Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium. Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software.The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.
We’re focused on protecting customers from the exploits used to carry out these attacks. Today, we released security updates that will protect customers running Exchange Server. We strongly encourage all Exchange Server customers to apply these updates immediately. Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.
In many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.
In this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.
Not one, but four zero-days
Typical zero-day attacks usually take place using a single vulnerability. However, widespread attacks by Hafnium (rumored to be state-run) have taken advantage of four previously unknown vulnerabilities in Microsoft’s “on-premise” versions of Exchange Server.
Tens of thousands of companies are at risk in the US and internationally. Time is of the essence and action must be taken immediately to protect your data.
Short-term “Defense”: Patch, Block Ports and Change Passwords
- Reset all users’ Active Directory passwords with an Exchange mailbox.
- Disable Outlook Web Access and related public-facing ports.
- Download the Microsoft Safety Scanner (MSERT) tool and scan for potential open Web Shell connections to your Exchange Server(s) for these four zero-day vulnerabilities. If the tool reports unknown connections; BLOCK these connections, and perform a forensic investigation to confirm origin and act accordingly.
- Disable any single-factor login entry points and employ two-factor authentication with VPN. Close out all direct access to your Exchange Server.
- Monitor ingress and egress points for unusual activity; block IPs and firewall ports that show higher-than-normal traffic.
- Validate that your incident response playbooks contain both business- and IT-related measures to appropriately defend and stop an email breach.
Long-term “Offense”: Layer Your Security, Deploy DLP and Encrypt Your Data
- Employ additional services, such as Exchange Online Protection, Microsoft Defender, ProofPoint, Mimecast and other solutions to provide greater protection for targeted attacks, phishing, ransomware/malware and much more.
- Configure “conditional location-based access” policies in addition to VPN.
- Configure your CASB and SIEM solutions with the appropriate controls to block and disable risky and potentially compromised accounts.
- Ensure your DLP solutions are configured to block critical data from being stolen and or mistakenly exfiltrated by employees.
- Encrypt your data using Azure Information Protection. In the event of a worse-case scenario where your data is stolen, it’s worthless to the attacker if properly encrypted.
Is there any version of Exchange that is safer or less vulnerable than others?
After the original webcast, Microsoft confirmed that the vulnerability was first introduced in Exchange 2013, so older versions aren’t vulnerable to the full attack. Although it is out of support, Exchange 2010 is still used by some companies so it needs to be patched because it’s vulnerable to CVE-2021-26857, one of the four Hafnium vulnerabilities. Microsoft hasn’t patched any version earlier than Exchange 2010.
What about Exchange Online?
Exchange Online uses a different code base than the on-premises servers and is not vulnerable to the current attack. For one thing, Exchange Online does not allow insecure connections over TCP/443 to Exchange virtual directories like OWA and ECP, which were exploited in the attack.
Currently, the following vulnerabilities are exploited by adversaries:
CVSS 3.0 Base Score
|Gain access to mailboxes, read the full contents.||SSRF (Server-Side Request Forgery)||
|CVE-2021-26857 ||Arbitrary code execution as SYSTEM user, compromise the system||Insecure Deserialization||7.8 High|
|CVE-2021-26858 ||Arbitrary code execution, compromise the system||Post-Authentication Arbitrary File Write||7.8 High|
|CVE-2021-27065 ||Arbitrary code execution, compromise the system||Post-Authentication Arbitrary File Write||7.8 High|
Affected Microsoft Exchange Server Versions
|Exchange 2019||Affected (all CVEs)||Immediately deploy the updates.|
|Exchange 2016||Affected (all CVEs)||Immediately deploy the updates.|
|Exchange 2013||Affected (all CVEs)||Immediately deploy the updates.|
|Exchange 2010||Affected (CVE-2021-26857)||Immediately deploy the updates.|
|Exchange 2007||Unknown, stated as ”not believed to be affected” by Microsoft.||Unsupported version by Microsoft. Upgrade to a supported version.|
|Exchange 2003||Unknown, stated as ”not believed to be affected” by Microsoft .||Unsupported version by Microsoft. Upgrade to a supported version.|
|Exchange Online / Office 365||Not Affected|