ALERT: Zero-Day Vulnerabilities Being Exploited To Attack On-Premises Microsoft Exchange Servers

Lewis Brisbois Bisgaard & Smith LLP, Contributor

Founded in 1979 by seven lawyers from a premier Los Angeles firm, Lewis Brisbois has grown to include nearly 1,400 attorneys in 50 offices in 27 states, and dedicates itself to more than 40 legal practice areas for clients of all sizes in every major industry.

On March 2, 2021, Microsoft released out-of-band security updates to address four zero-day vulnerabilities that were being actively exploited to attack on-premises Microsoft Exchange Servers. The United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has urged businesses running affected servers to read Microsoft's advisory and apply the updates as necessary.

What Are The Vulnerabilities?

The four vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, can be chained to allow threat actors to take control of an affected server and access the victim's information. Specifically, these vulnerabilities allow threat actors to:

Who Is At Risk?

Businesses running on-premises Microsoft Exchange Server 2010, 2013, 2016, or 2019 are at risk. Servers that expose Outlook Web Access (OWA) or the Exchange Control Panel (ECP) to the internet are particularly vulnerable, because the exploitation chain begins with unauthenticated requests to those web services. Exchange Online and Office 365 mailboxes are not believed to be affected.

What Are The Risks?

Threat actors, including the Hafnium group, have used these vulnerabilities to access servers and email accounts and to install additional malware that facilitates long-term access to victim businesses' environments.

After leveraging the vulnerabilities to gain access, threat actors have deployed web shells on the compromised server and used them to steal data and to install malware that maintains long-term access. Threat actors can also download the Exchange offline address book, which contains information about an organization and its users.

Server access may allow threat actors to move laterally into other systems and deploy malware, including ransomware that could affect system availability. Access to email environments could result in misuse of employee email accounts to redirect financial transactions away from their legitimate recipients. Information taken from email systems and from affected Exchange offline address books may later be used in phishing or spam campaigns targeting company contacts.

Who Is Exploiting These Vulnerabilities?

Microsoft disclosed that it has detected limited and targeted attacks by Hafnium, a group believed to be state-sponsored and operating out of China, whose targets include infectious disease researchers, institutions of higher education, law firms, think tanks, and non-governmental organizations.

Groups other than Hafnium are likely to launch attacks using these vulnerabilities as they become more widely known.

What Can I Do?

Businesses running Microsoft Exchange Server 2010, 2013, 2016, or 2019 are strongly urged to install Microsoft's security updates on these servers immediately to protect against these attacks. Because the vulnerabilities were exploited before the updates were released, patching does not remove an attacker who is already present, so we also recommend:

  • Staying alert to any unauthorized access to systems that may indicate exploitation of these vulnerabilities, including unusual requests in the Exchange and IIS logs that predate the update.
  • Reinforcing protections associated with administrator accounts. Threat actors who exploit these vulnerabilities obtain code execution on the Exchange server itself and will likely try to escalate privileges from there.
  • Remaining vigilant to any suspicious code being run on the Exchange server and to the creation of any files, particularly web server scripts, that are not clearly associated with work product or management of your technical infrastructure. Ask your information technology personnel to assist you with the best methods to achieve these goals.
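As an added example of the kind of check the last two recommendations describe (this is not code from the original article or from Microsoft), the following PowerShell script, run in an elevated session on the Exchange server itself, reports the installed Exchange build so it can be compared with the build numbers Microsoft published for the March 2021 update, and lists .aspx files recently created or modified in the web directories where post-exploitation web shells were reported. The directory paths, the hunt start date and the assumption that the `ExchangeInstallPath` environment variable is populated are assumptions to adjust for your installation.

```powershell
# Added example, not from the original article. First-pass triage for an on-premises
# Exchange server: report the installed build and hunt for recently written .aspx files.
# Run as an administrator on the Exchange server. Paths and dates below are assumptions.

param(
    [datetime]$Since = (Get-Date '2021-02-26'),        # assumed start of the hunt window
    [string]$ExchangeRoot = $env:ExchangeInstallPath   # set by Exchange setup (assumption)
)

if (-not $ExchangeRoot) {
    # Fallback: default install root for Exchange 2013/2016/2019 (assumption).
    $ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\'
}

# 1. Installed build. ExSetup.exe carries the product version, which can be compared
#    against the patched build numbers in Microsoft's advisory.
$exsetup = Join-Path $ExchangeRoot 'Bin\ExSetup.exe'
if (Test-Path $exsetup) {
    $build = (Get-Item $exsetup).VersionInfo.ProductVersion
    Write-Output "Exchange build (ExSetup.exe): $build"
} else {
    Write-Warning "ExSetup.exe not found under $ExchangeRoot; check the install path."
}

# 2. Web shell hunt: .aspx files created or modified inside the hunt window in
#    directories that should only contain files shipped with Exchange or IIS.
$webDirs = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client')
)

$suspect = foreach ($dir in $webDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Filter '*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
            ForEach-Object {
                [pscustomobject]@{
                    Path         = $_.FullName
                    CreationTime = $_.CreationTime
                    LastWrite    = $_.LastWriteTime
                    SizeBytes    = $_.Length
                    # Hash lets the file be compared against published indicators
                    # or checked against a known-good Exchange installation.
                    SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

if ($suspect) {
    Write-Warning "Recently created or modified .aspx files found; review each before deleting:"
    $suspect | Format-Table -AutoSize
} else {
    Write-Output "No .aspx files created or modified since $Since in the checked directories."
}
```

An empty result does not prove the server is clean: an attacker may have placed files elsewhere, overwritten a legitimate script, or altered timestamps, so any finding here should be followed by a review of the Exchange and IIS logs and, where compromise is suspected, a full forensic examination rather than simple deletion of the files.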

Originally Published by Lewis Brisbois, March 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
