Microsoft Exchange Server administrators are being urged to update their on-premise installations immediately following the discovery of four serious zero-day vulnerabilities.
“We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem,” the company said in a blog Tuesday.
A China-based threat actor Microsoft calls Hafnium has been exploiting the bugs to access email and install additional malware to enable long-term access to victim environments. Microsoft believes Hafnium is state-sponsored.
The vulnerabilities are addressed in a Microsoft Security Response Center (MSRC) release.
Microsoft isn’t even waiting until next week’s Patch Tuesday to distribute them, signalling the vulnerabilities’ seriousness. The update fixes Exchange Server 2013, 2016 and 2019. There is also a Defense in Depth update for Exchange Server 2010 with Service Pack 3.
The alert was also echoed by the federal government’s Canadian Centre for Cyber Security and the U.S. Cybersecurity and Infrastructure Security Agency.
Microsoft notes that to limit an initial compromise from occurring, systems can be hardened through the restriction of untrusted connections by isolating Exchange servers from external-facing connections or using a Virtual Private Network (VPN). However, this will only protect against the initial portion of the compromise. Other portions of the chain can be triggered if an actor already has access or can convince an administrator to run a malicious file.
Information on Indicators of Compromise (IOCs), such as what to search for and how to find evidence of successful exploitation (if it happened), can be found in HAFNIUM Targeting Exchange Servers.
Organizations running Exchange Server in a hybrid with Exchange Online should also install the updates.
The bugs are:
CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server;
CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gives attackers the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit;
CVE-2021-26858, a post-authentication arbitrary file write vulnerability in Exchange. If attackers can authenticate with the Exchange server, then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials;
CVE-2021-27065, a post-authentication arbitrary file write vulnerability in Exchange. If attackers can authenticate with the Exchange server, then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Microsoft says Hafnium primarily attacks organizations in the U.S. in many industries, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs (non-government organizations). This attacker primarily operates from leased virtual private servers in the U.S.
Among Hafnium’s tactics are exploiting vulnerabilities in internet-facing servers, sometimes using legitimate open-source frameworks, like Covenant, for command and control. It has also been seen “interacting” with victim Office 365 tenants. “While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments,” Microsoft noted.
Satnam Narang, a staff research engineer at Tenable, wrote in an email that while Microsoft says Hafnium primarily targets entities within the United States, other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions.
“Based on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user’s mailbox,” Narang wrote. “The other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organization’s network. We expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organizations that use Exchange Server to apply these patches immediately.”
UPDATE: Security firm Huntress says the vulnerabilities are being actively exploited. “At the moment, we’ve discovered 300+ webshells across roughly 2,000 vulnerable servers,” it said Wednesday. Its team “is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses.”
Microsoft credits security companies Volexity and Dubex for reporting different parts of the attack chain and collaborating in the investigation.
Volexity published a blog post with an analysis saying that in January it noticed a large amount of data being sent to IP addresses it believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed what it called “rather alarming results.”
It discovered inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the servers might be backdoored and that web shells were being executed through a malicious HTTP module or ISAPI filter. What it found was a zero-day exploit (now called CVE-2021-26855) being used in the wild.
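As an added illustration of the kind of IIS log review Volexity describes (this is example code, not Volexity's or Microsoft's own tooling), the script below flags POST requests to static OWA resources in constructed W3C-format IIS log lines. The field order and the sample lines are assumptions; match the field list to the log's #Fields header before running it on real data.

```python
from collections import Counter

# Static resource types served by Outlook Web Access. Legitimate clients fetch
# these with GET; a POST to one of them is the anomaly Volexity reported.
STATIC_EXTENSIONS = (".png", ".gif", ".jpg", ".js", ".css", ".woff", ".ttf", ".eot")

# Assumed IIS W3C extended log field order; take it from the real #Fields header.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]


def parse_line(line):
    """Turn one W3C log line into a dict, skipping comments and blank lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts[:len(FIELDS)]))


def is_suspicious(rec):
    """POST to a static image/script/style/font file under /owa/ is not normal client behaviour."""
    stem = rec["cs-uri-stem"].lower()
    return (rec["cs-method"] == "POST"
            and stem.startswith("/owa/")
            and stem.endswith(STATIC_EXTENSIONS))


def find_suspicious(lines):
    """Return the parsed records that match the static-resource POST pattern."""
    return [rec for rec in map(parse_line, lines) if rec and is_suspicious(rec)]


def summarize_by_client(hits):
    """Count flagged requests per client IP to see which sources to triage first."""
    return Counter(rec["c-ip"] for rec in hits)


# Constructed sample log (TEST-NET addresses); not from any real server.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-01 10:15:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-01 10:15:09 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-01 10:16:44 10.0.0.5 POST /owa/auth/x.js - 443 - 198.51.100.7 python-requests/2.25 200
2021-03-01 10:17:00 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.10 Mozilla/5.0 302
"""

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG.splitlines())
    for rec in hits:
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"])
    print(summarize_by_client(hits))
```

A hit is a lead for triage, not proof of compromise; pair it with the IOC guidance in Microsoft's HAFNIUM post and check whether the file written on disk matches what the legitimate build shipped.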