Patch Tuesday, March 2021: Microsoft Releases Several Out-of-Band Patches for Windows Exposures, Including Four Documented Zero-Day Server Exchange Vulnerabilities
Microsoft Patches Four Zero-Day Vulnerabilities
On the 2ndof March, Microsoft rolled out several out-of-band patches for minor and medium Windows vulnerabilities and exposures. Of particular interest are the mitigations for CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, and CVE-2021-26855, discovered at the end of February and attribute to the Hafnium Big-game Hunter. Microsoft’s Security Response Center stated that the newly-discovered attack vectors impacted the Exchange Server and that they have been previously employed by Hafnium to exfiltrate valuable data from Mega, a file-sharing site, and several other VPSs (virtual private servers) located in the United States.
Who is Hafnium?
There’s insufficient documentation on the Hafnium threat actor, but according to several media outlets, this particular Big Game Hunter may have or have had ties with the Chinese Government. Greenberg and Krebs declared for The Verge that an allegedly nation-sponsored group may have compromised as many as 30,000 US companies and 60,000 Exchange Server customers from around the world. The White House went on high alert, with the Press Secretary Jen Psaki urging Homeland Security’s cyber-threat agency to take action against the group.
Cleaving into the Vulnerabilities
The four Zero-Days vulnerabilities affected customers running 2019, 2016, 2013, and 2010 versions of Microsoft’s Exchange Server. Subsequent pen-testing proved that Exchange Online was immune to these exploits. This patching bout has focused on closing the gaps used by Hafnium and collaborators to compromise its victims. In the security blog post dedicated to Hafnium and the zero-day Exchange exploits, MSTIC pointed out that the exposures would later be used for persistence, lateral movement, future data exfiltration actions, malware deployments, or surgical DDoS Strikes.
The overall infiltration methodology involved ‘hitting’ the on-premises, Internet-facing Microsoft Exchange Servers in short bursts. This would have granted the threat actors to the email information hosted on those servers and the ability to exfiltrate sensitive information via command & controls servers. MSTIC also noted that Hafnium utilizes open-source tools and frameworks for data exfiltration and C&C.
Upon gaining access to the on-premises Exchange Servers, the attackers would drop web shells for lateral movement and to perform even more actions on target: dump the LSASS memory for credential dumping, create password-protect archives of stolen information, utilizing PowerShell to export confidential data found inside the mailboxes, open and maintain a connection to the remote C&C server via open-source tools like PowerCat.
All of the vulnerabilities have been addressed in the latest patch round. Considering that all four zero-days have high CVSS v3 scores, we strongly encourage you to update your Exchange Servers immediately. Microsoft also advises system owners running the vulnerable Exchange Server versions to download and deploy the cumulative updates prior to the security patches.
The technicalities behind the fixed CVEs are described below:
Manipulating an arbitrary file-write after the authentication process takes place. The attacker would have been able to write a file to any path that is located on the on-premises server. Fake authentication could have carried out either by stealing or compromising the credentials of a legit administrator or via SSRF.
Presents the same auth and post-authentication procedures as in the case of CVE-2021-27056.
Earmarked as “an insecure serialization vulnerability in the UMS”. As MSTIC explains, insecure deserialization can occur when user-owned data coming from an untrusted source is deserialized by a process or software. By taking advantage of this vulnerability, the threat actor can gain SYSTEM-type permissions.
The base of the attack. Known as Server-Side Request Forgery, this attack exploited a vulnerability in Exchange Server which would have allowed the threat actor to pose as the Exchange Server via forged HTTP requests.
Heimdal® Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
Protecting your corporate assets against Hafnium Signatures
The best way to counter Hafnium’s signature attacks is to deploy Microsoft’s latest security patches. However, it is essential to discover whether or not your Exchange Server has been compromised. Microsoft has created a script that will help you mitigate any post-attack memory and performance issues and detect the Indicators of Compromise associated with Hafnium. The script in question is available in GitHub’s repository. Checking the logs for Application Event, Windows Application event, and Exchange can also help you detect Hafnium activity.
Meanwhile, Heimdal™ Security advises all Exchange owners to install the latest security patches, review Exchange security policies, and deploy additional countermeasure to seal all attack venues. Cybersecurity solutions such as Heimdal™ Security Threat Prevention – Network can aid in countering forge HTTP requests, filter out malicious packets, and prevent threat actors from establishing a connection to the command-and-control server.