Multiple Critical Vulnerabilities for Microsoft Exchange
IOCs and more context (Updated by Microsoft on 8 March 2021) - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Frequently Asked Questions (Updated by Microsoft on 8 March 2021) - https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
Extensive Incident Response guide (Updated by Microsoft on 16 March 2021) : https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/
Microsoft has detected multiple 0-day exploits being used to attack on-premise versions of Microsoft Exchange Server in limited and targeted attacks.
In the attacks observed, the threat actor used these vulnerabilities to access on-premise Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. All this could be done without any need for authentication.
UPDATE 16/03/2021: It has been determined that malicious actors are installing web shells in vulnerable systems.
Organisations and companies that do not take action can become the victim of ransomware or data exfiltration.
Microsoft has released several security updates for Microsoft Exchange Server to address vulnerabilities that have been used in limited targeted attacks.
The report mentions 4 of the 7 vulnerabilities patched that are used in these attacks.
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 & CVE-2021-27065 are post-authentication arbitrary file write vulnerabilities in Exchange. Authentication is possible by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.
On 8 March 2021, Microsoft released an update strategy to temporarily protect vulnerable machines until you are able to update the latest support CU and then apply the applicable SUs.
CERT.be recommends prioritizing installing updates (Updated on 8 March 2021) on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated with the highest priority.
After patching, Exchange administrators can run a Health Checker script to determine the status of each Exchange server.
Then remove all web shells.
Overview of all the steps to be followed: Multiple Security Updates Released for Exchange Server - updated March 12, 2021 - Microsoft Security Response Center
Update 16/03/2021 : Microsoft has launched a tool to automate things for customers with little expertise. One-Click Microsoft Exchange On-Premises Mitigation Tool - March 2021 - Microsoft Security Response Center
Companies and organisations that experience difficulties with these steps are advised to hire an ICT partner or external expert to perform these actions.
Check your environment for signs of compromise
- Scan Exchange server logs for Indicators of Comprise (IOCs)
- Scan hosts for IOCs such as web shell hashes, known paths and filenames, LSASS process memory dumps
For more information on how to check your environment and use the IOCs: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ (Updated by Microsoft on 8 March 2021)
For more information on how to investigate an remediate (Updated by Microsoft on 16 March 2021): Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities – Microsoft Security Response Center
Advanced hunting queries
- Microsoft Defender for Endpoint: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/
- Azure Sentinel: https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/