Microsoft Exchange Servers Zero-Day Vulnerability

Risk:
high
Damage:
high
Platform(s):
Microsoft Exchange Servers
Advisory ID:
ngCERT-2021-0032
Version:
N/A
CVE:
CVE-2021-26855, CVE-2021-26857, CVE-2021-2688, CVE-2021-27065
Published:
March 8, 2021

Summary


Microsoft has confirmed the attacks against the Exchange servers aimed at stealing email addresses and installing malware to gain persistence in the target networks. This attacks campaign has been attributed to China-based hacker group called HAFNIUM who were exploiting unknown software bugs in Exchange Server to steal sensitive data from select targets. The vulnerability is being actively exploited in the wild by several cyber espionage groups, including LuckyMouse, Tick, and Calypso targeting servers around the world.

Description & Consequence


In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

However, if your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03, check for 8 character aspx files in C:\\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, you’re now in incident response mode.

The attackers are using the vulnerability to steal the full contents of several user mailboxes, and installing malwares on the target server to facilitate long-term access to victim environments. Furthermore, this vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.

Solution


Microsoft recommends that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs.

Reference


Revision


Related Articles