60,000+ organizations susceptible to Microsoft Exchange Server Zero Day Vulnerability
THREAT LEVEL: RED
At least 60,000 companies have been affected by the recent sophisticated attacks on Microsoft Exchange Server, carried out by threat actors against small and medium-sized companies. The actor group has been breaking into company networks through the Microsoft Exchange email software, targeting a number of victims.
Vulnerabilities
Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
Affected Versions: Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, Microsoft Exchange Server 2019
Affected CPEs:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 23:
cpe:/a:microsoft:microsoft_exchange_server:2019 Cumulative Update 7:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 18:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 22:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 21:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 20:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 19:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 18:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 17:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 16:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 15:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 14:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 13:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 12:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 11:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 10:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 9:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 8:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 7:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 6:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 5:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 4:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 3:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 2:
cpe:/a:microsoft:microsoft_exchange_server:2013 Cumulative Update 1:
cpe:/a:microsoft:microsoft_exchange_server:2013 Service Pack 1:
cpe:/a:microsoft:microsoft_exchange_server:2013:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 17:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 16:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 15:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 14:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 13:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 12:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 11:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 10:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 9:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 8:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 7:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 6:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 5:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 4:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 3:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 2:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 1:
cpe:/a:microsoft:microsoft_exchange_server:2016:
cpe:/a:microsoft:microsoft_exchange_server:2019 Cumulative Update 8:
cpe:/a:microsoft:microsoft_exchange_server:2019 Cumulative Update 6:
cpe:/a:microsoft:microsoft_exchange_server:2019 Cumulative Update 5:
cpe:/a:microsoft:microsoft_exchange_server:2019 Cumulative Update 4:
cpe:/a:microsoft:microsoft_exchange_server:2019 Cumulative Update 3:
cpe:/a:microsoft:microsoft_exchange_server:2019 Cumulative Update 2:
cpe:/a:microsoft:microsoft_exchange_server:2019 Cumulative Update 1:
cpe:/a:microsoft:microsoft_exchange_server:2019:
cpe:/a:microsoft:microsoft_exchange_server:2016 Cumulative Update 19:
Threat Actors
Name: Hafnium
Alias: UNC2639, UNC2640, UNC2643
Origin: China
Target Industries: Infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.
Target Locations: USA
Name: OilRig
Alias: COBALT GYPSY, Twisted Kitten, Crambus, ITG13, Chrysene, APT34, Helix Kitten
Origin: Iran
Target Industries: Academic, Chemicals, Energy, Financial Services, Government, Law Enforcement, Oil and Gas, Telecommunications
Target Locations: Azerbaijan, Mauritius, Middle East North Africa (MENA), South Africa, Turkey
Indicators of Compromise (IOCs)
Web Shell hashes
- b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
- 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
- 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
- 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
- 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
- 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
- 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
- 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
Paths
We observed web shells in the following paths:
- C:\inetpub\wwwroot\aspnet_client\
- C:\inetpub\wwwroot\aspnet_client\system_web\
- In Microsoft Exchange Server installation paths such as:
  - %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
  - C:\Exchange\FrontEnd\HttpProxy\owa\auth\
The web shells we detected had the following file names:
- web.aspx
- help.aspx
- document.aspx
- errorEE.aspx
- errorEEE.aspx
- errorEW.aspx
- errorFF.aspx
- healthcheck.aspx
- aspnet_www.aspx
- aspnet_client.aspx
- xx.aspx
- shell.aspx
- aspnet_iisstart.aspx
- one.aspx
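The hashes, paths and file names above can be turned directly into a sweep of an Exchange front-end host. The script below is an added example written for this advisory, not a tool shipped with it: it walks the listed directories (or any directory passed on the command line), hashes every file it finds, and reports files whose SHA-256 matches the advisory's web shell hashes or whose name matches the listed file names. The `build_constructed_sample` tree and the `notes.txt` digest added in `demo()` are constructed for demonstration only; the advisory hashes themselves cannot be reproduced from sample content. Read the output with two caveats: a file-name match is a triage lead, not confirmation, and a web shell whose content was altered will not match any listed hash, so an empty result does not show the server is clean.

```python
"""Sweep directories for the web-shell file names and SHA-256 hashes in this
advisory. Added example for the advisory, not a tool shipped with it."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# SHA-256 hashes of the web shells listed under "Web Shell hashes".
WEBSHELL_HASHES = frozenset({
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
})

# File names listed for the web shells, lower-cased because NTFS ignores case.
WEBSHELL_NAMES = frozenset(n.lower() for n in [
    "web.aspx", "help.aspx", "document.aspx", "errorEE.aspx", "errorEEE.aspx",
    "errorEW.aspx", "errorFF.aspx", "healthcheck.aspx", "aspnet_www.aspx",
    "aspnet_client.aspx", "xx.aspx", "shell.aspx", "aspnet_iisstart.aspx",
    "one.aspx",
])

# Directories named under "Paths". aspnet_client\system_web is covered by the
# recursive walk of aspnet_client; %PROGRAMFILES% is expanded at scan time.
DEFAULT_PATHS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Exchange\FrontEnd\HttpProxy\owa\auth",
]


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, hashes=WEBSHELL_HASHES, names=WEBSHELL_NAMES):
    """Walk `root` recursively and return [(path, reason)] for every file whose
    SHA-256 is in `hashes` or whose name is in `names`. Reason is "hash",
    "name", "hash+name", or "unreadable" when the file could not be hashed
    (a locked file in these directories is itself worth a look). A missing
    directory yields an empty list."""
    root = Path(os.path.expandvars(str(root)))
    wanted_names = {n.lower() for n in names}
    findings = []
    if not root.is_dir():
        return findings
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        try:
            if sha256_of(path) in hashes:
                reasons.append("hash")
        except OSError:
            reasons.append("unreadable")
        if path.name.lower() in wanted_names:
            reasons.append("name")
        if reasons:
            findings.append((str(path), "+".join(reasons)))
    return findings


def build_constructed_sample(base: Path) -> Path:
    """Create a constructed tree for demonstration; nothing here is real evidence."""
    owa_auth = base / "FrontEnd" / "HttpProxy" / "owa" / "auth"
    owa_auth.mkdir(parents=True)
    (owa_auth / "logon.aspx").write_bytes(b"<%@ Page %> benign placeholder")
    (owa_auth / "errorEE.aspx").write_bytes(b"<%@ Page %> constructed, name match only")
    system_web = base / "aspnet_client" / "system_web"
    system_web.mkdir(parents=True)
    (system_web / "notes.txt").write_bytes(b"constructed content, matched by hash")
    return base


def demo():
    """Run the sweep on the constructed tree. The hash set is extended with the
    digest of the constructed notes.txt so the hash path is exercised; the
    advisory hashes cannot be reproduced from sample content."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_constructed_sample(Path(tmp))
        extra = sha256_of(base / "aspnet_client" / "system_web" / "notes.txt")
        findings = scan_directory(base, hashes=WEBSHELL_HASHES | {extra})
        return sorted((Path(p).name, reason) for p, reason in findings)


if __name__ == "__main__":
    targets = sys.argv[1:] or DEFAULT_PATHS
    for target in targets:
        for path, reason in scan_directory(target):
            print(f"{reason:10} {path}")
    print("constructed demo:", demo())
```

Run it with no arguments on the Exchange host to sweep the advisory's default directories, or pass one or more directories to sweep a different install root; hash matches should be preserved with the file for incident response rather than deleted on the spot, since the file itself is the evidence of how and when the host was reached.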
References
https://www.msspalert.com/cybersecurity-news/microsoft-exchange-hafnium-attack-timeline/
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/