Microsoft Exchange Vulnerabilities You Need to Know
March 11, 2021

Are you running Microsoft Exchange Server? Have you installed the latest update for Microsoft Exchange, KB5000871? According to the Microsoft Threat Intelligence Center (MSTIC), the Hafnium group, a state-sponsored group operating out of China, is likely behind the rash of exploits of four newly announced vulnerabilities. An exploit of these vulnerabilities could be used to:
- Create a web shell that gives remote control of the server with SYSTEM-level access, a backdoor into the network
- Exfiltrate data from the compromised server
- Run additional exploits from the compromised server
What are the vulnerabilities?
The Microsoft Security Blog Post provided the following details about the newly announced CVEs:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Why is this important?
Volexity, a security firm, detected active exploits of these vulnerabilities in the wild. This means that all unpatched Exchange Servers are vulnerable.
When exploited, these vulnerabilities give attackers SYSTEM-level access on the Exchange server, which can then be used to compromise other systems on the network. Keep reading for insight on how to protect your network from being compromised.
What You Should Do About It
Assess the Situation
If you are unsure of the patch status of your Exchange environment, Microsoft has made an Exchange Health Check script available for download.
Exchange should first be patched to a current cumulative update. Next, you should apply KB5000871.
Scan Exchange Log Files for Indicators of Compromise
After assessing the patch status of Exchange, you should scan the Exchange log files for indicators of compromise.
According to Microsoft, CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs:
- These logs are located in the following directory: %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy
Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern of ServerInfo~*/*
Here is an example PowerShell command to find these log entries (the AuthenticatedUser check compares against an empty string):
- Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | Select-Object DateTime, AnchorMailbox
If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken. These logs are located in the %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging directory.
CVE-2021-26858 exploitation can be detected via the Exchange log files:
- C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
- Files should only be downloaded to the %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory
In case of exploitation, files are downloaded to other directories (UNC or local paths). The following Windows command searches the OAB generator logs for this condition:
- findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"
CVE-2021-26857 exploitation can be detected via the Windows Application event logs.
Exploitation of this deserialization bug will create Application events with the following properties:
- Source: MSExchange Unified Messaging
- EntryType: Error
- Event Message Contains: System.InvalidCastException
The following is a PowerShell command to query the Application Event Log for these log entries:
- Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }
CVE-2021-27065 exploitation can be detected via the following Exchange log files.
- C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server
- All Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid Uris.
The following is a PowerShell command to search for potential exploitation (any hit should then be reviewed for script content or non-URI values in InternalUrl and ExternalUrl):
- Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
Host Indicators of Compromise (IOCs)
We’ve compiled a list of hashes and paths that should be thoroughly checked for web shells and other compromises.
Paths
Web shells can be found in the following paths:
- C:\inetpub\wwwroot\aspnet_client\
- C:\inetpub\wwwroot\aspnet_client\system_web\
- In Microsoft Exchange Server installation paths such as:
  - %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
  - C:\Exchange\FrontEnd\HttpProxy\owa\auth\
The web shells we detected had the following file names:
- web.aspx
- help.aspx
- document.aspx
- errorEE.aspx
- errorEEE.aspx
- errorEW.aspx
- errorFF.aspx
- healthcheck.aspx
- aspnet_www.aspx
- aspnet_client.aspx
- xx.aspx
- shell.aspx
- aspnet_iisstart.aspx
- one.aspx
Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.
We also recommend that all customers monitor these paths for LSASS dumps:
- C:\windows\temp\
- C:\root\
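As an added example (not code from the original post, from Microsoft, or from Volexity), the following PowerShell sweep checks the paths listed above for the named web shell files and any recently written .aspx files, then looks for archives in C:\ProgramData and minidumps in the LSASS dump locations. The Exchange root path and the date cutoff are assumptions; adjust them for your environment.

```powershell
# Added example: read-only IOC sweep of the paths named in this post.
# Assumptions: default Exchange install root under $env:PROGRAMFILES, and a
# constructed cutoff date of 2021-02-01 (widen it if your logs go back further).

$shellNames = @('web.aspx','help.aspx','document.aspx','errorEE.aspx','errorEEE.aspx',
                'errorEW.aspx','errorFF.aspx','healthcheck.aspx','aspnet_www.aspx',
                'aspnet_client.aspx','xx.aspx','shell.aspx','aspnet_iisstart.aspx','one.aspx')

$webRoots = @(
    'C:\inetpub\wwwroot\aspnet_client',
    'C:\inetpub\wwwroot\aspnet_client\system_web',
    "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    'C:\Exchange\FrontEnd\HttpProxy\owa\auth'
)
$since = Get-Date '2021-02-01'   # constructed cutoff, see assumptions above

function New-Finding($Type, $File, $Hash) {
    [pscustomobject]@{ Type = $Type; Path = $File.FullName; Written = $File.LastWriteTime; SHA256 = $Hash }
}

# 1. Web shell candidates: known file names, or any .aspx written after the cutoff.
$shells = foreach ($root in $webRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
        Where-Object { ($shellNames -contains $_.Name) -or ($_.LastWriteTime -ge $since) } |
        ForEach-Object {
            $type = if ($shellNames -contains $_.Name) { 'KnownWebShellName' } else { 'RecentAspx' }
            New-Finding $type $_ (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
}

# 2. Archives in C:\ProgramData can indicate data staged for exfiltration.
$archives = Get-ChildItem -Path 'C:\ProgramData' -Recurse -File -Include '*.zip','*.rar','*.7z' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object { New-Finding 'Archive' $_ $null }

# 3. Minidumps in the listed temp paths can be LSASS credential dumps.
$dumps = Get-ChildItem -Path 'C:\Windows\Temp','C:\root' -Recurse -File -Filter '*.dmp' -ErrorAction SilentlyContinue |
    ForEach-Object { New-Finding 'PossibleLsassDump' $_ $null }

# Report oldest first; compare any SHA256 against published IOC lists before acting.
@($shells) + @($archives) + @($dumps) | Sort-Object Written | Format-Table -AutoSize
```

Run it in an elevated Windows PowerShell session on the Exchange server; a hit on a known web shell name is a strong signal, while RecentAspx entries need manual review against your own deployment history.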
Our team of IT experts at Concensus Technologies can help further explain these vulnerabilities and walk you through the process of thoroughly assessing your networks for any compromises. Reach out to our team here.
Sources:
- HAFNIUM targeting Exchange Servers with 0-day exploits (Microsoft Security)
- New nation-state cyberattacks (Microsoft On the Issues)
- Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities (Volexity)
- Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails (Krebs on Security)