by Bhabesh Raj Rai, Associate Security Analytics Engineer

On March 2, 2021, Microsoft released emergency security updates for Microsoft Exchange Server that patched seven vulnerabilities, among them four were zero-days that were being exploited in the wild by multiple threat actors.

ESET’s telemetry revealed that several cyber-espionage groups of Chinese origin like LuckyMouse, Tick and Calypso are exploiting at least CVE-2021-26855 to achieve pre-authenticated remote code execution on vulnerable on-premises Exchange servers.

The patched zero-days are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Threat actors can chain the vulnerabilities to achieve unauthenticated remote code execution. These vulnerabilities impact only the on-premises Microsoft Exchange servers and not the Exchange Online or Microsoft 365 cloud email services.

CISA also released an emergency directive requiring all U.S. federal organizations to immediately patch Microsoft Exchange and give a report on exploitation status by noon EST on Friday, March 5, 2021. ESET has noted that most of the targets are located in the U.S. with governments, law firms, private companies and medical facilities as targeted verticals.

Threat actors are dropping web shells like China Chopper after successfully exploiting these vulnerabilities. Huntress has disclosed how multiple web shells were deployed in a single Exchange server, which may indicate compromise by independent threat actors. Administrators should look out for web shell drops in locations recorded by Huntress, Microsoft and ESET’s telemetry.

FireEye currently tracks the threat actors exploiting these zero-days into three clusters, UNC2639, UNC2640, and UNC2643 while Microsoft Threat Intelligence Center (MSTIC) attributes this campaign to Chinese state-sponsored group HAFNIUM.

System administrators should keep in mind that this security update is not available for all cumulative and rollup updates. So, for enterprises running unsupported Exchange server cumulative or rollup update, administrators will need to first install a currently supported RU/CU before they can install the security update.

Detection of exploitation in LogPoint

Administrators can look for spawning of abnormal processes by Exchange server’s Unified Messaging service that may indicate successful exploitation of CVE-2021-26857.

norm_id=WindowsSysmon label="Process" label=Create
parent_image="*\UMWorkerProcess.exe" -image IN ["*\wermgr.exe", "*\WerFault.exe"]

The exploitation of CVE-2021-26857 can also be detected via the Windows Application event logs as the exploitation of this deserialization bug will generate error events by MSExchange Unified Messaging service.

norm_id=WinServer channel=Application event_type=Error
((message="Watson report*" message="*umworkerprocess*" message="*TextFormattingRunProperties*")
OR (message="An unhandled exception occurred in a UM worker process*" OR message="The Microsoft Exchange Unified Messaging service*"))

Similarly, we can look for dropping of suspicious files by Exchange server’s Unified Messaging service which may indicate dropping of web shells or other payloads via exploitation of CVE-2021-26858.
norm_id=WindowsSysmon label=File label=Create
source_image=”*\UMWorkerProcess.exe” -file IN [“CacheCleanup.bin”, “*.txt”, “*.LOG”, “*.cfg”, “cleanup.bin”] In general, one can detect successful exploitation by looking for spawning of command prompt or PowerShell by IIS worker process w3wp.exe.

norm_id=WindowsSysmon label="Process" label=Create
parent_image="*\w2wp.exe" image IN ["*\cmd.exe", "*\powershell.exe"]

Test the benefits of LogPoint’s SIEM solution

To learn more about the benefits of our SIEM product and different download options, book a personal demo.

Detection of post-exploitation activity in LogPoint

Microsoft’s blog on HAFNIUM has revealed the use of several tools like Nishang, PowerCat and Procdump in the post-exploitation phase. For example, the threat actor used 7-Zip to compress files for exfiltration. We can use Sysmon to look for suspicious file drops in unusual locations.

norm_id=WindowsSysmon label=File label=Create
file IN ["*.exe", "*.zip", "*.rar", "*.7z"] path IN ["C:\ProgramData*", "*\AppData\Local\*", "*\AppData\Roaming\*", "C:\Users\Public*"]-file IN ["vs_setup_bootstrapper.exe", "DismHost.exe"]-source_image IN ["*\Microsoft Visual Studio\Installer\*\BackgroundDownload.exe", "C:\Windows\system32\cleanmgr.exe",
"*\MsMpEng.exe", "C:\Windows\SysWOW64\OneDriveSetup.exe", "*\AppData\Local\Microsoft\OneDrive\*", "*\MpCmdRun.exe", "*\AppData\Local\Temp\mpam-*.exe"]

Similarly, HAFNIUM also used Procdump to dump LSASS memory for credential access, which we can hunt by looking for command-line arguments of Procdump.

norm_id=WindowsSysmon label="Process" label=Create
command IN ["* -ma lsass*"]

