Ransom for 'Exchange'
Hains Jose
Security Operations Team Lead @ LCM Security Inc. | Cybersecurity Expert | GIAC Certified Incident Handler | Fortinet Certified Professional | Security+
Hi, as we all know there was a recent attack on Microsoft Exchange on-premises servers. I would like to discuss some insights from this attack.
What's the name of the attack?
Ransomware: Ransomware is a type of malicious software that infects a computer and restricts the user's access to it until a ransom (money) is paid to unlock it.
In this attack, the ransomware HAFNIUM was used. Let's discuss what HAFNIUM is.
HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.
The attack basically had 3 stages:
1. Gain access to an Exchange server either with stolen passwords or by using the zero-days to disguise the hackers as personnel who should have access
2. Create a web shell to control the compromised server remotely
3. Use that remote access to steal data from a target’s network
Who was the sponsor or primary actor in this attack?
Nation-state
The motivations and resulting consequences of state-sponsored cyberattacks are as far-ranging as the geographies from which they originate. Nation-state hackers target government agencies, critical infrastructure and any and all industries known to contain sensitive data or property. Typically, they strike via sophisticated techniques that interrupt business operations, leak confidential information and generate massive data and revenue loss.
What was the type of attack?
The attack was a zero-day attack. Let's discuss what a zero-day attack is.
There are a few common, but slightly different definitions of zero-day attacks. Some define zero-day attacks as attacks on vulnerabilities that have not been patched or made public, while others define them as attacks that take advantage of a security vulnerability on the same day that the vulnerability becomes publicly known (zero-day).
Which vulnerabilities affected the servers in this attack?
CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed the attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is when untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, it could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.
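Stage 2 of the attack (dropping a web shell) and the two arbitrary-file-write vulnerabilities above both leave an unexpected or altered server-side script under the Exchange web directories. The following Python is an added example, not code from this post or from Microsoft, of the baseline check a responder can run to find such files: every `.aspx`/`.asp`-type file under the web roots is hashed and compared with a known-good list taken from a clean install or backup. The web roots, the baseline dictionary and the sample files are assumptions constructed for the demo.

```python
import hashlib
import tempfile
import time
from pathlib import Path

# File types IIS executes server-side; a dropped web shell is typically one of these.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


def sha256_of(path: Path) -> str:
    """Content hash of a script file (these are small, so read it whole)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_suspect_scripts(web_roots, baseline):
    """Compare every script file under web_roots with a known-good baseline
    ({relative path: sha256} from a clean install or backup) and report files
    that are absent from it or whose contents changed."""
    findings = []
    for root in map(Path, web_roots):
        for path in root.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
                continue
            relative = path.relative_to(root).as_posix()
            digest = sha256_of(path)
            if baseline.get(relative) == digest:
                continue  # identical to the known-good copy
            findings.append({
                "path": str(path),
                "relative": relative,
                "sha256": digest,
                "modified_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(path.stat().st_mtime)),
                "reason": "not in baseline" if relative not in baseline else "hash differs from baseline",
            })
    return findings


def build_demo_root():
    """Construct a throwaway web root: one baselined page plus one unexpected .aspx
    file (sample data assumed for the demo, not taken from a real server)."""
    root = Path(tempfile.mkdtemp())
    (root / "owa").mkdir()
    shipped = root / "owa" / "shipped_page.aspx"
    shipped.write_text("<%-- constructed stand-in for a page shipped with the product --%>")
    (root / "owa" / "unexpected_page.aspx").write_text("<%-- constructed stand-in for an attacker-written file --%>")
    return root, {"owa/shipped_page.aspx": sha256_of(shipped)}


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_root()
    for finding in find_suspect_scripts([demo_root], demo_baseline):
        print(finding["relative"], "->", finding["reason"])
```

On a real server the baseline must come from media or a backup that predates the compromise, and each reported file should be preserved (hash, timestamp, owner) before it is removed, since the same file write can also replace a legitimate page rather than add a new one.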