March 2, 2021 marked the release of a Threat Intelligence report by Microsoft, disclosing multiple 0-day exploits abused in the wild to attack on-premises versions of Microsoft Exchange Server.
The threat actor, dubbed 'HAFNIUM', abuses multiple vulnerabilities to access on-premises Exchange servers, bypassing authentication mechanisms.
Once access to the on-premises Exchange servers is gained, the full contents of user mailboxes can be extracted and exfiltrated outside the network, and additional malware can be installed.
Affected Microsoft Exchange Servers:
- Microsoft Exchange Server 2010
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Davinsi Labs strongly recommends and urges our customers to update on-premises Exchange servers immediately, to ensure the following patch is in place: Security update for Microsoft Exchange Server 2013, 2016 and 2019.
To provide threat detection that identifies the threat actor's activity and post-compromise activity, the following data sources need to be onboarded into your SIEM:
- Microsoft Exchange Server logs
  - Exchange HttpProxy logs
  - Exchange ECP Server logs
    - C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server
  - Exchange OABGeneratorLog
    - C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
- Microsoft Security logs from the Exchange server
  - Audit Process Creation (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking)
  - Include command line in process creation events (Administrative Templates\System\Audit Process Creation -> Include command line in process creation events)
- Microsoft Application logs from the Exchange server
  - MSExchange Unified Messaging
- Microsoft PowerShell logs from the Exchange server
- Microsoft PowerShell Operational logs from the Exchange server
  - Script Block Logging enabled (only applicable for PS v5)
  - Module Logging enabled (only applicable for PS v4 & v5, with the following module enabled: Microsoft.PowerShell.*)
- Microsoft Defender Antivirus logs (if applicable)
- Microsoft Defender for Endpoint logs (if applicable)
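As an added readiness check (not part of the original advisory), the following script verifies on an Exchange server that the log directories and audit settings listed above are in place before the SIEM onboarding is relied upon. It assumes the default V15 install path, a PowerShell 5.x runtime and the standard Group Policy registry locations for the audit and PowerShell logging settings.

```powershell
# Added check: confirm the logging prerequisites from the advisory are present.
# Assumes the default V15 path and Group Policy registry keys; run elevated.
$base    = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging'
$results = [ordered]@{}

# 1. Exchange log directories that the SIEM forwarder must collect
foreach ($dir in 'HttpProxy', 'ECP\Server', 'OABGeneratorLog') {
    $results["Log dir $dir"] = Test-Path (Join-Path $base $dir)
}

# 2. Advanced audit policy: Detailed Tracking > Audit Process Creation (event 4688)
$audit = auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv
$results['Audit Process Creation'] = [bool]($audit.'Inclusion Setting' -match 'Success')

# 3. Command line included in 4688 events
$cmdKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmd    = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
$results['Command line in 4688'] = ($cmd.ProcessCreationIncludeCmdLine_Enabled -eq 1)

# 4. PowerShell Script Block Logging (event 4104, PS v5)
$sbKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sb    = Get-ItemProperty -Path $sbKey -ErrorAction SilentlyContinue
$results['Script Block Logging'] = ($sb.EnableScriptBlockLogging -eq 1)

# 5. PowerShell Module Logging with Microsoft.PowerShell.* enabled (event 4103)
$mlKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
$ml        = Get-ItemProperty -Path $mlKey -ErrorAction SilentlyContinue
$modNames  = Get-ItemProperty -Path "$mlKey\ModuleNames" -ErrorAction SilentlyContinue
$results['Module Logging (Microsoft.PowerShell.*)'] =
    ($ml.EnableModuleLogging -eq 1) -and
    ($modNames.PSObject.Properties.Name -contains 'Microsoft.PowerShell.*')

# 6. Windows event logs referenced above exist and are enabled
foreach ($log in 'Security', 'Application', 'Windows PowerShell',
                 'Microsoft-Windows-PowerShell/Operational') {
    $l = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
    $results["Event log $log"] = [bool]($l -and $l.IsEnabled)
}

# Print a simple OK / MISSING table for the onboarding checklist
$results.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Any line reported as MISSING corresponds to a data source from the list above that will not reach the SIEM until the setting or path is fixed.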
For a head start on threat detection, see the blog posts from Splunk, Sentinel and Rapid7 on detecting adversarial activity related to HAFNIUM:
- Blog Splunk, March 3 2021: Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk
- Blog Microsoft, March 2 2021: HAFNIUM targeting Exchange Servers with 0-day exploits
- Blog Rapid7, March 3 2021: InsightIDR enables detection and response to Microsoft Exchange 0-day
- Blog Rapid7, March 3 2021: Mass exploitation of Exchange Server zero-day CVEs: what you need to know
Furthermore, Rapid7 is actively covering the 0-day related CVEs in their Vulnerability & Exploit Database.
Update March 16 2021
Microsoft has released a new, one-click mitigation tool, named Microsoft Exchange On-Premises Mitigation Tool, with the following features:
- Automatically mitigates CVE-2021-26855 via a URL Rewrite configuration
- Runs a malware scan via the Microsoft Safety Scanner
- Reverses changes made by known threats
This tool includes the latest Microsoft Safety Scanner and is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching.
Davinsi Labs recommends using this tool to automate mitigation while security patching or mitigation of the on-premises Exchange Servers is still ongoing.
A technical deep-dive of this tool can be found at the following link.
The tool, a PowerShell script, can be found and downloaded on GitHub.
Reach out to firstname.lastname@example.org if you need any assistance from our team of security experts.
We hope this threat advisory helps you react quickly to ongoing threats and underlines the need for patching and security monitoring.