Executive Summary

The extensive breach of Microsoft Exchange Server earlier this year has been formally attributed to China by the United States and several allies, following the indictment of four Chinese nationals. Three of the individuals named in the indictment are alleged to be intelligence officers with China’s Ministry of State Security (MSS). This report reviews the attack and provides new context in light of these recent events.

Timeline of Events

In December 2020, CVE-2021-26855 was discovered: a critical server-side request forgery (SSRF) flaw that allows authentication in Microsoft Exchange Server to be bypassed by sending arbitrary HTTP requests. Later that month, the same researcher, ‘Orange Tsai’, found CVE-2021-27065, a file-write vulnerability that allows remote code execution. The researcher reported these ‘ProxyLogon’ vulnerabilities to Microsoft on January 5th, 2021; however, it is now believed that exploitation of these vulnerabilities had already begun two days earlier.

On March 2, 2021, Microsoft announced that they had “detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks,” and quickly attributed these attacks to the Chinese APT ‘Hafnium’. In the days that followed, however, there was evidence that multiple actors were exploiting these vulnerabilities.

On July 19th, the Department of Justice unsealed an indictment handed down in May which charged four Chinese nationals with committing dozens of cyber-crimes between 2011 and 2018 as part of the group APT40. That same day the UK, the EU, and NATO joined the US in publicly criticizing China for their cyber activities, and the Biden Administration formally blamed China “with a high degree of certainty” for the Microsoft Exchange Server hack.

Attribution and Impact

Attribution is one of the most difficult problems we face in cybersecurity. When identity, location, and motivations can all be obfuscated, it becomes extremely difficult to assess who is behind a given action. Such assessments take time, and often consensus, and a ‘high degree of certainty’ is often the most that can be achieved.

While this is not the first time the DOJ has indicted Chinese hackers accused of acting on behalf of the Chinese government, this indictment appears to signal that the United States will take a stronger posture on these matters going forward.

The related press release from the White House was rather extensive, and explicitly cites “the response to the Microsoft Exchange incident” as having “strengthened the USG’s Cyber Defenses”.  The NSA, FBI, and CISA have been collaborating on this effort and now hold the view that China’s “state-sponsored malicious cyber activity is a major threat to U.S. and Allied Cyberspace Assets”.

Microsoft Exchange Server Breach Tactics, Techniques, and Procedures

The vulnerabilities recently being exploited were:

The NSA, FBI, and CISA (the Cybersecurity & Infrastructure Security Agency) have now issued a joint advisory that outlines the tactics, techniques, and procedures of Chinese state-sponsored cyber operations, as well as a separate advisory specifically about APT40.

Our Recommendations

In March, Avertium released a report with guidance on how to remediate this threat and how customers can seek extra assistance.

Sources

MITRE Mapping(s):

Supporting Documentation


Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.