Exchange Servers targeted via zero-day exploits, have yours been hit?

Microsoft has released out-of-band security updates for seven bugs affecting Microsoft Exchange Servers, four of which are zero-day vulnerabilities being exploited by attackers in the wild to plunder on-premises machines.

Exchange Servers zero-day

According to Volexity, the attacks have been going on for nearly two months, possibly even longer.

Despite Microsoft saying that a threat actor (dubbed Hafnium) has been using the vulnerabilities to primarily target infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs in the U.S., Huntress Labs says that they’ve identified 176 of their partners’ servers having been saddled with a web shell after having been popped through the vulnerabilities.

“These companies do not perfectly align with Microsoft’s guidance as some personas are small hotels, an ice cream company, a kitchen appliance manufacture, multiple senior citizen communities and other ‘less than sexy’ mid-market businesses,” they noted. “With that said, we have also witnessed many city and county government victims, healthcare providers, banks/financial institutions, and several residential electricity providers.”

So, if you use on-prem Microsoft Exchange Servers, you might want to assume you’ve been hit and start checking and then updating.

The zero-day bugs affecting Exchange Servers

Four zero-day vulnerabilities are being leveraged by the Hafnium threat actor to pop Microsoft Exchange Servers:

  • CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Exchange that allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server
  • CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service that gave the threat actor the ability to run code as SYSTEM on the Exchange server (this requires administrator permission or another vulnerability to exploit)
  • CVE-2021-26858 and CVE-2021-27065, two post-authentication arbitrary file write vulnerabilities in Exchange that allowed the group to write a file to any path on the server (after authenticating by exploiting CVE-2021-26855 or by compromising a legitimate admin’s credentials)

“[CVE-2021-26855] is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail,” Volexity researchers explained.

About the attacks

Microsoft shared that, after gaining initial access, Hafnium operators deployed web shells on the compromised servers to steal data and perform additional malicious actions, and they were “able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.”

Microsoft also explained that the Hafnium group is state-sponsored, operates from China, is a “highly skilled and sophisticated actor,” and it conducts its operations primarily from leased virtual private servers (VPS) in the United States.

While there is currently no publicly available attack code that would help other threat actors exploit these Exchange vulnerabilities, it is expected that some will be made available soon.

ESET researchers say that “CVE-2021-26855 is actively exploited in the wild by several cyber-espionage groups.”

Microsoft security expert Kevin Beaumont expects more threat actors, including those wielding ransomware, to start using these vulnerabilities soon.

What to do?

The vulnerabilities affect Microsoft Exchange Server 2013, 2016 and 2019. Exchange Online is not affected.

“We recommend prioritizing installing updates on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated,” Microsoft advised.

They also pointed out that the initial portion of the attack, which depends on attackers making an untrusted connection to Exchange server port 443, can be blocked by restricting untrusted connections or by setting up a VPN to separate the Exchange server from external access. Nevertheless, “other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”

Patches are provided only for supported cumulative updates so admins will have get to a supported level before implementing them. More information about what should be done and how is available here.

Beaumont has provided a “quick and dirty nmap script” admins can use for checking for potentially vulnerable servers in their environments.

The Exchange Team has shared the Exchange Server Health Checker script. “Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010),” they noted.

But before even thinking about patching, admins should check whether their on-prem Exchange servers have been compromised – patching won’t “clean up” an already compromised installation.

Microsoft has provided advice on how to do that and what IoCs to look for. Volexity has also published actionable information for those who have SIEM or network logs.

Finally, after remediation and patching is done, you might want to review Microsoft’s advice on how to improve defenses against Exchange server compromise.

UPDATE (March 5, 2021, 04:15 a.m. PT):

FireEye/Mandiant researchers have released details about the multiple instances of abuse of Microsoft Exchange Server they observed within client environments, as well as investigation tips.

The U.S. CISA published a security alert with helpful guidance on how to conduct forensic analysis in case your organization discovers evidence of compromise.

UPDATE (March 5, 2021, 23:40 a.m. PT):

Microsoft has released alternative mitigation techniques for Exchange Server customers who can’t immediately apply the critical updates.

Don't miss