The Havoc of MS Exchange Servers: Is it only Hafnium or somebody else as well?

As per the recent attacks on Microsoft Exchange Server by the Chinese threat group named Hafnium, at least 60,000 companies have been affected all over the world. The attack has affected on-premises versions of Microsoft Exchange Server and targeted a varied set of organizations such as small business, government bodies, critical infrastructures, and enterprises. The Hafnium group installed a web shell exploiting remote code execution vulnerabilities on the target exchange servers, thereby gaining access to sensitive information including but not limited to email addresses, user profiles, email contents, attachments, etc. Whenever are zero-day vulnerability is discovered, multiple hacker groups come out to milk the benefits of it and therefore the question arises whether it is only the Hafnium group who exploiting these vulnerabilities.

The answer to this question is NO. While most investigations have traced the attack campaigns to Hafnium, Hive Pro Threat Research Team observed the TTPs of an Iranian State Sponsored Threat Group OilRig aka GreenBug and APT34 on critical infrastructure customers in the Middle East region targeting MS Exchange Servers. Most of the evidence obtained in the investigation were in line with the activities performed by OilRig in the past; however, the signatures and IOCs identified were of the MS Exchange Server Zero Day Vulnerabilities.

This attack campaign has been included in the list of the most sophisticated attacks in history and therefore, let us walk through the series of events from the first whistle blown by Volexity to what is happening today.

January 2021

• Volexity, an incident response firm and pioneer of memory forensics headquartered in the United States observed anomalous activity on two of its customers’ exchange servers and identified large amounts of data exfiltration to malicious IP addresses. The damage was so huge and alarming that they termed the incident to be the Operation Exchange Marauder.
• Mandiant Managed Defence observed similar incidents of web shell creation for persistent access, remote code execution and reconnaissance for endpoint security solutions and in response to that, launched threat hunting campaigns to identify additional targets.

February 2021

• Hive Pro threat research team observed similar activity trails on several critical infrastructure customers in the Middle East region and traced the TTPs to Iranian Threat Actor group OilRig exploiting the same attack vector i.e., MS Exchange Server RCE vulnerabilities.

2^nd March 2021

• Microsoft in its blog titled New Nation-State Cyber Attacks disclosed the TTPs of Hafnium, a Chinese threat actor group primarily exploiting the MS Exchange Servers and complimented them to be a highly skilled and sophisticated actor group.
• KB5000871 released by Microsoft as a critical security update for MS Exchange Servers to patch CVE-2021-26412, CVE-2021-27078, CVE-2021-26854, CVE-2021-26855, CVE-2021-27065, CVE-2021-26857, CVE-2021-26858.

3^rd March 2021

• Cyber Security Services Provider Huntress based in the United States released its blog post titled Rapid Response: Mass Exploitation of On-Prem Exchange Servers specifying the potential implications and investigation procedure for MSPs.
• US CERT – CISA issued an alert mentioning that patching is not sufficient and organizations running the vulnerable versions of MS Exchange Servers must examine their infrastructure for TTPs to check if they have been hit. A detailed investigation methodology along with TTPs and IOCs were published in Alert (AA21-062A).

5th March 2021

• Following the alert from US CERT – CISA, Microsoft endorsed the reality that patching is not enough. NMAP script to identify vulnerable servers and hunting scripts to investigate if they have been compromised were published by the Technology Giant.

6th March 2021

• The Wall Street Journal published a report stating that the attack may have impacted tens of thousands of U.S. Microsoft Customers.
• Some sources also suspect the numbers to be higher than 2,50,000.

7th March 2021

• The European Banking Authority published a news about being hit by the hackers following the same TTPs.
• Microsoft released an updated script titled Test-ProxyLogon which to scan the MS Exchange server log files for indicators of comprise associated with the attacks.
• The White House via a Reuters report quoted the incidents to be an “Active Threat” and urged the network operators to investigate if they have been hit.
• Bloomberg accounted China for morphing a global crisis through the series of attacks and reported at least 60,000 known victims of the attack.

Author: Rashmi Singh