Microsoft has released out-of-band security updates to fix four zero-day Microsoft Exchange Server vulnerabilities that a Chinese Advanced Persistent Threat (APT) group called Hafnium is actively exploiting.
The attacks have been taking place since early January, with the group targeting defense contractors, law agencies, colleges and universities, NGOs, think tanks, and infectious disease research organizations in the USA. Exploiting the vulnerabilities allows the attackers to exfiltrate mailboxes and other data from vulnerable Exchange servers, run practically any code on those servers, and install malware for persistent access.
Hafnium was a previously unidentified, sophisticated APT group that is believed to be backed by the Chinese government. The group chains the four zero-day vulnerabilities together to steal sensitive files held in email messages. While developing the exploits required skill, using them is easy and lets the attackers exfiltrate large quantities of sensitive data with little effort. Although the group operates from China, it rents virtual private servers in the United States for use in the attacks, which helps it stay under the radar.
The flaws affect Exchange Server 2010 and all supported Exchange Server versions (2013, 2016, 2019). Patches have been released for Exchange Server 2010, 2013, 2016, and 2019. The flaws do not affect Exchange Online or personal email accounts, only on-premises Exchange servers.
Microsoft has credited the cybersecurity companies Volexity and Dubex with helping to uncover the attacks, which were first identified on January 6, 2021. Now that the patches have been released, attacks are likely to increase as the group rushes to gain access to as many vulnerable Exchange servers as possible before they are patched.
The vulnerabilities identified are:
- CVE-2021-26855: A server-side request forgery (SSRF) vulnerability that allows an attacker to send arbitrary HTTP requests to an on-premises Exchange Server and authenticate as the Exchange server itself.
- CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service that can be exploited to run arbitrary code as SYSTEM on the Exchange server.
- CVE-2021-26858 and CVE-2021-26865: Two arbitrary file write vulnerabilities that allow an authenticated user to write files to any path on the server. They are chained with CVE-2021-26855, which supplies the authentication, though they can also be exploited using stolen credentials.
Once initial access to the Exchange server has been obtained, the attackers deploy a web shell that lets them harvest cached credentials, upload files such as malware for persistent access, run essentially any command on the compromised system, and exfiltrate mailboxes and other data.
Exploits for the vulnerabilities are not believed to be publicly available, and the attacks are currently being carried out only by Hafnium, although that may not remain the case for long.
Microsoft is advising all customers running vulnerable Exchange versions to apply the patches immediately. After patching, an investigation should be conducted to determine whether the vulnerabilities were already exploited, because patching will not stop further malicious activity or data exfiltration if the attackers have already breached the server.
Microsoft has published Indicators of Compromise (IoCs) to help customers determine whether the vulnerabilities have already been exploited in their environment.
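The article notes that the attackers drop a web shell into the server after gaining access, and that patching must be followed by an investigation. One building block of such an investigation, independent of any vendor IoC list, is a file-integrity sweep of web-served directories: snapshot the files, compare against a known-good baseline, and flag newly added or modified server-side script files. The example below is an added illustration of that technique and is not Microsoft's IoC tooling or any code from the original article; it assumes nothing about Exchange-specific paths (the investigator passes in whichever web root they want to check), and the file names, contents and "suspicious" extensions it uses are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Added example: a minimal web-root integrity baseline for post-patch investigation.
# This is illustrative code, not Microsoft's IoC script. It knows nothing about
# Exchange-specific paths; the directory passed in is chosen by the investigator.

# Constructed list of extensions worth a second look when they appear or change
# unexpectedly in a web-served directory (server-side scripts that IIS executes).
SUSPICIOUS_SUFFIXES = (".aspx", ".ashx", ".asmx", ".php")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict, suspicious=SUSPICIOUS_SUFFIXES) -> dict:
    """Compare a known-good baseline with the current state of the same directory.

    Returns added, modified and removed relative paths, plus a 'flagged' list of
    added/modified files whose extension is in `suspicious` (candidate web shells
    or tampered handlers that deserve manual review).
    """
    added = sorted(set(current) - set(baseline))
    modified = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    removed = sorted(set(baseline) - set(current))
    flagged = [k for k in added + modified if k.lower().endswith(suspicious)]
    return {"added": added, "modified": modified, "removed": removed, "flagged": flagged}


def demo() -> dict:
    """Build a constructed web root, baseline it, simulate a later state, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "scripts").mkdir()
        (root / "index.html").write_text("<html>constructed sample</html>")
        (root / "scripts" / "app.js").write_text("console.log('constructed');")
        baseline = snapshot(root)  # taken while the directory is known-good

        # Constructed later state: one legitimate file edited, one new
        # server-side script appearing where none should be. The .aspx body is a
        # placeholder comment, not a real web shell.
        (root / "index.html").write_text("<html>constructed sample v2</html>")
        (root / "uploads").mkdir()
        (root / "uploads" / "dropped.aspx").write_text("<%-- constructed placeholder --%>")
        current = snapshot(root)

        return diff_snapshots(baseline, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be taken from a freshly built server or from backups predating the exposure window, stored off-host so an intruder cannot edit it, and the diff run on every web-served directory after the patches are applied; anything in `flagged` is a lead to triage, not a verdict.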