We advise administrators to hunt for web shell drops via Sysmon’s file creation events.

norm_id=WindowsSysmon label=File label=Create
file="*.aspx" path IN ["C:\inetpub\wwwroot\aspnet_client*", "*\FrontEnd\HttpProxy\owa\auth\Current*"]

If you have Microsoft Defender running on endpoints, then look for the following malware and inspect further if such events were found to be generated by Defender.

norm_id=WinServer event_id=1116 event_source="Microsoft-Windows-Windows Defender"
(threat_name IN ["Exploit:Script/Exmann.A!dha", "Behavior:Win32/Exmann.A", "Backdoor:ASP/SecChecker.A",
"Backdoor:JS/Webshell", "Trojan:JS/Chopper!dha", "Behavior:Win32/DumpLsass.A!attk", "Backdoor:HTML/TwoFaceVar.B"] OR
threat IN ["Exploit:Script/Exmann.A!dha", "Behavior:Win32/Exmann.A", "Backdoor:ASP/SecChecker.A",
"Backdoor:JS/Webshell", "Trojan:JS/Chopper!dha", "Behavior:Win32/DumpLsass.A!attk", "Backdoor:HTML/TwoFaceVar.B"])

HAFNIUM utilized Nishang’s Invoke-PowerShellTcpOneLine which is a simple one-liner PowerShell reverse shell command which we can hunt by using process creation events.

norm_id=WindowsSysmon label="Process" label=Create
image IN ["*\powershell.exe", "*\powershell_ise.exe"]command="*$client = New-Object System.Net.Sockets.TCPClient*"
Similarly, the use of PowerCat can also be detected by using process creation events.
norm_id=WindowsSysmon label="Process" label=Create
image IN ["*\cmd.exe", "*\powershell.exe", "*\powershell_ise.exe"]command="**"

Also, HAFNIUM imported the Exchange PowerShell Snapin which can be used to export mailbox data and can be easily detected by utilizing process creation events either via Sysmon or native event logs.

norm_id=WindowsSysmon label="Process" label=Create
image IN ["*\cmd.exe", "*\powershell.exe", "*\powershell_ise.exe"]command="*Add-PSSnapin Microsoft.Exchange.Powershell.Snapin*"

Volexity and FireEye have also disclosed the IoC IP addresses used by threat actors exploiting the zero-days. Thus, administrators can initiate an enterprise-wide IoC sweep to determine whether their Exchange servers have been compromised.

(source_address IN ["", "", "", "", "", "",
"", "", "", "", "", "", "", "", "", "", ""]OR destination_address IN ["", "", "", "", "",
"", "", "", "", "", "", "", "", "", "", "", ""])

As noted by Huntress and FireEye, after exploiting the vulnerabilities, the threat actors deleted the administrator user from the Exchange Organizations Administrators group via net command which can be easily detected.

norm_id=WindowsSysmon label="Process" label=Create image IN ["*\net.exe", "*\net1.exe"] command="*net*group *Exchange Organization Administrators* /del*"

Nextron System’s Florian Roth has released a sigma rule for hunting Exchange exploitation artifacts left by HAFNIUM.

(request_method=POST ((url="*/owa/auth/Current/themes/resources/*" OR resource="*/owa/auth/Current/themes/resources/*")
OR ((url="*/owa/auth/Current/*" OR resource="*/owa/auth/Current/*")
user_agent IN ['DuckDuckBot/1.0;+(+',
OR ((url="*/ecp/*" OR resource="*/ecp/*")
user_agent IN ['ExchangeServicesClient/', 'python-requests/2.19.1', 'python-requests/2.25.1'])
OR (((url="*/owa/*" OR resource="*/owa/*") OR (url="*/aspnet_client/*" OR resource="*/aspnet_client/*"))
user_agent IN ['antSword/v2.1', 'Googlebot/2.1+(+',
OR (url IN ["*/owa/auth/Current/*", "*/ecp/default.flt*", "*/ecp/main.css*"]OR resource IN ["*/owa/auth/Current/*", "*/ecp/default.flt*", "*/ecp/main.css*"])
OR (url="*/ecp/*.js*" OR resource="*/ecp/*.js*")))


Only a few espionage-focused threat actors were found to exploit these zero-days in Exchange servers; however, we expect financially motivated actors to start adding these zero-days in their arsenal as time passes. In March, Microsoft is scheduled to release Exchange Server 2016 CU 20 and Exchange Server 2019 CU 9 with the security updates for these zero-days; nevertheless, we strongly advise system administrators to patch their Exchange servers immediately.

It has also been reported that after some enterprises had patched their servers, it was later discovered that they have already been compromised before patching and that the threat actors had already established persistence. Administrators should keep in mind that applying the patches will not remove the persistence mediums installed by threat actors.