Background
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.
Impact
- An attacker can gain access to an Exchange server either with stolen passwords or by using the zero-days to pose as personnel who legitimately have access.
- An attacker can create a web shell to control the compromised server remotely, and use that remote access to steal data from a target’s network.
- These vulnerabilities are actively being exploited in limited and targeted attacks:
  - CVE-2021-26855 – A server-side request forgery (SSRF) vulnerability that could allow an attacker to send specially crafted web requests and authenticate as the Exchange Server.
  - CVE-2021-26857 – An insecure deserialization vulnerability in the Unified Messaging service that could allow an attacker to run code with escalated privileges on the Exchange Server.
  - CVE-2021-26858 and CVE-2021-27065 – Post-authentication arbitrary file-write vulnerabilities that could allow an authenticated attacker to write files onto the server. The attacker could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Affected Systems
- Microsoft Exchange Server 2010 (Service Pack 3)
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Recommendations
- Administrators are strongly urged to install the latest Exchange Server security updates. The updates apply to the following update levels; servers on an older Cumulative Update (CU) must first be brought to one of these levels:
  - Exchange Server 2010 (RU 31 for Service Pack 3 – this is a Defense in Depth update)
  - Exchange Server 2013 (CU 23)
  - Exchange Server 2016 (CU 19, CU 18)
  - Exchange Server 2019 (CU 8, CU 7)
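The recommendations above amount to a triage rule: identify the product line of each server, check whether it sits on an update level for which a security update exists, and otherwise schedule a CU upgrade first. The script below is an added example and is not part of the advisory or any Microsoft tooling. It assumes an inventory that records each server's `AdminDisplayVersion` string (the format returned by `Get-ExchangeServer`, whose major.minor maps to 14.3 = 2010 SP3, 15.0 = 2013, 15.1 = 2016, 15.2 = 2019) together with the CU/RU number and whether the security update has been applied, because the display version alone does not encode the CU. The update-level table is taken from the advisory's recommendation list; the server records and build numbers in `SAMPLE_INVENTORY` are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Product line derived from the major.minor of AdminDisplayVersion.
PRODUCT_BY_VERSION = {
    (14, 3): "Exchange Server 2010 SP3",
    (15, 0): "Exchange Server 2013",
    (15, 1): "Exchange Server 2016",
    (15, 2): "Exchange Server 2019",
}

# Update levels for which the advisory lists a security update
# (RU 31 for 2010 SP3; CU 23 for 2013; CU 18/19 for 2016; CU 7/8 for 2019).
PATCHABLE_LEVELS = {
    "Exchange Server 2010 SP3": {31},
    "Exchange Server 2013": {23},
    "Exchange Server 2016": {18, 19},
    "Exchange Server 2019": {7, 8},
}

# Matches strings such as "Version 15.1 (Build 2176.2)".
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)")


@dataclass
class ServerRecord:
    name: str
    admin_display_version: str
    update_level: Optional[int]        # CU (2013+) or RU (2010) from inventory
    security_update_installed: bool    # assumption: tracked by the inventory


def product_from_version(admin_display_version: str) -> Optional[str]:
    """Map an AdminDisplayVersion string to the Exchange product line."""
    m = VERSION_RE.match(admin_display_version.strip())
    if not m:
        return None
    return PRODUCT_BY_VERSION.get((int(m.group(1)), int(m.group(2))))


def triage(server: ServerRecord) -> Tuple[str, str]:
    """Return (status, action) for one server.

    status is one of UNKNOWN, UPGRADE_CU, PATCH or OK.
    """
    product = product_from_version(server.admin_display_version)
    if product is None:
        return "UNKNOWN", f"{server.name}: unrecognised version; verify manually"
    if server.update_level is None:
        return "UNKNOWN", f"{server.name}: {product} update level unknown; verify manually"
    patchable = PATCHABLE_LEVELS[product]
    if server.update_level not in patchable:
        target = max(patchable)
        return "UPGRADE_CU", (f"{server.name}: {product} on update level {server.update_level}; "
                              f"upgrade to level {target}, then install the security update")
    if not server.security_update_installed:
        return "PATCH", f"{server.name}: {product} level {server.update_level}; install the security update"
    return "OK", f"{server.name}: {product} level {server.update_level}; security update installed"


# Constructed sample inventory (names and build numbers are illustrative).
SAMPLE_INVENTORY = [
    ServerRecord("EX16-01", "Version 15.1 (Build 2176.2)", 19, False),
    ServerRecord("EX16-02", "Version 15.1 (Build 1979.3)", 17, False),
    ServerRecord("EX19-01", "Version 15.2 (Build 792.3)", 8, True),
    ServerRecord("EX10-01", "Version 14.3 (Build 123.4)", 31, True),
    ServerRecord("LEGACY", "Version 8.3 (Build 83.6)", None, False),
]


def triage_inventory(inventory=SAMPLE_INVENTORY):
    """Triage every server; results are ordered most urgent first."""
    order = {"UPGRADE_CU": 0, "PATCH": 1, "UNKNOWN": 2, "OK": 3}
    results = [triage(s) for s in inventory]
    return sorted(results, key=lambda r: order[r[0]])


if __name__ == "__main__":
    for status, action in triage_inventory():
        print(f"[{status:10}] {action}")
```

Servers reported as UPGRADE_CU are the ones that cannot simply take the security update and therefore stay exposed longest; they should be prioritised for a CU upgrade or isolation from the Internet until patched.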