Criticized removing exchange exploit from

Then on March 4, 2020, Rapid7 released a module that would incorporate this exploit into the Metasploit penetration testing framework.

APT Exploitation

Volexity has observed multiple APT actors exploiting or attempting to exploit on-premise Exchange servers. In some cases the attackers appear to have been waiting for an opportunity to strike with credentials that had otherwise been of no use. Many organizations employ two-factor authentication (2FA) to protect their VPN, e-mail, etc., limiting what an attacker can do with a compromised password. This vulnerability gives attackers the ability to gain access to a significant asset within an organization with a simple user credential or old service account. This issue further underscores why changing passwords periodically is a good best practice, regardless of security measures like 2FA.

Exchange Online customers are already protected and do not need to take any action.

For additional information, please see the Microsoft Security Response Center (MSRC) blog. More details about specific CVEs can be found in Security Update Guide (filter on Exchange Server under Product Family).

Two update paths are:

Inventory your Exchange Servers

Use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release), to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Go to and choose your currently running CU and your target CU.

Name, spj.pathname processPath, sfj.pathname filePath, sfj.sophosPID FROM sophos_file_journal sfj LEFT JOIN sophos_process_journal spj ON spj.sophosPID = sfj.sophosPID AND spj.time = replace(sfj.sophosPID, rtrim(sfj.sophosPID, replace(sfj.sophosPID , ‘:’, ”)), ”)/10000000-11644473600 WHERE sfj.time strftime(‘%s’, ‘now’, ‘-1 days’) AND sfj.eventType IN (0) AND sfj.pathname LIKE ‘%.aspx’;

Similarly, the sophosPID of suspect processes, especially w3wp.exe, should be pivoted from and the process activity history reviewed to determine other actions the adversary may have taken.

Modified applicationHost.config physicalPaths

Threat actors have also been observed modifying the Exchange configuration, typically located at C:\Windows\System32\inetsrv\Config\applicationHost.config, to add new virtual directory paths to obfuscate the location of web shells.

While it’s possible that those four groups reverse-engineered the fixes, developed weaponized exploits, and deployed them at scale, those types of activities usually take time. A 24-hour window is on the short side.Advertisement

There’s no clear explanation for the mass exploitation by so many different groups, leaving researchers few alternatives other than to speculate.

“It would seem that while the exploits were originally used by Hafnium, something made them share the exploit with other groups around the time the associated vulnerabilities were getting patched by Microsoft,” Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, told me.

But in some of these new campaigns, the attacker used certutil to download the malicious script and executables to the disk, and then used PowerShell to execute them.

We found several different flavors of the Lemon Duck attack targeting vulnerable Exchange Server instances. All exploited the IIS worker process (w3wp.exe) to execute commands on the vulnerable Exchange Server target. The first method, which downloads a malicious PowerShell script from a URL ending in /mail.jsp?mail, is similar in attack vectors and code flow to the previously existing Lemon Duck campaign.
This was the most common attack seen in our telemetry.

But a few customers were targeted with other approaches—two of which abused the certutil.exe utility. In the first of those, diagrammed above, certutil was abused to download a PowerShell script.

Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange.
If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server.

As we discussed in a previous blog, web shells allow attackers to steal data or perform malicious actions for further compromise.

Behavior-based detection and blocking of malicious activities on Exchange servers

Adversaries like using web shells, which are relatively small pieces of malicious code written in common programming languages, because these can be easily modified to evade traditional file-based protections. A more durable approach to detecting web shell activity involves profiling process activities originating from external-facing Exchange applications.

Behavior-based blocking and containment capabilities in Microsoft Defender ATP, which use engines that specialize in detecting threats by analyzing behavior, surface suspicious and malicious activities on Exchange servers.

If you believe your Exchange Server was compromised, we recommend investigating to determine the scope of the attack and dwell time of the threat actor.

Furthermore, as system and web server logs may have time or size limits enforced, we recommend preserving the following artifacts for forensic analysis:

  • At least 14 days of HTTP web logs from the inetpub\Logs\LogFiles directories (include logs from all subdirectories)
  • The contents of the Exchange Web Server (also found within the inetpub folder)
  • At least 14 days of Exchange Control Panel (ECP) logs, located in Program Files\Microsoft\Exchange Server\v15\Logging\ECP\Server
  • Microsoft Windows event logs

We have found significant hunting and analysis value in these log folders, especially for suspicious CMD parameters in the ECP Server logs.

If the system is in a single-system domain, it will execute on the local computer.

Per Microsoft’s blog, they have identified additional post-exploitation activities, including:

  • Credential theft via dumping of LSASS process memory.
  • Compression of data for exfiltration via 7-Zip.
  • Use of Exchange PowerShell Snap-ins to export mailbox data.
  • Use of additional offensive security tools Covenant, Nishang, and PowerCat for remote access.

The activity we have observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments. This activity is followed quickly by additional access and persistent mechanisms.

Github didn’t respond to an email seeking comment.

A dissenting view

Marcus Hutchins, a security researcher at Kryptos Logic, pushed back on those critics. He said Github has indeed removed PoCs for patched vulnerabilities affecting non-Microsoft software. He also made a case for Github removing the Exchange exploit.

“I’ve seen Github remove malicious code before, and not just code targeted at Microsoft products,” he told me in a direct message.
“I highly doubt MS played any role in the removal and it just simply fell afoul of Github’s ‘Active malware or exploits’ policy in the [terms of service], due to the exploit being extremely recent and the large number of servers at imminent risk of ransomware.”

Responding to Kennedy on Twitter, Hutchins added, “‘Has already been patched.’ Dude, there’s more than 50,000 unpatched exchange servers out there.

However, I think it is safe to say that this exploit is now in the hands of operators around the world and unfortunately some companies that have not patched yet or did not patch quickly enough are likely to pay the price.”

Attacks first started late February and targeted “numerous affected organizations,” researchers said. They observed attackers leverage the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute in-memory frameworks post-exploitation.

The Flaw

After Microsoft patched the flaw in February researchers with the Zero Day Initiative (ZDI), which first reported the vulnerability, published further details of the flaw and how it could be exploited.

Volexity believes these efforts to be sourced from known APT groups due to IP address overlap from other attacks and, in some cases, due to the targeting of credentials that would only be known from a previous breach.


If you have concerns that your Exchange server has been targeted or may be compromised, there are a handful of directories and resources on your Exchange server that can be examined. Use the details below to search for signs of suspicious or malicious activity. Note: Volexity has primarily investigated incidents involving Exchange 2013 and 2016 servers.

It is possible certain log files or data may be different on Exchange 2010 or 2019.

Exchange Server Exception Log

When something goes wrong with ECP, a folder named ServerException may get created in the ECP Logging directory.

Leave a Reply

Your email address will not be published.