WatchGuard Blog

Exchange Server Vulnerabilities Exploited in the Wild

Marc Laliberte, senior security analyst at WatchGuard Technologies, explains what’s behind the attacks on Microsoft Exchange servers and how companies can mitigate the risks.

Hot on the heels of the SolarWinds cyber attack, the Microsoft Threat Intelligence Center (MSTIC) released information about another widespread campaign targeting Exchange servers at the beginning of March. A state-sponsored threat actor operating out of China, named HAFNIUM, was found to be exploiting 0-day vulnerabilities in on-premise Exchange server software. So far, MSTIC has identified four known vulnerabilities since the incident occurred, all of which target on-premise servers only. Cloud Exchange servers are not affected.

The UK National Cyber Security Centre (NCSC) estimated that 7,000 servers had been affected by the flaw. It said malicious software had been detected on 2,300 machines and that it was ‘vital’ that all affected businesses took action to secure their email servers.

The NCSC is particularly concerned about small and medium-sized businesses and has urged companies to download the latest Microsoft security updates immediately. While the flaw was initially exploited by HAFNIUM to gain remote access to email servers to steal sensitive data, the announcement by Microsoft has resulted in multiple hacking groups all trying to find unpatched email servers to attack, including those looking to install ransomware.

The attack

The attack begins by exploiting a server-side request forgery (SSRF) vulnerability (CVE-2021-26855) that allows the full contents of a user’s mailbox to be stolen. The attacker only needs to know the server running the Exchange software and the account they want to steal from. The attacker then chains this exploit with a secondary exploit that allows for remote code execution on the targeted Exchange server (CVE-2021-27065). Another vulnerability that is part of this chained exploit allows attackers to write a file to any path on the server (CVE-2021-26858). The fourth vulnerability, an insecure deserialisation flaw in the Unified Messaging service (CVE-2021-26857), allows attackers to run code as SYSTEM.

In addition to the four primary Indicators of Compromise (IoCs), Microsoft has released PowerShell scripts and various tools on GitHub to help identify these IoCs within Exchange servers. Volexity, which spotted these attacks occurring in the wild, also released an in-depth write-up on various IoCs, proofs-of-concept, and demonstrations to assist with this detection effort. Microsoft has published a similar write-up as well.

Microsoft has released a patch for all four vulnerabilities, as well as some others, and they urge everyone with on-premise Exchange servers to patch their systems immediately. Information about the security updates can be found here.

Threat Response Measures

  1. Identify and patch vulnerable Exchange Server systems with the Microsoft-issued security updates.
  2. Utilize alternative mitigations provided by Microsoft where you cannot immediately deploy patches.
  3. Use Microsoft’s PowerShell script to search for indicators of compromise on your Exchange server.
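
To illustrate the kind of check step 3 performs, the PowerShell below is an added example (not Microsoft's script and not code from this post) that flags HttpProxy log rows matching the indicator Microsoft's published guidance gives for CVE-2021-26855: an empty AuthenticatedUser together with an AnchorMailbox of the form `ServerInfo~*/*`. The function name `Find-SsrfIndicator`, the reduced column set and the sample log are constructed for the illustration.

```powershell
# Added example: scan HttpProxy-style CSV logs for the CVE-2021-26855 indicator.
# Find-SsrfIndicator is a hypothetical helper name, not part of any Microsoft tool.
function Find-SsrfIndicator {
    param(
        [Parameter(Mandatory)][string]$LogRoot   # folder holding HttpProxy *.log files
    )
    Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' -File | ForEach-Object {
        $file = $_.FullName
        # Drop '#'-prefixed metadata lines; the first remaining line is the CSV header.
        Get-Content -LiteralPath $file |
            Where-Object { $_ -and -not $_.StartsWith('#') } |
            ConvertFrom-Csv |
            Where-Object {
                # Indicator: unauthenticated request whose AnchorMailbox names a server.
                [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
                $_.AnchorMailbox -like 'ServerInfo~*/*'
            } |
            Select-Object @{ n = 'File'; e = { $file } },
                          DateTime, AnchorMailbox, UrlStem, HttpStatus, UserAgent
    }
}

# Constructed sample log (reduced column set, placeholder values) in a temp folder.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'HttpProxySample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
DateTime,AuthenticatedUser,AnchorMailbox,UrlStem,HttpStatus,UserAgent
#Software: Microsoft Exchange Server
2021-03-03T10:15:02.000Z,CONTOSO\alice,Sid~S-1-5-21-0-0-0-1001,/ecp/default.aspx,200,Mozilla/5.0
2021-03-03T10:15:09.000Z,,ServerInfo~placeholder.invalid/constructed,/ecp/example,200,ExampleClient/1.0
2021-03-03T10:15:11.000Z,,,/owa/auth/logon.aspx,200,Mozilla/5.0
'@ | Set-Content -LiteralPath (Join-Path $dir 'sample.log')

# Only the second data row is reported: no authenticated user, ServerInfo~ anchor.
Find-SsrfIndicator -LogRoot $dir | Format-Table -AutoSize
```

On a real server, Microsoft's guidance places these logs under `%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy`; pass that folder as `-LogRoot` and preserve any files with hits for incident response.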

The scale of this problem is still emerging and it is not clear what the overall impact will be, with many systems still at risk and thousands with malicious software already installed. These latest high-profile attacks demonstrate the importance of good patch management and multiple layers of defence to make sure the doors are closed before the cyber criminals can get in. 
