Microsoft software products are a connective tissue of many organizations, from online documents (creating, sharing, storing), to email and calendaring, to the operating systems that enable business operations on the front and back ends, both in the cloud and on premises.
Over 1 million companies worldwide and over 731,000 companies in the U.S. use Office 365, and though Microsoft offers no hard stats, some sources suggest there are over 90,000 Microsoft partners facilitating services and products for clients. It’s no wonder, then, that vulnerabilities in Microsoft solutions are an attractive attack vector.
So far in 2021, the 12 most notable critical Microsoft vulnerabilities fall within five major threat categories:
- Exchange vulnerabilities
- Print Spooler vulnerabilities
- Sensitive Windows Registry database files vulnerabilities
- Encrypting File System Remote Protocol (MS-EFSRPC) and Active Directory Certificate Services (AD CS) vulnerabilities, and
- ActiveX vulnerabilities.
Let’s break them down.
Exchange vulnerabilities
Microsoft Exchange is the back end for integrated email, calendaring, contacts and tasks, and Exchange Server is among the most widely deployed mail platforms in governments and enterprises worldwide. Managing Exchange Server in-house is a complex task, and Internet-facing servers are especially troubling because threat actors continuously scan for, and exploit, instances that are misconfigured or are missing the current security updates.
Recent Microsoft Exchange Server vulnerabilities include ProxyLogon, ProxyOracle and ProxyShell.
ProxyLogon (CVE-2021-26855 and CVE-2021-27065) targets on-premises Exchange servers. CVE-2021-26855 is a server-side request forgery in the Client Access (front-end) service: a crafted request sent to the front end is forwarded to the back end as if it came from an authenticated user, so an unauthenticated attacker can bypass authentication on the Exchange Server and impersonate an administrator. Chained with CVE-2021-27065, a post-authentication arbitrary file write, it lets the attacker drop a web shell and gain code execution on the server.
ProxyOracle (CVE-2021-31195 and CVE-2021-31196) is trickier than ProxyLogon because it needs user interaction: the threat actor must get a victim to click a malicious link. The form-based authentication that Outlook Web Access uses for logins keeps the user's credentials in browser cookies, which are encrypted. CVE-2021-31195 is a reflected cross-site scripting bug that lets the attacker's link steal those cookies, and CVE-2021-31196 is a padding oracle in the way Exchange parses them; together they let the attacker decrypt the cookies byte by byte and recover the plaintext password without ever learning the encryption key.
ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) is another chain against unpatched on-premises Exchange servers exposed to the Internet. CVE-2021-34473 is a pre-authentication path confusion in the Client Access Service: when a request uses the explicit logon URL form, Exchange normalizes the URL and strips the segment containing the mailbox address before routing the request to the back end. By placing that address in the Autodiscover endpoint's query string, an attacker makes the front end strip the wrong part and proxy the request to an arbitrary back-end URL, including the Exchange PowerShell remoting endpoint, all over the same exposed TCP port 443. CVE-2021-34523 then lets the attacker run Exchange PowerShell cmdlets with elevated privileges without a valid session, and CVE-2021-31207, a post-authentication arbitrary file write, turns that into a web shell and command execution on the server. In simple terms, an unauthenticated attacker ends up acting as an Exchange administrator and running PowerShell commands remotely.
Print Spooler vulnerabilities
Printers in general, and the Windows Print Spooler in particular, have been targeted by threat actors for many years. For example, the infamous 2010 Stuxnet worm, the one used against Iran's nuclear program, spread inside target networks partly through a Print Spooler vulnerability (MS10-061).
PrintNightmare (CVE-2021-34527) lets an attacker holding an ordinary, low-privileged domain account take control of any Windows host running the Print Spooler service. The attacker abuses remote printer-driver installation (the RpcAddPrinterDriverEx call) to add an attacker-supplied dynamic link library (DLL) as a printer driver, which the spooler then loads and executes as SYSTEM. From there the attacker can install programs, view or change data, and create new accounts with full permissions. Because domain controllers run the spooler by default too, one bad driver install can hand over the whole domain.
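Patching alone did not close PrintNightmare: Microsoft's FAQ for CVE-2021-34527 states that a patched host remains exploitable if the Point and Print policy values `NoWarningNoElevationOnInstall` or `UpdatePromptSettings` are set to 1, and KB5005010 introduced `RestrictDriverInstallationToAdministrators` so that only administrators can install drivers at all. The PowerShell below is an added example (not from the original article or from Microsoft) that audits those conditions on a host and applies the documented mitigations; the function names are mine, and it must be run in an elevated session.

```powershell
# Added example (not from the original article): audit a Windows host for the
# PrintNightmare conditions Microsoft documents for CVE-2021-34527 and apply
# the documented mitigations. Run elevated.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-DwordOrDefault {
    param([object] $Props, [string] $Name, [int] $Default)
    if ($Props -and $Props.PSObject.Properties[$Name]) { return [int]$Props.$Name }
    return $Default
}

function Test-PrintNightmareExposure {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $p       = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue

    # Per Microsoft's CVE-2021-34527 FAQ, a patched host is still exploitable when either
    # Point and Print value is 1 (absent means 0). KB5005010 adds
    # RestrictDriverInstallationToAdministrators = 1 so that only admins can install drivers.
    $noWarn   = Get-DwordOrDefault $p 'NoWarningNoElevationOnInstall' 0
    $noPrompt = Get-DwordOrDefault $p 'UpdatePromptSettings' 0
    $restrict = Get-DwordOrDefault $p 'RestrictDriverInstallationToAdministrators' 0

    $running = [bool]($spooler -and $spooler.Status -eq 'Running')
    [pscustomobject]@{
        SpoolerRunning                             = $running
        SpoolerStartType                           = if ($spooler) { "$($spooler.StartType)" } else { 'NotInstalled' }
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $noPrompt
        RestrictDriverInstallationToAdministrators = $restrict
        Exposed                                    = $running -and ($noWarn -eq 1 -or $noPrompt -eq 1 -or $restrict -ne 1)
    }
}

function Set-PrintNightmareMitigation {
    param([switch] $DisableSpooler)   # for hosts (e.g. domain controllers) that never need to print
    if ($DisableSpooler) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        return
    }
    # Otherwise keep the service but remove the unsafe Point and Print values and
    # require administrator rights for driver installation.
    New-Item -Path $PointAndPrintKey -Force | Out-Null
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        Remove-ItemProperty -Path $PointAndPrintKey -Name $name -ErrorAction SilentlyContinue
    }
    New-ItemProperty -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators' -PropertyType DWord -Value 1 -Force | Out-Null
}

Test-PrintNightmareExposure | Format-List
```

`Exposed` is deliberately conservative: a running spooler with `RestrictDriverInstallationToAdministrators` absent is reported as exposed even on a patched build, because the value is what stops a low-privileged user from installing a driver in the first place. On servers that do not serve print jobs, `Set-PrintNightmareMitigation -DisableSpooler` removes the attack surface entirely.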
Sensitive Windows Registry database files vulnerabilities
The Windows Registry stores configuration settings, parameters and preferences for the Windows OS and applications. It is made up of files called hives, such as the SYSTEM and SECURITY hives, and the Security Accounts Manager (SAM) database, which holds the password hashes of local accounts. A threat actor who can already run code on a machine as a low-privileged user and who can read these files can recover credentials and go on to run arbitrary code with SYSTEM privileges.
HiveNightmare, aka SeriousSAM (CVE-2021-36934), is one such vulnerability. In default Windows 10 (version 1809 and later) and Windows 11 configurations, the access control lists on the hive files under %windir%\System32\config grant all non-admin users (BUILTIN\Users) read access; you read that correctly, it's a known error in Windows, not a misconfiguration. The live hives are locked while Windows runs, but a Volume Shadow Copy of the system drive, which Windows creates routinely, exposes earlier copies of the same files with the same permissions. A low-privileged user can therefore copy the SAM, SYSTEM and SECURITY hives, use the boot key from SYSTEM to decrypt them, extract the local account NTLM hashes (and cached domain credentials and machine account secrets from SECURITY), and use pass the hash to authenticate to the machine or to other hosts that share those credentials, all without knowing a plaintext password. That is enough to execute code as SYSTEM. Once authenticated, the attacker has full control: run commands, drop extra payloads, spread over the network, and create users with full permissions.
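Because the bug is an ACL on files plus the presence of shadow copies, both conditions can be checked directly. The PowerShell below is an added example (not from the original article or from Microsoft) that reports whether BUILTIN\Users can read each hive file and how many shadow copies exist, and a second function that applies Microsoft's documented workaround for CVE-2021-36934: restore ACL inheritance on the config files and delete existing shadow copies. Function names are mine; run it elevated, and note that deleting shadow copies also deletes system restore points.

```powershell
# Added example (not from the original article): check a Windows 10/11 host for the
# CVE-2021-36934 hive-file ACLs and for the shadow copies that make them exploitable,
# then apply Microsoft's documented workaround. Run elevated.

function Test-HiveNightmareExposure {
    $configDir = Join-Path $env:windir 'System32\config'
    $usersSid  = 'S-1-5-32-545'   # BUILTIN\Users, compared by SID so it works on localized systems

    $hives = foreach ($name in 'SAM', 'SYSTEM', 'SECURITY') {
        $acl = Get-Acl -Path (Join-Path $configDir $name)
        # The bug: an Allow ACE granting read access to BUILTIN\Users on these files
        $usersRead = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        }
        [pscustomobject]@{ Hive = $name; UsersCanRead = [bool]$usersRead }
    }

    # The live hives are locked by the kernel while Windows runs; the practical attack reads
    # them from a Volume Shadow Copy, so the exposure is real only when one exists.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Hives        = $hives
        ShadowCopies = $shadows.Count
        Exposed      = [bool](($hives.UsersCanRead -contains $true) -and $shadows.Count -gt 0)
    }
}

function Set-HiveNightmareMitigation {
    # Microsoft's workaround for CVE-2021-36934: restore inheritance on the config files, then
    # delete existing shadow copies, since they still carry the permissive ACL.
    & icacls "$env:windir\System32\config\*.*" /inheritance:e
    & vssadmin delete shadows "/for=$env:SystemDrive" /Quiet
}

$state = Test-HiveNightmareExposure
$state.Hives | Format-Table -AutoSize
$state | Select-Object ShadowCopies, Exposed | Format-List
```

A host that reports `UsersCanRead` as true but zero shadow copies is still one scheduled restore point away from being exploitable, so the ACL fix should be applied regardless of the shadow copy count. Installing the security update that Microsoft released for CVE-2021-36934 supersedes the workaround.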
MS-EFSRPC & AD CS vulnerabilities
Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) is the RPC interface used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over a network. Active Directory Certificate Services (AD CS) is a server role that lets an organization build a public key infrastructure (PKI) and provides public key cryptography, digital certificates, signing capabilities and other security functions.
PetitPotam (CVE-2021-36942) is an example of an NT LAN Manager (NTLM) relay attack. It gives a threat actor with network access to a domain controller the ability to take over Active Directory when AD CS web enrollment is in use. Rather than exploiting a memory corruption bug, the attacker abuses the MS-EFSRPC interface (the EfsRpcOpenFileRaw call, which originally required no authentication) to coerce the domain controller into authenticating to an attacker-controlled host, relays that NTLM authentication to the AD CS web enrollment endpoint, and is issued a certificate for the domain controller's machine account. Authenticating with that certificate yields domain compromise and the ability to elevate privileges anywhere in the domain. Microsoft's fix for CVE-2021-36942 blocks the unauthenticated EFSRPC calls; its separate guidance in KB5005413 hardens AD CS itself against NTLM relay by requiring Extended Protection for Authentication (EPA) and TLS on the enrollment endpoints, or by disabling NTLM on them outright.
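Whether an AD CS web enrollment endpoint can be relayed to is a property of its IIS configuration, so it can be audited on the CA host. The PowerShell below is an added example (not from the original article, Microsoft, or KB5005413) that reads the Windows Authentication settings of the `CertSrv` application and reports the three things KB5005413 cares about: EPA token checking, the SSL requirement, and whether NTLM is offered as a provider. The function name is mine; the configuration element paths follow the IIS `applicationHost.config` schema and the `WebAdministration` module, and the `sslFlags` string match and provider enumeration should be verified against your IIS version.

```powershell
# Added example (not from the original article): audit AD CS web enrollment in IIS for the
# NTLM-relay hardening described in KB5005413. Run elevated on the CA / web enrollment host.

function Test-AdcsWebEnrollmentHardening {
    param(
        [string]   $Site = 'Default Web Site',
        [string[]] $Apps = @('CertSrv')   # add CES application names (e.g. '<CA name>_CES_Kerberos') if Enrollment Web Services is installed
    )
    Import-Module WebAdministration

    foreach ($app in $Apps) {
        $where   = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = "$Site/$app" }
        $winAuth = 'system.webServer/security/authentication/windowsAuthentication'

        $epa  = Get-WebConfiguration @where -Filter "$winAuth/extendedProtection"
        $acc  = Get-WebConfiguration @where -Filter 'system.webServer/security/access'
        $prov = @(Get-WebConfiguration @where -Filter "$winAuth/providers/add" | ForEach-Object { $_.value })

        $tokenChecking = "$($epa.tokenChecking)"          # None / Allow / Require
        $requireSsl    = "$($acc.sslFlags)" -match 'Ssl'

        [pscustomobject]@{
            Application   = "$Site/$app"
            EpaTokenCheck = $tokenChecking                 # KB5005413: must be 'Require'
            RequireSsl    = $requireSsl                    # EPA only binds the auth to the channel when it is TLS
            NtlmOffered   = ($prov -contains 'NTLM')       # relay needs NTLM; removing it is the stricter option
            Hardened      = ($tokenChecking -eq 'Require') -and $requireSsl
        }
    }
}

Test-AdcsWebEnrollmentHardening | Format-Table -AutoSize
```

`Hardened` mirrors the KB's primary recommendation (EPA set to Required plus Require SSL); `NtlmOffered` is reported separately because a CertSrv application that still advertises NTLM is only protected as long as EPA stays enforced on every enrollment endpoint, including any CES applications you pass in `-Apps`.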
ActiveX vulnerabilities
ActiveX controls are reusable software components, built on Microsoft's COM, that Internet Explorer and any application embedding its MSHTML rendering engine can load and run. Office applications use MSHTML to render embedded web content, so a malicious ActiveX control can be delivered inside an ordinary Microsoft Office document rather than through a browser.
MSHTML (CVE-2021-40444) is a remote code execution vulnerability in the MSHTML (Trident) engine that lets an attacker run arbitrary code on a victim's machine through a malicious ActiveX control embedded in an Office document, typically delivered by spear-phishing. The threat actor lures the user into opening the document; once it opens and the control's code runs, the threat actor performs malicious activities such as running commands remotely, dropping extra payloads and gaining persistence. Pending the patch, Microsoft's documented workaround was to disable ActiveX installation in all Internet Explorer security zones through the Group Policy registry settings, which also governs Office's embedded MSHTML.
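The workaround Microsoft published for CVE-2021-40444 was a registry file that sets URL actions 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) to 3 (Disable) in zones 0 through 3 of the policy hive. The PowerShell below is an added example (not from the original article or from Microsoft's advisory) that applies that setting, verifies it per zone, and can roll it back once the September 2021 update is installed. Function names are mine; run it elevated.

```powershell
# Added example (not from the original article): apply and verify the interim CVE-2021-40444
# workaround that disables ActiveX control installation in every IE security zone. Run elevated.

$ZonesPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# URL actions from the advisory: 1001 = download signed ActiveX controls,
# 1004 = download unsigned ActiveX controls. Value 3 = Disable.
$ActiveXActions = '1001', '1004'

function Set-ActiveXDownloadPolicy {
    param([ValidateSet('Disable', 'Remove')] [string] $Mode = 'Disable')
    foreach ($zone in 0..3) {   # 0 Local Machine, 1 Local intranet, 2 Trusted sites, 3 Internet
        $key = Join-Path $ZonesPolicyKey $zone
        if ($Mode -eq 'Disable') {
            New-Item -Path $key -Force | Out-Null
            foreach ($action in $ActiveXActions) {
                New-ItemProperty -Path $key -Name $action -PropertyType DWord -Value 3 -Force | Out-Null
            }
        } else {
            # Roll back after the security update is installed; absent values fall back to user settings.
            foreach ($action in $ActiveXActions) {
                Remove-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            }
        }
    }
}

function Test-ActiveXDownloadPolicy {
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesPolicyKey $zone
        $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $values = foreach ($action in $ActiveXActions) {
            if ($p -and $p.PSObject.Properties[$action]) { [int]$p.$action } else { -1 }   # -1 = not set
        }
        [pscustomobject]@{
            Zone             = $zone
            SignedDownload   = $values[0]
            UnsignedDownload = $values[1]
            Disabled         = ($values[0] -eq 3 -and $values[1] -eq 3)
        }
    }
}

Set-ActiveXDownloadPolicy -Mode Disable
Test-ActiveXDownloadPolicy | Format-Table -AutoSize
```

Because the values live under the Policies hive, they override per-user Internet Options and survive users changing their own zone settings; the same key is what a Group Policy object writes, so the function is also a quick way to confirm that a GPO-delivered workaround actually landed on a given host.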
According to IBM’s Cost of a Data Breach Report 2021, the average cost of a data breach increased by the largest year-over-year margin in seven years, from $3.86M in 2020 to $4.24M in 2021. The average time elapsed before a breach was detected in 2021 was 212 days with an additional 75 days to contain it!
The attack types we’ve explored in this article lead to compromised domains and the ability for criminals to create their own accounts with full admin credentials. And according to the report, compromised credentials were the most common attack vector, responsible for 20% of breaches and costing an average of $4.37M per breach.
Each of these Microsoft vulnerabilities has grave implications for organizations of all sizes. PrintNightmare is critical because the Print Spooler service runs by default on all Windows servers and clients, domain controllers included. It is alarming that CVE-2021-34527 evolved from an earlier Print Spooler bug (CVE-2021-1675) whose June 2021 patch turned out to be only partly effective, and that the follow-up fix still depends on Point and Print settings being locked down. HiveNightmare (aka SeriousSAM) works because of an access-control mistake in Windows itself rather than anything an organization misconfigured, and it never requires a plaintext credential: the hashes alone are enough. These attack types justify keeping every system updated, in addition to staying current on Microsoft vulnerabilities and how they evolve.
Cybersecurity leaders must ensure they deploy detection rules that catch and block exploitation attempts for these vulnerabilities, and write additional rules that focus on the residual risk. Push every available patch for Microsoft products, apply the documented workarounds where a patch cannot be installed yet, and keep an eye out not only for newly discovered vulnerabilities but also for evolutions of known ones, as PrintNightmare showed.