Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.
“HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”
The Hafnium attack group
Besides a rare metal that chemically resembles zirconium, Hafnium is a newly identified attack group that is also thought to be responsible for other attacks on internet-facing servers, and typically exfiltrates data to file sharing sites. Despite their use of leased servers in the US, the group is believed to be based in China (as most security researchers will tell you, attribution is hard, especially when it involves international espionage).
In many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.
In this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.
Not one, but four zero-days
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVEs (with descriptions provided by Microsoft) used in these attacks were:
- CVE-2021-26855: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
- CVE-2021-26857: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
- CVE-2021-26858: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
- CVE-2021-27065: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
They all look the same. Boring you said? Read on!
The attack chain
While Microsoft's description is identical for all four CVEs, the report by Volexity, the security firm that discovered the attacks, tells us that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The Remote Code Execution (RCE) vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws — CVE-2021-26858 and CVE-2021-27065 — would allow an attacker to write a file to any part of the server.
Together these four vulnerabilities form a powerful attack chain that only requires the attacker to find the server running Exchange and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.
Urgent patching necessary
Even though the use of the vulnerabilities was described as “limited”, now that the information has been made public we may see a quick rise in the number of attacks, particularly since the attack requires very little information about the victim to begin with.
Or as Microsoft’s vice president for customer security Tom Burt put it:
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”
Users of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.
Microsoft also advises that the initial stage of the attack can be stopped by “restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access”, although the other parts of the attack chain can still be exploited if other means of access are used.
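To turn the two pieces of advice above (patch all affected servers, externally facing ones first; restricting untrusted connections to port 443 only blocks the initial stage) into a triage aid, here is an added example that is not part of the original post or of Microsoft's guidance. It assumes a constructed inventory and a simplified list of firewall allow rules, with `TRUSTED_NETS` standing in for whatever internal and VPN ranges an organization actually trusts.

```python
import ipaddress
from dataclasses import dataclass

# Constructed trusted ranges (assumption): the corporate LAN and a VPN pool.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.100.0/24")]
# Exchange generations the advisory says must receive the update.
AFFECTED = {"2013", "2016", "2019"}

@dataclass
class ExchangeServer:
    name: str
    ip: str
    version: str   # Exchange generation, e.g. "2016"
    patched: bool  # March 2021 security update applied?

@dataclass
class AllowRule:
    source: str    # CIDR permitted to connect
    dest: str      # CIDR of the destination
    port: int

def exposed_on_443(server, rules):
    """True if an allow rule lets any address outside TRUSTED_NETS reach tcp/443
    on this server. Deny rules and rule ordering are deliberately not modelled;
    this is a conservative check that errs on the side of flagging exposure."""
    host = ipaddress.ip_address(server.ip)
    for r in rules:
        if r.port != 443 or host not in ipaddress.ip_network(r.dest):
            continue
        src = ipaddress.ip_network(r.source)
        if not any(src.subnet_of(t) for t in TRUSTED_NETS):
            return True
    return False

def patch_priority(servers, rules):
    """Unpatched affected servers, externally reachable ones first. A server that
    is only reachable from trusted networks still needs the update: restricting
    port 443 blocks the initial SSRF stage only, not the rest of the chain."""
    todo = [s for s in servers if s.version in AFFECTED and not s.patched]
    return sorted(todo, key=lambda s: (not exposed_on_443(s, rules), s.name))

# Constructed sample inventory and rules (hypothetical hosts, not real ones).
SERVERS = [
    ExchangeServer("exch-dmz-01", "203.0.113.10", "2016", False),
    ExchangeServer("exch-int-01", "10.1.2.3", "2019", False),
    ExchangeServer("exch-int-02", "10.1.2.4", "2013", True),
]
RULES = [
    AllowRule("0.0.0.0/0", "203.0.113.0/24", 443),      # internet -> DMZ OWA
    AllowRule("192.168.100.0/24", "10.1.2.0/24", 443),  # VPN pool -> internal
]

if __name__ == "__main__":
    for s in patch_priority(SERVERS, RULES):
        print(s.name, "EXTERNAL" if exposed_on_443(s, RULES) else "internal")
```

The internal-only server stays on the list on purpose: reduced exposure changes the order, not the need to patch.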
Update March 4, 2021
The Cybersecurity and Infrastructure Security Agency issued an emergency directive after CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. The directive gives detailed instructions for agencies to follow immediately after identifying all instances of on-premises Microsoft Exchange Servers in their environment.
For readers who are interested in the more technical details of the attack chain, Volexity published a blog post that describes their investigation and the vulnerabilities, and includes IOCs.
Update March 5, 2021
It turns out that CVE-2021-26855 was discovered in December of 2020 by DEVCORE, who named the vulnerability ProxyLogon. They called it ProxyLogon because the bug exploits the Exchange Proxy Architecture and Logon mechanism. After DEVCORE chained the bugs together into a workable pre-auth RCE exploit, they sent an advisory and exploit to Microsoft through the MSRC portal. The entire timeline can be found here.
Stay safe, everyone!
The post Patch now! Exchange servers attacked by Hafnium zero-days appeared first on Malwarebytes Labs.