CISA Urges Patch, as Hackers Exploit Zero-Day Flaws in Microsoft Exchange

March 03, 2021 - The Department of Homeland Security Cybersecurity and Infrastructure Security Agency alerted to an out-of-band software update issued by Microsoft, which will patch four zero-day vulnerabilities found in certain Exchange servers. The flaws are already under active exploit.

The flaws are found in Microsoft Exchange Servers versions 2013, 2016, and 2019. CISA warns that an attacker can exploit three remote code execution flaws to take control of an impacted system.

Meanwhile, an exploit of the CVE-2021-26855 flaw will give the attacker access to the victim’s information.

Microsoft issued its own alert “to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem.”

The CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability that enables an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. 

READ MORE: NIST Shares Risk-Based Guide to Information Exchange Security

The second flaw, CVE-2021-26857, is an insecure deserialization vulnerability found in the Unified Messaging service, which allows the deserialization of untrusted user-controllable data. 

The CVE-2021-26858 and CVE-2021-27065 post-authentication arbitrary file write flaws that can allow an authenticated attacker to write a file to any path on the server.

If an attacker exploits the SSRF flaw, they could authenticate on the network. The flaws can also be exploited if an attacker obtains legitimate admin credentials.

The flaws were found by Volexity researchers who detected anomalous activity on the Microsoft Exchange servers of two clients. An analysis of the suspicious activity showed a large amount of data being sent to IP addresses not tied to legitimate results.

Further analysis of the IIS logs revealed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA).

READ MORE: Phishing Campaigns Targeting Office 365 Credentials, Spoofing Exchange

“It was initially suspected the servers might be backdoored and that webshells were being executed through a malicious HTTP module or ISAPI filter,” researchers explained. 

The team launched incident response processes and initiated a forensics investigation that determined hackers were exploiting a zero-day server flaw: SSRF. The attackers used the exploit to steal the full contents of several user mailboxes.

The vulnerabilities are remotely exploitable and do not require authentication of any kind. What’s more, the attacker does not need special knowledge or access to exploit the targeted environment.

The hacker only needs to know the server is running Exchange and the account from which they want to extract the emails, in order to exploit the vulnerabilities.

“Exploiting this vulnerability gave [the attacker] the ability to run code as SYSTEM on the Exchange server,” Microsoft noted. “This requires administrator permission or another vulnerability to exploit.”

READ MORE: 61% Microsoft Exchange Servers Are Unpatched, Vulnerable to Attack

A further analysis from Volexity determined the attacker also managed to chain the SSRF flaw with one of the other Exchange vulnerabilities, which allowed remote code execution on the targeted servers.

In all of the remote code execution attacks used against these flaws, the researchers observed hackers writing webshells (ASPX files) to disk and conducting a host of other nefarious activities, including dumping credentials, adding user accounts, and stealing copies of the Active Directory database (NTDS.DIT).

The hackers also used these exploits to move laterally to connected systems and environments on the victims’ networks.

According to Microsoft, the Chinese nation-state hacking group HAFNIUM is actively exploiting these flaws against on-premise servers in limited and targeted attacks. HAFNIUM operates primarily from leased virtual private servers (VPS) in the US.

The hacking group has been primarily targeting US entities across a range of industries, including infectious disease researchers, law firms, higher education institutions, and defense contractors, among others.

In the past, HAFNIUM compromised a range of victims through the exploit of flaws found in internet-facing servers. The group has also used legitimate open-source frameworks for command and control. In all cases, HAFNIUM exfiltrated data to file sharing sites like MEGA, upon successful exploits.

In previous exploits not tied to the current Exchange campaign, the attackers interacted with victim Office 365 tenants. Though the compromises were unsuccessful, the reconnaissance activities allowed the attackers to identify further details about the targeted environments.

All customers are being urged to immediately update on-premise servers. Online Exchange servers are not impacted by these vulnerabilities or attacks.

Patching of these flaws is critical for the healthcare sector, given the rise in the demand and sale of backdoor access to healthcare networks. Groups of threat actors, including Initial Access Brokers (IABs), scan for known flaws and other exposed endpoints to gain a foothold onto the network. That access is then sold online to the highest bidder.

Despite these risks, urgent patching continues to challenge organizations in all sectors. A previously disclosed set of Exchange server vulnerabilities were left unpatched by at least 61 percent of entities, several month after the disclosure. Effective and prompt patch management is crucial for preventing long-term, detected intrusions.