Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITYSYSTEM, a privileged local account on the Windows operating system. Furthermore, the process that created the web shell was UMWorkerProcess.exe, the process responsible for Exchange Server’s Unified Messaging Service. In subsequent investigations, we observed malicious files created by w3wp.exe, the process responsible for the Exchange Server web front-end.

In response to this activity, we built threat hunting campaigns designed to identify additional Exchange Server abuse. We also utilized this data to build higher-fidelity detections of web server process chains. On March 2, 2021, Microsoft released a blog post that detailed multiple zero-day vulnerabilities used to attack on-premises versions of Microsoft Exchange Server. Microsoft also issued emergency Exchange Server updates for the following vulnerabilities:

CVE

Risk Rating

Access Vector

Exploitability

Ease of Attack

Mandiant Intel

CVE-2021-26855

Critical

Network

Functional

Easy

Link

CVE-2021-26857

Medium

Network

Functional

Easy

Link

CVE-2021-26858

Medium

Network

Functional

Easy

Link

CVE-2021-27065

Medium

Network

Functional

Easy

Link

Table 1: List of March 2021 Microsoft Exchange CVEs and FireEye Intel Summaries

The activity reported by Microsoft aligns with our observations. FireEye currently tracks this activity in three clusters, UNC2639, UNC2640, and UNC2643. We anticipate additional clusters as we respond to intrusions. We recommend following Microsoft’s guidance and patching Exchange Server immediately to mitigate this activity.

Based on our telemetry, we have identified an array of affected victims including US-based retailers, local governments, a university, and an engineering firm. Related activity may also include a Southeast Asian government and Central Asian telecom. Microsoft reported the exploitation occurred together and is linked to a single group of actors tracked as “HAFNIUM”, a group that has previously targeted the US-based defense companies, law firms, infectious disease researchers, and think tanks.

In this blog post, we will detail our observations on the active investigations we are currently performing. As our experience with and knowledge of this threat actor grows, we will update this post or release new technical details as appropriate. For our Managed Defense Customers, we have launched a Community Protection Event that will provide frequent updates on this threat actor and activity.

From Exploit to Web Shell

Beginning in January 2021, Mandiant Managed Defense observed the creation of web shells on one Microsoft Exchange server file system within a customer’s environment. The web shell, named help.aspx (MD5: 4b3039cf227c611c45d2242d1228a121), contained code to identify the presence of (1) FireEye xAgent, (2) CarbonBlack, or (3) CrowdStrike Falcon endpoint products and write the output of discovery. Figure 1 provides a snippet of the web shell’s code.

, Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
Figure 1: Snippet of the web shell help.aspx, crafted to identify the presence of endpoint security software on a victim system

The web shell was written to the system by the UMWorkerProcess.exe process, which is associated with Microsoft Exchange Server’s Unified Messaging service. This activity suggested exploitation of CVE-2021-26858.

Approximately twenty days later, the attacker placed another web shell on a separate Microsoft Exchange Server. This second, partially obfuscated web shell, named iisstart.aspx (MD5: 0fd9bffa49c76ee12e51e3b8ae0609ac), was more advanced and contained functions to interact with the file system. As seen in Figure 2, the web shell included the ability to run arbitrary commands and upload, delete, and view the contents of files.

, Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
Figure 2: Snippet of iisstart.aspx, uploaded by the attacker in late January 2021

While the use of web shells is common amongst threat actors, the parent processes, timing, and victim(s) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange.

In March 2021, in a separate environment, we observed a threat actor utilize one or more vulnerabilities to place at least one web shell on the vulnerable Exchange Server. This was likely to establish both persistence and secondary access, as in other environments. In this case, Mandiant observed the process w3wp.exe, (the IIS process associated with the Exchange web front-end) spawning cmd.exe to write a file to disk. The file, depicted in Figure 3, matches signatures for the tried-and-true China Chopper.

, Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
Figure 3: Snippet of China Chopper web shell found on a compromised Exchange Server system

We observed that in at least two cases, the threat actors subsequently issued the following command against the Exchange web server:

net group “Exchange Organization administrators” administrator /del /domain.

This command attempts to delete the administrator user from the Exchange Organizations administrators group, beginning with the Domain Controller in the current domain. If the system is in a single-system domain, it will execute on the local computer.

Per Microsoft’s blog, they have identified additional post-exploitation activities, including:

  • Credential theft via dumping of LSASS process memory.
  • Compression of data for exfiltration via 7-Zip.
  • Use of Exchange PowerShell Snap-ins to export mailbox data.
  • Use of additional offensive security tools Covenant, Nishang, and PowerCat for remote access.

