A state-sponsored threat group from China has aggressively exploited four zero-day flaws in Microsoft Exchange Server. Worryingly, these vulnerabilities appear to have been adopted by other threat actors in extensive attacks.
The hack is not believed to be linked to the SolarWinds supply chain attack that has affected roughly 18,000 companies globally, but there are fears that lags in fixing exposed servers could have a similar, or more severe, effect on businesses.
Here is a detailed chronology of what exactly happened.
What occurred?
Microsoft said that the company came to know of four zero-day bugs in January.
On March 2, the tech giant issued patches to deal with the four critical flaws in Microsoft Exchange Server software. Microsoft said that the bugs were being aggressively exploited in limited but targeted attacks.
Ten days later, Microsoft focused its probe on whether the threat actors acquired the credentials needed to gain access to the Exchange Server by a Microsoft partner, either deliberately or inadvertently. It is alleged that the cybercriminals had “proof of concept” attack code that the software behemoth shared with antivirus firms as part of the company’s Microsoft Active Protections Program (Mapp).
Microsoft Exchange Server is an email inbox, calendar, and collaboration solution. Users of Microsoft Exchange Server — an email inbox, calendar, and collaboration solution — come from diverse backgrounds, from corporate giants to small and medium enterprises worldwide.
While patches have been issued, the possibility of potential Exchange Server compromise hinges on the speed and approval of fixes, with the number of potential victims constantly on the rise.
The vulnerabilities and their significance
While Exchange Online is not impacted, the severe flaws affect on-premise Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
CVE-2021-26855: CVSS 9.1: a Server Side Request Forgery (SSRF) flaw leading to crafted HTTP requests being sent by unverified hackers. Servers should be able to accept unreliable connections over port 443 for the bug to be activated.
CVE-2021-26857: CVSS 7.8: an uncertain deserialization flaw in the Exchange Unified Messaging Service, letting random code deployment under SYSTEM. Nevertheless, this flaw needs to be combined with another or pilfered IDs must be used.
CVE-2021-26858: CVSS 7.8: a post-authentication random file write flaw to write to paths.
CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write flaw to write to paths.
Used in an attack chain, all of these flaws can lead to Remote Code Execution (RCE), server capture, backdoors, data holdup, and possibly further malware deployment.
Simply put, Microsoft says that invaders obtain access to an Exchange Server either through these bugs or pilfered credentials and they can then produce a web shell to capture the system and perform commands remotely.
The company has said that the vulnerabilities are used as part of an attack chain, adding that the first attack needs the capacity to make an unreliable connection to Exchange server port 443. This, Microsoft said, can be protected against by limiting unreliable connections, or by establishing a VPN to separate the Exchange server from external access.
On March 10, Proof-of-Concept (PoC) code was released.
Attack traced back to Hafnium
The tech giant says that attacks using the zero-day vulnerabilities have been traced back to Hafnium, a state-sponsored advanced persistent threat (APT) group from China that Microsoft said is as a highly accomplished and sophisticated actor.
While Hafnium initiates in China, the group uses a web of virtual private servers (VPS) located in the US to try and hide its true location. Entities formerly targeted by the group include think tanks, non-profits, defense outworkers, and researchers.
- Deploy updates to compromised Exchange Servers
To successfully respond to the situation that could snowball into a serious crisis, deployment of updates to the affected Exchange Servers can be the first key step.
- Investigate for exploitation or indicators of persistence
This can be managed by examining the Exchange product logs for evidence of exploitation and skimming for identified web shells. In addition, using the Microsoft IOC feed for newly observed indicators and leveraging other organizational security capabilities may also help
- Remediate and mitigate any known exploitation
Microsoft suggests that you investigate your environment for indicators of lateral movement or further compromise. Also, you must update or mitigate your affected Exchange deployments immediately. Several rival groups are also actively exploiting these vulnerabilities, so to ensure the utmost security, you should block access to susceptible Exchange servers from unreliable networks until your Exchange servers are fixed or mitigated.
Some of the noted cybersecurity companies in Pakistan, including AMSAT Managed Security Services (MSS), provide services appropriate for different environments related to Exchange Server, including support and services in vulnerability & threat management and governance, risk management & compliance, and penetration testing. The company also provides customized security strategy and mitigation techniques to help prepare organizations for potential threats.
