Otherwise, read on for a quick breakdown of what happened, how to detect it, and MITRE ATT

Introduction to HAFNIUM and the Exchange Zero-Day Activity

On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable. While the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server.

A temporary mitigation for these vulnerabilities from external threats is restricting access to OWA, such as placing the OWA server behind a VPN to prevent external access. This does not, however, prevent an internal attacker from exploiting the vulnerability.

You may be thinking, “another Tuesday filled with patches, just like any other month.” That may be true to some extent, but it is essential to point out, based on Volexity’s blog, that: “In all cases of RCE (remote code execution), Volexity has observed the attacker writing web shells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT), and move laterally to other systems and environments.”

I don’t know about you, but whenever I see an adversary stealing copies of my Active Directory (AD) database, that sends chills down my spine because, at that point, I am rebuilding my entire AD from scratch as part of my remediation effort. For more color, stealing the AD database implies that the adversary will have domain administrator privilege, so this is important to investigate.

Some of these vulnerabilities are being exploited via Outlook Web Services (OWA), a commonly enabled feature of Exchange Server 2013, 2016, and 2019. Underlying OWA is Microsoft’s venerable web server, Internet Information Services (IIS). It just so happens that elements of this attack can be detected by looking for the appropriate POST requests in IIS logs. Wait just a moment! Splunk is super good at ingesting logs from all sources and looking for patterns in them! All we need to do is ensure that logs are being ingested from our OWA servers appropriately. Our recipe for success is to use the Splunk Universal Forwarder and add in a little bit of the Splunk-supported Technical Add-On for Microsoft IIS. Next, add something like this to your inputs.conf file so that you can ingest all of the exciting logs in the C:\inetpub\logs\LogFiles directory in W3C format. You’ll also want to add a monitoring entry to capture log activity in C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy. This will let you search through the IIS access logs for unusual User-Agent string patterns known to be associated with this attack, as was mentioned earlier today by our friends at Red Canary. Refer to the Volexity blog post for other interesting User-Agents seen both pre- and post-exploit.

Yes, Yet Again, We Need Windows Events and Command Line Auditing

While you’re under the hood of that Universal Forwarder, you might as well ensure you’re collecting both Windows Security events of interest and process start events, as both of those are important for certain HAFNIUM detections.
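As an added illustration of the IIS-log detection idea above (this is example code, not Splunk's or the blog's own), the snippet below parses a W3C-format IIS access log, flags POST requests whose User-Agent is on a watch-list, and counts POST requests per User-Agent so rare agents stand out during hunting. The log lines, IPs and the `EXAMPLE-SUSPICIOUS-UA` string are constructed placeholders; substitute the User-Agent patterns published by Red Canary and Volexity for the watch-list.

```python
from collections import Counter

# Constructed sample of an IIS W3C-format log as written under C:\inetpub\logs\LogFiles.
# The "#Fields:" directive names the columns; IIS emits it at the top of every file.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-03 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 00:01:10 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/86.0 - 200 0 0 120
2021-03-03 00:01:12 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/86.0 - 302 0 0 95
2021-03-03 00:02:40 10.0.0.5 POST /ecp/default.aspx - 443 - 203.0.113.9 EXAMPLE-SUSPICIOUS-UA - 200 0 0 40
"""

# Placeholder watch-list (hypothetical value); replace with the published User-Agent strings.
WATCHLIST_UA = {"EXAMPLE-SUSPICIOUS-UA"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the column names from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            values = line.split()              # W3C writes "-" for empty values, so split() is safe
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def normalize_ua(rec):
    """IIS encodes spaces in the User-Agent as '+'; undo that before comparing."""
    return rec.get("cs(User-Agent)", "-").replace("+", " ")


def suspicious_posts(text, watchlist=WATCHLIST_UA):
    """Return (date, time, client IP, URI, User-Agent) for POSTs whose User-Agent is watch-listed."""
    hits = []
    for rec in parse_w3c(text):
        ua = normalize_ua(rec)
        if rec.get("cs-method") == "POST" and ua in watchlist:
            hits.append((rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"], ua))
    return hits


def post_ua_counts(text):
    """Count POST requests per User-Agent; agents seen only a handful of times are hunting leads."""
    return Counter(normalize_ua(rec) for rec in parse_w3c(text) if rec.get("cs-method") == "POST")
```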