Microsoft has detected four 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server 2010-2019 in targeted attacks. The attacks observed, used the below vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
Four Zero Days in Exchange Server (On-premise)
Microsoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- Exchange 2010 <= UR31
- Exchange 2013 <= CU23
- Exchange 2016 <= CU19
- Exchange 2019 <= CU8
Patch, and patch now!
Microsoft also recommends running this Healthchecker script:
If you have not been regulary upgrading and patching you have a much bigger job ahead than you may think. For the patches to apply correctly you need to be on the latest CU upgrade. This means for many organisations (that have fallen behind on updates and patching), a lengthy install, or the development of new up-to-date Exchange servers is required inorder to mitigate the risk of exploitation.
Our Collection of IOCs
Web shell hashes
We observed web shells in the following paths:
In Microsoft Exchange Server installation paths such as:
- %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
The web shells we detected had the following file names:
Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.
Customers should monitor these paths for LSASS dumps:
- rundll32 C:\windows\system32\comsvcs.dll
Exfiltration useragent strings