Published March 2021
Microsoft discloses four zero-day vulnerabilities being used to remotely compromise Exchange Server.
Threatscape recommends that clients urgently patch Microsoft Exchange Server to address vulnerabilities being used in targeted attacks by a China-linked group. These vulnerabilities allow attackers to remotely compromise Exchange servers and steal the full contents of mailboxes without requiring any server authentication.
Microsoft: “We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately.” Microsoft attributes the attacks to “a group assessed to be state-sponsored and operating out of China” which typically targets “entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”
The security response team at Threatscape have commented as follows about this issue:
- The attack combines multiple zero-day (i.e. previously unknown) vulnerabilities in Microsoft Exchange email server software versions 2010, 2013, 2016 and 2019, which are very widely used by organisations around the world. Used together, these vulnerabilities make it possible to remotely compromise an Exchange server and gain full access to mailboxes, and to deploy additional attack scripts. The team who discovered the flaw (which they first spotted almost two months ago on Jan 6th!) describe the severity well:
Adair said while the exploits used by the group may have taken great skills to develop, they require little technical know-how to use and can give an attacker easy access to all of an organization’s email if their vulnerable Exchange Servers are directly exposed to the Internet.
“These flaws are very easy to exploit,” Adair said. “You don’t need any special knowledge with these exploits. You just show up and say ‘I would like to break in and read all their email.’ That’s all there is to it.”
- Microsoft consider these vulnerabilities sufficiently serious and urgent to have released patches immediately, not waiting until their next routine monthly release of patches. They don’t do that very often.
- One of the vulnerabilities has been assigned a CVSS risk score of 9.1. That is very high – anything scoring 9.0 or higher is ‘critical’. In other words, it’s a ‘drop everything else you are working on and fix this now’ level of threat.
- While the vulnerability only affects on-premise Exchange servers, many organisations who use Office 365 follow Microsoft’s recommendations to install an on-premise Exchange server for password syncing between Active Directory and Office 365. Organisations with this type of hybrid deployment may incorrectly think of their email infrastructure as being entirely ‘in the cloud’ and may overlook the urgent need to patch their on-premise Exchange server.
- While the attacks to date have been very limited and targeted, and are believed to be the work of Chinese government hackers suspected of having discovered the vulnerabilities, the release of the patches makes other hacking groups and cyber criminals aware of the flaws. Multiple threat groups will now be scrambling to develop their own attack code so that they can try to exploit these flaws against organisations who are slow to deploy the patches. Therefore organisations need to patch NOW.
If you require further assistance from Threatscape in relation to this issue, please contact us by email at support@threatscape.com or by phone (UK – 0203 653 0000, Ireland – 01 901 7000).
Further reading:
MICROSOFT — March 2021 Exchange Server 2010, 2013, 2016 and 2019 Security Updates
Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks. The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected. For more information, please see the Microsoft Security Response Center (MSRC) blog. For technical details of these exploits and how to help with detection, please see HAFNIUM Targeting Exchange Servers.
Volexity determined attackers were exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker was using the vulnerability to steal the full contents of several user mailboxes.
This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.
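The Microsoft note above points to the HAFNIUM write-up for detection guidance, and the Volexity text explains why the SSRF matters: the request arrives unauthenticated. The script below is an added example, not Threatscape's, Microsoft's or Volexity's code. It applies the indicator Microsoft published for CVE-2021-26855 in that HAFNIUM guidance: HttpProxy log rows with an empty AuthenticatedUser whose AnchorMailbox begins with "ServerInfo~" and carries a "/" path. It assumes the Exchange HttpProxy log layout (comment lines starting with "#", a "#Fields:" header naming the CSV columns, then one CSV row per request) and the default logging location under the Exchange install directory; the sample log, hostnames and IP addresses are constructed, and the sample keeps only a subset of the real columns, which is why rows are read by header name rather than by position.

```python
"""Triage helper for Exchange HttpProxy logs (added example, not vendor code).

Flags proxy requests that carry no authenticated user yet are routed through a
'ServerInfo~<host>/<path>' anchor mailbox, the indicator Microsoft published
for CVE-2021-26855. Run it against a copy of the HttpProxy log directory on a
server you are assessing; the sample below is constructed for demonstration.
"""
import csv
import io
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List

SERVERINFO_PREFIX = "ServerInfo~"

# Constructed sample. Real HttpProxy files have many more columns; the parser
# keys each row by the names in the "#Fields:" line, so column order and count
# do not matter. Hosts and addresses are documentation/example values.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: HttpProxy Logs
#Date: 2021-03-02T00:00:00.000Z
#Fields: DateTime,RequestId,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-02T10:15:01.123Z,0001,/owa/auth/logon.aspx,,false,,,198.51.100.10,200
2021-03-02T10:15:07.456Z,0002,/EWS/Exchange.asmx,Kerberos,true,CONTOSO\\jdoe,jdoe@contoso.example,203.0.113.5,200
2021-03-02T10:16:42.789Z,0003,/ecp/x.js,,false,,ServerInfo~exch01.contoso.example/autodiscover/autodiscover.xml,192.0.2.77,200
2021-03-02T10:17:03.000Z,0004,/owa/auth/x.js,,false,,ServerInfo~exch01.contoso.example/ecp/default.flt,192.0.2.77,200
2021-03-02T10:18:11.321Z,0005,/mapi/emsmdb/,NTLM,true,CONTOSO\\asmith,asmith@contoso.example,203.0.113.9,200
"""


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per request row, keyed by the column names in '#Fields:'."""
    fieldnames = None
    data_lines = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fieldnames = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines and blank lines carry no requests
        else:
            data_lines.append(line)
    if fieldnames is None:
        raise ValueError("no '#Fields:' header found; not an Exchange HttpProxy log")
    reader = csv.DictReader(io.StringIO("\n".join(data_lines)), fieldnames=fieldnames)
    return list(reader)


def is_suspicious(row: Dict[str, str]) -> bool:
    """True for an unauthenticated request anchored to 'ServerInfo~<host>/<path>'."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = row.get("AnchorMailbox") or ""
    if user or not anchor.startswith(SERVERINFO_PREFIX):
        return False
    # Microsoft's indicator is 'ServerInfo~*/*': a path must follow the host part.
    return "/" in anchor[len(SERVERINFO_PREFIX):]


def find_suspicious_requests(text: str) -> List[Dict[str, str]]:
    """Parse one log file's text and keep only the rows matching the indicator."""
    return [row for row in parse_httpproxy_log(text) if is_suspicious(row)]


def hits_by_client(rows: Iterable[Dict[str, str]]) -> Counter:
    """Group hits by ClientIpAddress so a single probing source stands out."""
    return Counter(r.get("ClientIpAddress", "") for r in rows)


def scan_log_directory(root: Path) -> List[Dict[str, str]]:
    """Collect hits from every *.log file under an HttpProxy logging directory.

    Assumed default location: <Exchange install dir>\\Logging\\HttpProxy.
    """
    hits = []
    for path in sorted(root.rglob("*.log")):
        try:
            hits.extend(find_suspicious_requests(path.read_text(encoding="utf-8", errors="replace")))
        except ValueError:
            continue  # not an HttpProxy log (no '#Fields:' header); skip it
    return hits


if __name__ == "__main__":
    found = find_suspicious_requests(SAMPLE_HTTPPROXY_LOG)
    for row in found:
        print(row["DateTime"], row["ClientIpAddress"], row["UrlStem"], row["AnchorMailbox"])
    print("hits by client:", dict(hits_by_client(found)))
```

A hit is a reason to preserve the logs and investigate, not proof of compromise on its own; the rows give the timestamp, source address and target path to pivot from, and the same loop can be pointed at an offline copy of the HttpProxy directory with scan_log_directory.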