Hello All. I wanted to pass on these pretty good technical details on the vulnerabilities affecting Microsoft Exchange on-premise:

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below:

Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:

  • Using Procdump to dump the LSASS process memory:

  • Using 7-Zip to compress stolen data into ZIP files for exfiltration:

  • Adding and using Exchange PowerShell snap-ins to export mailbox data:

  • Using the Nishang Invoke-PowerShellTcpOneLine reverse shell:

  • Downloading PowerCat from GitHub, then using it to open a connection to a remote server:

HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.
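The post-exploitation steps listed above all leave process-creation telemetry behind. As an added example, not code from the Microsoft post or from any vendor, the following Python detector runs those indicators over constructed process-creation events. The event schema (parent image, image, command line, roughly the shape of a Sysmon Event ID 1 record) and every sample record are assumed for illustration; the only real identifiers are the tool names the post itself mentions and the Exchange management snap-in name.

```python
"""Flag the HAFNIUM post-exploitation behaviours described above in
process-creation telemetry.

Added example, not from the original post. The event shape and all sample
records are constructed; the rules encode only the tools and behaviours the
post names (web shell under IIS, Procdump on LSASS, 7-Zip staging, Exchange
snap-in use, Nishang reverse shell, PowerCat download).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation event (field names assumed)."""
    parent_image: str
    image: str
    cmdline: str


# (rule name, parent-image regex, image regex, command-line regex); None = don't care.
RULES: List[Tuple[str, Optional[str], Optional[str], Optional[str]]] = [
    # Web shells execute under the IIS worker process; a shell interpreter
    # spawned by w3wp.exe is the classic sign of web shell command execution.
    ("webshell_child_process", r"w3wp\.exe$", r"(cmd|powershell|pwsh)\.exe$", None),
    # Procdump pointed at LSASS (credential dumping).
    ("procdump_lsass", None, r"procdump(64)?\.exe$", r"\blsass\b"),
    # 7-Zip creating a zip archive from a shell or web-server context (staging).
    ("7zip_staging", r"(w3wp|cmd|powershell)\.exe$", r"7z(a|g)?\.exe$", r"\ba\b.*\.zip\b"),
    # Exchange management snap-in loaded in an ad-hoc PowerShell session.
    ("exchange_snapin_load", None, r"powershell\.exe$", r"add-pssnapin\s+microsoft\.exchange"),
    # Nishang one-line reverse shell and PowerCat usage, by name.
    ("nishang_reverse_shell", None, r"powershell\.exe$", r"invoke-powershelltcponeline"),
    ("powercat_download", None, r"powershell\.exe$", r"powercat"),
]


def _matches(pattern: Optional[str], value: str) -> bool:
    """A None pattern matches anything; otherwise case-insensitive search."""
    return pattern is None or re.search(pattern, value, re.IGNORECASE) is not None


def detect(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) pair that matches, in event order."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        for name, parent_re, image_re, cmd_re in RULES:
            if (_matches(parent_re, ev.parent_image)
                    and _matches(image_re, ev.image)
                    and _matches(cmd_re, ev.cmdline)):
                findings.append({"rule": name, "image": ev.image, "cmdline": ev.cmdline})
    return findings


# Constructed sample telemetry: one event per behaviour the post describes,
# plus two benign events that must not fire.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    ProcEvent(W3WP, CMD, "cmd.exe /c whoami"),
    ProcEvent(CMD, r"C:\Temp\procdump64.exe", r"procdump64.exe -ma lsass.exe C:\Temp\l.dmp"),
    ProcEvent(PS, r"C:\Program Files\7-Zip\7z.exe", r"7z.exe a C:\Temp\it.zip C:\Temp\export"),
    ProcEvent(CMD, PS, "powershell.exe -c Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn"),
    ProcEvent(CMD, PS, "powershell.exe -c Invoke-PowerShellTcpOneLine"),
    ProcEvent(CMD, PS, "powershell.exe -c powercat"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe Get-Date"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']} :: {f['cmdline']}")
```

The parent-process condition on the web shell and 7-Zip rules is what keeps them quiet in normal operation: administrators run PowerShell and 7-Zip all day, but the IIS worker process does not spawn shells, and an archive built from a shell that w3wp.exe started is worth a look every time.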

Our blog, Defending Exchange servers under attack, offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog Web shell attacks continue to rise.

Hello All. As many of you may have heard, this new 0-day vulnerability affecting on-premise Microsoft Exchange servers is the latest in a string of problems that caused bad days for a lot of companies. Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.

Some details on the HAFNIUM group from Microsoft are as follows:

The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today’s Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.

In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments.

HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

The flaws are a server-side request forgery, an insecure deserialization vulnerability in the Unified Messaging service, and two arbitrary file write vulnerabilities:

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

This makes those organizations that did not trust M365's Exchange Online want to re-think their e-mail plans for 2021. Just saying.

Hello All. Researchers at Claroty, a well-known OT passive monitoring vendor, have disclosed multiple critical vulnerabilities in vendor implementations of the Open Platform Communications (OPC) network protocol.

What is the OPC Protocol Anyway?

OPC communicates information from a data source such as a server to any client application in a standard way, without requiring the application to have any specific knowledge about the data source, such as its communication protocols. When diverse OT systems are required to communicate with each other, a separate protocol or method is required for each device. As a solution, the OPC (linking and correlating objects in process control) standard was developed.

OPC is a communication standard known as the OLE / COM (Object Linking & Embedding / Component Object Model) standard, based on Microsoft's object-oriented technology aimed at integration between different applications, to make the connection between different units in automation systems fast and reliable.

Claroty’s Findings

The vulnerabilities affect the following vendors and products: Softing’s Industrial Automation OPC library, Kepware PTC’s ThingWorx Kepware Edge and KEPServerEX OPC servers, and Matrikon’s Matrikon OPC Tunneller.

These three products are integrated into many other vendors’ offerings as a third-party component. For example, Softing’s OPC library is being used as a third-party OPC protocol stack by some vendors, and the KEPServerEX OPC Server is being used as an OEM shelf solution by other well-known vendors, including Rockwell Automation and GE, both of which have published advisories informing their users of these security issues. We believe these vulnerabilities may affect multiple other products sold by vendors across all ICS vertical markets. Here is a list of the vulnerability CVEs:

Softing Industrial Automation GmbH

  • CVE-2020-14524: Heap-Based Buffer Overflow (CWE-122)
  • CVE-2020-14522: Uncontrolled Resource Consumption (CWE-400)

Kepware PTC

  • CVE-2020-27265: Stack-based buffer overflow (CWE-121)
  • CVE-2020-27263: Heap-based buffer overflow (CWE-122)
  • CVE-2020-27267: Use-after-free (CWE-416)

Matrikon Honeywell OPC DA Tunneler

  • CVE-2020-27297: Heap overflow due to integer overflow (CWE-122)
  • CVE-2020-27299: Information leak due to OOB read (CWE-125)
  • CVE-2020-27274: Improper check for unusual or exceptional conditions (CWE-754)
  • CVE-2020-27295: Uncontrolled resource consumption (CWE-400)

Claroty are urging users of these products to upgrade to the latest version to mitigate these vulnerabilities.
