Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactic, and procedures.
- Attacker can gain access to an Exchange server either with stolen passwords or by using the zero-days to disguise the hackers as personnel who should have access.
- Attacker can create a web shell to control the compromised server remotely, and use that remote access to steal data from a target’s network.
- These vulnerabilities are actively being exploited in limited and targeted attacks:
- CVE-2021-26855 – A server-side request forgery (SSRF) vulnerability that could allow an attacker to use specially crafted web requests and authenticate as the Exchange Server
- CVE-2021-26857 – An insecure de-serialization vulnerability in the Unified Messaging service that could allow an attacker to run code with escalated privileges on the Exchange Server
- CVE-2021-26858 and CVE-2021-27065 – Post-authentication arbitrary file-write vulnerabilities that could allow an authenticated attacker to upload files onto the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- Microsoft Exchange Server 2010 (Service Pack 3)
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
- Administrators are strongly urged to install and patch to the latest Exchange Server security updates:
- Exchange Server 2010 (RU 31 for Service Pack 3 – this is a Defense in Depth update)
- Exchange Server 2013 (CU 23)
- Exchange Server 2016 (CU 19, CU 18)
- Exchange Server 2019 (CU 8, CU 7)