Exchange Zero-Day Exploits
The security community has detected multiple exploits actively being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to elevate awareness of the sophisticated tactics and techniques used to target customers.
The related IOCs are a curated list compiled from community intelligence, live observations and confirmed attacks.
Vulnerabilities
- CVE-2021-26855: Microsoft Exchange Server Remote Code Execution Vulnerability (MSRC title). Technically a pre-authentication server-side request forgery (SSRF): an unauthenticated attacker can send arbitrary HTTP requests through the server and authenticate as the Exchange server itself. This is the entry point of the attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443, so restricting untrusted access to that port (or placing the server behind a VPN) blocks only this first stage.
- CVE-2021-26857: Microsoft Exchange Server Remote Code Execution Vulnerability (MSRC title). An insecure deserialization vulnerability in the Unified Messaging service; exploiting it runs code as SYSTEM on the Exchange server. It requires administrator permission or another vulnerability (such as CVE-2021-26855) to reach, and is part of the same attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
- CVE-2021-26858: Microsoft Exchange Server Remote Code Execution Vulnerability (MSRC title). A post-authentication arbitrary file write: once authenticated, whether through the CVE-2021-26855 SSRF or with compromised administrator credentials, the attacker can write a file such as a web shell to any path on the server. Part of the attack chain; the initial attack requires the ability to make an untrusted connection to Exchange server port 443.
- CVE-2021-27065: Microsoft Exchange Server Remote Code Execution Vulnerability (MSRC title). A second post-authentication arbitrary file write with the same preconditions and impact as CVE-2021-26858. Part of the attack chain; the initial attack requires the ability to make an untrusted connection to Exchange server port 443.
Actions
We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected, but hybrid deployments still run on-premises Exchange servers that must be patched. Patching closes the vulnerabilities; it does not remove web shells or other persistence an attacker has already installed, so any server that was reachable before it was patched should also be checked against the indicators below.
Microsoft also released a PowerShell script, Test-ProxyLogon.ps1 in the microsoft/CSS-Exchange GitHub repository, that can be run on each Exchange server to hunt for indicators of compromise in the Exchange HttpProxy, ECP, OABGenerator and IIS logs.
Other detection resources:
- NMAP detection script and PowerShell scanning script
- YARA rules for APT HAFNIUM
- Curated list of web shells found
Indicators of Compromise
To identify possible historical activity relating to the authentication bypass (CVE-2021-26855) and the follow-on RCE and file-write activity, IIS logs from Exchange servers can be examined for POST requests to the following paths (the last pattern is a single-character file name, for example /ecp/y.js):
- POST /owa/auth/Current/
- POST /ecp/default.flt
- POST /ecp/main.css
- POST /ecp/<single char>.js
A match shows that exploitation was attempted; mass scanning after disclosure produced many such entries. Confirm compromise by looking for the resulting web shells and the Exchange-side log entries that Test-ProxyLogon.ps1 checks.
IP Addresses
- 103.77.192.219
- 104.140.114.110
- 104.250.191.110
- 108.61.246.56
- 149.28.14.163
- 157.230.221.198
- 167.99.168.251
- 185.250.151.72
- 192.81.208.169
- 203.160.69.66
- 211.56.98.146
- 125.254.43.18
- 80.92.205.81
- 165.232.154.116
- 182.18.152.105
- 86.34.111.111
- 86.105.18.116
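The IIS-log checks and the source-IP list above, as an added example (this is not Microsoft's Test-ProxyLogon.ps1 and not code from the original page): a Python triage script that parses W3C extended IIS logs using their #Fields header, flags POST requests matching the four URI patterns, and flags any request from a listed IP. The log lines embedded in the block are constructed for illustration; the field layout is the default IIS W3C set. Matching is case-insensitive because IIS paths are.

```python
"""Triage an Exchange server's IIS W3C logs for the ProxyLogon request
patterns and source IPs listed on this page. Added example; not
Test-ProxyLogon.ps1. SAMPLE_LOG below is constructed, not a real capture."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# The four IIS-log indicators: /owa/auth/Current/ is a prefix (real
# requests had deeper paths under it), the two /ecp files are exact, and
# the last is one character before ".js". re.I because IIS paths are
# case-insensitive.
SUSPICIOUS_URI = [
    ("owa-auth-current", re.compile(r"^/owa/auth/Current/", re.I)),
    ("ecp-default-flt", re.compile(r"^/ecp/default\.flt$", re.I)),
    ("ecp-main-css", re.compile(r"^/ecp/main\.css$", re.I)),
    ("ecp-single-char-js", re.compile(r"^/ecp/[^/]\.js$", re.I)),
]

# Source IPs from the page's indicator list.
KNOWN_BAD_IPS = {
    "103.77.192.219", "104.140.114.110", "104.250.191.110", "108.61.246.56",
    "149.28.14.163", "157.230.221.198", "167.99.168.251", "185.250.151.72",
    "192.81.208.169", "203.160.69.66", "211.56.98.146", "125.254.43.18",
    "80.92.205.81", "165.232.154.116", "182.18.152.105", "86.34.111.111",
    "86.105.18.116",
}


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    method: str
    uri: str
    status: str
    reasons: List[str]


def parse_w3c(lines: Iterable[str]):
    """Yield one dict per data row, keyed by the most recent #Fields header.
    Rows before any header, or with the wrong column count (truncated
    writes), are skipped rather than mis-parsed."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def triage(lines: Iterable[str]) -> List[Hit]:
    """Return rows that match a URI indicator (POST only, as the page
    specifies) or that come from a listed source IP."""
    hits = []
    for row in parse_w3c(lines):
        method, uri = row.get("cs-method", ""), row.get("cs-uri-stem", "")
        client = row.get("c-ip", "")
        reasons = []
        if method.upper() == "POST":
            reasons += [name for name, rx in SUSPICIOUS_URI if rx.search(uri)]
        if client in KNOWN_BAD_IPS:
            reasons.append("known-ip")
        if reasons:
            stamp = f"{row.get('date', '')} {row.get('time', '')}"
            hits.append(Hit(stamp, client, method, uri, row.get("sc-status", ""), reasons))
    return hits


# Constructed sample. Rows 3-6 and 8 should hit; row 7 is truncated and
# row 9 has a three-character .js name, so neither should.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-02 04:10:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 15
2021-03-02 04:10:05 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0 - 302 0 0 40
2021-03-02 04:12:33 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 103.77.192.219 python-requests/2.25.1 - 200 0 0 123
2021-03-02 04:12:35 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 98
2021-03-02 04:12:40 10.0.0.5 GET /owa/ - 443 - 185.250.151.72 Mozilla/5.0 - 200 0 0 12
2021-03-02 04:12:41 10.0.0.5 POST /ecp/default.flt - 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 50
2021-03-02 04:12:42 10.0.0.5 POST
2021-03-02 04:12:43 10.0.0.5 POST /ecp/main.css - 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 51
2021-03-02 04:12:44 10.0.0.5 POST /ecp/abc.js - 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 51
"""


def triage_sample() -> List[Hit]:
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for h in triage_sample():
        print(h.timestamp, h.client_ip, h.method, h.uri, h.status, ",".join(h.reasons))
```

To run it against a real server, pass an open log file (for example one from C:\inetpub\logs\LogFiles\W3SVC1\) to `triage()`; the parser re-reads `#Fields:` whenever IIS writes a new header, so rotated or reconfigured logs are handled without manual column mapping.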
Webshell Hashes
UNC2640 and UNC2643 are Mandiant/FireEye uncategorized activity clusters observed exploiting these vulnerabilities.
UNC2640
| Indicator | Type | MD5 |
|---|---|---|
| help.aspx | File: Web shell | 4b3039cf227c611c45d2242d1228a121 |
| iisstart.aspx | File: Web shell | 0fd9bffa49c76ee12e51e3b8ae0609ac |
UNC2643
| Indicator | Type | MD5/Note |
|---|---|---|
| Cobalt Strike BEACON | File: Shellcode | 79eb217578bed4c250803bd573b1015 (published value is 31 hex characters, one short of a full MD5; treat it as incomplete and do not rely on an exact-hash match alone) |
