Detection of Microsoft Exchange Zero-Day Vulnerabilities

Description

Over the last week the global news has been covering a very serious Microsoft Exchange Server hack. This blog post outlines how we are helping our clients protect themselves.

https://www.zdnet.com/article/everything-you-need-to-know-about-microsoft-exchange-server-hack/

The Idappcom Threat Detection team has been looking into the recent Microsoft Exchange Server exploit. At the time of writing there is limited public information, but we were able to gather enough to create mitigations for our customers.


Identification

The Exchange Server team has created an nmap (Network Mapper) script that checks whether a specified Exchange Server is vulnerable to the exploit. We ran this script and observed how it works.


When run, the script sends a GET request:

GET /owa/auth/x.js

with the following cookies:

Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;

From the server's response it determines whether the server is vulnerable to the attack.


Detection

By turning this request into a traffic file and a matching rule, we can now detect hostile actors performing this reconnaissance against Exchange servers on networks protected by our rules.


Extraction

There have been reports of requests that extract email identifiers, with a view to then downloading emails using those identifiers.


By sending a specially crafted XML payload to the following endpoint, it is possible to obtain the email identifiers for a particular email address:

POST /ecp/poc.js

The request carries the following Cookie header:

Cookie: X-BEResource=localhost/EWS/Exchange.asmx?a=

The XML body includes parameters such as:

<t:RequestServerVersion Version="Exchange2016" />
<t:DistinguishedFolderId Id="inbox">
<t:EmailAddress>test@test.com</t:EmailAddress>

We can detect this request as it crosses the network and have crafted rules to mitigate the threat.
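The two requests described in the Identification and Extraction sections share one indicator: a client-supplied cookie (X-BEResource or X-AnonResource-Backend) that names a backend resource on the Exchange server. The following is an added example of detection logic built on that indicator; it is not Idappcom's signature 8020961/8020962, not the Exchange team's nmap script, and the sample requests, host name and rule names in it are constructed for illustration.

```python
"""Added example: match the cookie-based indicators this post describes in raw
HTTP requests. Sample requests, host names and indicator names are constructed;
this is not Idappcom's rule set or the Exchange team's nmap script."""
from dataclasses import dataclass, field

# Cookie names the post identifies as carrying a backend target (compared case-insensitively).
BACKEND_COOKIES = ("x-beresource", "x-anonresource-backend")
# EWS elements the post lists in the mailbox-identifier extraction request.
EWS_MARKERS = ("<t:DistinguishedFolderId", "<t:EmailAddress>")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""

    @property
    def cookies(self) -> dict:
        """Parse the Cookie header into a name -> value dict (first occurrence wins)."""
        out = {}
        for part in self.headers.get("cookie", "").split(";"):
            name, sep, value = part.strip().partition("=")
            if sep and name not in out:
                out[name] = value
        return out


def parse_request(raw: str) -> HttpRequest:
    """Parse a raw HTTP/1.1 request (CRLF or LF line endings) into an HttpRequest."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, *_ = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def classify(req: HttpRequest) -> list:
    """Return the indicator names matched by the request; an empty list means clean.

    A backend-routing cookie arriving from a client is the core indicator: normal
    OWA/ECP clients do not set X-BEResource or X-AnonResource-Backend themselves.
    """
    hits = []
    backend = {n: v for n, v in req.cookies.items() if n.lower() in BACKEND_COOKIES}
    if not backend:
        return hits
    hits.append("backend-routing-cookie")
    targets = " ".join(backend.values()).lower()
    # Identification section: GET under /owa/auth/ with a backend cookie pointing at /ecp/.
    if req.method == "GET" and req.path.startswith("/owa/auth/") and "/ecp/" in targets:
        hits.append("exchange-recon-probe")
    # Extraction section: POST routed to EWS with the folder/email elements in the body.
    if (req.method == "POST" and "/ews/exchange.asmx" in targets
            and all(marker in req.body for marker in EWS_MARKERS)):
        hits.append("ews-mailbox-enumeration")
    return hits


def scan(raw_requests) -> list:
    """Classify a batch of raw requests; returns (path, hits) per request."""
    return [(req.path, classify(req)) for req in map(parse_request, raw_requests)]


# Constructed sample traffic reproducing the request lines and cookies quoted in the post.
RECON_PROBE = (
    "GET /owa/auth/x.js HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; "
    "X-BEResource=localhost/owa/auth/logon.aspx?~3;\r\n\r\n"
)
EXTRACTION = (
    "POST /ecp/poc.js HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Cookie: X-BEResource=localhost/EWS/Exchange.asmx?a=\r\n"
    "Content-Type: text/xml\r\n\r\n"
    '<t:RequestServerVersion Version="Exchange2016" />\n'
    '<t:DistinguishedFolderId Id="inbox">\n'
    "<t:EmailAddress>test@test.com</t:EmailAddress>\n"
)
BENIGN = (
    "GET /owa/auth/logon.aspx HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Cookie: OutlookSession=abc123; ClientId=XYZ\r\n\r\n"
)

if __name__ == "__main__":
    for path, hits in scan([RECON_PROBE, EXTRACTION, BENIGN]):
        print(f"{path:<25} {', '.join(hits) or 'clean'}")
```

The matcher keys on the cookie names rather than on the exact paths in the post, so variations of the probe that keep the backend-routing cookie but change the requested file are still flagged; the "backend-routing-cookie" hit alone is worth alerting on, with the two more specific names only adding context.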


Coverage

Idappcom has created signatures 8020961 and 8020962 along with their respective traffic files. As more information becomes available we will update these and produce further traffic files and rules for protection.


References:

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try our Traffic IQ software, which can test your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional