Microsoft has released several security updates in response to targeted attacks exploiting vulnerabilities in Microsoft Exchange Server (versions 2013, 2016, and 2019). Although the attacks are reported to have been limited, Microsoft is urging immediate patching of all affected systems to mitigate the vulnerabilities and prevent further abuse within network environments where Exchange servers are in use. Microsoft attributes the activity to a hacking group it calls “Hafnium.”
Technical Detail & Additional Information
WHAT IS THE THREAT?
At the time of this writing, there are four zero-day vulnerabilities that users of Microsoft Exchange Server 2013, 2016, and 2019 need to be aware of. They are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. CVE-2021-26855 is a server-side request forgery (SSRF) that allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange server; CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service that gives the attacker the ability to run code as SYSTEM on the Exchange server; and CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file write vulnerabilities that allow the attacker to write a file to any path on the server. The SSRF supplies the authentication that the file write bugs require, which is how the chain is used to drop web shells. These vulnerabilities have been exploited in the wild by the state-sponsored actor Hafnium, which is the only actor Microsoft has seen using them.
WHY IS IT NOTEWORTHY?
Hafnium is assessed to be a state-sponsored actor operating out of China, although the group is known to conduct its operations through leased virtual private servers in the United States, where most of its targets and victims are located. Because Microsoft Exchange Server is used mostly by businesses, the attack vector is not aimed at individual consumers, and no other Microsoft products are affected by these vulnerabilities. Hafnium is assessed to target organizations based in the U.S. primarily to steal data across multiple industry sectors. U.S. government agencies have also been notified of the attacks.
WHAT IS THE EXPOSURE OR RISK?
Although Microsoft believes at this point that Hafnium is the only group exploiting the vulnerabilities, it expects the number of groups or individuals attempting to leverage them to grow as knowledge of the exploits spreads. In response, SKOUT has already created and deployed event detection rules in its security monitoring solution using the IOCs published by Microsoft, and will continue to update those rules as new threat intelligence becomes available. Even though Microsoft released patches quickly, many bad actors are expected to take advantage of systems that have not yet applied the prescribed updates. Microsoft has also stated that Exchange Online is not affected by these vulnerabilities.
WHAT ARE THE RECOMMENDATIONS?
SKOUT recommends immediately patching all affected versions of Microsoft Exchange Server (versions 2013, 2016, and 2019) with the latest updates. Patching closes the vulnerabilities but does not remove web shells or other persistence already placed on a server that was exploited before the update, so if you suspect that any of your Exchange servers have been compromised, we highly recommend that you conduct the appropriate investigation and implement the necessary detection methods to identify present and future targeted attacks. Please refer to the article published by Microsoft at https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ for a list of the web shell hashes and file names for known host IOCs, as well as other resources and detection techniques, including:
- How to check patch levels of Exchange Server;
- How to scan Exchange log files for indicators of compromise;
- Where to check for suspicious .zip, .rar, and .7z files that may indicate data exfiltration; and
- Microsoft Defender Antivirus detections, Microsoft Defender for Endpoint detections, Azure Sentinel detections, and advanced hunting queries.
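The following triage script is an added example and is not SKOUT's or Microsoft's own tooling; it strings together the checks in the list above so they can be run in one pass from an elevated PowerShell session on an on-premises Exchange 2013/2016/2019 server. The log locations, the indicator patterns and the patched build numbers it uses are assumptions taken from Microsoft's March 2021 post linked above and from Microsoft's Exchange build table; confirm them against those sources before acting on a result, and treat a clean run as "no known indicator found", not as proof the server is uncompromised.

```powershell
# Added example (not SKOUT's or Microsoft's own script): one-pass triage for the
# Hafnium/Exchange indicators described above. Run as administrator on the
# Exchange server itself. Assumed: $env:ExchangeInstallPath is set (it is on
# Exchange servers), log paths and patterns match Microsoft's published guidance.

$exch = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath }
        else { Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15' }

# 1. Patch level. Assumed list of builds carrying the 2 March 2021 security
#    update, keyed by CU (major.minor.build); verify against Microsoft's build table.
$patched = @{
    '15.2.792'  = [version]'15.2.792.10'   # Exchange 2019 CU8
    '15.2.721'  = [version]'15.2.721.13'   # Exchange 2019 CU7
    '15.1.2176' = [version]'15.1.2176.9'   # Exchange 2016 CU19
    '15.1.2106' = [version]'15.1.2106.13'  # Exchange 2016 CU18
    '15.0.1497' = [version]'15.0.1497.12'  # Exchange 2013 CU23
}
$fv    = (Get-Item (Join-Path $exch 'bin\ExSetup.exe')).VersionInfo
$build = [version]::new($fv.FileMajorPart, $fv.FileMinorPart, $fv.FileBuildPart, $fv.FilePrivatePart)
$cu    = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
if (-not $patched.ContainsKey($cu)) {
    Write-Warning "ExSetup build $build is not on a CU that received the fix; update to a supported CU first."
} elseif ($build -lt $patched[$cu]) {
    Write-Warning "ExSetup build $build is NOT patched; expected at least $($patched[$cu])."
} else {
    Write-Output "ExSetup build $build includes the March 2021 update."
}

# 2. CVE-2021-26855 (SSRF): HttpProxy logs whose AnchorMailbox/BackEndCookie
#    carry the ServerInfo~ / Server~ form Microsoft called out as an indicator.
$ssrf = Get-ChildItem -Recurse -Path (Join-Path $exch 'Logging\HttpProxy') -Filter '*.log' -ErrorAction SilentlyContinue |
    ForEach-Object { Import-Csv -Path $_.FullName -ErrorAction SilentlyContinue } |
    Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*' } |
    Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, BackEndCookie, UserAgent
Write-Output ("HttpProxy SSRF indicator hits: {0}" -f @($ssrf).Count)
$ssrf | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'httpproxy-ssrf-hits.csv')

# 3. CVE-2021-26857 (UM deserialization): Application log errors from the
#    Unified Messaging provider mentioning System.InvalidCastException.
$um = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange Unified Messaging'; Level = 2 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*System.InvalidCastException*' }
Write-Output ("Unified Messaging InvalidCastException errors: {0}" -f @($um).Count)

# 4. CVE-2021-26858 (OAB generator file write).
$oab = Select-String -Path (Join-Path $exch 'Logging\OABGeneratorLog\*.log') -Pattern 'Download failed and temporary file' -ErrorAction SilentlyContinue
Write-Output ("OABGeneratorLog 'Download failed and temporary file' hits: {0}" -f @($oab).Count)

# 5. CVE-2021-27065 (ECP virtual directory write): Set-*VirtualDirectory in ECP server logs.
$ecp = Select-String -Path (Join-Path $exch 'Logging\ECP\Server\*.log') -Pattern 'Set-.+VirtualDirectory' -ErrorAction SilentlyContinue
Write-Output ("ECP Set-*VirtualDirectory hits: {0}" -f @($ecp).Count)

# 6. Web shell drop locations Microsoft listed; recently written .aspx files there
#    deserve a hash comparison against the published IOC list.
$shellDirs = @(
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client'),
    (Join-Path $exch 'FrontEnd\HttpProxy\owa\auth')
)
$recentAspx = Get-ChildItem -Path $shellDirs -Recurse -Include *.aspx, *.asp -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-90) } |
    Select-Object FullName, LastWriteTime, @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } }
Write-Output ("Recently written .aspx/.asp under web shell paths: {0}" -f @($recentAspx).Count)
$recentAspx | Format-Table -AutoSize

# 7. Staged exfiltration: .zip/.rar/.7z under ProgramData, newest first.
$archives = Get-ChildItem -Path $env:ProgramData -Recurse -Include *.zip, *.rar, *.7z -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, LastWriteTime
Write-Output ("Archive files under ProgramData: {0}" -f @($archives).Count)
$archives | Select-Object -First 20 | Format-Table -AutoSize
```

The script only reads logs and file metadata, so it is safe to run on a production server, but it must be run before the box is rebuilt: the HttpProxy and ECP logs are the evidence that distinguishes "unpatched" from "unpatched and exploited". Any hit from steps 2 through 7 is a reason to preserve the server for forensics and check the listed hashes against Microsoft's IOC list rather than simply patching and moving on.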
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.