This latest blog is a game changer and a must-read. In March, Microsoft publicly disclosed the Exchange server zero-day – an ongoing campaign initiated by the Hafnium threat actor group. It has now come to light that Darktrace’s AI technology possibly detected a Hafnium attack three months before attribution.

As a result, we’re advising that your IT team may want to go as far back as early December to check security logs and tools for signs of initial intrusion into their Internet-facing Exchange services by the Hafnium campaign.

When did it all begin? 

Based on similarities in techniques, tools and procedures (TTPs) observed, Darktrace has now assessed with high confidence that an attack in December on one of their clients, was the work of the Hafnium group, suggesting that their campaign was active several months earlier than assumed.

Whilst Microsoft has warned that the vulnerability is also being rapidly weaponised by other threat actors, what is reassuring is that there is now evidence that these new, unattributed campaigns, which have never been seen before, can been disrupted by Darktrace’s Cyber AI technology in real time.

How to assess your risk

In this blog, we will analyse the attack to aid organisations in their ongoing investigations, and to raise awareness that the Hafnium campaign may have been active for longer than previously disclosed. To summarise, the campaign targets Internet-facing Microsoft Exchange servers, exploiting the recently discovered ProxyLogon vulnerability (CVE-2021-26855).

In the earlier attack detected by Darktrace, the threat actor used many of the same techniques that were observed in the later Hafnium attacks, including the deployment of the low-activity China Chopper web shell, quickly followed by post-exploitation activity – attempting to move laterally and spread to critical devices in the network.

The following analysis demonstrates how Darktrace’s Enterprise Immune System detected the malicious activity, how Cyber AI Analyst automatically investigated on the incident and surfaced the alert as a top priority, and how Darktrace Antigena would have responded autonomously to shut down the attack, had it been in active mode.

Initial compromise

Darktrace observed no signs of compromise or change in behavior from the Internet-facing Exchange server – no prior internal admin connections, no broad-scale brute-force attempts, no account takeovers, no malware copied to the server via internal channels – until all of a sudden, it began to scan the internal network. While this is not conclusive evidence that no other avenue of initial intrusion was present, the change in behavior on an administrative level points to a complete takeover of the Exchange server, rather than the compromise of a single Outlook Web Application account.

To conduct a network scan from an Exchange server, a highly privileged, operating SYSTEM-level account is required. The patch level of the Exchange server at the time of compromise appears to have been up-to-date, at least not offering a threat actor the ability to target a known vulnerability to instantly get SYSTEM-level privileges.

For this reason, Darktrace has inferred that the Exchange server zero-days that became public in early March 2021 were possibly being used in this attack observed in early December 2020.

Internal reconnaissance

As soon as the attackers gained access via the web shell, they used the Exchange server to scan all IPs in a single subnet on ports 80, 135, 445, 8080. This particular Exchange server had never made such a large number of new failed internal connections to that specific subnet on those key ports. As a result, Darktrace instantly alerted on the anomalous behavior, which was indicative of a network scan.

Lateral movement

Less than an hour after the internal network scan, the compromised Exchange server was observed writing further web shells to other Exchange servers via internal SMB. Darktrace alerted on this as the initially compromised Exchange server had never accessed the other Exchange servers in this fashion over SMB, let alone writing .aspx files to Program Files remotely.

A single click allowed the security team to pivot from the alert into Darktrace’s Advanced Search, revealing further details about the written files. The full file path for the newly deployed web shells was: Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\errorFS.aspx

The attackers thus used internal SMB to compromise further Exchange servers and deploy more web shells, rather than using the Exchange zero-day exploit again to achieve the same goal. The reason for this is clear: exploits can often be unstable, and an adversary would not want to show their hand unnecessarily if it could be avoided.

While the China Chopper web shell has been deployed with many different names in the past, the file path and file name of the actual .aspx web shell bear very close resemblance to the Hafnium campaign details published by Microsoft and others in March 2021.

As threat actors often reuse naming conventions / TTPs in coherent campaigns, it again indicates that this particular attack was in some way part of the broader campaign observed in early 2021.

Further lateral movement

Minutes later, the attacker conducted further lateral movement by making more SMB drive writes to Domain Controllers. This time the attackers did not upload web shells, but malware, in the form of executables and Windows .bat files.

Darktrace alerted the security team as it was extremely unusual for the Exchange server and its peer group to make SMB drive writes to hidden shares to a Domain Controller, particularly using executables and batch files. The batch file was called ‘a.bat’. At this point, the security team could have created a packet capture for the a.bat file in Darktrace with the click of a button, inspecting the content and details of that script at the time of the intrusion.

Darktrace also listed the credentials involved in the activity, providing context into the compromised accounts. This allows an analyst to pivot rapidly around the data and further understand the scope of the intrusion.

Bird’s-eye perspective

In addition to detecting the malicious activity outlined above, Darktrace’s Cyber AI Analyst autonomously summarised the incident and reported on it, outlining the internal reconnaissance and lateral movement activity in a single, cohesive incident.

The organisation has several thousand devices covered by Darktrace’s Enterprise Immune System. Nevertheless, over the period of one week, the Hafnium intrusion was in the top five incidents highlighted in Cyber AI Analyst. Even a small or resource-stretched security team, with only a few minutes available per week to review the highest-severity incidents, could have seen and inspected this threat.

How to stop a zero-day

Large scale campaigns which target Internet-facing infrastructure and leverage zero-day exploits will continue to occur regularly, and such attacks will always succeed in evading signature-based detection. However, organisations are not helpless against the next high-profile zero-day or supply chain attack.

Detecting the movements of attackers inside a system and responding to contain in-progress threats is possible before IoCs have been provided. The methods of detection outlined above protected the company against this attack in December, and the same techniques will continue to protect the company against unknown threats in the future.

If you would benefit from further advice or support, please click below or contact us: