Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server

Description

On March 2nd, Microsoft released out-of-band patches for on-premises Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. The release responds to in-the-wild exploitation of four vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.


The attack chain targets a Microsoft Exchange server that is able to receive untrusted connections from an external source. Microsoft attributes this latest attack to the threat actor known as HAFNIUM.


Who is HAFNIUM?

According to Microsoft, HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.


HAFNIUM's modus operandi is to gain access to the victim's network and then exfiltrate victim data to file-sharing sites such as MEGA, likely for cyber espionage.


What are the Technical Details of the Threat?

Four specific vulnerabilities (each classified by Microsoft as a Microsoft Exchange Server Remote Code Execution Vulnerability) were chained together, allowing the threat actor to exploit on-premises Exchange servers.


They are:


CVE-2021-26855

A remote code execution vulnerability exists in Microsoft Exchange Server: a server-side request forgery (SSRF) flaw allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. This vulnerability is the first link in the attack chain; for it to succeed, the Exchange server must accept untrusted connections on port 443.


CVE-2021-26857

A remote code execution vulnerability exists in Microsoft Exchange Server: an insecure deserialization flaw in the Unified Messaging service. Exploiting it gives an attacker the ability to run code with elevated privileges (SYSTEM) on the Exchange server. For this vulnerability to be leveraged, certain conditions must be met, such as existing administrator permissions or chaining with another vulnerability.


CVE-2021-26858

A remote code execution vulnerability exists in Microsoft Exchange Server where an attacker can perform a post-authentication arbitrary file write. Once authenticated to the server, an actor can write a file to any location on it. This vulnerability can be chained by using compromised Exchange administrator credentials or by authenticating through CVE-2021-26855 (SSRF).


CVE-2021-27065

A remote code execution vulnerability exists in Microsoft Exchange Server where an attacker can perform a post-authentication arbitrary file write. Once authenticated to the server, an actor can write a file to any location on it. This vulnerability can be chained by using compromised Exchange administrator credentials or by authenticating through CVE-2021-26855 (SSRF).


What Platforms are Affected?

On-premises Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 are affected. Exchange Online is unaffected. Although not listed as affected, Exchange Server 2010 has mitigation guidance available for it. Please refer to the APPENDIX for more details.


How Serious of an Issue is This?

HIGH.


Is this Being Exploited in the Wild?

Yes. According to recent media reports, in-the-wild attacks have potentially affected over 30,000 customers.


How Widespread is this Attack?

Global. Attacks have been observed to affect multiple verticals and targets worldwide.


Are Patches Available?

Yes. Out-of-band patches were made available for download by Microsoft on March 2nd, 2021. It is recommended that all available patches for affected Microsoft Exchange servers be applied immediately, if feasible.


What is the Status of Coverage?

FortiGuard Labs has the following AV coverage in place for publicly known samples:


ASP/WebShell.cl!tr

ASP/Chopper.A!tr

HTML/Agent.A121!tr


FortiGuard Labs has the following IPS coverage in place:


MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution

MS.Exchange.Server.UM.Core.Remote.Code.Execution

MS.Exchange.Server.CVE-2021-27065.Remote.Code.Execution

MS.Exchange.Server.CVE-2021-26858.Remote.Code.Execution


All known network IOCs related to this threat are blocked by the FortiGuard WebFiltering Client.


We will update this threat signal with any other feasible updates once they become available.
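The AV signatures above cover ASP web shells, which is what the post-authentication file-write step (CVE-2021-26858 and CVE-2021-27065) is used to drop. The following triage script is an added example, not FortiGuard's or Microsoft's tooling: it lists .aspx files created or modified since a cutoff date in the web-served directories of an on-premises Exchange server and records their hashes for the incident file. The directory roots (the Exchange install path from the ExchangeInstallPath environment variable and the default IIS root) and the cutoff date are assumptions; adjust them to your environment.

```powershell
# Added triage example (not from the FortiGuard advisory or Microsoft's tooling):
# enumerate recently created or modified .aspx files under the web-served
# directories of an on-premises Exchange server and hash them for the record.
param(
    # Assumed cutoff; tighten this to the date your server was last known clean.
    [datetime] $Since = (Get-Date '2021-02-01')
)

# Assumed roots: Exchange setup sets ExchangeInstallPath; the IIS default root
# is added because the front end serves content from both locations.
$Roots = @()
if ($env:ExchangeInstallPath) {
    $Roots += Join-Path $env:ExchangeInstallPath 'FrontEnd'
    $Roots += Join-Path $env:ExchangeInstallPath 'ClientAccess'
}
$Roots += Join-Path $env:SystemDrive 'inetpub\wwwroot'
$Roots  = $Roots | Where-Object { Test-Path $_ }

$Findings = foreach ($root in $Roots) {
    # Both timestamps are checked: a dropped file may have a back-dated
    # CreationTime, so a recent LastWriteTime alone is also worth a look.
    Get-ChildItem -Path $root -Recurse -Filter *.aspx -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                SizeBytes = $_.Length
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Show the newest files first; anything not part of the installed product
# (or of a change you made yourself) warrants manual review.
$Findings | Sort-Object Created -Descending | Format-Table -AutoSize

# Keep a copy for the incident record and for submission to your AV vendor.
$Findings | Export-Csv -Path ".\aspx-triage-$(Get-Date -Format yyyyMMdd-HHmmss).csv" -NoTypeInformation
```

Run this from an elevated PowerShell session on the Exchange server itself. The list is a starting point, not a verdict: legitimate .aspx files are updated by cumulative updates and security updates, so compare the findings against your patch history and against a known-good server where one is available, and treat any file the scan surfaces as evidence to preserve rather than delete until the review is done.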


Any Other Suggested Mitigation?

According to Microsoft, to protect against this attack it is recommended to restrict untrusted connections, or to set up a VPN that separates the Exchange server from external access. This mitigation protects only against the initial portion of the attack. Other portions of the chain can still be triggered if an attacker already has access, or can convince an administrator through social engineering to open a malicious file. It is therefore recommended to prioritize installing the available patches on Exchange servers immediately.
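One way to apply the "restrict untrusted connections" interim mitigation on the server itself, using the Windows Firewall cmdlets, is shown below. This is an added example, not Microsoft's published guidance or FortiGuard's code; the trusted address ranges and the rule name are placeholders. It scopes inbound TCP/443 to the address ranges a VPN concentrator or reverse proxy uses, so the SSRF stage of the chain cannot be reached directly from the internet.

```powershell
# Added example (not from the FortiGuard advisory or Microsoft): limit inbound
# HTTPS on an on-premises Exchange server to trusted source ranges only.
# Placeholders: replace with your VPN client pool / proxy addresses.
$TrustedRanges = @('10.8.0.0/24', '192.0.2.10')
$RuleName      = 'Exchange HTTPS - trusted sources only'

# 1. Windows Firewall evaluates explicit Block rules before Allow rules, so an
#    "allow from VPN" rule next to a "block everything else on 443" rule would
#    block the VPN too. Rely on the profile's default inbound action instead.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. Disable (do not delete) every enabled inbound Allow rule that opens TCP/443,
#    so the only remaining path to 443 is the scoped rule created in step 3.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        Write-Host "Disabling unscoped rule: $($_.DisplayName)"
        Disable-NetFirewallRule -Name $_.Name
    }

# 3. Create one Allow rule whose remote scope is the trusted ranges only.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 443 `
        -RemoteAddress $TrustedRanges -Action Allow -Profile Any | Out-Null
}

# 4. Verify: show every inbound rule touching TCP/443 together with its remote scope.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        '{0,-50} {1,-8} {2,-6} remote={3}' -f $_.DisplayName, $_.Enabled, $_.Action, $scope
    }
```

Two caveats a practitioner should keep in mind. First, the port filter match only finds rules whose LocalPort is exactly 443; a rule with LocalPort set to Any or to a range also exposes 443, so review the full output of Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True as well. Second, this cuts off legitimate external Outlook Anywhere, ActiveSync and OWA clients along with the attacker, which is why the advisory treats it as a stopgap until the patches are installed and the disabled rules can be re-enabled.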


Due to the ease of disruption and the potential for damage to daily operations and reputation, unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed and patched, to prevent attackers from establishing a foothold within the network.


Organizations are also encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing and spearphishing attacks. Employees should be encouraged never to open attachments from someone they don't know, and always to treat emails from unrecognized or untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates run by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links can also help prevent initial access into the network.

Outbreak Alert

Firstly, if you are running an unpatched on-premises Microsoft Exchange version, you should upgrade immediately! This is a critical vulnerability that allows an attacker to access a desired user's mailbox, requiring only the e-mail address of the user they wish to target! These details and more were disclosed by Volexity here: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ The vulnerabilities affect Exchange Server 2013, 2016 and 2019. Exchange Online is not affected.
