Analysis of the Hafnium attack on MS Exchange Servers

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hello everyone and thanks for joining us again this is another in our series of vulnerability analysis videos from the versex security lab i'm joined as always by satya gupta our founder and cto hello satya how are you hey well how are you doing good uh so more craziness in the world of cyber attacks um we're changing our format a little bit rather than going through a series of vulnerabilities we're going to tackle some big ones that have been in the news all around microsoft exchange servers if you remember microsoft exchange seemed to be part of both the solarwinds attack and the centrion attack and now there's been announcements that as many as 30 000 organizations might be vulnerable to these significant gaps so uh we're going to do a little bit of a deep dive into it we've got some technical diagrams in terms of our understanding and our labs recreation of how this probably occurred and we'll also be producing a demo in the next few days so saki why don't you give us the overview of what's been happening here and what we know yes absolutely so very early this month um you know on the second of march uh seven new vulnerabilities were exposed so three of them had been uh uh are sort of allocate sort of been identified with a with source inside and the other four are you know some unknown attack group they were basically zero day attacks at the and now of course it's public news that the chinese group called hafiyum or who's been called hafnium by microsoft has been exploiting these vulnerabilities in the y for a while looks like and so these four vulnerabilities that uh the happium team has been exploiting is um you know i can basically bend them into three different categories so number one would be a ssrf vulnerability but basically what it does is it allows a user who's sending a a crafted request to the exchange server they can identify themselves as so so because of the vulnerability the uh the exchange server basically returns back a token which is associated with the privileges of uh admin so in other words uh you know now the for all practical purposes the attacker is now has privileges of the admin they have the security token so the next request that they send they can actually use that uh information to bury that token in there and the exchange server will know that you know it is not the admin but somebody else who's kind of uh pretending to be the admin so once the second request goes in uh it has uh so that brings me to the second vulnerability that is the deserialization vulnerability so what that attack uh is all about it that you know the attacker sends this uh specially crafted serialized data and um in that embedded is uh and that is embedded or rce so you know there's something that will uh that will execute on that extend server and you know you can actually plant uh you know and then in return you get system privileges which is the highest level of privileges that you can get um so you can actually when you have system privileges you can do really crazy things you know even uh processes that are very uh microsoft uh specific processes uh you know the init process and the lsas process which has um all kinds of credits in it uh they will all get uh you know somebody with that privilege can read all those uh process memory and so you know uh everything is off the table at that point you know you can really get very deep into the system you pretty much own the box at that point in time you can choose to keep on extracting stuff you know confidential material out of it or you could completely uh you know own the box and turn it into a brick if you wanted to do that that's the power of the system privileges essentially so once you've got these i've got you sorry to interrupt a couple things that seem to be kind of um common themes here maybe if i can draw a through line from solarwinds and some of these others and now first of all nation state attackers seem to be you know russia china it's probably not limited to that but well-funded large organizations constantly changing what they're doing that seems to be a common thread here also you mentioned remote code execution we've heard a lot about that in various attacks and then the fact that it seems like conventional tools have not been catching this either at the perimeter or detecting it afterwards with enormous dwell times are those all fair to say absolutely and you know as we all discussed uh previously these um other tools the conventional edr type uh solution they're looking for behavioral um you know telltale clues essentially and you know they kind of associated uh you know associate a certain malware with a certain set of behavior patterns and all that and if you don't have any knowledge about that particular uh new malware that got created uh there's obviously a stats reason that you cannot really identify if uh if that particular application is uh is active and is performing malicious actions so you know until somebody publishes the uh the indicators of compromise um you know you're kind of blindsided in this particular case a company called valet city and um you know has published uh they were called in to do almost like a you know like a 9-1-1 operation on there so they were able to identify you know some signatures the signatures for the file signatures for some telltale aspects of this attack but now i have to tell you you know the attackers are salivating at this kind of behavior because you know they just have to make a small tweak and everybody thinks that they have a good protection built in out there but you know all the attackers to change is a comma in their um you know in their code and you know the signatures completely you know 100 different and all so you know good at modifying and multiple variants and you know changing it thousands of times over so the exactly requiring prior knowledge just seems like a losing proposition totally incorrect it's like that arcade game that we keep talking about right you killed one you know yeah yes so so that's that's the very losing strategy as we've discussed many times before and so you know what happened with this particular case is that the rc basically ended up creating a reverse channel back into the attackers