Contents:
Multiple zero-day vulnerabilities have been used to attack on-premises versions of Exchange Servers, according to Microsoft. Cybercriminals exploited these flaws to gain entry to servers, which allowed access to email accounts and the installation of additional malware, at the same time enabling long-term exploitation of the target environments.
Businesses who are running a vulnerable version of Exchange Server must update as soon as possible!
Based on observed psychology, strategies, and practices, the Microsoft Threat Intelligence Center (MSTIC) credits this operation to HAFNIUM, an organization suspected of being state-sponsored and working out of China.
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 were the recently exploited vulnerabilities that have been resolved in a Microsoft Security Response Center (MSRC) release. Microsoft’s customers are strongly encouraged to patch their on-premises applications as soon as possible. The functionality of Exchange Online was unaffected.
Volexity and Dubex privately disclosed the attacks to Microsoft, reporting different parts of the attack chain.
The attacks seemed to have started as early as January 6, according to Volexity.
In the following lines, you will find out more about how HAFNIUM exploited the vulnerabilities and how you can better defend your organization in the face of potential attacks against unpatched systems.
Who is HAFNIUM and how do they operate?
HAFNIUM mainly attacks groups in the United States, including infectious disease researchers, law firms, higher education organizations, defense contractors, policy think tanks, and non-governmental organizations, notes Microsoft.
HAFNIUM has historically exploited bugs in internet-facing servers and used legal open-source tools for command and control, such as Covenant. The group normally exfiltrates data to file sharing sites like MEGA after gaining access to a victim network.
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” noted Microsoft Corporate Vice President of Customer Security & Trust, Tom Burt, in a blog post.
The attack can be summarized in the following three steps, according to Burt:
- Gaining access to an Exchange server using leaked credentials or zero-day exploits to impersonate employees who had access.
- Building a web shell to remotely access the hacked server.
- Stealing data from a target’s network via remote control.
“The exploits we’re discussing today were in no way connected to the separate SolarWinds-related attacks. We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.”, said Tom Burt.
The exploited vulnerabilities
- CVE-2021-26855 is an Exchange server-side request forgery (SSRF) vulnerability that permitted an attacker to transmit arbitrary HTTP requests while authenticating as the Exchange server.
- The CVE-2021-26857 flaw in the Unified Messaging service is an insecure deserialization vulnerability (this happens when a program deserializes untrusted user-controllable data). HAFNIUM was able to run code as SYSTEM on the Exchange server by exploiting this flaw. This necessitates admin permission or another vulnerability to exploit.
- The CVE-2021-26858 vulnerability in Exchange is a post-authentication arbitrary file write vulnerability. HAFNIUM could use it to write a file to any path on the Exchange server. They could gain access by leveraging the CVE-2021-26855 SSRF flaw or breaching the credentials of an administrator.
- The CVE-2021-27065 bug in Exchange is another post-authentication arbitrary file write flaw, which HAFNIUM could use to write a file to any path on the Exchange server, enabling them to gain access by leveraging the CVE-2021-26855 SSRF vulnerability or compromising the credentials of a legitimate administrator.
HAFNIUM operators used web shells on the infected server after leveraging these vulnerabilities to obtain initial access. Web shells may be employed by attackers to intercept data and carry out other malicious activities that lead to further exploitation. On Microsoft’s blog, you can find an example of an ASP-based web shell used by HAFNIUM.
Have you been affected?
You can investigate this by using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. You are strongly advised to conduct inspections and introduce proactive detection methods to recognize previous campaigns and avoid future attacks on your network.
You can find more details, including IOCs, here and here.
Conclusion
As always, we’d like to highlight the severity of these vulnerabilities and the importance of patching as soon as possible to stay safe against potential exploits and avoid further misuse across your environment.
- Next-gen Antivirus & Firewall which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Privileged Access Management and Application Control, all in one unified dashboard
With Heimdal™ Patch & Asset Management you can view and track your software inventory while achieving preemptive vulnerability management. This modular, scalable, and user-friendly tool can handle both Microsoft and third-party applications on the fly, from any place, and according to any schedule. This way, you ensure the software that is essential to the seamless running of your enterprise (internal, third-party, or Windows-related) is handled by a single, secure application. Furthermore, for vital protection against cyberattacks, your company will benefit from a fast rollout of security-critical fixes and upgrades.
In addition, by having an automated patch management process in place, your patching significantly improves, you achieve more granular control over your software environment, and your internal resources are freed up so they can work on more important issues.
Should you like to learn more, contact the Heimdal™ team at sales.inquiries@heimdalsecurity.com.
Enthusiastic about all things tech and content marketing.
