Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.
“HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”
The Hafnium attack group
Hafnium is not just a rare metal that chemically resembles zirconium; it is also the name of a newly identified attack group that is thought to be responsible for other attacks on internet-facing servers and that typically exfiltrates data to file-sharing sites. Despite its use of leased servers in the US, the group is believed to be based in China (as most security researchers will tell you, attribution is hard, especially when it involves international espionage).
In many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.
In this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.
Not one, but four zero-days
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVEs (with descriptions provided by Microsoft) used in these attacks were:
- CVE-2021-26855: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
- CVE-2021-26857: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
- CVE-2021-26858: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
- CVE-2021-27065: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
They all look the same. Boring, you say? Read on!
The attack chain
While the CVE description is the same for all four CVEs, we can learn from the report by the security firm that discovered the attacks, Volexity, that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The Remote Code Execution (RCE) vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws, CVE-2021-26858 and CVE-2021-27065, would allow an attacker to write a file to any part of the server.
Together these four vulnerabilities form a powerful attack chain that only requires the attacker to find the server running Exchange and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make further changes. Web shells allow attackers to steal data and perform additional malicious actions.
Urgent patching necessary
Even though the use of the vulnerabilities was described as “limited”, now that the information has been made public we may see a quick rise in the number of attacks, especially since the attack does not require much information about the victim to begin with.
Or as Microsoft’s vice president for customer security Tom Burt put it:
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”
Users of Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.
Microsoft also advises that the initial stage of the attack can be stopped by "restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access", although the other parts of the attack chain can still be exploited if other means of access are used.
Update March 4, 2021
The Cybersecurity and Infrastructure Security Agency issued an emergency directive after CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. The directive gives detailed instructions for agencies to follow immediately after identifying all instances of on-premises Microsoft Exchange Servers in their environment.
For readers who are interested in the more technical details of the attack chain, Volexity published a blog post that provides details about their investigation and the vulnerabilities, and which also includes IOCs.
Update March 5, 2021
It turns out that CVE-2021-26855 was discovered in December 2020 by DEVCORE, who named the vulnerability ProxyLogon because the bug exploits the Exchange proxy architecture and logon mechanism. After DEVCORE chained the bugs together into a workable pre-auth RCE exploit, they sent an advisory and exploit to Microsoft through the MSRC portal. The entire timeline can be found here.
Update March 8, 2021
Microsoft has released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021. The US Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning that it is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the script as soon as possible.
Microsoft has also added definitions to its standalone malware scanner, the Microsoft Safety Scanner (also known as the Microsoft Support Emergency Response Tool or MSERT), so that it detects web shells.
Malwarebytes detects web shells planted on compromised Exchange servers as Backdoor.Hafnium. You can read more about the use of web shells in Exchange server attacks in our article Microsoft Exchange attacks cause panic as criminals go shell collecting.
Update March 12, 2021
The abuse of these vulnerabilities has sky-rocketed, and the first public proof-of-concept (PoC) exploit for the ProxyLogon flaws has appeared on GitHub, only to be taken down by the site. In spite of Microsoft's efforts, cybercriminals have shown in numbers that they are exploiting this opportunity to the fullest.
A new form of ransomware has also entered the mix. Detections for DearCry, a new form of human-operated ransomware that is deployed through compromised Exchange servers, began yesterday. Even before the ransomware was identified, Malwarebytes detected it proactively as Malware.Ransom.Agent.Generic.
You can read more about DearCry ransomware attacks in our article Ransomware is targeting vulnerable Microsoft Exchange servers.
Update March 16, 2021
Microsoft has released a new, one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.
Update March 23, 2021
After the release of the mitigation tool, the number of systems still vulnerable fell by 45% last week, as per a National Security Council spokesperson.
But there are still thousands of cyberattacks targeting the vulnerabilities every single day as cybercriminals target organisations that have not applied the patches yet, according to ZDNet.
Added to the number of malware infections using these vulnerabilities is a scareware variant calling itself Black Kingdom ransomware. Fortunately for the victims, all it does is drop ransom notes in every directory. No real encryption has been observed.
Discussions about how it is possible for massive attacks to have started shortly before the patch was released are heating up. MAPP partners, which get a heads-up from Microsoft before patches are released, are under the microscope.
Update March 25, 2021
The Black Kingdom ransomware turned out to be real ransomware after all. The first batch had a bug preventing the ransomware from encrypting files, but later versions did work.
We will keep you posted as we gather more information about the attacks using these vulnerabilities.
Update April 14, 2021
While you are here, we are assuming you are interested in Exchange updates and patches, so you may appreciate learning that Microsoft has released security updates for vulnerabilities found in:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Again, Microsoft urges users to patch immediately to protect their environments. You can find more details on the Exchange Team Blog.
Stay safe, everyone!