The activity we have observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments. This activity is followed quickly by additional access and persistent mechanisms. As previously stated, we have multiple ongoing cases and will continue to provide insight as we respond to intrusions.

Investigation Tips

We recommend checking the following for potential evidence of compromise:

  • Child processes of C:WindowsSystem32inetsrvw3wp.exe on Exchange Servers, particularly cmd.exe.
  • Files written to the system by w3wp.exe or UMWorkerProcess.exe.
  • ASPX files owned by the SYSTEM user
  • New, unexpected compiled ASPX files in the Temporary ASP.NET Files directory
  • Reconnaissance, vulnerability-testing requests to the following resources from an external IP address:
    • /rpc/ directory
    • /ecp/DDI/DDIService.svc/SetObject
    • Non-existent resources
    • With suspicious or spoofed HTTP User-Agents
  • Unexpected or suspicious Exchange PowerShell SnapIn requests to export mailboxes

In our investigations to date, the web shells placed on Exchange Servers have been named differently in each intrusion, and thus the file name alone is not a high-fidelity indicator of compromise.

If you believe your Exchange Server was compromised, we recommend investigating to determine the scope of the attack and dwell time of the threat actor.

Furthermore, as system and web server logs may have time or size limits enforced, we recommend preserving the following artifacts for forensic analysis:

  • At least 14 days of HTTP web logs from the inetpubLogsLogFiles directories (include logs from all subdirectories)
  • The contents of the Exchange Web Server (also found within the inetpub folder)
  • At least 14 days of Exchange Control Panel (ECP) logs, located in Program FilesMicrosoftExchange Serverv15LoggingECPServer
  • Microsoft Windows event logs

We have found significant hunting and analysis value in these log folders, especially for suspicious CMD parameters in the ECP Server logs. We will continue updating technical details as we observe more related activity.

Technical Indicators

The following are technical indicators we have observed, organized by the threat groups we currently associate with this activity. To increase investigation transparency, we are including a Last Known True, or LKT, value for network indicators. The LKT timestamp indicates the last time Mandiant knew the indicator was associated with the adversary; however, as with all ongoing intrusions, a reasonable time window should be considered.

UNC2639

Indicator

Type

Note

165.232.154.116

Network: IP Address

Last known true: 2021/03/02 02:43

182.18.152.105

Network: IP Address

Last known true: 2021/03/03 16:16

UNC2640

Indicator

Type

MD5

help.aspx

File: Web shell

4b3039cf227c611c45d2242d1228a121

iisstart.aspx

File: Web shell

0fd9bffa49c76ee12e51e3b8ae0609ac

UNC2643

Indicator

Type

MD5/Note

Cobalt Strike BEACON

File: Shellcode

79eb217578bed4c250803bd573b10151

89.34.111.11

Network: IP Address

Last known true: 2021/03/03 21:06

86.105.18.116

Network: IP Address

Last known true: 2021/03/03 21:39

Detecting the Techniques

FireEye detects this activity across our platforms. The following contains specific detection names that provide an indicator of Exchange Server exploitation or post-exploitation activities we associated with these threat actors.

Platform(s)

Detection Name

  • Network Security 
  • Email Security 
  • Detection On Demand 
  • Malware File Scanning 
  • Malware File Storage Scanning 
  • FEC_Trojan_ASPX_Generic_2_FEBeta
  • Exploit.CVE-2021-26855

Endpoint Security

Real-Time (IOC)

  • SUSPICIOUS CODE EXECUTION FROM EXCHANGE SERVER (EXPLOIT)
  • ASPXSPY WEBSHELL CREATION A (BACKDOOR)
  • PROCDUMP ON LSASS.EXE (METHODOLOGY)
  • TASKMGR PROCESS DUMP OF LSASS.EXE A (METHODOLOGY)
  • NISHANG POWERSHELL TCP ONE LINER (BACKDOOR)
  • SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)
  • POWERSHELL DOWNLOADER (METHODOLOGY)
  • SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)

Malware Protection (AV/MG)

Module Coverage

  • [Process Guard] – prevents dumping of LSASS memory using the procdump utility.

Helix

  • WINDOWS METHODOLOGY [Unusual Web Server Child Process]
  • MICROSOFT EXCHANGE [Authentication Bypass (CVE-2021-26855)]