Exchange Zero Day Vulnerabilities Should be Patched ASAP
Microsoft said Tuesday that attackers operating out of China have been exploiting four zero days in Microsoft Exchange enterprise email servers to steal email and that administrators should patch systems immediately.
The latest issue, involving multiple zero day exploits in Microsoft Exchange Server, led to several intrusions in January and forced the company to issue an out of band patch for the vulnerabilities, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, on Tuesday.
Exchange Server, a popular cloud-based mail server, can run a handful of different email clients but is included with Microsoft's Office 365 Business Essentials and Office 365 Premium. Microsoft said Exchange Online is not affected and that it's not likely the attacks affected individual consumers.
Microsoft said the attacks, which have been limited and targeted, have been carried out to bypass authentication, access on-premises Exchange servers, and steal emails. Once the attackers secure access to email accounts, they can install malware and access victim environments at a later date.
In some scenarios they've been using web shells on servers in order to dump process memory, and compress and steal inbox data like address books, which contain information about the compromised organization and its users.
The company attributed the attacks to Hafnium, a state-sponsored group it believes operates out of China and has been spotted targeting a variety of different organizations. Some of those targets include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
Among the bugs fixed by Microsoft are vulnerabilities that allowed attackers the ability to send arbitrary HTTP requests and authenticate as the Exchange server (CVE-2021-26855), run code as SYSTEM on the Exchange server (CVE-2021-26857), and write a file to any path on the server (CVE-2021-26858).
The fact the attackers are bypassing authentication like two-factor in order to steal email inboxes is concerning. It's also how they've flown under the radar according to Volexity, a threat intelligence and incident response firm that assisted Microsoft in uncovering and researching one of the bugs, the server-side request forgery (SSRF) vulnerability, CVE-2021-26855.
It's worth noting that while the other vulnerabilities require some conditions be in place, the SSRF vulnerability is remotely exploitable and does not require authentication - something that could easily open the door for the other vulnerabilities. According to Volexity, all an attacker needs to know is the server running Exchange and the account they want to extract email from. For the other vulnerabilities, conditions need to exist in order to be exploited. Naturally, the file write vulnerabilities (CVE-2021-26858 and CVE-2021-27065) can only be exploited if attackers can authenticate with the server in the first place. To run code as SYSTEM, attackers would need administrator permission or another vulnerability to be exploited first.
According to Volexity's write up, through remote access, via leased U.S.-based private servers, the group launched exploits, many using legitimate tools like PsExec, webshells, and WinRar, that helped it become more known. The firm realized something was afoot after it detected anomalous activity from two of its customers’ Microsoft Exchange servers, then noticed large amounts of data being sent to suspicious IP addresses.
The fact that attackers are using web shells to carry out attacks goes along with Microsoft's narrative that their usage is on the rise; it said last month that from August 2020 to January 2021 it saw 140,000 instances of web shells in attacks, double the monthly average, 77,000, before that.
In addition to information on the vulnerabilities, Microsoft also shared indicators of compromise (IOCs), Azure Sentinel advanced hunting queries, and other tools to help administrators hunt for activity in their environment.
While finding time to patch systems can be a tall order for administrators, many who are already juggling a long list of updates and software remediations for systems they oversee, Microsoft is stressing these updates should be a priority.
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack,” Tom Burt, Microsoft's Corporate Vice President, Customer Security & Trust, said in a separate blog post on Tuesday.