Since January '21, hackers have been exploiting multiple vulnerabilities in Microsoft Exchange Server to infiltrate a broad range of systems. Here's what you need to know.
On March 2, Microsoft announced that multiple zero-day vulnerabilities had been exploited to infiltrate on-premises versions of Microsoft Exchange Servers. This in turn enabled the attackers to establish web shells on compromised servers, access email accounts and install additional malware to facilitate long-term access to victim environments.
Microsoft released the following list of zero-days which enabled the attack:
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave the attackers the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file write vulnerabilities in Exchange. If the attackers could authenticate with the Exchange server then they could use these vulnerabilities to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.
Confirmed victims include local governments, academic institutions, non-governmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical.
Based on observed victimology, tactics and procedures, Microsoft and their partners have concluded with a high degree of certainty that these attacks are being conducted by HAFNIUM, a China-based actor, believed to be state-sponsored.
The targets are consistent with previous targeting activity by Chinese cyber actors. Illicitly obtained business information, advanced technology, and research data may undermine business operations and research development of many U.S. companies and institutions.
HAFNIUM primarily operates via US-based virtual private servers.
In addition, once the initial attacks were made public, dozens of other malicious actors swarmed to the scene to try to exploit the same vulnerabilities in unpatched systems.
China, for their part, released the following statement of denial: "[China] firmly opposes and fights all forms of cyber-attacks and thefts in accordance with the law. Connecting cyberattacks directly to the government is a highly sensitive political issue. China hopes that relevant media and companies will adopt a professional and responsible attitude."
What To Do
If your organization uses an on-premises Microsoft Exchange Server, we recommend the following steps to be taken immediately:
We advise all entities to implement Microsoft's patch as soon as possible to avoid being compromised.
If patching is not an immediate option, we strongly recommend following alternative mitigations found in Microsoft's blog on Exchange Server Vulnerabilities Mitigations. However, these options should only be used as a temporary solution, not as a replacement for patching.
Disconnect vulnerable Exchange servers from the internet until a patch can be applied.
Limit or block external access to internet-facing Exchange Servers via the following:
Restrict untrusted connections to port 443, or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
Block external access to on-premises Exchange.
Restrict external access to OWA URL: /owa/.
Restrict external access to Exchange Admin Center (EAC) aka Exchange Control Panel (ECP) URL: /ecp/.
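As an added illustration (not part of the original advisory or of Microsoft's guidance), the following Python script expresses the access restrictions above as a checkable policy and runs it over web-server request lines: any request for a path under /owa/ or /ecp/ that does not originate from an internal address is flagged. The "internal" set is assumed to be the RFC 1918 private ranges (a real deployment would substitute its own corporate and VPN ranges), and the log sample is constructed in a simplified W3C-style layout rather than taken from a real server. Paths are normalized because IIS matches URLs case-insensitively, so /OWA and /owa/ must be treated alike.

```python
import ipaddress
import re
from typing import List, Tuple

# Source ranges treated as internal. Assumption: RFC 1918 plus loopback;
# replace with your own corporate/VPN ranges.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# URL prefixes the advisory says to restrict from external access.
RESTRICTED_PREFIXES = ("/owa/", "/ecp/")


def normalize_path(path: str) -> str:
    """Lowercase the path and add a trailing slash so that '/OWA' and
    '/owa/' compare equal (IIS path matching is case-insensitive)."""
    p = path.lower()
    return p if p.endswith("/") else p + "/"


def is_trusted_source(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source: fail closed, treat as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_restricted_path(path: str) -> bool:
    p = normalize_path(path)
    return any(p.startswith(prefix) for prefix in RESTRICTED_PREFIXES)


def should_block(src_ip: str, path: str) -> bool:
    """Policy: OWA and ECP are reachable only from internal addresses."""
    return is_restricted_path(path) and not is_trusted_source(src_ip)


# Constructed sample log (not real traffic). Columns:
# date time c-ip cs-method cs-uri-stem s-port sc-status
SAMPLE_LOG = """\
2021-03-03 10:15:01 192.168.10.25 GET /owa/ 443 200
2021-03-03 10:15:09 203.0.113.45 POST /owa/auth/logon.aspx 443 200
2021-03-03 10:16:12 198.51.100.7 GET /ECP/ 443 200
2021-03-03 10:16:30 203.0.113.45 GET /mapi/emsmdb/ 443 200
2021-03-03 10:17:02 10.4.2.9 GET /ecp/ 443 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def audit_log(text: str) -> List[Tuple[str, str]]:
    """Return (source ip, path) for every request the policy would block."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line
        _date, _time, src, _method, path, _port, _status = m.groups()
        if should_block(src, path):
            hits.append((src, path))
    return hits


if __name__ == "__main__":
    for src, path in audit_log(SAMPLE_LOG):
        print(f"external access to restricted path: {src} -> {path}")
```

Run against the constructed sample, the two requests from the documentation-range addresses 203.0.113.45 and 198.51.100.7 to /owa/ and /ECP/ are flagged; the same external address reaching /mapi/ is not, because that path is outside the restriction the advisory names. The same `should_block` rule is what a reverse proxy or firewall in front of Exchange would enforce; here it is applied retrospectively to logs so an administrator can see what the restriction would have stopped.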
Indicators of Compromise (IOCs), Detection Opportunities, and Mitigation Recommendations are being documented by Microsoft and CISA.
How We Can Help
Silent Breach can help conduct an immediate triage as well as a full audit of your infrastructure to determine whether any malicious activity took place and, if so, how you should respond.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.
Our security team is fully briefed on HAFNIUM's TTPs (tactics, techniques and procedures), IOCs, and fingerprints. This ensures that if there is anything to be found, we'll be able to locate it. This is particularly important with attacks of this level of sophistication, where extreme care is spent not only in penetrating the target, but also in hiding all traces of an attack.
At the same time, it's important to evaluate the risks and impacts of a potential attack. Importantly, even if Microsoft mitigates their own vulnerabilities, attackers may still retain access to your networks. Consequently, a BIA (Business Impact Analysis) and Cyber Incident Response Plan must be created, reviewed, and/or evaluated in tandem with the above security audit.
In the event that malicious activity is identified on your network, our forensics team will be able to carefully capture and preserve that evidence for further analyses and legal processes. And, in either case, a full report detailing steps taken, discoveries made, and recommended mitigation steps (both short-term quick wins and a long-term roadmap) will be compiled for internal guidance as well as external stakeholder reassurance.
For more detailed descriptions of Silent Breach's Incident Response programs, please see our Incident Response and Managed Response pages. Or, for more information on how your organization may be impacted by the Microsoft Exchange Server Hack or for additional guidance, please contact Silent Breach at firstname.lastname@example.org.