If your organization runs a Microsoft Exchange server on site, your IT professionals need to be up to date on the latest security-related developments, especially since the recent discovery of several vulnerabilities.
It is believed that there are hundreds of thousands of vulnerable Exchange servers, compromised by the threat group known as “Hafnium.” Multiple observers blame this group for the initial attacks and the resulting fallout. However, some analysts believe that there might also be multiple malicious actors at work, as not all exploits show the same Hafnium indicators.
Following widespread domestic and international reports of attacks targeting unpatched systems running Microsoft Exchange, national security agencies and private sector groups are calling on companies, organizations and institutions to take the potential for disruptions to technology services and infrastructure seriously, and to respond with changes to their security posture as quickly as possible.
What is Hafnium?
According to an assessment from the Microsoft Threat Intelligence Center (MSTIC), the threat actor Hafnium is a group based and operated out of China with some form of state sponsorship.
This group has shown itself to be capable of exploiting vulnerabilities in internet-facing servers and using open-source frameworks for command and control operations. Once they achieve access to victim networks, Hafnium usually exfiltrates private data to file sharing sites, operating primarily from leased virtual private servers in the United States.
Hafnium primarily targets entities and organizations across a number of industry sectors, ranging from higher education institutions to defense contractors and policy think tanks.
Other Threat Actors
Some cybersecurity and infrastructure security researchers believe that multiple malicious actors beyond Hafnium are currently taking advantage of Microsoft Exchange server vulnerabilities. This assumption is based on the observed difference in techniques in certain attacks, but the truth is far from clear at this point.
Two plausible scenarios are that the exploit code was shared with or sold to other groups, or that Microsoft's patches have been successfully reverse engineered.
Canadian & American Government Recommendations
In Canada, the Canadian Centre for Cyber Security issued a series of alerts throughout March, recommending that organizations prioritize external-facing Microsoft Exchange servers and immediately apply the necessary updates. Furthermore, any affected external servers should have remote access temporarily disabled until they have been properly analyzed and patched.
In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) released Emergency Directive 21-02 on March 3, which required federal civilian departments and agencies running Microsoft Exchange on-premises products to update them, or to disconnect them from their networks until the Microsoft patch had been applied.
How the Saga Unfolded
On March 2, Microsoft announced that on-premises versions of Microsoft Exchange Server were being attacked using multiple zero-day vulnerabilities. Using these vectors, the attackers accessed on-premises Exchange servers, which gave them access to all email accounts and the ability to execute code remotely in that context. Where arbitrary code execution is achieved, the attackers are able to establish persistence on the affected server.
The vulnerabilities affect Exchange Server versions 2013, 2016, and 2019, while Exchange Online remains unaffected.
The initial part of the attack chain requires the ability to make an untrusted connection to the Exchange server; however, other portions of the attack can be triggered once access has been obtained by other means. Measures that prevent access, such as restricting untrusted connections or requiring a VPN, are therefore only effective against the first part of the attack chain, which means that complete mitigation is only achievable through patching.
Exploited Vulnerabilities
According to the latest information from the Microsoft Security Response Center, the recently exploited vulnerabilities were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
In order to help gain a better understanding of the techniques used and help organizations improve their security posture, here is a breakdown of the recently exploited vulnerabilities.
CVE-2021-26855
A server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857
An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave bad actors the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 & CVE-2021-27065
Both are post-authentication arbitrary file write vulnerabilities in Exchange. If Hafnium could authenticate with the Exchange server, they could use either vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator's credentials.
Have Your Systems Been Compromised?
The domestic and international exploitation of these vulnerabilities reached such a level that the default assumption for a company that uses Exchange should be that its servers are compromised unless they have been updated with the latest patches or protected by third-party software.
The following indicators of compromise (IOCs) can help inform detection and mitigation guidance using Exchange server event logs and other Microsoft products, like Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender.
Many of the currently known IOCs rely on finding file remnants based on web shells. If you have an endpoint detection and response (EDR) product installed, you can also review logs and process command execution.
The specific order of actions taken to achieve complete threat mitigation is situational and depends on the outcomes of the environment-specific investigation.
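As an added illustration of the "file remnants" check described above (this is example code written for this article, not Microsoft's or any vendor's tooling), the script below correlates script files that appeared in the web root after a known-good baseline with later HTTP requests for them from outside the organization. The IIS log lines, the file inventory and the internal address ranges are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed W3C-style IIS log lines (date time c-ip cs-method cs-uri-stem sc-status);
# the addresses, paths and timestamps are made up for this example.
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-03-03 08:00:01 198.51.100.7 GET /owa/auth/logon.aspx 200
2021-03-03 08:02:10 198.51.100.7 POST /misc/constructed.aspx 200
2021-03-03 08:02:12 198.51.100.7 POST /misc/constructed.aspx 200
2021-03-03 08:05:00 10.0.0.12 GET /ecp/default.aspx 200
"""

# Constructed inventory of the web root: (URL path, file creation timestamp).
WEB_FILES = [
    ("/owa/auth/logon.aspx", "2020-06-01 09:00:00"),
    ("/misc/constructed.aspx", "2021-03-03 08:01:30"),
]

# Assumed organization-internal ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def parse_iis(text):
    """Parse the six whitespace-separated fields of the constructed log format."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, c_ip, method, uri, status = line.split()
        rows.append({"ts": datetime.fromisoformat(f"{date} {time}"),
                     "c_ip": ipaddress.ip_address(c_ip), "method": method,
                     "uri": uri.lower(), "status": int(status)})
    return rows


def suspicious_web_files(web_files, log_rows, baseline):
    """Flag script files created after `baseline` (e.g. the last known-good audit) that
    were then requested from external addresses: a freshly written .aspx receiving
    POSTs from outside is the trace an arbitrary file write followed by web shell use leaves."""
    baseline_ts = datetime.fromisoformat(baseline)
    findings = []
    for path, created in web_files:
        created_ts = datetime.fromisoformat(created)
        if created_ts < baseline_ts or not path.lower().endswith(SCRIPT_EXTENSIONS):
            continue
        hits = [r for r in log_rows if r["uri"] == path.lower() and r["ts"] >= created_ts]
        external = [r for r in hits if not any(r["c_ip"] in n for n in INTERNAL_NETS)]
        if external:
            findings.append({"path": path, "created": created,
                             "external_posts": sum(1 for r in external if r["method"] == "POST"),
                             "sources": sorted({str(r["c_ip"]) for r in external})})
    return findings
```

Run it against a real inventory by replacing the constructed inputs with the output of a file listing of the Exchange web directories and the server's IIS logs; files flagged here still need manual review, since legitimate deployments also add scripts.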
Which Servers Should be Updated First?
Because exploitation relies on HTTPS access over the internet, it is recommended to first update any Exchange servers that are exposed to the internet before updating the rest of the internal environment.
Check Microsoft Exchange Server Patch Levels & Scan Exchange Log Files
Running this Exchange Server Health Checker script will let you know whether your Exchange servers are up to date. The script also scans Exchange log files for any indicator of compromise associated with the vulnerabilities that were first disclosed on March 2.
Install Cumulative Security Updates
Microsoft has released the following cumulative updates (CU) to Exchange.
- Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
- Exchange Server 2013 (update requires CU 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)
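To turn the update order recommended above and the cumulative update prerequisites listed here into a fleet-wide plan, the following added example (not code from the article or from Microsoft) sorts a constructed server inventory so that internet-facing servers come first and tells the administrator, per server, whether the security update can be applied directly or a CU upgrade is needed first. The server names, installed CUs and the choice of the newer CU as the upgrade target are assumptions.

```python
# Prerequisite cumulative updates as listed above; Exchange 2010 takes the
# Defense in Depth update on SP3 (any rollup) and is handled separately.
REQUIRED_CU = {"2013": (23,), "2016": (18, 19), "2019": (7, 8)}

# Constructed server inventory: name, version, installed CU, internet exposure.
SERVERS = [
    {"name": "EX13-INT", "version": "2013", "cu": 22, "internet_facing": False},
    {"name": "EX19-EDGE", "version": "2019", "cu": 8, "internet_facing": True},
    {"name": "EX16-DMZ", "version": "2016", "cu": 17, "internet_facing": True},
    {"name": "EX10-LEGACY", "version": "2010", "cu": "SP3", "internet_facing": False},
]


def required_action(server):
    """Decide whether the security update applies directly or a CU upgrade must come first."""
    version, cu = server["version"], server["cu"]
    if version == "2010":
        return "apply security update" if cu == "SP3" else "install SP3 first, then apply security update"
    supported = REQUIRED_CU.get(version)
    if supported is None:
        # Assumption: anything not in the list above gets no update and needs a migration plan.
        return "unsupported version: plan migration"
    if cu in supported:
        return "apply security update"
    # Assumption: when two CUs are eligible, upgrade to the newer one.
    return f"upgrade to CU {max(supported)} first, then apply security update"


def plan_updates(servers):
    """Internet-facing servers first (exploitation relies on HTTPS reachability), then
    internal ones; ties are broken by name so the plan is reproducible."""
    ordered = sorted(servers, key=lambda s: (not s["internet_facing"], s["name"]))
    return [(s["name"], "internet-facing" if s["internet_facing"] else "internal",
             required_action(s)) for s in ordered]


if __name__ == "__main__":
    for name, exposure, action in plan_updates(SERVERS):
        print(f"{name:12} {exposure:16} {action}")
```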
Stay Current with Cybersecurity Best Practices
International-level cybersecurity threats are a new and emerging issue that large-scale companies and organizations must be prepared to face. Although it seems that the proposed mitigation techniques effectively limit the risk to most systems, it is only a matter of time before a new threat with a greater ability to compromise
Firewall Management Services
Modern enterprise networks can include a combination of IT security controls, but efficiently managing these systems can be a major operational challenge. This is particularly true in the context of a major global security threat that relies on HTTPS access.
Firewall management services can help your company efficiently oversee firewall rules, configurations, logs and alerts to improve overall effectiveness.
Managed Detection and Response Services
Many exploits take place because internal IT teams simply don’t have the time, resources and expertise to implement the right detection and mitigation techniques when needed. For most organizations, the best way to keep operations secure and stay protected against future threats lies with a managed network security and incident response partner.