First and foremost: to minimize or avoid the impact of this situation, Microsoft recommends applying the security updates immediately to every on-premises Exchange deployment you run or manage. Prioritize servers that are reachable from the Internet, in particular those that publish Outlook on the web (OWA) and the Exchange Control Panel (ECP).

What is the massive hacking attributed to Hafnium that affected some 30,000 US organisations?

The vulnerabilities are being exploited by Hafnium. Other cyber attackers are following suit.

Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a Chinese state-sponsored threat group, and the same flaws appear to have been adopted by other cyber attackers in widespread attacks.

While it is not believed to be related to the SolarWinds supply chain attack, which has affected some 18,000 organizations worldwide - so far - there is concern that delays in patching vulnerable servers could have a similar, or worse, impact on businesses.


What are the vulnerabilities in the Microsoft Exchange Hack and why are they important? 

The critical vulnerabilities affect on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. However, Exchange Online is not affected.

The attack begins by exploiting a server-side request forgery (SSRF) vulnerability that, on its own, is enough to read the entire contents of a user's mailbox. The attacker only needs to be able to reach the Exchange server over HTTPS and to know the e-mail address of the account to target.

CVE-2021-26855 (CVSS 9.1): A server-side request forgery (SSRF) vulnerability that allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange server itself. The server must accept untrusted connections on port 443 for the flaw to be triggered.

CVE-2021-26857 (CVSS 7.8): An insecure deserialization vulnerability in the Exchange Unified Messaging service that allows arbitrary code to run as SYSTEM. Exploiting it requires administrator permissions (for example, via stolen credentials) or chaining it with another vulnerability.

CVE-2021-26858 (CVSS 7.8): A post-authentication arbitrary file write vulnerability. Once authenticated to the Exchange server, whether through the CVE-2021-26855 SSRF or with compromised administrator credentials, an attacker can write a file to any path on the server.

CVE-2021-27065 (CVSS 7.8): A second post-authentication arbitrary file write vulnerability with the same preconditions and the same impact: a file, such as a web shell, written to an attacker-chosen path.

If used in an attack chain, all of these vulnerabilities can lead to remote code execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.

In short, Microsoft says that attackers gain access to an Exchange server through these flaws or with stolen credentials, and then drop a web shell to take control of the system and execute commands remotely.

"These vulnerabilities are used as part of an attack chain," Microsoft says. "The initial attack requires the ability to make an untrusted connection to port 443 on the Exchange server. This can be protected against by restricting untrusted connections, or by configuring a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial part of the attack; other parts of the chain can be triggered if an attacker already has access or can convince an administrator to execute a malicious file."

Who is responsible for the known attacks?

Microsoft claims that attacks using zero-day flaws have been traced back to Hafnium. 

Hafnium is a Chinese state-sponsored advanced persistent threat (APT) group that is described by the company as a "highly skilled and sophisticated actor." 

Although Hafnium originates in China, the group uses a network of virtual private servers (VPS) located in the United States to try to hide its true location. Entities that have been targeted by the group include think tanks, non-profit organizations, defense contractors, and researchers.

We recommend that you take both preventive and investigative measures.

How can I check my servers and their vulnerability status? What do I do now?

Microsoft has urged IT administrators and customers to apply the security fixes immediately. Just because the fixes are being applied now, however, doesn't mean that the servers haven't already been backdoored or otherwise compromised.

Interim mitigation option guides are also available if patching is not possible immediately. 

The Microsoft team has posted a script on GitHub that IT administrators can run; it checks for indicators of compromise (IoCs) linked to the four vulnerabilities. The IoCs are also published separately.
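As an added illustration of what such an IoC hunt looks like, the PowerShell block below (written for this page; it is neither Microsoft's script nor code from the original article) checks for two of the published indicators: the CVE-2021-26855 SSRF, which shows up in the Exchange HttpProxy logs as a request with no authenticated user but an AnchorMailbox of the form "ServerInfo~host/...", and failed CVE-2021-26857 exploitation, which surfaces as Application log errors from the "MSExchange Unified Messaging" source that mention System.InvalidCastException. The block runs against constructed sample data so it executes offline: the CSV reproduces only a subset of the real HttpProxy columns, and every hostname, IP address, user and message in it is invented. Microsoft's own script remains the authoritative check.

```powershell
# Added example (not Microsoft's script): minimal hunt for two ProxyLogon
# indicators over constructed sample data. Column names follow the Exchange
# HttpProxy log format, but only a subset of its columns is reproduced here.

# --- Indicator 1: CVE-2021-26855 SSRF -------------------------------------
# The HttpProxy logs under %ExchangeInstallPath%Logging\HttpProxy\ are plain
# CSV files. The SSRF shows up as a request carrying no authenticated user
# yet an AnchorMailbox of the form "ServerInfo~<host>/<path>", i.e. the
# request was routed to a backend server instead of to a mailbox.
function Find-ProxyLogonSsrf {
    param(
        # Objects produced by Import-Csv / ConvertFrom-Csv from the log files
        [Parameter(Mandatory)] [object[]] $LogEntries
    )
    $LogEntries | Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
        $_.AnchorMailbox -like 'ServerInfo~*/*'
    }
}

# --- Indicator 2: CVE-2021-26857 deserialization -------------------------
# On a live server the input would come from:
#   Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -EntryType Error
function Find-UmDeserializationError {
    param(
        # Objects with Source, EntryType and Message properties
        [Parameter(Mandatory)] [object[]] $Events
    )
    $Events | Where-Object {
        $_.Source -eq 'MSExchange Unified Messaging' -and
        $_.EntryType -eq 'Error' -and
        $_.Message -like '*System.InvalidCastException*'
    }
}

# --- Constructed sample data (invented, not real telemetry) ---------------
# On a real server replace this with:
#   Import-Csv (Get-ChildItem -Recurse "$env:ExchangeInstallPath\Logging\HttpProxy" -Filter '*.log').FullName
$SampleHttpProxyCsv = @'
DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-02T10:15:01.123Z,203.0.113.10,/owa/auth/logon.aspx,,,200
2021-03-02T10:15:07.456Z,198.51.100.7,/ecp/default.flt,,ServerInfo~exchange01.corp.example/ecp/default.flt,200
2021-03-02T10:16:22.789Z,10.0.0.25,/owa/,CORP\jdoe,jdoe@corp.example,200
2021-03-02T10:17:03.001Z,198.51.100.7,/owa/auth/,,ServerInfo~exchange01.corp.example/autodiscover/autodiscover.xml,200
'@
$httpProxyEntries = $SampleHttpProxyCsv | ConvertFrom-Csv

$SampleEvents = @(
    [pscustomobject]@{ Source = 'MSExchange Unified Messaging'; EntryType = 'Error'
                       Message = 'Unhandled exception in worker process: System.InvalidCastException: Unable to cast object.' }
    [pscustomobject]@{ Source = 'MSExchange Unified Messaging'; EntryType = 'Information'
                       Message = 'The Microsoft Exchange Unified Messaging service started.' }
    [pscustomobject]@{ Source = 'MSExchangeTransport'; EntryType = 'Error'
                       Message = 'Connector unavailable.' }
)

# --- Run the hunt --------------------------------------------------------
$ssrfHits = @(Find-ProxyLogonSsrf -LogEntries $httpProxyEntries)   # 2 hits in the sample
$umHits   = @(Find-UmDeserializationError -Events $SampleEvents)   # 1 hit in the sample

"CVE-2021-26855 candidates: $($ssrfHits.Count)"
$ssrfHits | Format-Table DateTime, ClientIpAddress, AnchorMailbox -AutoSize
"CVE-2021-26857 candidates: $($umHits.Count)"
$umHits | Format-Table Source, Message -AutoSize
```

Two hits from the same external address against the SSRF indicator, as in the sample, are exactly the pattern to escalate: treat the server as potentially compromised, preserve the logs and web directories before patching, and look for newly written .aspx files under the OWA and ECP virtual directories.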

On March 8, Microsoft released an additional set of security updates that can be applied to older, unsupported Cumulative Updates (CU) as a temporary measure. 

CISA issued an emergency directive on March 3 requiring federal agencies to immediately scan any server running Microsoft Exchange and implement the fixes provided by the company. 

If any indicators of suspicious behavior are found dating back to September 1, 2020, CISA requires agencies to disconnect the affected servers from the Internet to mitigate the risk of further damage. The FBI has also issued a statement on the situation.

Microsoft is still investigating and as more information comes to light, we will update.

Source: Microsoft

You can contact our security specialists without obligation so that we can analyze how your organization is protecting itself in the different layers of corporate security.

If you're not sure how to get started, leave your details and we'll contact you as soon as possible.


We can accompany you in your end-to-end projects. Let's work together.