Engineers write off GC abuse because Spectre broke everything anyway
In early November, a developer contributing to Google’s open-source Chromium project reported a problem with Oilpan, the garbage collector for the browser’s Blink rendering engine: it can be used to break a memory defense known as address space layout randomization (ASLR).…
Tripwire’s February 2021 Patch Priority Index (PPI) brings together important vulnerabilities from Apache, VMware and Microsoft. First on the patch priority list this month is a patch for Apache Tomcat. The Apache Tomcat “Ghostcat” vulnerability, identified as CVE-2020-1938, has recently been added to the Metasploit Framework. Next on the list are patches for ESXi […]…
The post Tripwire Patch Priority Index for February 2021 appeared first on The State of Security.
Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.
“HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”
The Hafnium attack group
Hafnium, when it is not the rare metal that chemically resembles zirconium, is a newly identified attack group that is also thought to be responsible for other attacks on internet-facing servers and that typically exfiltrates stolen data to file-sharing sites. Although the group operates from leased servers in the US, it is believed to be based in China (and, as most security researchers will tell you, attribution is hard, especially when it involves international espionage).
In many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.
In this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.
Not one, but four zero-days
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVEs used in these attacks, with the descriptions Microsoft provided, were:
- CVE-2021-26855: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
- CVE-2021-26857: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
- CVE-2021-26858: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
- CVE-2021-27065: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
They all look the same. Boring, you say? Read on!
The attack chain
While Microsoft's description is the same for all four CVEs, the report from Volexity, the security firm that discovered the attacks, tells us more. CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange: it lets an unauthenticated attacker send requests that the server treats as coming from itself, and it was used to steal mailbox content. CVE-2021-26857 is the Remote Code Execution (RCE) vulnerability that was used to run code under the SYSTEM account. The other two zero-day flaws, CVE-2021-26858 and CVE-2021-27065, are post-authentication arbitrary file write bugs that allow an attacker to write a file to any part of the server; the SSRF supplies the authentication they need.
Together, these four vulnerabilities form a powerful attack chain that only requires the attacker to reach the server running Exchange and to know the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make further changes. A web shell is a script dropped into a web-accessible directory that lets the attacker run commands on the server through ordinary HTTP requests, so it survives reboots and blends in with legitimate traffic; from there the attackers can steal data and perform additional malicious actions.
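As an added example (not code from the original post, from Microsoft, or from Volexity), here is a small triage scanner for the kind of web shell described above. ASP.NET web shells are typically small server-executable files that feed request input (`Request[...]`, `Request.Item`, `Request.Form`) into an execution primitive (`eval`, `Process.Start`) or a file-write primitive, so the scanner walks a web root, hashes every file IIS would execute, and flags those that combine both. The indicator list, the flagging rule, and the sample web root written by `build_sample_webroot()` are all constructed for illustration and are not Hafnium indicators of compromise; a real hunt should use the IOCs from the vendor reports and diff the web root against a known-good Exchange install.

```python
"""Triage scan for ASP.NET web shells under an IIS web root.

Added example: generic heuristics, not vendor signatures.  A file is
flagged when it takes attacker-controlled request input AND hands it to a
code-execution or file-write primitive.  Hits are leads for review, not
verdicts.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Extensions IIS/ASP.NET will execute if a file is dropped into the web root.
EXECUTABLE_EXTS = {".aspx", ".asax", ".ashx", ".asmx", ".asp"}

# Assumed generic indicators (constructed for this example).  "input" must
# co-occur with "exec" or "write" for a file to be flagged; the others only
# add context to the report.
INDICATORS = [
    ("input", re.compile(r"Request\s*(\[|\.Item|\.Form|\.QueryString|\.Headers)", re.I)),
    ("exec", re.compile(r"\b(eval|execute|Process\.Start|Assembly\.Load|CreateObject|"
                        r"WScript\.Shell|cmd(\.exe)?|powershell)\b", re.I)),
    ("exec", re.compile(r"System\.Diagnostics|System\.Reflection", re.I)),
    ("write", re.compile(r"File\.(Write|Append)AllText|\.SaveAs\s*\(|Server\.MapPath", re.I)),
    ("script", re.compile(r"Language\s*=\s*[\"']?JScript", re.I)),
]


@dataclass
class Finding:
    path: str
    name: str
    sha256: str
    size: int
    mtime: float
    categories: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        c = self.categories
        return "input" in c and ("exec" in c or "write" in c)


def inspect_file(path: str) -> Finding:
    """Hash one file and record which indicator categories it matches."""
    with open(path, "rb") as fh:
        data = fh.read()
    text = data.decode("utf-8", errors="replace")
    cats = {cat for cat, rx in INDICATORS if rx.search(text)}
    st = os.stat(path)
    return Finding(path, os.path.basename(path), hashlib.sha256(data).hexdigest(),
                   st.st_size, st.st_mtime, cats)


def scan_webroot(root: str) -> list:
    """Return suspicious server-executable files under root, newest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue  # .txt, .js, .css etc. are not executed by IIS
            finding = inspect_file(os.path.join(dirpath, name))
            if finding.suspicious:
                hits.append(finding)
    # A shell dropped during an intrusion is usually far newer than the
    # surrounding install, so recency is the first thing an analyst looks at.
    hits.sort(key=lambda f: f.mtime, reverse=True)
    return hits


# Constructed sample web root (hypothetical paths and contents, not real IOCs).
SAMPLE_FILES = {
    # Benign: echoes a query parameter, but never executes or writes it.
    "owa/Default.aspx": '<%@ Page Language="C#" %><% Response.Write('
                        'Server.HtmlEncode(Request.QueryString["q"])); %>',
    # Classic one-line eval shell: request input straight into eval().
    "owa/auth/help.aspx": '<%@ Page Language="JScript"%>'
                          '<%eval(Request.Item["cmd"],"unsafe");%>',
    # Arbitrary file-write shell: request input controls both path and content.
    "ecp/dropper.aspx": '<% System.IO.File.WriteAllText('
                        'Server.MapPath(Request["f"]), Request["d"]); %>',
    # Same eval text, but IIS will not execute a .txt file.
    "owa/notes.txt": 'eval(Request["x"])',
}


def build_sample_webroot() -> str:
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f"{f.sha256[:16]}  {f.size:>6}  {sorted(f.categories)}  {f.path}")
```

Run against a copy of the server's IIS directories (taken from a forensic image rather than the live box, so timestamps are preserved) and review every hit: the benign page in the sample reads request input too, and only the co-occurrence with an execution or write primitive separates it from the two shells. Hashes of confirmed shells become your own IOCs for checking the other Exchange servers in the estate.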
Urgent patching necessary
Even though the use of the vulnerabilities was described as “limited”, now that the information has been made public we may see a quick rise in the number of attacks, especially since the attack requires very little information about the victim to start with.
Or as Microsoft’s vice president for customer security Tom Burt put it:
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”
Users of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.
Microsoft also advises that the initial stage of the attack can be stopped by “restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access”. Note that this only blocks the first link in the chain: the other vulnerabilities can still be exploited if the attacker already has access or obtains it by other means.
Update March 4, 2021
The Cybersecurity and Infrastructure Security Agency issued an emergency directive after CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. The directive gives detailed instructions for agencies to follow immediately after identifying all instances of on-premises Microsoft Exchange Servers in their environment.
For readers interested in the more technical details of the attack chain, Volexity published a blog post that provides details about their investigation and the vulnerabilities, and which also includes indicators of compromise (IOCs).
Update March 5, 2021
It turns out that CVE-2021-26855 was discovered in December 2020 by DEVCORE, who named the vulnerability ProxyLogon because the bug targets the Exchange proxy architecture and logon mechanism. After DEVCORE chained the bugs together into a working pre-authentication RCE exploit, they sent an advisory and the exploit to Microsoft through the MSRC portal. The entire timeline can be found here.
Stay safe, everyone!
The post Patch now! Exchange servers attacked by Hafnium zero-days appeared first on Malwarebytes Labs.
Microsoft has released emergency security patches for four zero-day vulnerabilities in its Exchange email server software, widely used by businesses.
Microsoft got an early start on Patch Tuesday, releasing a series of out-of-band security updates this week to address four zero-day vulnerabilities in Exchange Server. There’s been a lot of security activity in the news, so I’m sure it is going to be a busy Patch Tuesday. The Microsoft Security Response Center reported known attacks against Exchange Server by the hacking group Hafnium. The four vulnerabilities involved in the exploit are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and …
The post March 2021 Patch Tuesday forecast: Off to an early start appeared first on Help Net Security.