Microsoft Exchange Security Alert
The Microsoft Threat Intelligence Center (MSTIC) has released information about another widespread campaign targeting Exchange servers. A state-sponsored threat actor operating out of China, which Microsoft is calling HAFNIUM, has been exploiting 0-day vulnerabilities in on-premises Exchange Server software. MSTIC has identified four vulnerabilities since the incident occurred, and they affect on-premises Exchange servers only. Cloud Exchange servers are not affected by these vulnerabilities.
The attack begins by exploiting a server-side request forgery (SSRF) vulnerability (CVE-2021-26855) that allows the full contents of a user’s mailbox to be stolen; the attacker only needs to know which server is running Exchange and which account to steal from. The attacker then chains this with a second exploit that allows remote code execution on the targeted Exchange server (CVE-2021-27065). Another vulnerability, also part of this chain, allows attackers to write a file to any path on the server (CVE-2021-26858). The fourth vulnerability allows attackers to run code as SYSTEM by exploiting an insecure deserialization flaw in the Unified Messaging service (CVE-2021-26857).
Alongside the Indicators of Compromise (IoCs) for these four vulnerabilities, Microsoft has released PowerShell scripts and various tools on its GitHub to help identify those IoCs on your Exchange servers. Volexity, which spotted these attacks occurring in the wild, has also released an in-depth write-up covering IoCs, proofs of concept and demonstrations to assist with detection. Microsoft has published a similar write-up as well.
Microsoft has released patches for all four vulnerabilities, as well as some others, and urges everyone running on-premises Exchange servers to patch their systems immediately. Information about the security updates can be found here. Although HAFNIUM is believed to be the first entity known to exploit these vulnerabilities, Microsoft continues to see increasing attacks on unpatched systems by actors other than HAFNIUM.
Threat Response Measures
1. Identify and patch vulnerable Exchange Server systems with the Microsoft-issued security updates.
2. Utilise the alternative mitigations provided by Microsoft where you cannot immediately deploy the patches.
3. Use Microsoft’s PowerShell script to search for indicators of compromise on your Exchange server.
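Step 3 points at Microsoft's own script; the PowerShell below is added here as an illustration of what such a check looks like and is not code from Microsoft or from this alert. It scans the Exchange HttpProxy logs for unauthenticated requests carrying the CVE-2021-26855 SSRF routing indicator, and assumes the default Exchange 2013+ install path and the column names Exchange writes in the HttpProxy log header; the function name is my own.

```powershell
# Added example (not Microsoft's Test-ProxyLogon script): look for the
# CVE-2021-26855 SSRF indicator in Exchange HttpProxy logs.
# Assumptions: default Exchange 2013+ log location, and the column names
# (DateTime, AuthenticatedUser, AnchorMailbox, ...) from the log header.
function Find-ProxyLogonSsrfIndicator {
    [CmdletBinding()]
    param(
        [string]$LogRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15\Logging\HttpProxy",
        [int]$DaysBack = 30
    )

    if (-not (Test-Path -Path $LogRoot)) {
        Write-Warning "HttpProxy log directory not found: $LogRoot"
        return
    }

    $since = (Get-Date).AddDays(-$DaysBack)
    Get-ChildItem -Path $LogRoot -Filter '*.log' -Recurse -File |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $file  = $_
            $lines = Get-Content -Path $file.FullName
            # Header handling: the column list is either on a "#Fields:" comment
            # line or on the first non-comment line; data rows are plain CSV.
            $fieldsLine = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
            if ($fieldsLine) { $header = $fieldsLine -replace '^#Fields:\s*', '' }
            else             { $header = $lines | Where-Object { $_ -notlike '#*' } | Select-Object -First 1 }
            $rows = $lines | Where-Object { $_ -notlike '#*' -and $_ -ne $header }

            $rows | ConvertFrom-Csv -Header ($header -split ',') |
                Where-Object {
                    # An unauthenticated request whose AnchorMailbox value names a
                    # backend server directly ("ServerInfo~host/...") is the
                    # published indicator of the SSRF being exercised.
                    [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
                    $_.AnchorMailbox -like 'ServerInfo~*/*'
                } |
                Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox,
                              @{ Name = 'LogFile'; Expression = { $file.Name } }
        }
}

# Usage: review hits by hand; any row here warrants a full incident response.
Find-ProxyLogonSsrfIndicator | Export-Csv -NoTypeInformation -Path "$env:TEMP\exchange-ssrf-hits.csv"
```

An empty result does not prove the server is clean: logs may have rotated past the window, and the other three CVEs leave different traces, so run Microsoft's full script as well.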