command control center and now from there um you know because they had elevated privileges admin privileges they were able to drop any kind of file what they chose to do here was they were able to drop a web shell uh on an exchange server runs on a a well-known server called the iis information server that is used by microsoft a lot it's a very traditional application server that you know hosts a whole bunch of uh microsoft products and all so so the ia server was actually you know the attackers use some some aspx files which is basically a net file that dropped on the server and then that got included into um you know the functionality of the is server so now the attackers are able to send requests to that particular option and the web shell based on what you send out there is able to perform a whole bunch of uh command injection type operations and extract all kinds of information from that box and send it back so you can run any powershell taking ownership over the whole exchange server yeah he likes to have a hacker have ownership totally totally that box is completely owned it has the highest privileges you can run the attacker can run arbitrary code on it and um so you know you just don't know about it but you know you don't own the box anymore right so maybe sanji can you step us through the diagrammatic view here and uh step by step of what you were describing absolutely let me share my screen here so um you know this is a sequel diagram that we put together on the left hand side is the attacker which uh has been called the hafnium group so what they do is they'll first send uh you know a malicious request as we discussed you know with um you know they don't really have the credit but because of that vulnerability in the microsoft exchange server they are able to take advantage of a ssrf server-side request forgery flaw in the application logic and then that flaw basically gets exploited and the admin tokens are sent back to the uh to the haftium attacker essentially on the afm side so this is our initial infiltration and exploitation phase and then once the attacker has the security token what they do next is really very interesting they send malformed serialized data to the exchange server which basically uh allows them to escalate privileges but also execute some code on the server so now once that code is executed it basically ends up creating a whole bunch of things but you know one notable thing is that it establishes a reverse shell back uh to the hafnium attacker essentially and so next uh the attacker basically uses that reversion to launch various processes and various uh you know commands and perform some recognizance and looking for uh things like you know looking for new or elevated password you know people's passwords essentially and uh looking for other critical data who knows what they'll find kind of thing right so they're looking around performing you know snooping around trying to look for this look for that and when they find uh everything that's kind of that looks interesting to them they will zip it and they'll send it back to their command control center then the next stage is the real uh exfiltration stage where they can actually now drop a web shell because they have admin privileges as we saw in step number four they had gained uh privileges so they ended up dropping a web shell on the is server and then you know the web shell will execute like a normal uh http request is sent to the web shell the web shell does whatever it is that is being asked for in that os command that the attacker wants to be able to run they are able to run a whole bunch of powershell commands they can snoop at um you know pretty much any process and go and read the memory use block dump and tools like those to um and run mini cats and all that kind of uh you know all the possibilities are endless here at that point yeah whatever it is that um you know that they're looking for gets uh encrypted and sent back to their command control center that's in step 14. so a couple thoughts here the the reconnaissance that you know normally you think of that as being the first stage where they're snooping around but this is with system privilege right so kind of privileged right in reconnaissance ways reconnaissance can be you know described at two levels right i'm kind of doing a record on what do i attack is this a server that i want to attack or not that's one stage of reconnaissance but you know in this you know we are now already inside the box now they're surveying you know what else can i snatch and grab out here that's another level of reconnaissance essentially and i would believe that an exchange server would have a huge amount of valuable data to put it mildly absolutely i mean that is uh you know the entire enterprises emails uh can be exposed here if the attacker uh wants to look at that you know they can actually extract a whole bunch of very valuable business information and um you know uh who knows what the organization is you know the folks inside the organization are talking about you know so a lot of the yes and all the you know code and all kinds of information can get compromised and as we saw with solar winds they were able to do spearfishing based on kind of insider information and and insider email addresses things like that yes so it's you know we've said repeatedly really that you know once you let the burglar inside your home and there's no you know no uh oversight on that burglar who knows what the burglar will do right so you know all bets are off at that point you know you should expect the worst now if there's a smart burglar which a lot of these nation state attackers are all about they will uh you know they will be very very precise and very you know mercenary about what they do essentially this seems like letting the burglar in your house and having the code to your alarm system on a post-it sitting on it so exactly exactly effectively you know they've turned it off and there's nobody coming to your head right so uh let's talk about where versace can um detect and stop some of these steps right so um so these are uh you know several places where versace will uh stop the attack if now you know this rce when uh a piece of malware will uh want to run uh that will absolutely get blocked by uh verse x so you know at step six uh end