Published on March 19, 2021

Detecting HAFNIUM Exchange Exploitation Campaign with ReaQta-Hive

  • A hunting query to identify post-exploitation activities
  • Customized Detection Strategy (DeStra) to detect future exploitation attempts

On the 11th of March, Microsoft reported an active exploitation campaign of several zero-day vulnerabilities affecting on-premise versions of Microsoft Exchange Servers allegedly from a state-sponsored adversary, HAFNIUM. The attack starts by exploiting vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — and deploying a webshell to maintain access to the exploited server. The webshell identified in most observations appears to be “China Chopper”. Once access has been achieved via exploitation, attackers initiate reconnaissance activities to identify and steal data from the organization’s network. The exploitation and subsequent attack appear to be completely automated, requiring a quick response to prevent data exfiltration attempts and lateral movements.

HAFNIUM exploitation as identified by  ReaQta-Hive

In response to the exploitation campaign, ReaQta Threat Intelligence Team has prepared a series of simple steps aimed at preventing new attacks in real-time and blocking those that might be already in progress.

Hunting for HAFNIUM

ReaQta has published a Threat Hunting Query to identify post-exploitation attempts: https://github.com/ReaQta/threats/blob/main/hafnium/hunting/hafnium.hunq

Threat Hunting Query

The hunting query provided by our team provides immediate insights on the attackers’ activities. 

ReaQta-Hive Threat Hunting Console

ReaQta-Hive Threat Hunting Console provides a comprehensive and granular approach towards hunting for specific Indicators of Compromise (IOC) and Indicators of Attack (IOA), combining parameters in an inclusive or exclusive manner. The platform is extremely comprehensive yet easy to use, fitted with pre-configured hunt parameters that do not require any knowledge of complex query languages. 

Hunt Parameters

Am I Compromised?

If the query returns no results, no exploitation attempts have been made. However, if data is returned, analysts are advised to triage the results as there are 2 possible outcomes:

  • The server has been exploited
  • There is anomalous data but the server is NOT compromised

For this current campaign, results are malicious if the following conditions are all met:

  1. There is an Executable Dropped event for the process “w3wp.exeAND the command line contains MSExchangeOWAAppPool
  2. There is an entry for dsquery.exe that was not launched by a System Administrator

If w3wp.exe does not contain the MSExchangeOWAAppPool flagand dsquery.exe was purposely launched by an Administrator, then the results are non-malicious.

IT teams should leverage on the “Create Incident” capability to reconstruct the entire storyline,  paying attention to the originating parent processes involved.

Safeguard From Future Attacks

ReaQta-Hive provides a unique feature called DeStra (Detection Strategies) specifically created to support advanced teams in the detection of highly sophisticated threat actors (APTs) and to create highly-customized detection scenarios, tailor-fitted to the organization’s security needs. 

All DeStra run in real-time at the endpoint level and thus they’re capable of identifying and responding to a new behavior as-it-happens, Once a Destra is created, it is immediately activated across the entire organization without any kind of intervention or downtime. Unlike traditional post-processing rules, DeStra playbooks react immediately to any threat, leaving little room for movement to an attacker. 

In this scenario, ReaQta Threat Intelligence Team created a DeStra to detect future exploitation attacks, which has been made publicly available at the following URL: https://github.com/ReaQta/threats/blob/main/hafnium/detection/hafnium.lua

Destra Script

By simply enabling a new Detection Scenario within the DeStra, ReaQta-Hive safeguards the organization from similar future exploits. 

DeStra Creation

Our Recommendation

We strongly recommend all users of on-premise Microsoft Exchange Servers to patch and update the systems — Exchange Online is not affected. Please also adopt the usual response and remediation playbooks in case of positive results from the hunting query, or in the presence of a DeStra trigger. The exploit is only an entry-point but the post-exploitation response is not different from that of any other attack. 

As always, the ReaQta team is ready to provide all necessary support to organizations in need of assistance. 

You can contact directly our support team at support@reaqta.com