Urgent patching necessary. Microsoft continues to see increased attacks targeting unpatched systems by multiple malicious actors beyond Hafnium attack group.
What you need to know about the Microsoft Exchange Server hack.
A sophisticated attack on Microsoft’s widely used business email software, Microsoft Exchange Server, is shifting into a global cybersecurity crisis, as hackers race to infect as many victims as possible before companies can secure their computer systems.
Four ‘zero-day’ vulnerabilities in Microsoft Exchange Server are being actively exploited by Hafnium, a state-sponsored advanced persistent threat (APT) group from China that is described by Microsoft as a "highly skilled and sophisticated actor."
The attacks include three steps.
- They gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.
- They create a web shell to control the compromised server remotely.
- They use that remote access, which is operating from U.S.-based private servers, to steal data from an organization’s network.
Microsoft is urging customers to apply the updates as soon as possible due to the critical rating of the flaws.
“We released security updates that will protect customers running Exchange Server. We strongly encourage all Exchange Server customers to apply these updates immediately” Microsoft said.
What are the Microsoft Exchange Server vulnerabilities?
The flaws affected Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected.
- CVE-2021-26855: CVSSv3 9.1:a Server Side Request Forgery (SSRF) vulnerability leading to crafted HTTP requests being sent by unauthenticated attackers. Servers need to be able to accept untrusted connections over port 443 for the bug to be triggered.
- CVE-2021-26857: CVSS 7.8:an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM. However, this vulnerability needs to be combined with another or stolen credentials must be used.
- CVE-2021-26858: CVSS 7.8:a post-authentication arbitrary file write vulnerability to write to paths.
- CVE-2021-27065: CVSS 7.8:a post-authentication arbitrary file write vulnerability to write to paths.
Bloomberg estimates approximately 60,000 organizations as known victims, as of March 8, many of which are small or medium-sized businesses.
Check to see if you’re vulnerable to Microsoft Exchange Server zero-days.
Microsoft's Exchange Server team has released a script for IT admins to check if systems are vulnerable to recently-disclosed zero-day bugs.
As noted in an alert published by the US Cybersecurity and Infrastructure Security Agency (CISA) on Saturday, Microsoft's team has published a script on GitHub that can check the security status of Exchange servers.
The script has been updated to include indicators of compromise (IOCs) linked to four zero-day vulnerabilities found in Microsoft Exchange Server.
Recommended response steps for Microsoft Exchange hack.
Microsoft recommends that you update and investigate in parallel, but if you must prioritize one, prioritize updating and mitigation of the vulnerability.
Successful response should consist of the following steps:
- Deploy updates to affected Exchange Servers.
- Investigate for exploitation or indicators of persistence.
- Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.
These vulnerabilities are being actively exploited by multiple rival hacking groups. Block access to vulnerable Exchange servers from untrusted networks until your Exchange servers are patched or mitigated.
Microsoft’s most recent update as of 3/8/2021 is as follows:
“Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.”
Server vulnerabilities resources:
For more information about these vulnerabilities and how to defend against their exploitation, see:
- Microsoft Advisory: Multiple Security Updates Released for Exchange Server
- Microsoft Blog: HAFNIUM targeting Exchange Servers with 0-day exploits
- Microsoft GitHub Repository: CSS-Exchange
- CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
- CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
If you’re looking for IT services in the Tri-Cities or Yakima, Washington or Bend, Oregon areas, or concerned about the Exchange attack, give us a call at 541.848.6072 in Oregon or 509-396-6640 in Washington.