of story out there um you know none of these other subsequent steps will actually occur out there and then but let's say for a moment just for argument's sake let's uh uh you know put that aside for a moment then uh you know another opportunity for versace to jump in is when you know the reconnaissance steps are being made those are all powershell scripts and all that you know are not authorized to run on those boxes so so those reconnaissance steps and nine and nine here uh will get blocked absolutely and then you know this critical uh data that it gets uh zipped as uh using some uh tools like 7-zip or some other uh you know turning facility some some tool that performs start so that can be actually you know that's something that you can make sure that you know that doesn't get to run on the server um and um so versace um acp policy application control policies will pick up all of that and terminate those steps as well and then let's assume for a moment uh you know that that's just for argument saying this doesn't really going to happen but you know just for an argument if let's say the acp policy doesn't kick in at step number 10 then you know at the step number 13 where uh you know the user drops a web shell that's a new file that gets written on the desktop that will get detected and blocked and potentially a protection action would be that you know to move this particular file out of the web route so that the attacker doesn't get to run anything so in that case you know once the file is gone then step 14 uh is also automatically disabled so step 13 and 14 both can be stopped step 10 and step 6 uh are the four places we can stop the attack without any knowledge base without any knowing anything at all about the application or the signature and all it's not you know as you know verse x attacks are not contingent on any indicator of compromise or signature it's a really contingent of you know on is the sport that is running did it come from a developer or did it come from an attacker and this follows our kind of the zero trust model that people have been talking about in depth right where rather than looking at what's possibly bad coming in we're just making sure we're guard railing all of these steps if any illicit code is running we can detect it and stop it immediately absolutely so the principle of zero trust is you know you don't trust anything right so what what is coming in is basically data that's coming in from an attacker and you know when the application consumes it turns into poison and it tips over and lets uh the attacker gain control and then the attacker holds that box so you know um one of the things that happened at step six was that the attacker was able to push um some really bad nasty uh malware through step six and so you know as soon as the attacker attempted to run that particular uh you know that remote port that they dropped in there that would get picked up so that that's really important that you know when uh developer when attacker provided uh data turned into code uh that is the moment of inflection where you know it's like the seminal moment where all hell will break loose and we are we detect those kind of situation where the attacker's data cannot be trusted anymore and it turns into code that's what uh hero trust is all about and that's what versace is all about sure and and quite unique in having this visibility and control during runtime right absolutely and this requires the the deepest level of application awareness you have to be able to look at the code every line of code and be able to watch and be able to tell you know who provided this piece of code did it come from a developer or did it come from an attacker and uh you know reading through like the nist zero trust documents and others it's a common statement that assume the attackers are already inside which i guess means that assume that half of the perimeter security that exists has already failed and um and i guess we can add on that you know assume maybe the attackers have been in are inside and may have been dwelling for long periods of time so in in run time as they execute bad code seems to be critical absolutely and you know we're not uh you know with this new innovation and with these application aware control you don't have to live with that um assumption anymore you know we are basically the attacker gets into your uh enterprise through the millions of vulnerabilities that exist in your code essentially you know in your public facing code and it's really really difficult to be able to shut those things down so if you have an application aware uh protection solution like versace you know it'll make sure that the attacker it makes it horrendously difficult for the attacker to be able to get into your enterprise in the very first place so you know no it's like you know we've talked about this in the past it's a you know a vulnerable application is like a hanging a lock on your door um you know which as you breathe on that lock it open you know it kind of gives up on you so um so you know this is uh where uh you know with versailles running protecting that that lock it's not going to be easy to break in anymore so that is the big difference you know then any new attackers will not necessarily go in and any attacker that are on the inside will not be able to execute arbitrary code on that on any endpoint so effectively we've neutered the attacker essentially and of course we're only showing vulnerabilities here that have been disclosed so there may be you know 10x a number that have not been disclosed or not been but are being exploited so uh the ability to stop that bad behavior regardless of what vulnerability is causing it seems to be essential here absolutely just a very sobering thought here you know almost like uh 20 25 000 vulnerabilities get exposed you know currently that get uh that get written out into the national vulnerability database and many people believe that you know the numbers actually many times more because you know as a nation-state attacker i mean no obligation to go and deposit my or to go and convey to national vulnerability database hey i found a vulnerability in such and such application the goals and the objectives of nation-state attackers are very very different from white hat uh you know hackers uh who's uh whose sort of