Purpose
With the Hafnium “incidents” and the Exchange vulnerabilities, I wanted to help people rule compromise of their Exchange 2010 environments in or out. At the time of writing, I don’t believe that Hafnium affected Exchange 2010 via the reported kill chain; I believe that BEC would be required, but this is a theory. My general view is that Exchange 2010 might be ‘safe’ from this kill chain, because the initial stage leverages CVE-2021-26855, an SSRF vulnerability which only affects the new architecture (2013+). However, this is an unsupported platform, so I wanted to help with some baselines and talk about how I would approach ruling compromise in or out (at least with regard to these vulnerabilities). The key impact area is a web shell. I’ve made some baselines to help people look for abnormalities.
Disclaimer
This document was made with limited time and without full white-box access to source code or engineering expertise. The areas we are checking for IOCs appear to make logical sense, but the OS and application (Exchange 2010) are unsupported, and we are not the vendor. So, I am afraid the hunting responsibility is on you; these are just my opinions and thoughts from a very fast analysis. Use at your own risk.
Resources
Lots of sources are available, to the point that I have not read all of them. I have, however, built an Exchange 2010 lab with RTM and SP3 and dumped some hash data as a known-good baseline. Any modifications or patches can affect file hashes, so please bear that in mind.
Exchange 2010 Hashes
https://github.com/PwnDefend/Exchange2010_hashes
Microsoft Resources
https://github.com/microsoft/CSS-Exchange/tree/main/Security
Considerations for malicious activity related to web services with Exchange 2010
- IIS Logs
- Windows Event Logs – Security Event Logs
IIS Logs Default Location
C:\inetpub\logs\LogFiles\
File type: *.log
IOC types:
- IP Addresses
- User Agents
Evidence of Web Shells
Check the following paths for rogue .aspx files:
C:\inetpub\wwwroot\aspnet_client
C:\inetpub\wwwroot\aspnet_client\system_web
And subfolders of C:\inetpub\wwwroot\aspnet_client\
Also look for suspicious or rogue .aspx files in this path (and its subfolders):
C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess
The key here is to have a known-good baseline. We have made a few baselines in the lab:
https://github.com/PwnDefend/Exchange2010_hashes
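As an added example (not code from the original post or from the hash repository), the following PowerShell hashes every .aspx file under the default paths listed above and reports any file whose SHA256 is not in a known-good baseline. The baseline file format is an assumption: one SHA256 per line, with anything after the first whitespace ignored.

```powershell
# Added example, not part of the original post. Flags .aspx files under the
# default IIS / Exchange 2010 web paths whose SHA256 is not in a baseline.
# ASSUMED baseline format: one SHA256 per line (trailing text ignored).
# Requires Windows PowerShell 4.0 or later for Get-FileHash.
param(
    [Parameter(Mandatory = $true)]
    [string]$BaselinePath,
    # Default paths from the post; adjust if your IIS/Exchange layout differs.
    [string[]]$SearchPaths = @(
        'C:\inetpub\wwwroot\aspnet_client',
        'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess'
    )
)

# Load known-good hashes into a case-insensitive set for fast lookups.
$known = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
Get-Content -Path $BaselinePath | ForEach-Object {
    $token = ($_ -split '\s+')[0]
    if ($token -match '^[0-9a-fA-F]{64}$') { [void]$known.Add($token) }
}
Write-Host "Loaded $($known.Count) baseline hashes from $BaselinePath"

$findings = foreach ($root in $SearchPaths) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Path not found, skipping: $root"
        continue
    }
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            if (-not $known.Contains($h)) {
                # Unknown hash: either a local modification or a candidate web shell.
                [pscustomobject]@{
                    Path          = $_.FullName
                    SHA256        = $h
                    Length        = $_.Length
                    CreationTime  = $_.CreationTimeUtc
                    LastWriteTime = $_.LastWriteTimeUtc
                }
            }
        }
}

# Newest files first: a recently dropped file is the one to inspect first.
$findings | Sort-Object CreationTime -Descending | Format-Table -AutoSize
```

Any hit needs manual review against your own change history, since a legitimate customisation or hotfix will also produce a hash that is not in the baseline.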
Considerations
Remember that I am showing default paths here; your installation configuration may differ, e.g. for IIS or Exchange.
Exchange 2010 Updates
Microsoft have released Update Rollup 32 for Exchange 2010 SP3 (KB5000978):
https://www.microsoft.com/en-us/download/details.aspx?id=102774
So just to be clear:
Update Rollup 32 is patched (contains the fix):
https://www.microsoft.com/en-us/download/details.aspx?id=102774
Update Rollup 31 is not patched:
https://www.microsoft.com/en-us/download/details.aspx?id=102519
Key thoughts
I think that to exploit the available vulnerabilities on Exchange 2010 you would likely have to be authenticated, as the authentication bypass does not apply due to the CAS architecture.
- If you are on 2010 it is a good idea to check your IIS paths, logs and Exchange installation files against the baselines.
- Review your security logs
- Make sure you are patched to Update Rollup 32
- Migrate as soon as possible to a supported platform
This is a fast publish; as with all these things, the situation can be fast moving. This is what I think at this point in time, based on what I have managed to read and investigate and on conversations with other people in the industry.
There is also great work from many people in the industry. Ollie from NCC has been creating file lists and hashes related to Exchange 2013+ install/update files:
https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/Exchange