SafeBreach Hacker’s Playbook Updated for US-CERT Alert (AA21-062A) Mitigate Microsoft Exchange Server Vulnerabilities
US Cert Alerts
SafeBreach Labs has updated the Hacker's Playbook™ with new attack methods for malware samples described in US-CERT Mitigate Microsoft Exchange Server Vulnerabilities which addresses multiple zero-day vulnerabilities that a newly identified Chinese state-sponsored threat group, Hafnium, has successfully exploited. The vulnerabilities are used against on-premise Microsoft Exchange Servers 2013, 2016, and 2019 to access all user email accounts. The attackers executed arbitrary code on vulnerable Exchange Servers, gaining persistent system access, as well as accessed files, mailboxes, credentials and moved laterally to exfiltrate data and added new users. The vulnerabilities are being used to steal the full contents of user mailboxes without requiring authentication.
Listen to the details of the attack from SafeBreach Labs’ Tomer Bar:
#5977 - Communication with exchange_exploit using HTTP (Infiltration)
#5978 - Write reGeorg_webshell malware to disk (Host-Level)
#5979 - Transfer of reGeorg_webshell malware over HTTP/S (Lateral Movement)
#5980 - Transfer of reGeorg_webshell malware over HTTP/S (Infiltration)
#5981 - Email reGeorg_webshell malware as a ZIP attachment (Lateral Movement)
#5982 - Email reGeorg_webshell malware as a ZIP attachment (Infiltration)
#5983 - Exploitation of CVE-2021-26855 external Exchange server (Infiltration)
#5984 - Exploitation of CVE-2021-26855 internal Exchange server (Infiltration)
#1338 - Remote command execution by PSExec (Infiltration)
#1339 - Remote command execution by PSExec (Lateral Movement)
#2189 - Account Manipulation (Host Level)
The new attack methods for US-CERT AA21-062A are already in the SafeBreach Hacker’s Playbook and ready to be run across your simulators. The Known Attack Series report is updated so you can run the specific attacks from this US-CERT alert. From the Known Attack Series report, select the US-CERT Alert AA21-062A (Hafnium) report and select Run Simulations which will run all the attack methods.