motivation is to help uh improve the applications um that are being used by the public you know they don't have nation state attackers don't have that um you know utopian kind of one attitude where they love you know their goals are to go and grab and snatch as much as they can before you discover them yeah and there seems to be uh maybe i'm speculating a bit but last year we had this whole wave of ransomware attacks and and those seem more like almost kind of vandalism i mean i know they can be serious and costly but this seems to be at a different level whether it's the chinese or the russians where it appears that stealing data is the goal and the hackneym group has been organized around stealing uh intellectual property from from companies so that is should also be sobering absolutely and you know the this whole notion about uh creating um you know like a profile for every human uh is uh very ambitious but now you know now with all these vulnerabilities it is entirely possible to be able to do that um you know and you know the idea is that you know you'll build enough data about uh you know every individual so you can compromise them when the time comes you can actually use that information to compromise them completely and um you know it's uh it's very troubling in uh a thought process that you know uh they say that you know there are these uh claims in the dark uh web that you know everybody has a profile for them you know that supposedly the chinese have profiles for everybody um you know and they can trace your behavior pattern very very easily so the last point i just wanted to reinforce um back to zero trust i think zero trust has a bad reputation of being very difficult to do in practice it sounds like a good idea but if you're you know and it's mostly been viewed as a kind of an access control thing for users and devices and networks but um i think it's critical here everything that versace does the application awareness is automated right there's no uh tuning or tweaking or manual intervention and that seems like the only way we're gonna make this make this work at scale yes and you know it's very interesting that you mentioned that you know there's a you know if i give you a binary for an application you know there's tons of information um you know living in that binary or the package you know that you might give me i can extract so much information out of it that now you know it's this is where the application awareness comes from you know it's i can just simply decompose the application without asking a user a single question i can extract you know all the executables i can find out all the checksums of all the executables you know that the developer released i can find out all libraries that you know are given executable will load i can find out you know what processes which files will get um you know loaded into memory at runtime i can you know pretty much find where all the all the sockets you know that the application will connect to and on so you know and i can establish you know what we call the control flow you know how an application will execute you know it's like you know almost like a google map you know it basically says that you'll take road number one for five miles and then turn left until road number two kind of thing you know so you can create all that linkages so you know we pretty much the developers intent can be extracted and captured beyond we call those you know that databases as our app maps and there's ten of those very highly precise app maps that we are able to maintain about the application and without asking the users a single question without asking them for source code or all of this is extractable from you know just the binaries that the developer releases right and uh for the audience we have multiple webinars where we go into depth on that whole process well good satya any any other closing thoughts here that um you know where do you where do you see this going more of the same so you know we've talked up the power of the rce out here right so if you look at step six this is where everything all hell started breaking loses so the for me it's a really you know it's not so much about the microsoft um uh you know vulnerability but it's about any vulnerability that has um you know potential for rce you know the end result will be pretty much be the same you know the attacker gets in then they perform all kinds of you know malicious actions uh after that like we saw they can extract they can perform recognizance inside and steal and what makes this particular attack a little bit nastier than the other rc attacks is because you know the attacker has been able to get system privileges that makes it uh you know um you the in the other attacks that you might have seen you know we want we didn't have step nine out there where you know you could actually get into the memory of uh elevated privileged processes and steal passwords and all but that is being made possible because the rc run that uh you know with system privileges essentially so you know in if i were to summarize i would say you know uh any vulnerability that has an rc associated with it be aware be very wary and you know be very very careful about that you know if you do not use application aware workload protection kind of tools out there then now you know you're almost like playing russian roulette with your own you know infrastructure all right i think we'll leave it at that satya obviously we will continue to uh analyze as more news becomes available or other exploits happen uh unfortunately all indications are this is going to continue to be an epic year in terms of large-scale vulnerabilities and really requiring really rethinking our security model in many ways uh thanks again satya and we also stay tuned we'll be producing a live demo our research lab specializes in recreating these vulnerabilities and we will be demonstrating a live vulnerability probably within a few days thanks again and thank you to the audience for joining us thank you [Music]

Info

Channel: Virsec Systems

Views: 596

Rating: undefined out of 5

Keywords: Hafnium, cyber attack, remote code execution, MS Exchange vulnerability, memory attack, SolarWinds, email server attack

Id: RvSCJPHBykc

Channel Id: undefined

Length: 25min 51sec (1551 seconds)

Published: Wed Mar 17 2021