HAFNIUM, ProxyLogon, and DearCry
We explained what zero-day vulnerabilities and zero-day attacks are in a previous article. New examples were provided early this month. On March 2, Tom Burt, Corporate Vice President of Customer Security and Trust at Microsoft, announced that HAFNIUM—a state-sponsored hacker group operating out of China—had been exploiting zero-day vulnerabilities within on-premises Microsoft Exchange Server software. The zero-day vulnerabilities that were exploited by HAFNIUM are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The first of the listed vulnerabilities was named ProxyLogon. Fortunately, security patches and technical details about the attacks were provided by Microsoft. The Microsoft Security Team mentioned that 400,000 Exchange Servers were vulnerable on March 1, but on March 12, only 82,000 servers were vulnerable. Note that only on-premises Exchange Servers are vulnerable; ProxyLogon does not affect Exchange Online.
HAFNIUM used ProxyLogon to attack thousands of Exchange Servers. Each attack against an Exchange Server took three steps: the exploitation of the four zero-day vulnerabilities to gain access, the deployment of a web shell, and finally, the exfiltration of sensitive data. According to MITRE, a web shell “is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network.” In general, a shell is a program that serves as an interface between users and some system, typically the operating system of a computer. Unix shells, which have command-line interfaces, are popular examples of legitimate shells. Web shells are used to control web servers. Attackers use them for exfiltrating sensitive data, uploading malware, sending commands to other machines on the network, and sending commands to machines outside of the network. The web shell that HAFNIUM placed in victimized Exchange Servers is called China Chopper. This web shell is a popular tool for attackers. It is only 4 kilobytes in size and has a graphical interface as opposed to a command-line interface. Tony Lee, Ian Ahl, and Dennis Hanzlik of FireEye Labs wrote an in-depth report about China Chopper.
Unfortunately, remediating ProxyLogon is not enough to protect on-premises Exchange Servers. Victimized organizations must also remove the web shells planted in their servers by HAFNIUM. Microsoft and Kryptos Logic announced that these web shells are being used to deploy DearCry, a new family of ransomware. However, although HAFNIUM is responsible for deploying the web shells, they are not solely responsible for the ransomware being uploaded to Exchange Servers. Matthieu Faou, Mathieu Tartare, and Thomas Dupuy of ESET Research discovered that at least 10 other groups are attacking the compromised servers. Some of these groups are using the web shells left behind by HAFNIUM to deploy their own malware, including DearCry.
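Finding a planted web shell comes down to spotting web-executable files that were not there, or did not look like this, on a known-good install. The script below is an added example (not Microsoft's, CISA's or any vendor's tooling): it builds a SHA-256 inventory of script files under a web root, then diffs a later inventory against that baseline. The directory layout, file names and the set of executable extensions are constructed for the example; on a real server the baseline would come from a clean install or the vendor's published file list.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server would execute. This set is an assumption for the
# example; tailor it to the application actually deployed.
WEB_SCRIPT_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}


def inventory(root: Path) -> dict[str, str]:
    """Map every web-executable file under root (relative POSIX path) to its SHA-256.

    Content hashes are used instead of timestamps because a file's modification
    time is trivially reset, while its hash is not.
    """
    inv = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WEB_SCRIPT_SUFFIXES:
            inv[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return inv


def diff_inventory(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report script files that are new, altered, or gone relative to the baseline.

    'added' is the interesting list for web-shell hunting: a script the vendor
    never shipped has no business in a web-served directory. 'modified' catches
    a legitimate page that had a shell appended to it.
    """
    added = sorted(k for k in current if k not in baseline)
    modified = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    removed = sorted(k for k in baseline if k not in current)
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small web root, then let one new script
    appear and one shipped page change, and diff the two inventories."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wwwroot" / "admin").mkdir(parents=True)
        (root / "wwwroot" / "login.aspx").write_text("<!-- constructed: shipped page -->")
        (root / "wwwroot" / "admin" / "index.aspx").write_text("<!-- constructed: shipped page -->")
        (root / "wwwroot" / "notes.txt").write_text("not executable, so not inventoried")
        baseline = inventory(root)

        # Later: a script file nobody shipped turns up, and a shipped page is altered.
        # Both contents are placeholders, not real web shell code.
        (root / "wwwroot" / "new-file.aspx").write_text("<!-- constructed: unexpected new script -->")
        (root / "wwwroot" / "admin" / "index.aspx").write_text("<!-- constructed: shipped page, altered -->")
        return diff_inventory(baseline, inventory(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Anything in `added` or `modified` is a lead to investigate (who wrote it, when, and what it contains), not something to delete blindly; the point of hashing against a baseline is that it does not depend on knowing any particular shell's signature in advance.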
DearCry shares similarities with WannaCry. A detailed analysis of DearCry was published by Mark Loman of Sophos. In general, there are two types of ransomware: Copy ransomware and In-Place ransomware. Copy ransomware makes encrypted copies of original files before deleting them, but this leaves open the possibility of recovering the deleted data with undelete tools. In-Place ransomware overwrites the original files with encrypted versions of their data to prevent recovery via undelete tools. According to Mark Loman, DearCry uses a hybrid approach: It makes encrypted copies of the original files, then overwrites and deletes the original files. WannaCry also used this rare approach. However, Mark notes that this does not mean that DearCry and WannaCry share the same creator; in fact, DearCry has attributes that distinguish it from WannaCry. Unlike WannaCry, DearCry does not spread itself to other machines on the same network. WannaCry used a command-and-control (C2, also abbreviated as C&C) server to receive the key used for encrypting files. A C2 server is used to send commands to malware running on infected machines. DearCry does not rely on a C2 server because the symmetric key used for encryption is embedded within each installation of the ransomware, and each symmetric key has been encrypted by a separate public-key encryption algorithm. (A previous blog post about encryption explains the difference between symmetric encryption and public-key encryption.) Attackers who use DearCry do not need their own server for their ransomware to work; everything the ransomware needs to encrypt the files on the victim machine is inside the ransomware itself. However, as always, a victim’s data can only be decrypted with the private key held by the attacker.
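The copy / in-place / hybrid distinction above is really a statement about what an undelete tool can still find on disk afterwards. The following is an added example, not code from Sophos or from any ransomware: a toy in-memory filesystem in which deleting a file only drops its directory entry (as real filesystems do), plus the three file-handling patterns the text describes. A carving scan over raw blocks then shows which pattern leaves the original plaintext recoverable. The cipher stand-in (a SHA-256 counter keystream), the block size and the sample document are constructed for the model and say nothing about DearCry's actual algorithm.

```python
import hashlib

BLOCK = 16  # bytes per toy disk block (constructed value)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real cipher: XOR with a SHA-256 counter keystream.
    Only the fact that plaintext is gone from the block matters for this model."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


class ToyDisk:
    """Block store plus a directory. Delete unlinks only; block contents persist."""

    def __init__(self, n_blocks: int = 32):
        self.blocks = [bytes(BLOCK)] * n_blocks
        self.free = list(range(n_blocks))          # lowest free block allocated first
        self.directory: dict[str, list[int]] = {}

    @staticmethod
    def _chunks(data: bytes) -> list[bytes]:
        return [data[i:i + BLOCK].ljust(BLOCK, b"\x00") for i in range(0, len(data), BLOCK)]

    def create(self, name: str, data: bytes) -> None:
        chunks = self._chunks(data)
        self.free.sort()
        idx = [self.free.pop(0) for _ in chunks]   # fresh blocks, never the old ones
        for i, c in zip(idx, chunks):
            self.blocks[i] = c
        self.directory[name] = idx

    def read(self, name: str) -> bytes:
        return b"".join(self.blocks[i] for i in self.directory[name]).rstrip(b"\x00")

    def overwrite(self, name: str, data: bytes) -> None:
        """Rewrite the file's existing blocks in place (same blocks, new contents)."""
        for i, c in zip(self.directory[name], self._chunks(data)):
            self.blocks[i] = c

    def delete(self, name: str) -> None:
        """Unlink only: the directory entry goes, the data stays until a block is reused."""
        self.free.extend(self.directory.pop(name))

    def carve(self, marker: bytes) -> bool:
        """Undelete-tool view: scan raw blocks, allocated or not, for the plaintext marker."""
        return marker in b"".join(self.blocks)


# The three patterns described in the text, applied to one file.
def copy_pattern(disk: ToyDisk, name: str, key: bytes) -> None:
    disk.create(name + ".enc", keystream_xor(key, disk.read(name)))
    disk.delete(name)                              # original blocks freed, not scrubbed


def in_place_pattern(disk: ToyDisk, name: str, key: bytes) -> None:
    disk.overwrite(name, keystream_xor(key, disk.read(name)))


def hybrid_pattern(disk: ToyDisk, name: str, key: bytes) -> None:
    data = disk.read(name)
    disk.create(name + ".enc", keystream_xor(key, data))   # encrypted copy first
    disk.overwrite(name, keystream_xor(key, data))         # then scrub the original's blocks
    disk.delete(name)                                      # then unlink it


SAMPLE = b"CONFIDENTIAL: Q1 revenue figures (constructed sample document)"


def recoverable_after(pattern) -> bool:
    """True if an undelete-style carve still finds the plaintext after the pattern ran."""
    disk = ToyDisk()
    disk.create("report.txt", SAMPLE)
    pattern(disk, "report.txt", b"per-install-key (constructed)")
    return disk.carve(b"CONFIDENTIAL")


if __name__ == "__main__":
    for p in (copy_pattern, in_place_pattern, hybrid_pattern):
        print(f"{p.__name__:>17}: plaintext recoverable = {recoverable_after(p)}")
```

The copy pattern is the only one that leaves the marker in freed blocks, which is exactly why undelete tools sometimes rescue data from it and why the overwrite step in the hybrid approach closes that door. The model ignores journaling, snapshots and backups, which remain the recovery paths that matter in practice.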
Organizations that have on-premises Exchange Servers should take immediate action. Security patches should be applied immediately, and servers should be inspected for malware. CISA has provided multiple resources to help organizations safeguard their on-premises Exchange Servers, including a web page for remediating Microsoft Exchange vulnerabilities. Alert AA21-062A from CISA provides indicators of compromise (IOCs) as well as tactics, techniques, and procedures (TTPs) associated with ProxyLogon and the China Chopper web shells. CISA has also published ransomware guidance. Recently, we published an article about recent ransomware trends. One particular trend that organizations should keep in mind is that sensitive data may be disclosed regardless of whether or not the ransom is paid. Organizations should always make backups of important data and apply security patches as soon as possible.