60,000+ organizations susceptible to Microsoft Exchange Server Zero Day Vulnerability

THREAT LEVEL: RED

At least 60,000 companies have been affected by the recent, sophisticated attacks on Microsoft Exchange Server carried out by threat actors, with small and medium-sized companies among those hit. The actor group has been breaking into victims' computer networks through the Microsoft Exchange email software.

Vulnerabilities

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065

Affected Versions: Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, Microsoft Exchange Server 2019

Affected CPEs:

Threat Actors

Name: Hafnium
Alias: UNC2639, UNC2640, UNC2643
Origin: China
Target Industries: Infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.
Target Locations: USA

Name: OilRig
Alias: COBALT GYPSY, Twisted Kitten, Crambus, ITG13, Chrysene, APT34, Helix Kitten
Origin: Iran
Target Industries: Academic, Chemicals, Energy, Financial Services, Government, Law Enforcement, Oil and Gas, Telecommunications
Target Locations: Azerbaijan, Mauritius, Middle East North Africa (MENA), South Africa, Turkey

Indicators of Compromise (IOCs)

Web Shell hashes
Paths

We observed web shells in the following paths:

  • C:\inetpub\wwwroot\aspnet_client\
  • C:\inetpub\wwwroot\aspnet_client\system_web\
  • In Microsoft Exchange Server installation paths such as:
    • %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
    • C:\Exchange\FrontEnd\HttpProxy\owa\auth\

The web shells we detected had the following file names:

  • web.aspx
  • help.aspx
  • document.aspx
  • errorEE.aspx
  • errorEEE.aspx
  • errorEW.aspx
  • errorFF.aspx
  • healthcheck.aspx
  • aspnet_www.aspx
  • aspnet_client.aspx
  • xx.aspx
  • shell.aspx
  • aspnet_iisstart.aspx
  • one.aspx
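A defender's sweep over the paths and file names listed above, written here as an added Python example rather than taken from the advisory: it walks the listed directories, flags any file carrying one of the listed names, and reports its SHA-256 so an analyst can compare it against the advisory's hash list. `make_demo_tree` builds a constructed sample layout to run against, and `known_hashes` is an assumed parameter for optional hash matching.

```python
import hashlib, os, tempfile
from pathlib import Path
# Directories where the advisory observed web shells; %PROGRAMFILES% is expanded
# on Windows at scan time and any directory that does not exist is skipped.
WEB_SHELL_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Exchange\FrontEnd\HttpProxy\owa\auth",
]
# Names from the advisory, matched case-insensitively (owa\auth holds other .aspx).
WEB_SHELL_NAMES = frozenset({
    "web.aspx", "help.aspx", "document.aspx", "erroree.aspx", "erroreee.aspx",
    "errorew.aspx", "errorff.aspx", "healthcheck.aspx", "aspnet_www.aspx",
    "aspnet_client.aspx", "xx.aspx", "shell.aspx", "aspnet_iisstart.aspx", "one.aspx",
})

def sha256_of(path):
    """Stream-hash a file so a large dropped file is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_dirs(dirs, names=WEB_SHELL_NAMES, known_hashes=frozenset()):
    """Walk each directory recursively (covers system_web and other subfolders) and
    report files whose name is in `names` or whose SHA-256 is in `known_hashes`
    (assumed parameter: populate it from the advisory's hash list)."""
    hits = []
    for d in dirs:
        root = Path(os.path.expandvars(d))
        if not root.is_dir():
            continue
        for p in sorted(root.rglob("*")):
            if p.is_file():
                digest = sha256_of(p)
                name_hit = p.name.lower() in names
                if name_hit or digest in known_hashes:
                    hits.append({"path": str(p), "sha256": digest,
                                 "reason": "name" if name_hit else "hash"})
    return hits

def make_demo_tree():
    """Constructed sample tree (not real Exchange data) mirroring aspnet_client."""
    root = Path(tempfile.mkdtemp()) / "aspnet_client"
    (root / "system_web").mkdir(parents=True)
    (root / "validation.js").write_bytes(b"// constructed benign client script")
    (root / "Help.aspx").write_bytes(b"<%@ Page %><!-- constructed sample -->")
    (root / "system_web" / "errorEE.aspx").write_bytes(b"<!-- constructed sample -->")
    return str(root)
```

Run `scan_dirs(WEB_SHELL_DIRS)` on an Exchange host to sweep the advisory's paths; any hit should be triaged rather than deleted, since the file and its timestamps are evidence.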
