Microsoft Exchange Mass-Hack


Microsoft disclosed that a hacking group named Hafnium was gaining access to business and government email accounts through vulnerabilities in its Exchange Server email software, and issued security patches.

Microsoft told KrebsOnSecurity that it was first notified of this hack in early January of this year.

The hack will be one of the top cybersecurity events of the year, because Microsoft Exchange is still widely used around the world.

Microsoft Exchange Mass-Hack 2021

Danish security firm Dubex says it first saw clients hit on Jan. 18 and reported their incident response findings to Microsoft on Jan. 27.

Dubex said the victims it investigated in January had a “web shell” backdoor installed via the “Unified Messaging” module, a component of Exchange that allows an organization to store voicemail and faxes along with emails, calendars, and contacts in users’ mailboxes.

Explaining the vulnerability

Dubex’s investigation of the affected systems revealed that the webshells were written by UMWorkerProcess, a part of the Unified Messaging module.

The UM server allows an Exchange organization to store voicemail and faxes along with emails, calendars, and contacts in users’ mailboxes. A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App.

Dubex says most users and IT departments manage their voicemail separately from their email, so voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to that content from both a computer and a telephone.

Through analysis of the systems, the Dubex Incident Response Team determined that feeding the UM server a sufficiently malformed voicemail file caused it to spawn a UMWorkerProcess that de-serialized the voicemail and executed its contents.

After code execution, the process crashes and the malicious file is not removed from disk. Exchange recovers the service after 1-2 minutes and the cycle repeats, because the file is still there waiting to be processed.

In this case, the code executed by UM runs as ‘NT Authority\SYSTEM’ and can alter the system unhindered.

Post-exploitation tasks seen in this attack:

• Spawning common webshells in the publicly accessible OWA directory for easy remote access. The observed files were written in ASP.NET and allowed remote code execution via POST requests. This is a common way to gain a foothold on the system for further exploration and exploitation.
• LSASS process dump to gather more credentials.

As seen in the Microsoft Security Advisory hafnium-targeting-exchange-servers, there are now multiple paths for attackers to exploit Exchange servers. You need to patch your Exchange servers as soon as possible and check the publicly accessible paths on them for unknown files. Web server and Exchange log files can also be queried for activity related to these attacks.

IOCs linked to this attack

Files larger than 1 KB located in the Exchange Voicemails directory with nonstandard content.

The following ASPX files were found on the compromised systems; however, the attacker can rename them.

• errorEEE.aspx
• errorEW.aspx
• errorFF.aspx

Exchange installations can be set up with their web server files in non-standard paths, so all OWA/ECP-related directories should be checked for non-standard files.

Using ProcDump to dump LSASS triggers Behavior: Win32/DumpLsass.A!attk (not unique)

Dubex also caught several attempts to upload webshells that were immediately quarantined by antimalware protection.
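The post recommends querying web server logs for activity related to these attacks and lists the ASPX names Dubex found. The following added example (not code from the post, Dubex, or Microsoft) parses IIS W3C-format logs and flags POST requests to .aspx pages under /owa or /ecp that are not in a known-good baseline; the sample log lines and the baseline set are constructed for illustration, and a real baseline should be taken from a clean install of the same Exchange build.

```python
"""Hunt IIS W3C logs on an Exchange server for POST requests to unexpected .aspx pages."""

# ASPX file names Dubex reported on compromised systems (from the post); attackers can rename them.
KNOWN_SHELL_NAMES = {"erroreee.aspx", "errorew.aspx", "errorff.aspx"}

# Constructed baseline of .aspx pages legitimately served under /owa and /ecp (assumption,
# not from the post): build the real list from a clean install of the same Exchange build.
ASPX_BASELINE = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx", "/owa/auth/logoff.aspx"}

# Constructed sample IIS log (W3C extended format; the #Fields directive names the columns).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-01-18 03:12:44 GET /owa/auth/logon.aspx url=%2fowa%2f 10.0.0.5 200
2021-01-18 03:13:01 POST /owa/auth/errorEEE.aspx - 198.51.100.7 200
2021-01-18 03:13:09 POST /ecp/auth/Current.aspx - 198.51.100.7 200
2021-01-18 03:14:22 POST /owa/auth/logon.aspx - 10.0.0.5 302
2021-01-18 03:15:02 POST /Microsoft-Server-ActiveSync/default.eas - 10.0.0.9 200
"""


def parse_iis_log(text):
    """Return one dict per request line; '#' lines are directives, '#Fields:' sets the columns."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):  # skip truncated or malformed rows
                records.append(dict(zip(fields, values)))
    return records


def find_suspicious_requests(records, baseline=ASPX_BASELINE):
    """List (client IP, URI, reason) for POSTs to .aspx under /owa or /ecp not in the baseline."""
    hits = []
    for rec in records:
        uri = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") != "POST" or not uri.endswith(".aspx"):
            continue
        if not uri.startswith(("/owa/", "/ecp/")) or uri in baseline:
            continue
        name = uri.rsplit("/", 1)[-1]
        reason = "known Hafnium webshell name" if name in KNOWN_SHELL_NAMES else "aspx not in baseline"
        hits.append((rec.get("c-ip", "?"), rec["cs-uri-stem"], reason))
    return hits
```

Any hit should be cross-checked against the files actually present in the OWA/ECP directories, since a renamed shell will only show up as "aspx not in baseline".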

How long have these vulnerabilities been in place?

Microsoft also took the unusual step of issuing a patch for the 2010 edition, even though support for it ended in October. That means the vulnerabilities the attackers exploited have been in the Microsoft Exchange Server code base for more than 10 years.

It would appear that the hackers would need access to Microsoft’s source code to locate these vulnerabilities; it would be nearly impossible to discover them through basic hacking attempts. If I were a Wall Street hedge fund manager, I would put my clients’ bet on the SolarWinds hack.

We at Adept Technologies do not use Microsoft Exchange; we retired our Exchange servers back in 2007.

If your organization is running Microsoft Exchange you need to install the patches ASAP, and do not run to the cloud. The vulnerabilities of cloud email systems are just as bad.

We live in a world where, if you are on the internet, you are being attacked. In fact, based on our attack data, over 60 percent of the internet traffic we receive is malicious.

Applications MUST be written to defend against these types of attacks. The sad part is that in the United States, the most attacked country in the world, the rush to be first to market in application development and the leveraging of open-source technology have created a hacker’s paradise.

Cyber security must be incorporated in every system being developed. You need to write the code yourself, do not use open source, do not use platforms, do not cheat to be first to market.

Reference 1: https://www.dubex.dk – please leave an exploit after the beep.

Reference 2: https://krebsonsecurity.com – timeline of the exchange mass hack.

Reference 3: https://www.cnbc.com – microsoft exchange hack explained.
