Zero-day vulnerabilities Exchange Server

I have been investigating the impact of four zero-day vulnerabilities in Microsoft Exchange Server that were exploited in the wild by a nation-state threat actor Microsoft tracks as HAFNIUM. Multiple reports have emerged that over 30,000 organizations may have been compromised as a result of these flaws.

Whether or not you have patched yet, here are three straightforward ways to find out whether you have been compromised. Patching closes the vulnerabilities but does not remove a webshell that was already planted, so the checks below matter even on an updated server.

Microsoft

Microsoft has released a script that scans Exchange log files for IOCs. CISA strongly encourages organizations to run the Test-ProxyLogon.ps1 script (https://github.com/microsoft/CSS-Exchange/tree/main/Security) as soon as possible to help determine whether their systems are compromised. Run it from an elevated Exchange Management Shell on each Exchange server, and keep the output it writes for the incident record.

Administrators should search the ECP server logs for the following string (or something similar): S:CMD=Set-OabVirtualDirectory.ExternalUrl=' The logs can be found at <exchange install path>\Logging\ECP\Server\. A hit means the OAB virtual directory's ExternalUrl was changed through ECP; an ExternalUrl that contains script markup rather than a plain URL is the webshell itself, while an ordinary-looking URL still deserves a check against your change records.

YARA Scan

Save the three Volexity rules below to one .yar file and run them recursively over the Exchange server's web content directories with yara -r.

1.
rule webshell_aspx_simpleseesharp : Webshell Unclassified
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "A simple ASPX Webshell that allows an attacker to write further files to disk."
        hash = "893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2"

    strings:
        $header = "<%@ Page Language=\"C#\" %>"
        $body = "<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine"

    condition:
        $header at 0 and
        $body and
        filesize < 1KB
}

2.
rule webshell_aspx_reGeorgTunnel : Webshell Commodity
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "A variation on the reGeorg tunnel webshell"
        hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"
        reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"

    strings:
        $s1 = "System.Net.Sockets"
        $s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get"
        // a bit more experimental
        $t1 = ".Split('|')"
        $t2 = "Request.Headers.Get"
        $t3 = ".Substring("
        $t4 = "new Socket("
        $t5 = "IPAddress ip;"

    condition:
        // the wildcard is required: $s alone would name a single, undefined string
        all of ($s*) or all of ($t*)
}

3.
rule webshell_aspx_sportsball : Webshell Unclassified
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system."
        hash = "2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a"

    strings:
        $uniq1 = "HttpCookie newcook = new HttpCookie(\"fqrspt\", HttpContext.Current.Request.Form"
        $uniq2 = "ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE="

        $var1 = "Result.InnerText = string.Empty;"
        $var2 = "newcook.Expires = DateTime.Now.AddDays("
        $var3 = "System.Diagnostics.Process process = new System.Diagnostics.Process();"
        $var4 = "process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\""
        $var5 = "else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\""
        $var6 = "<input type=\"submit\" value=\"Upload\" />"

    condition:
        any of ($uniq*) or all of ($var*)
}

How to Mitigate

Configure a Splunk alert to fire if any of the following IP addresses hit the external perimeter. Attackers have been observed operating from these addresses. Although they belong to virtual private server (VPS) providers and VPN services, and so may be shared or rotated, responders should search for them in their logs and block them. Blocking these addresses is a containment step, not a fix: the underlying vulnerabilities are removed only by installing the Exchange security updates.

· 103.77.192[.]219
· 104.140.114[.]110
· 104.250.191[.]110
· 108.61.246[.]56
· 149.28.14[.]163
· 157.230.221[.]198
· 167.99.168[.]251
· 185.250.151[.]72
· 192.81.208[.]169
· 203.160.69[.]66
· 211.56.98[.]146
· 5.254.43[.]18
· 5.2.69[.]14
· 80.92.205[.]81
· 91.192.103[.]43
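As an added example (not code from the original post), the block below takes the indicator list above exactly as published, refangs the "[.]" notation, and matches the addresses against perimeter log lines as whole IPs. It also keeps a naive substring search alongside, to show why a plain grep for these strings over-alerts: "5.2.69.14" is a substring of "15.2.69.14" and "5.254.43.18" of "5.254.43.180". The firewall log lines are constructed for the demo, and their SRC=/DST= key=value layout is an assumption, not something the matcher depends on.

```python
"""Match the HAFNIUM IP indicators against perimeter log lines.

Added example, not code from the original post. DEFANGED_IOCS is the list
given above in its published "[.]" form; SAMPLE_LOG is constructed and its
key=value layout is an assumption about the log format.
"""
import ipaddress
import re
from typing import Iterable

DEFANGED_IOCS = [
    "103.77.192[.]219", "104.140.114[.]110", "104.250.191[.]110",
    "108.61.246[.]56", "149.28.14[.]163", "157.230.221[.]198",
    "167.99.168[.]251", "185.250.151[.]72", "192.81.208[.]169",
    "203.160.69[.]66", "211.56.98[.]146", "5.254.43[.]18",
    "5.2.69[.]14", "80.92.205[.]81", "91.192.103[.]43",
]


def refang(indicator: str) -> str:
    """Turn the publication-safe form back into a routable dotted quad."""
    return indicator.replace("[.]", ".")


# Parse once; ipaddress rejects typos such as an out-of-range octet.
IOC_ADDRS = frozenset(ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS)

# Whole dotted quads only; \b stops "5.2.69.14" matching inside "15.2.69.14".
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed firewall log (NOT real traffic). Lines 4 and 5 are near-misses.
SAMPLE_LOG = """\
Mar  2 10:15:07 fw1 kernel: IN=eth0 SRC=104.250.191.110 DST=203.0.113.10 DPT=443
Mar  2 10:15:09 fw1 kernel: IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 DPT=443
Mar  2 10:15:12 fw1 kernel: IN=eth0 SRC=5.2.69.14 DST=203.0.113.10 DPT=443
Mar  2 10:15:15 fw1 kernel: IN=eth0 SRC=15.2.69.14 DST=203.0.113.10 DPT=443
Mar  2 10:15:18 fw1 kernel: IN=eth0 SRC=203.0.113.10 DST=5.254.43.180 DPT=443
"""


def ips_in(line: str) -> list[ipaddress.IPv4Address]:
    """Every syntactically valid IPv4 address on the line, in order."""
    found = []
    for m in _IPV4_RE.finditer(line):
        try:
            found.append(ipaddress.ip_address(m.group()))
        except ValueError:      # e.g. 999.1.1.1 passes the loose regex
            continue
    return found


def match_iocs(lines: Iterable[str]) -> list[tuple[int, list[str]]]:
    """(line number, matched indicators) for each line touching an IOC address."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        matched = [str(ip) for ip in ips_in(line) if ip in IOC_ADDRS]
        if matched:
            hits.append((line_no, matched))
    return hits


def naive_grep(lines: Iterable[str]) -> list[int]:
    """What a plain substring search does; kept to show the false positives."""
    refanged = [refang(i) for i in DEFANGED_IOCS]
    return [n for n, line in enumerate(lines, start=1)
            if any(i in line for i in refanged)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("exact:", match_iocs(lines))   # lines 1 and 3 only
    print("grep :", naive_grep(lines))   # also lines 4 and 5, both false positives
```

The same refanged list, loaded as a lookup, drives the Splunk alert the text calls for; the point of the exact-match function is that whatever runs the search must compare whole addresses, not substrings.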