidence of lateral movement can highlight traces of an effective intrusion before the patches were applied. If that’s the case, you’re now in incident response mode.
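One concrete way to start the persistence check described here (and the web-shell persistence covered under T1505.003 above) is to sweep the server-side pages under the Exchange web roots for two things: page source in which request input reaches an execution or file-write primitive, and pages modified after the patch window. The script below is an added example, not code from the original post, from Digital Shadows, or from Microsoft; the regex patterns are a constructed starting set rather than a published signature list, the 02 March 2021 cutoff is an assumption taken from the patch release date in this post, and the sample pages it scans are constructed in a temporary directory.

```python
import os
import re
import tempfile
from datetime import datetime

# Two halves of a typical ASP.NET web shell: attacker input read from the
# request, and a primitive that executes it or writes it to disk. Constructed
# starting set for this example; extend it with your own hunting experience.
INPUT_PATTERNS = [
    re.compile(r"\bRequest\s*\[", re.I),
    re.compile(r"\bRequest\.(Form|QueryString|Item|Headers)\b", re.I),
]
PRIMITIVE_PATTERNS = [
    re.compile(r"\bProcess(StartInfo)?\b", re.I),
    re.compile(r"\bEval\b|\bExecute\b", re.I),
    re.compile(r"\bFile\.Write|\bFileStream\b|\bStreamWriter\b", re.I),
]

# Assumed cutoff: the day the Exchange patches were published. Any server-side
# page changed after it deserves a look; tune this to your own patch window.
DEFAULT_CUTOFF = datetime(2021, 3, 2).timestamp()


def classify_source(text):
    """Return the heuristic reasons a page's source looks like a web shell."""
    reads_input = any(p.search(text) for p in INPUT_PATTERNS)
    uses_primitive = any(p.search(text) for p in PRIMITIVE_PATTERNS)
    reasons = []
    if reads_input and uses_primitive:
        reasons.append("request input reaches an exec/file primitive")
    elif uses_primitive:
        reasons.append("exec/file primitive in a web-facing page")
    return reasons


def scan_file(path, cutoff=DEFAULT_CUTOFF):
    """Combine content heuristics with the file's modification time."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        reasons = classify_source(fh.read())
    if os.path.getmtime(path) >= cutoff:
        reasons.append("modified after patch cutoff")
    return reasons


def hunt(root, cutoff=DEFAULT_CUTOFF, exts=(".aspx", ".asp", ".ashx", ".asmx")):
    """Walk a web root and return {relative path: [reasons]} for flagged pages."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                reasons = scan_file(full, cutoff)
                if reasons:
                    findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def demo():
    """Constructed web root with three pages; returns the hunt results."""
    root = tempfile.mkdtemp()
    login = '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n'
    samples = {
        "owa/legit.aspx": (login, datetime(2020, 6, 1)),          # old, benign
        "owa/changed.aspx": (login, datetime(2021, 3, 5)),        # benign but touched late
        "aspnet_client/stub.aspx": (                               # constructed, non-functional stub
            '<script runat="server">\n'
            "// constructed stub: parameter read, primitive referenced, nothing wired up\n"
            "void Page_Load(object s, EventArgs e) {\n"
            '    string p = Request["p"];\n'
            "    /* ... Process.Start ... */\n"
            "}\n</script>\n",
            datetime(2021, 3, 5),
        ),
    }
    for rel, (content, mtime) in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        ts = mtime.timestamp()
        os.utime(full, (ts, ts))  # set mtime so the cutoff check is exercised
    return hunt(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {'; '.join(reasons)}")
```

The two reason strings are deliberately kept separate: a page that only trips the timestamp check is a triage item (a legitimate update may explain it), while a page in which request input reaches a process or file primitive is an immediate candidate for isolation and forensic collection. Modification times can be tampered with, so treat a clean timestamp as weak evidence and the content match as the stronger signal.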

Cybercriminals can leverage installed backdoor web shells to deploy malicious payloads (e.g., ransomware) on victim environments. If the cybercriminal group is financially motivated, they will likely attempt to deploy ransomware to fully capitalize on these vulnerabilities. Additionally, compromised Exchange servers can be a virtual doorway into the rest of the victim’s network, thus leaving cybercriminals and nation-state actors free to roam undisturbed.

It’s fundamental to stay updated on the latest vulnerabilities and security updates related to this high-profile exploit. As more details emerge, Digital Shadows (now ReliaQuest) will continue to update this post with additional analysis and recommendations in addition to delivering intelligence updates to our clients. Having an in-house or outsourced Cyber Threat Intelligence (CTI) team can quickly identify trends and listings relevant to your organization. This practice can help security teams prioritize the most vulnerable areas, thus granting a more robust security posture.

If you’d like to get a clear picture of your attack surface, SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) aggregates data from billions of sources across the open, deep, and dark web, giving you a view of your exposure in real time. Unlike other threat intelligence providers, Digital Shadows (now ReliaQuest) focuses on high-priority, actionable alerts as they relate to genuine threats to the business. Request a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.

For existing clients, Digital Shadows (now ReliaQuest) recommends the following Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection) queries for updates on developments of this event:

  • (type=[blog posts] OR type=[intelligence updates] OR type=[indicator feeds] OR type=[Vulnerabilities & Exploits]) AND (“Hafnium” OR “Microsoft Exchange Servers”) AND date=[now-14d TO now]
  • (type=[forum posts]) AND (“Hafnium” OR “Microsoft Exchange Servers”) AND date=[now-14d TO now]