Detection and Response for HAFNIUM Activity

Update - Detection and Response for HAFNIUM Activity

Executive summary

Elastic Security Intelligence & Analytics has identified additional behaviors related to or inspired by HAFNIUM activity, as outlined in the prior post. This update contains additional post-exploitation details observed in Elastic telemetry indicating successful exploitation of recently-disclosed Microsoft Exchange vulnerabilities. While the details of this activity may resemble that attributed to the HAFNIUM threat group, we assess with moderate confidence that opportunistic or other threats are responsible.

Details

On March 4, 2021, Elastic Security identified evidence in telemetry that Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were being exploited, with evidence of compromise as early as February 28, 2021. As we have continued to monitor telemetry for evidence that these vulnerabilities are being exploited, we want to provide the community with additional information about this cluster of emerging threat activity.

The earliest observed post-exploitation activity for this cluster occurred on February 28, 2021. Elastic observed a significant increase in post-exploitation activity in environments compromised through the Microsoft Exchange Server vulnerabilities published last week. Threat researchers found inconsistent methodologies in this activity, which may indicate more than one group pursuing reconnaissance and credential-harvesting objectives.

In several customer environments, adversaries deployed batch scripts that automated several functions, including account enumeration, credential harvesting and network discovery. The Security Account Manager (SAM), System and Security hives can be used to obtain plaintext or other credentials. Data staged and stolen from enterprises included similar materials; example commands are depicted in Figure 1:

cmd /c reg save hklm\sam C:\windows\temp\debugsms\sam
cmd /c reg save hklm\system C:\windows\temp\debugsms\system
cmd /c reg save hklm\security C:\windows\temp\debugsms\security

Figure 1 - Commands used to dump sensitive data from Windows Registry

By collecting this data, the adversary obtains Windows account password hashes and sensitive data that may provide insight into the environment and opportunities for additional lateral-movement pivots within the network. Figure 2 depicts a process tree of this activity.


Figure 2 - Process tree of SAM registry hive being dumped

Along with the captured registry hives, network enumeration and discovery data was collected using the following commands in Figure 3.

cmd /c ipconfig /all
cmd /c arp -a

Figure 3 - Network discovery commands

Reconnaissance output was staged and compressed on March 8 and March 9 using the Windows makecab utility. Using this tool, adversaries compressed reconnaissance output and hive data together, then gave the output files GIF or PNG extensions so they would masquerade as image files. An example of this command appears in Figure 4.

cmd /c makecab /f c:\windows\temp\REDACTED.log /d compressiontype=lzx /d compressionmemory=21 /d maxdisksize=10240000000 /d diskdirectorytemplate="C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth" /d cabinetnametemplate=REDACTED.gif

Figure 4 - makecab command used to compress collected data

Figure 5 shows the typical contents of these cabinet files.


Figure 5 - CAB contents including registry hives and network information
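The masquerade in Figures 4 and 5 relies on the file name alone: the content is still a Microsoft Cabinet archive, which begins with the bytes "MSCF", whereas a real GIF begins with "GIF87a" or "GIF89a". The following Python script is an added example (not code from the original post or from Elastic) that checks the leading bytes of files against their claimed image extension and reports CABs hiding behind image names. The sample headers are constructed for the example; the staging directory path is the one from Figure 4.

```python
import os
from pathlib import PureWindowsPath

# Leading bytes of a Microsoft Cabinet file and of the image formats whose
# extensions the observed cabinetnametemplate values claimed.
CAB_MAGIC = b"MSCF"
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".jpe": (b"\xff\xd8\xff",),
    ".bmp": (b"BM",),
}


def classify(name: str, header: bytes) -> str:
    """Classify a file from its name and first bytes.

    Returns one of:
      "cab-masquerade" - image extension, but the content is a CAB archive
      "image"          - image extension with a matching image signature
      "cab"            - CAB archive with a non-image extension
      "other"          - anything else
    """
    ext = PureWindowsPath(name).suffix.lower()   # extension check is case-insensitive
    is_cab = header.startswith(CAB_MAGIC)
    if ext in IMAGE_MAGIC:
        if is_cab:
            return "cab-masquerade"
        if any(header.startswith(sig) for sig in IMAGE_MAGIC[ext]):
            return "image"
        return "other"
    return "cab" if is_cab else "other"


def find_masqueraded_cabs(files):
    """files maps a path to its leading bytes; returns the paths that are CABs behind image extensions."""
    return sorted(p for p, hdr in files.items() if classify(p, hdr) == "cab-masquerade")


def scan_directory(root, header_len=8):
    """Read the first header_len bytes of every file under root and report masqueraded CABs."""
    headers = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    headers[path] = fh.read(header_len)
            except OSError:
                continue   # unreadable file: skip it rather than abort the sweep
    return find_masqueraded_cabs(headers)


# Constructed sample headers (not real files), placed in the staging directory from Figure 4.
OWA_AUTH = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth"
SAMPLE_FILES = {
    OWA_AUTH + r"\REDACTED.gif": b"MSCF\x00\x00\x00\x00",   # CAB content behind a .gif name
    OWA_AUTH + r"\chart.PNG":    b"MSCF\x00\x00\x00\x00",   # uppercase extension, still flagged
    OWA_AUTH + r"\logo.gif":     b"GIF89a\x01\x00",         # genuine GIF
    OWA_AUTH + r"\notes.txt":    b"hello wo",               # unrelated file
}

if __name__ == "__main__":
    for path in find_masqueraded_cabs(SAMPLE_FILES):
        print("CAB masquerading as an image:", path)
```

On a live server, scan_directory() can be pointed at the OWA auth directory (or any web-served path) so that content-type checks do not depend on the name an adversary chose.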

During these periods of activity, adversaries also removed malicious and staged files to prevent their discovery. This behavior was executed through the Exchange IIS webserver process (“w3wp.exe”) and executed almost 24 hours after the registry hives were stolen in some cases. Figure 6 depicts a process lineage in which the adversary uses scripts to clean up after themselves.

Figure 6 - Process tree of cleanup command

Threat researchers identified evidence of adversaries modifying the configuration of Windows Remote Management to enable the HTTPS compatibility listener, a setting that allows WinRM traffic on port 443, and starting the WinRM service with the quickconfig command, as seen in Figure 7.

cmd /c winrm set winrm/config/service @{EnableCompatibilityHttpsListener="true"}
cmd /c winrm quickconfig -q

Figure 7 - WinRM configuration commands

Each of the previously discussed commands was executed in succession, triggered by a scheduled task named “WwanSvcdcs” that ran the batch file, as depicted in Figure 8.

schtasks /create /ru system /tn "\Microsoft\Windows\WwanSvcdcs" /tr "cmd /c c:\windows\temp\TMP23875.bat" /sc once /st 23:59

Figure 8 - Scheduled task set-up and execution
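Because the batch script ran the hive dump, discovery, makecab staging, WinRM change and task creation back to back, the strongest signal is not any single command but several of these stages on one host inside a short window. The Python script below is an added example (not from the original post or from Elastic) that classifies process command lines into the stages described in Figures 1 through 8 and raises one alert per host when enough distinct stages land within a configurable window. The regular expressions, the 48-hour default window, the three-stage threshold and the sample events are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per stage of the batch script. These are assumptions written for
# this example, not Elastic's detection rules.
STAGE_PATTERNS = [
    ("hive_dump",    re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("discovery",    re.compile(r"\b(?:ipconfig\s+/all|arp\s+-a)\b", re.I)),
    ("staging",      re.compile(r"\bmakecab\b.*cabinetnametemplate=\S*\.(?:gif|png|jpe?g|jpe|bmp)\b", re.I)),
    ("winrm_config", re.compile(r"\bwinrm\s+(?:set\s+winrm/config|quickconfig)\b", re.I)),
    ("task_create",  re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*\\Microsoft\\Windows\\", re.I)),
]


def classify_stage(command_line):
    """Return the stage a command line belongs to, or None if it matches no stage."""
    for stage, rx in STAGE_PATTERNS:
        if rx.search(command_line):
            return stage
    return None


def correlate(events, window_hours=48, min_stages=3):
    """Alert when at least min_stages distinct stages occur on one host within window_hours.

    events: dicts with ts (ISO 8601), host, parent (parent process name) and command_line.
    Returns one alert per host, anchored at the earliest hit that opens a qualifying window.
    """
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for ev in events:
        stage = classify_stage(ev["command_line"])
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, ev["parent"]))

    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            stages = sorted({stage for _, stage, _ in in_window})
            if len(stages) >= min_stages:
                alerts.append({
                    "host": host,
                    "first_seen": start.isoformat(),
                    "stages": stages,
                    # the observed chain was launched from the Exchange IIS worker process
                    "via_w3wp": any(parent.lower() == "w3wp.exe" for _, _, parent in in_window),
                })
                break   # one alert per host is enough for triage
    return alerts


# Constructed sample events modelled on Figures 1, 3, 4, 7 and 8 (not real telemetry).
OWA_AUTH = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth"
SAMPLE_EVENTS = [
    # EXCH01: the full chain within minutes, started under w3wp.exe
    {"ts": "2021-03-08T01:00:00", "host": "EXCH01", "parent": "w3wp.exe",
     "command_line": r"cmd /c reg save hklm\sam C:\windows\temp\debugsms\sam"},
    {"ts": "2021-03-08T01:00:05", "host": "EXCH01", "parent": "cmd.exe",
     "command_line": "cmd /c ipconfig /all"},
    {"ts": "2021-03-08T01:02:00", "host": "EXCH01", "parent": "cmd.exe",
     "command_line": r'cmd /c makecab /f c:\windows\temp\recon.log /d compressiontype=lzx /d diskdirectorytemplate="'
                     + OWA_AUTH + '" /d cabinetnametemplate=stage.gif'},
    {"ts": "2021-03-08T01:03:00", "host": "EXCH01", "parent": "cmd.exe",
     "command_line": 'cmd /c winrm set winrm/config/service @{EnableCompatibilityHttpsListener="true"}'},
    {"ts": "2021-03-08T01:04:00", "host": "EXCH01", "parent": "cmd.exe",
     "command_line": r'schtasks /create /ru system /tn "\Microsoft\Windows\WwanSvcdcs" /tr "cmd /c c:\windows\temp\TMP23875.bat" /sc once /st 23:59'},
    # WS07: an administrator checking network settings, a single stage
    {"ts": "2021-03-08T09:15:00", "host": "WS07", "parent": "explorer.exe",
     "command_line": "ipconfig /all"},
    # EXCH02: two stages five days apart, outside the default window
    {"ts": "2021-03-01T04:00:00", "host": "EXCH02", "parent": "cmd.exe",
     "command_line": r"reg save hklm\system C:\windows\temp\debugsms\system"},
    {"ts": "2021-03-06T04:00:00", "host": "EXCH02", "parent": "cmd.exe",
     "command_line": "arp -a"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Widening the window and lowering the threshold (for example, window_hours=240 and min_stages=2) surfaces EXCH02 as well; the trade-off is that lone administrative commands such as the one on WS07 are still ignored because a single stage never qualifies.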

Overview

  • Elastic Security confirmed that recently disclosed Microsoft Exchange vulnerabilities were being exploited by at least one and possibly several threat groups
  • Analysis suggests that batch scripts used in more than one instance performed automation of host/network discovery, account enumeration, credential-harvesting, data staging, data theft and tidying functions
  • Organizations were targeted in several industries including technical consulting, financial services and entertainment

Timeline of events

  • February 28, 2021 - Earliest evidence of Exchange Organization administrator enumeration
  • March 2, 2021 - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 assigned to the vulnerabilities
  • March 2, 2021 - Microsoft releases patch
  • March 3, 2021 - Earliest attempted post-exploitation activity in several customer environments
  • March 4, 2021 - Elastic releases initial Discuss post and public detection logic
  • March 5-9, 2021 - Additional post-exploitation activity in customer environments
  • March 10, 2021 - Elastic releases follow-up describing newly-observed activity with detection logic

Impact

The post-exploitation behaviors observed leverage multiple tactics and techniques categorized by the MITRE ATT&CK® framework:

Detection

Detection logic

On March 10, 2021, Elastic released guidance describing Elastic Endpoint rules, published in the public repository, that target this post-exploitation activity:

The following supplemental queries for Elastic Endgame are also recommended:

Suspicious Microsoft Cabinet Maker execution (Endgame EQL)

Identifies the execution of Microsoft Cabinet Maker from suspicious directories or with suspicious process arguments; this may indicate data staging in preparation for exfiltration:

process where subtype.create and original_file_name = "makecab.exe" and wildcard(command_line, "*Microsoft\\Exchange Server\\*", "*inetpub\\wwwroot*")

Figure 9-1 - Suspicious Microsoft Cabinet Maker execution directory

process where subtype.create and original_file_name = “makecab.exe” and wildcard(command_line, "*cabinetnametemplate=*.png", "*cabinetnametemplate=*.jpg", "*cabinetnametemplate=*.gif", "*cabinetnametemplate=*.jpeg", “*cabinetnametemplate=*.jpe”, “*cabinetnametemplate=*.bmp”

Figure 9-2 - Suspicious Microsoft Cabinet Template Extensions

Suspicious Scheduled Task Creation (Endgame EQL)

Identifies the creation of a scheduled task with a suspicious path (tasks under \Microsoft\Windows are rarely created with the schtasks.exe utility):

process where subtype.create and original_file_name = "schtasks.exe" and wildcard(command_line, "*create*\\Microsoft\\Windows\\*")

Figure 10 - Suspicious Scheduled Task Creation
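To show what the three Endgame queries above actually match, the following Python script is an added example (not Elastic's code and not the Endgame engine) that emulates the EQL wildcard() function as a case-insensitive, whole-string glob in which only "*" is special, expresses Figures 9-1, 9-2 and 10 as predicates, and runs them over constructed process-creation events. The emulated semantics and the sample events are assumptions made for the example. Two edge cases are included: a makecab binary renamed on disk, which the rules still catch because original_file_name comes from the PE version resource rather than the file name, and a binary with no version resource, where original_file_name is absent and the rules correctly do not fire.

```python
import re


def wildcard(value, *patterns):
    """Emulate the Endgame EQL wildcard() function: case-insensitive whole-string
    match in which '*' stands for any run of characters. These semantics are an
    assumption of this example; a missing value (None) never matches."""
    if value is None:
        return False
    for pat in patterns:
        rx = ".*".join(re.escape(piece) for piece in pat.split("*"))
        if re.fullmatch(rx, value, re.IGNORECASE | re.DOTALL):
            return True
    return False


def original_name_is(event, name):
    """original_file_name comes from the binary's version resource, so a renamed copy still matches."""
    return (event.get("original_file_name") or "").lower() == name


IMAGE_TEMPLATES = ["*cabinetnametemplate=*." + ext for ext in ("png", "jpg", "gif", "jpeg", "jpe", "bmp")]

# The queries from Figures 9-1, 9-2 and 10 expressed as predicates over an event dict.
RULES = {
    "Suspicious Microsoft Cabinet Maker execution directory":
        lambda e: original_name_is(e, "makecab.exe")
        and wildcard(e.get("command_line"), r"*Microsoft\Exchange Server\*", r"*inetpub\wwwroot*"),
    "Suspicious Microsoft Cabinet Template Extensions":
        lambda e: original_name_is(e, "makecab.exe")
        and wildcard(e.get("command_line"), *IMAGE_TEMPLATES),
    "Suspicious Scheduled Task Creation":
        lambda e: original_name_is(e, "schtasks.exe")
        and wildcard(e.get("command_line"), r"*create*\Microsoft\Windows\*"),
}


def evaluate(events):
    """Run every rule over every process-creation event; returns (event id, rule name) pairs."""
    hits = []
    for ev in events:
        if ev.get("subtype") != "create":     # the queries are scoped to subtype.create
            continue
        for rule_name, predicate in RULES.items():
            if predicate(ev):
                hits.append((ev["id"], rule_name))
    return hits


# Constructed sample events (not real telemetry), modelled on Figures 4 and 8.
EXCH_OWA = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth"
SAMPLE_EVENTS = [
    # 1: makecab staging into the OWA directory with a .gif cabinet name (both makecab rules)
    {"id": 1, "subtype": "create", "process_name": "makecab.exe", "original_file_name": "makecab.exe",
     "command_line": r'makecab /f c:\windows\temp\recon.log /d compressiontype=lzx /d diskdirectorytemplate="'
                     + EXCH_OWA + r'" /d cabinetnametemplate=stage.gif'},
    # 2: makecab renamed on disk; the version resource still says makecab.exe, and the extension is uppercase
    {"id": 2, "subtype": "create", "process_name": "svchost.exe", "original_file_name": "makecab.exe",
     "command_line": r"svchost.exe /f c:\users\public\x.ddf /d cabinetnametemplate=Data.GIF"},
    # 3: ordinary build use of makecab (no rule)
    {"id": 3, "subtype": "create", "process_name": "makecab.exe", "original_file_name": "makecab.exe",
     "command_line": r"makecab.exe /f C:\build\driver.ddf"},
    # 4: the scheduled task from Figure 8 (task rule)
    {"id": 4, "subtype": "create", "process_name": "schtasks.exe", "original_file_name": "schtasks.exe",
     "command_line": r'schtasks /create /ru system /tn "\Microsoft\Windows\WwanSvcdcs" /tr "cmd /c c:\windows\temp\TMP23875.bat" /sc once /st 23:59'},
    # 5: querying an existing task under \Microsoft\Windows is not creation (no rule)
    {"id": 5, "subtype": "create", "process_name": "schtasks.exe", "original_file_name": "schtasks.exe",
     "command_line": r'schtasks /query /tn "\Microsoft\Windows\Wininet\CacheTask"'},
    # 6: a binary with no version resource, so original_file_name is absent (no rule)
    {"id": 6, "subtype": "create", "process_name": "makecab.exe", "original_file_name": None,
     "command_line": r"makecab.exe /f x.ddf /d cabinetnametemplate=a.png"},
]

if __name__ == "__main__":
    for event_id, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Event 6 is the case to keep in mind when tuning: a rule keyed on original_file_name is robust to renaming but silent for binaries that carry no version information, so a process_name condition is a reasonable companion rather than a replacement.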

For additional detection logic, our first post related to the HAFNIUM activity is strongly recommended for review.

References

  1. Detection and Response for HAFNIUM Activity
  2. HAFNIUM targeting Exchange Servers with 0-day exploits - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Indicators of Compromise

Table 1 describes atomic indicators of compromise (IOCs) observed in this intrusion set. The IOCs observed by Elastic are included for the community and do not represent all IOCs associated with HAFNIUM or HAFNIUM-inspired intrusions.

Table 1 - Indicators of compromise

Artifact | Note         | SHA256
xx.bat   | Batch Script | 2f907f2da760bbadc713d710166a68e73895a75cb695b4890c63aea453e838c0