
- A hunting query to identify post-exploitation activities
- Customized Detection Strategy (DeStra) to detect future exploitation attempts
On the 11th of March, Microsoft reported an active exploitation campaign of several zero-day vulnerabilities affecting on-premises versions of Microsoft Exchange Server, allegedly conducted by a state-sponsored adversary tracked as HAFNIUM.
The attack starts by exploiting vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — and deploying a webshell to maintain access to the exploited server.
The webshell identified in most observations appears to be “China Chopper”. Once access has been achieved via exploitation, attackers initiate reconnaissance activities to identify and steal data from the organization’s network.
The exploitation and subsequent attack appear to be completely automated, so a quick response is required to prevent data exfiltration attempts and lateral movement.

HAFNIUM exploitation as identified by IBM Security ReaQta
In response to the exploitation campaign, the ReaQta Threat Intelligence Team has prepared a series of simple steps aimed at preventing new attacks in real time and blocking those that might already be in progress.
Hunting for HAFNIUM
ReaQta has published a Threat Hunting Query to identify post-exploitation attempts: https://github.com/ReaQta/threats/blob/main/hafnium/hunting/hafnium.hunq

Threat Hunting Query
The hunting query provided by our team provides immediate insights on the attackers’ activities.

IBM Security ReaQta’s Threat Hunting Console
ReaQta’s Threat Hunting Console provides a comprehensive and granular approach towards hunting for specific Indicators of Compromise (IOC) and Indicators of Attack (IOA), combining parameters in an inclusive or exclusive manner. The platform is extremely comprehensive yet easy to use, fitted with pre-configured hunt parameters that do not require any knowledge of complex query languages.
Hunt Parameters
Am I Compromised?
If the query returns no results, no exploitation attempts have been made. However, if data is returned, analysts are advised to triage the results, as there are two possible outcomes:
- The server has been exploited
- There is anomalous data but the server is NOT compromised
For this current campaign, results are malicious if the following conditions are all met:
- There is an Executable Dropped event for the process “w3wp.exe” AND the command line contains MSExchangeOWAAppPool
- There is an entry for dsquery.exe that was not launched by a System Administrator
If w3wp.exe does not contain the MSExchangeOWAAppPool flag and dsquery.exe was purposely launched by an Administrator, then the results are non-malicious.
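The triage rule above, as an added example that is not ReaQta's hunting query or DeStra: a small Python function that applies both conditions to constructed endpoint events and returns "malicious" only when they hold together. The event fields, the ADMIN_ACCOUNTS allow-list and the sample events are assumptions for this example.

```python
# Added example: triage logic for the HAFNIUM hunting results described in the
# text. Not ReaQta code; event fields and sample data are constructed.
from dataclasses import dataclass


@dataclass
class Event:
    event_type: str   # e.g. "executable_dropped" or "process_start"
    process: str      # image name of the acting process
    cmdline: str      # full command line of the acting process
    user: str = ""    # account the process runs as
    parent: str = ""  # parent image name


# Accounts allowed to run dsquery.exe (assumption: populate from the real
# administrator group in production).
ADMIN_ACCOUNTS = {"CORP\\adm.jsmith"}


def owa_worker_drop(ev):
    """Condition 1: w3wp.exe dropped an executable and belongs to the OWA app pool."""
    return (ev.event_type == "executable_dropped"
            and ev.process.lower() == "w3wp.exe"
            and "msexchangeowaapppool" in ev.cmdline.lower())


def unexpected_dsquery(ev):
    """Condition 2: dsquery.exe was started by an account that is not a known admin."""
    return (ev.event_type == "process_start"
            and ev.process.lower() == "dsquery.exe"
            and ev.user not in ADMIN_ACCOUNTS)


def triage(events):
    """Return (verdict, matching events); malicious only if BOTH conditions are met."""
    c1 = [e for e in events if owa_worker_drop(e)]
    c2 = [e for e in events if unexpected_dsquery(e)]
    verdict = "malicious" if c1 and c2 else "non-malicious"
    return verdict, c1 + c2


# Constructed sample events: an OWA worker dropping a file, dsquery run by
# SYSTEM, and dsquery run deliberately by an administrator.
EVENTS = [
    Event("executable_dropped", "w3wp.exe",
          'w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"', "NT AUTHORITY\\SYSTEM"),
    Event("process_start", "dsquery.exe", "dsquery.exe user -limit 0",
          "NT AUTHORITY\\SYSTEM", parent="cmd.exe"),
    Event("process_start", "dsquery.exe", "dsquery.exe user -name j*",
          "CORP\\adm.jsmith", parent="cmd.exe"),
]
BENIGN = [EVENTS[2]]  # only the administrator's dsquery: not compromised

if __name__ == "__main__":
    print(triage(EVENTS)[0], triage(BENIGN)[0])
```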
IT teams should use the “Create Incident” capability to reconstruct the entire storyline, paying attention to the originating parent processes involved.
Safeguard From Future Attacks
ReaQta provides a unique feature called DeStra (Detection Strategies) specifically created to support advanced teams in the detection of highly sophisticated threat actors (APTs) and to create highly-customized detection scenarios, tailor-fitted to the organization’s security needs.
All DeStra run in real time at the endpoint level and are thus capable of identifying and responding to new behavior as it happens. Once a DeStra is created, it is immediately activated across the entire organization without any kind of intervention or downtime. Unlike traditional post-processing rules, DeStra playbooks react immediately to any threat, leaving an attacker little room to move.
In this scenario, ReaQta Threat Intelligence Team created a DeStra to detect future exploitation attacks, which has been made publicly available at the following URL: https://github.com/ReaQta/threats/blob/main/hafnium/detection/hafnium.lua.

DeStra Script
By simply enabling a new Detection Scenario within the DeStra, ReaQta safeguards the organization from similar future exploits.

DeStra Creation
Our Recommendation
Users of on-premises Microsoft Exchange Servers are strongly advised to patch and update their systems — Exchange Online is not affected. Please also follow the usual response and remediation playbooks in case of positive results from the hunting query, or in the presence of a DeStra trigger.
The exploit is only an entry-point but the post-exploitation response is not different from that of any other attack.
As always, the IBM Security ReaQta team is ready to provide all necessary support to organizations in need of assistance.