by Paul Ducklin
Of course you do – it was the name behind a foursome of Exchange bugs that got patched in an emergency update early in March 2021.
Even though there was just a week to go until March 2021’s Patch Tuesday, Microsoft decided to issue what have become known as the “Hafnium fixes” in a so-called out-of-band update.
The fixes closed four security holes that could be chained together to produce an attack that has now been dubbed ProxyLogon.
Using the ProxyLogin trick, a cybercriminal outside your network could sneakily install malware onto your server without needing to go through any sort of authentication process or password check first.
“Out of band” is a metaphor borrowed from radio and network signalling, where it refers to a separate communication channel reserved for special data or commands in order to improve reliability. Usually, out-of-band data and commands are used to avoid to the dual risks that [a] the commands or urgent data might get missed if mingled with regular transmission, and [b] innocent data in regular transmission might dangerously be misrecognised as a command that was never actually issued. When referring to software updates, “out of band” simply means a patch or fix that unexpectedly arrives outside any pre-announced update schedule. Usually, that means it’s both urgent and important because it fixes a zero-day hole: a bug that attackers are already exploiting.
Remote code execution
Using the ProxyLogon attack, crooks can turn the trick of uploading an arbitrary file into a remote code execution exploit, so they can come back whenever they want and run code they uploaded earlier.
Even worse, the crooks don’t need to upload a single, specific command to run later, as harmful as that would be on its own.
By uploading what’s known as a webshell – a remotely executable command script that is programmed to run arbitrary additional commands provided at runtime – the crooks can come back whenever they want to execute whatever they want. (Read the boldfaced part of that sentence out aloud!)
Webshells provide attackers with same sort of general-purpose power as a local Command Prompt or a PowerShell window, but without requiring them to work their way past any firewall rules or logon prompts.
Life beyond HAFNIUM
Hafnium, as it happens, doesn’t refer to the attack described above, but merely to a specific gang of attackers who were using the ProxyLogon trick before Microsoft became aware of the bugs, and whose activities provoked the emergency patches.
Unfortunately, once news of the Hafnium attackers came out, interest in the exploits they had been using surged.
Ready-to-use attack code was soon made public, so that anyone could exploit the ProxyLogon hole, and a spate of “me-too” cyberattacks followed.
The original Hafnium gang seems to have been interested in stealing data, presumably for industrial espionage, but some of the follow-up attackers had different ideas, such as the BlackKingdom gang, who used ProxyLogon to spread their ransomware.
Lead, follow, or get out of the way
Despite several weeks of urgent warnings, not least from Naked Security (where we’ve preached about patching in articles, via podcast and on video), there are still plenty of unpatched servers out there just waiting to get pwned.
And the ProxyLogon hole gets attackers directly onto your Exchange server, which is a target that almost certainly contains what crooks think of as “trophy data”, so that’s not a good thing.
So, the FBI decided to act, and to turn attack into defence.
The Feds went to court for a warrant that authorised them to “exploit” the webshells visible on unpatched servers…
…and the remote code execution command they issued to those webshells was:
Many infected system owners successfully removed the webshells from thousands of computers. Others appeared unable to do so, and hundreds of such webshells persisted unmitigated. This operation removed one early hacking group’s remaining webshells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the webshell to the server, which was designed to cause the server to delete only the webshell (identified by its unique file path).
As the DOJ pointed out in its press release, the Hafnium gang’s webshell installations used a different filename and path on every server they attacked.
The DOJ rather politely suggested that this “may have been more challenging for individual server owners to detect and eliminate than other webshells.”
What to do?
- Check whether you have any Exchange servers on your network. Even if you consider yourself to be a “full cloud” organization these days, you may still have legacy servers on your own network that you’ve forgotten about. Those servers are never going to get patched unless you actively go looking for them.
- Check whether your servers are patched. Don’t leave it to chance, or assume that updates have been applied automatically.
- Check your network for indicators of compromise. Don’t just look for specific artifacts such as an individual filename that another victim may have reported, because the details vary from attack to attack. Use the most general threat-hunting techniques you can. Sophos has created a step-by-step guide to help you detect if you’ve been infiltrated.
If you’re infected, don’t wait for someone else to run the webshell for you, because it’s probably not going to be the FBI telling your server to disinfect itself.