Channel, Networking

HAFNIUM: First of Many Threat Actors to Exploit ProxyLogon

I’ve spent a lot of time talking about HAFNIUM over the past few weeks. (Here’s a video and webinar as proof.) It’s not a surprise given the scale of the attack. As I discussed in a previous blog post, the threat actor compromised tens of thousands of organizations in the United States and abroad by misusing four Exchange Server software 0-day vulnerabilities identified by Microsoft. How could it not warrant so much of our attention—even all of our attention at times?

But the story of HAFNIUM and those security weaknesses didn’t end there. It grew to include other malicious actors, new threats and a concerted response effort from Microsoft. Provided below are just some of those updates.

ProxyLogon: Putting a Name to the 0-Day Chain

In the first half of March, researchers at DEVCORE dubbed one of the Exchange Server software vulnerabilities as “ProxyLogon.” They explained that this designation reflects the way in which the vulnerability works. As quoted on their ProxyLogon website:

We call it ProxyLogon because this bug exploits against the Exchange Proxy Architecture and Logon mechanism.

The researchers found that an attacker could use the ProxyLogon vulnerability, CVE-2021-26855, to bypass authentication and impersonate an admin. They could then chain that weakness together with CVE-2021-27065, another 0-day identified by Microsoft in its security advisory, in order to achieve code execution. All by just exploiting Microsoft’s Exchange Server software through an opened 443 port.

Some security researchers responded to this news by attempting to craft proof-of-concept (POC) exploits to ProxyLogon. For instance, one researcher named Nguyen Jang posted to GitHub a version of a POC exploit he had developed. That version required additional modifications before an attacker could begin targeting vulnerable Exchange servers, but it still gave malicious actors enough to work with in order to develop functional exploit code.

Not long thereafter, Microsoft-owned GitHub informed Jang that it had decided to remove the POC exploit from its site because it violated its Acceptable Use Policies.

“We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe,” GitHub said in a statement, as quoted by Malwarebytes. “In accordance with our Acceptable Use Policies, GitHub disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited.”

Malwarebytes wrote that GitHub subsequently received criticism for removing the POC exploit.

But that didn’t stop others from developing their own POC exploits and publishing them online. According to Bleeping Computer, one researcher posted their code over the March 12-14 weekend. Two security analysts tested the POC exploit, and though one of them found that it still required some modifications in the realm of modifying some Active Directory settings, both agreed that it enabled “script kiddies” with low levels of technical expertise to begin going after Exchange Servers vulnerable to ProxyLogon.

Microsoft’s Customer Awareness Blitz

Following the release of its security advisory, Microsoft released an update in which it explained that it had directed its customer service team to work with hosting companies and the broader partner community on a customer awareness campaign. Their aim was to raise awareness about HAFNIUM and ProxyLogon with over 400,000 Exchange Server customers. This effort bore fruit, as the tech giant explained in its blog:

To illustrate the scope of this attack and show the progress made in updating systems, we’ve been working with RiskIQ. Based on telemetry from RiskIQ, we saw a total universe of nearly 400,000 Exchange servers on March 1. By March 9 there were a bit more than 100,000 servers still vulnerable. That number has been dropping steadily, with only about 82,000 left to be updated. We released one additional set of updates on March 11, and with this, we have released updates covering more than 95% of all versions exposed on the Internet.

The tech giant didn’t stop there. Just three days later, the company announced the creation of its Microsoft Exchange On-Premises Mitigation Tool. Microsoft explained that the purpose of the tool was to help companies that lack dedicated security or IT teams to protect themselves against attacks exploiting ProxyLogon. Towards that end, the Redmond-based company designed the tool as an interim fix to ProxyLogon so that customers could automatically mitigate their Exchange Servers against this vulnerability with one click. Microsoft explained that using that tool would then give customers time to familiarize themselves with the patch/update process so that they could then apply the on-premises Exchange security update.

Other Threat Actors Begin Exploiting ProxyLogon

In the meantime, other threat actors didn’t waste any time capitalizing on the media attention surrounding ProxyLogon to craft their attacks. ESET wrote in early March that at least 10 APT groups had begun using the vulnerabilities to compromise Microsoft Exchange email servers around the world. Those groups included LuckyMouse, Tick, Winnti Group and Calypso at the time of the security firm’s reporting.

The malicious actors that jumped on the exploit-wagon used a variety of digital threats to target vulnerable Exchange servers. Some turned to threats with an established record of malicious activity. For instance, security experts at ESET tweeted out that they had spotted the Lemon_Duck cryptocurrency mining botnet using ProxyLogon along with two domains to install the XMRig Monero (XMR) CPU cryptominer onto infected devices. Others turned to new threats. In particular, Bleeping Computer reported that digital attackers began using a new strain of ransomware called “DEARCRY” in order to encrypt vulnerable organizations’ files and demand up to $16,000 in ransom.

HAFNIUM and the Future of the Security Industry

Many of history’s most noteworthy digital attacks have helped to change the security industry. Remember the Mellissa virus? As explained by the FBI, a programmer used the promise of free passwords to fee-based websites containing adult content in order to infect interested parties with Mellissa. That virus used malicious macros to hijack victims’ Outlook email systems and self-propagate by sending out malicious messages to the first 50 entries in their contact lists. The malware spread around the web, an event which arguably gave the multi-billion-dollar antivirus (AV) industry its spark.

WannaCry and the hack of Hillary Clinton’s email accounts by Russian actors had a similar effect on the industry. In 2017, the WannaCry ransomware strain used a Microsoft exploit to infect organizations around the world, prompting the back-up and recovery market to grow and thereby meet organizations’ growing adoption of the cloud. Meanwhile, the Clinton email breach accelerated the growth of the phishing awareness training market.

The exact impact of HAFNIUM remains to be seen. But one thing is clear: organizations can’t rely on the built-in threat protection measures that come with Office 365 and similar email platforms. As Zix CEO David Wagner explained to me in an email, “The thing that Hafnium most importantly highlights is the risk of putting all of your eggs in the Microsoft basket. Layering security defenses is a tried-and-true strategy….”

To protect themselves against threat actors like HAFNIUM, organizations need to make sure they invest in an email threat protection solution that can analyze incoming email messages for indicators of malicious activity. It should do this while allowing legitimate business correspondence to reach its intended destination.


Author David Bisson is a security expert and journalist writing for Zix AppRiver. Read more guest blogs from Zix AppRiver here.