On January 6, 2021. Hafnium, a Chinese state-sponsored group known for notoriously targeting the United States, started exploiting zero-day vulnerabilities on Microsoft Exchange Servers.
The criminals launched a deluge of cyberattacks for almost 2 months without detection. On March 2, 2021, Microsoft finally became aware of the exploits and issued necessary security patches.
By that point, it was too late. About 60,000 organizations were comprised through the overlooked Exchange Server vulnerabilities, and tens of thousands are still unaware that they're currently exposed through these Microsoft Server flaws.
Since the Exchange security patches were released, cyberattacks targeting these vulnerabilities have drastically multiplied. Criminals know this window of exploit opportunity is closing, and they're breaching as many targets as possible before all vulnerable servers are patched.
Unprotected servers need to urgently be updated before they're discovered by cybercriminals. To learn how to best protect your organization against CVE-2021-26855, read on.
If you know you're impacted by the Microsoft Exchange Zero-Day exploits, Click Here for security patch download instructions.
Which Servers are Impacted by the Microsoft Zero Day Exploits?
The following Exchange servers are impacted by exploits discovered by the cybercriminal group Hafnium and need to be updated immediately.
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Though not directly impacted by the flaws discovered by Hafnium, there is also a new security update available for ME Server version 2010, to reinforce its threat defences.
Only Exchange software is affected by these vulnerabilities and not Exchange Online.
What are the Microsoft Exchange Server Zero-Day Exploits?
There are four Common Vulnerability Exposures (CVEs) currently being exploited by cyberattacks. To keep remediation efforts efficient, it's important to understand the details of each exposure.
- CVSS: 9.1 (critical)
The Microsoft Exchange server attack chain beings with the exploration of this flaw, also known as a server-side-request-forgery (SSRF) vulnerability.
When exploited, HTTPS connections are established to authenticate user access.
Besides installing all mandatory patches, such untrusted connections can be prevented by placing the Exchange server inside a VPN to separate port 443 from external connection requests.
Because CVE-2021-26855 is the entry point for exploiting each of the other three vulnerabilities outlined below, remediation efforts should be focused on this exposure first.
By doing so, all other secondary threats could be protected from exploitation.
What does CVSS mean?
The Common Vulnerability Scoring System (CVSS) is an open scoring framework for classifying the severity of each exposure. The CVSS has a maximum rating of 10.
CVE-2021-26855 has a CVSS value of 9.1 which places it in the highest severity category - critical.
- CVSS: 7.8 (high)
This is an insecure deserialisation vulnerability. Once exploited, an attacker would be granted arbitrary code execution privileges as SYSTEM.
This authentication level would then permit the injection of SOAP payload.
- CVSS: 7.8 (high)
Only after privileged access is authenticated can flaws CVE-2021-26858 and CVE-2021-27065 (see below) be exploited. Because of this essential prerequisite, these vulnerabilities are exploited in the final stages of the chain attack.
Access authentication could be achieved after exploiting the most critical vulnerability in this list, CVE-2021-26855.
Upon successful compromise, an attack will be permitted to inject malicious code into any path on the targeted Microsoft Exchange server.
After penetrating this final barrier, the HAFNIUM cybercriminals have been observed to deploy web shells.
Web shells establish backdoor connections to give threat actors remote access to a system. This makes injecting malicious commands, stealing user credentials, and the deployment of ransomware attacks possible.
The Hafnium threat actors have also been observed to exfiltrate the Offline Address Book (OAB) for Exchange. The OAB allows Microsoft Outlook users to access their address book while disconnected from their server.
Victims that have had their OAB comprised could be the targets of reconnaissance campaigns - where internal activity is monitored in preparation for future cyberattacks.
- CVSS: 7.8 (high)
Both CVE-2021-27065 and CVE-2021-26858 (above) offer attackers similar system compromise capabilities when they're exploited.
Is My Organization Impacted?
If your organization is using any of the following Microsoft Exchange Server versions, these Zero-Day exploits impact you and you must install all necessary patches.
- Microsoft Exchange Version 2013
If you're not sure whether your organization is impacted by the vulnerable Exchange server version, you can find out by completing a scan of our entire attack landscape.
How to Find Out if You're Affected by Microsoft Exchange Zero-Day Exploits
To check whether you're at risk you need to scan your ecosystem for the following flaw, CVE-2021-26855.
This is the only vulnerability that needs to be detected because all remaining 3 flaws can only be exploited after this one has been comprised.
If CVE-2021-26855 is detected, you can infer that all other vulnerabilities have been exploited.
There are X methods for testing whether you've been impacted by the Microsoft Exchange attack. The first method is both the easiest and the quickest. The other x require more technical erudition.
1. Scan you're entire threat landscape with UpGuard
UpGuard is an end-to-end attack surface risk management platform. The solution identifies key vulnerabilities in an ecosystem that could be exploited in a cyberattack.
UpGuard's propriety vulnerability detection engine has been recently updated to specifically detect the critical Microsoft Exchange flaw CVE-2021-26855.
The entire third-party network is also monitored to also identity any vendors that are impacted by this flaw.
It's very important for the vendor network to not be overlooked. Supply chain attacks are on the rise. A determined attacker could breach your organization by comprising a vendor with this vulnerability.
Click Here if you're not an UpGuard customer and you'd like a free demonstration of its vulnerability detection engine.
The instructions below describe how to use UpGuard to scan for CVE-2021-26855 both internally and throughout the vendor network.
How to detect CVE-2021-26855 internally
BreachSight customers can determine if they're currently impacted by this flaw by navigating to 'vulnerabilities' and searching CVE-2021-26855 in the vulnerability search field.
If detected, the search results will display this flaw as a 'verified vulnerability' with the following subtitle:
Microsoft Exchange Server Remote Code Execution Vulnerability.
How to detect CVE-2021-26855 in your vendor network
VendorRIsk customers can determine if any of their vendors are currently impacted by this flaw through the following sequence:
Step 1: Select "Portfolio Risk Profile" in the left-hand module menu.
Step 2: Select "Apply Filters" in the top right
Step 3: Create a search filter for CVE-2021-26855
When the side menu appears, click on "Filter by CVE ID" to display the search field for that filter category.
Search for CVE-2021-26855 and click on the result.
Then, click "Apply."
If this vulnerability is detected, a remediation workflow can be requested from each impacted vendor.
2. Check for Indicators Of Compromise (IOC)
You can check if your organization has already been exploited by running the Microsoft IOC detection tool.
Microsoft is continuously updating its feed of detected Malware hashes and malicious file paths associated with the latest Exchange Server exploits.
This information is also available on GitHub.
If an IOC scan reveals the presence of a threat in your ecosystem, response efforts should be conducted alongside the security update installation process outlined below.
Downloading patches for Microsoft Exchange Server version 2010, 2013, 2016, and 2019
If you discover that you're exposed by CVE-2021-26855, you must install the necessary patches immediately.
All impacted Microsoft Exchange servers that are externally facing, must be updated first.
For the latest Exchange patch releases, and detailed download and installation instructions, click here.
What to Do if You've Been Compromised
The United States Government Cybersecurity and Infrastructure Security Agency has created a victim response guide specifically for the Microsoft Exchange flaw CVE-2021-26855.
To respond more efficiently to this current Exchange threat and all future cyber threats, it's important to have a clear and up-to-date Incident Response Plan (IRP).
To assist with the development of a highly-effective IRP, refer to CISA Alert AA20-245A.