Microsoft Exchange Server Zero-Days

By William Beard, Jr on March 25, 2021


Executive Summary

CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-26865 are four zero-day vulnerabilities that were recently used by the China-based, state-sponsored threat actor HAFNIUM, and subsequently by other threat actors, to infiltrate Microsoft Exchange servers. Once inside, the attackers deployed web shells, exfiltrated data, deployed ransomware and carried out other malicious activity on the compromised Exchange servers.

Vulnerability

The CVE-2021-26855 vulnerability is a server-side request forgery (SSRF) that allowed the attackers to authenticate to the Exchange servers. SSRF flaws are typically used as an initial foothold on the server from which the attacker launches other, more invasive attacks.
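To make the SSRF class concrete, the following added example (illustrative code, not Exchange code or Microsoft's) shows a front-end proxy that picks its back-end from client-supplied input. The vulnerable version trusts that input outright; the hardened version only ever contacts a back-end from an explicit allowlist. The header name and host names are constructed for this example.

```python
"""Added illustration of the SSRF pattern: a proxy that routes to a back-end
chosen from a client-controlled header, shown without and with an allowlist.
Header and host names are constructed, not taken from any real product."""
from urllib.parse import urlsplit

# Constructed allowlist: the only internal hosts this proxy is meant to reach.
ALLOWED_BACKENDS = {"mail-be-01.corp.example", "mail-be-02.corp.example"}
DEFAULT_BACKEND = "mail-be-01.corp.example"


def choose_backend_vulnerable(headers: dict) -> str:
    """Trusts a client-controlled header to select the back-end (SSRF).

    Whatever an anonymous client places in the header becomes the target the
    proxy connects to, including internal hosts the client cannot reach
    directly and services that trust requests originating from the proxy.
    """
    return headers.get("X-Backend", DEFAULT_BACKEND)


def choose_backend_hardened(headers: dict) -> str:
    """Same routing, but only an allowlisted back-end host is ever contacted."""
    requested = headers.get("X-Backend", DEFAULT_BACKEND)
    # Parse as a URL authority so "host:port", "user@host" or a smuggled scheme
    # cannot slip a different host past a naive string comparison.
    host = (urlsplit("//" + requested).hostname or "").lower()
    if host not in ALLOWED_BACKENDS:
        raise PermissionError(f"back-end {requested!r} is not allowlisted")
    return host


if __name__ == "__main__":
    probe = {"X-Backend": "internal-admin.corp.example"}
    print("vulnerable routes to:", choose_backend_vulnerable(probe))
    try:
        choose_backend_hardened(probe)
    except PermissionError as err:
        print("hardened refuses:", err)
```

The hardened version deliberately returns the canonicalised host rather than the raw header value, so whatever the proxy connects with downstream is exactly the allowlisted name and nothing the client appended to it.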

“CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service” [1]. It was chained with CVE-2021-26855, which gave HAFNIUM administrator-level access and, in turn, the ability to run code as SYSTEM on the infected servers.

Both CVE-2021-26858 and CVE-2021-26865 are “post-authentication arbitrary file write” vulnerabilities that allowed HAFNIUM to write files anywhere on the server. HAFNIUM used them to deploy web shells, which in turn were used to steal data and launch other malicious attacks against the infected servers.
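Because the file-write bugs leave their evidence on disk as newly dropped server pages, a responder's first check is a sweep of the web root for pages that should not be there. The added example below (my own illustration, not Microsoft's tooling or any published indicator set) flags `.aspx`/`.asmx`/`.ashx` files that are missing from a known-good inventory, were modified after a chosen cutoff, or contain script-execution tokens. The directory layout, file names, baseline and token list are all constructed for the example.

```python
"""Added example: hunt for dropped web shells under a web root by combining a
baseline inventory, a modification-time cutoff and content heuristics.
Everything below (paths, sample files, token list) is constructed."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed heuristic: execution primitives that rarely belong in a shipped page.
SUSPICIOUS_TOKENS = re.compile(
    r"(eval\s*\(|Request\.(Form|Item|QueryString)|Process\.Start)",
    re.IGNORECASE,
)
PAGE_EXTENSIONS = (".aspx", ".asmx", ".ashx")


def hunt_web_shells(root, baseline, cutoff):
    """Return sorted (relative_path, reasons) pairs for server pages under root.

    A page is reported if it is absent from `baseline` (a set of paths relative
    to root, '/'-separated), was modified after `cutoff` (an aware datetime),
    or matches SUSPICIOUS_TOKENS.  Each reason is listed so an analyst can
    triage a single stale-but-legitimate page differently from a true drop.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PAGE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if rel not in baseline:
                reasons.append("not in baseline inventory")
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if mtime > cutoff:
                reasons.append("modified after cutoff")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                if SUSPICIOUS_TOKENS.search(fh.read()):
                    reasons.append("contains script-execution token")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree(cutoff):
    """Create a throwaway web root: one legitimate page backdated to before the
    cutoff and listed in the baseline, plus one freshly dropped page."""
    root = tempfile.mkdtemp(prefix="webroot-")
    auth_dir = os.path.join(root, "app", "auth")
    os.makedirs(auth_dir)
    legit = os.path.join(auth_dir, "logon.aspx")
    with open(legit, "w", encoding="utf-8") as fh:
        fh.write('<%@ Page Language="C#" %>\n<html>logon form</html>\n')
    old = (cutoff - timedelta(days=30)).timestamp()
    os.utime(legit, (old, old))  # pretend it shipped with the product
    dropped = os.path.join(auth_dir, "help.aspx")
    with open(dropped, "w", encoding="utf-8") as fh:
        # Constructed marker only; it carries the token pattern, not a working page.
        fh.write('<%@ Page Language="JScript" %>\n<!-- constructed: eval(Request.Item) -->\n')
    return root


def demo():
    """Run the hunt over the constructed tree and return its findings."""
    cutoff = datetime.now(timezone.utc) - timedelta(hours=1)
    root = build_sample_tree(cutoff)
    baseline = {"app/auth/logon.aspx"}  # constructed known-good inventory
    return hunt_web_shells(root, baseline, cutoff)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

On a real host the baseline would come from a clean installation of the same build and the cutoff from the earliest suspicious activity in the HTTP logs; the three signals are reported separately on purpose, since an administrator's custom page trips the baseline check without being malicious, whereas a page that trips all three deserves immediate attention.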

Impact

Exploiting CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-26865 allowed HAFNIUM to deploy web shells, exfiltrate data and execute other malicious attacks. One of these was a new ransomware family named DearCry, a human-operated attack in which the actor moves laterally from the compromised server and then encrypts data for ransom.

Mitigation

Microsoft has released both manual patches for each zero-day vulnerability and a new one-click mitigation tool for organizations without a dedicated security team. It is recommended that these patches be applied immediately, to prevent infection or to help stop an attack that is already under way using these zero-day vulnerabilities.

Relevance

This attack has affected over 30,000 Microsoft Exchange Server customers so far, and that number continues to rise each day. The longer these systems remain unpatched, the more users will see their systems invaded by these malicious actors.

References

[1] Microsoft. “HAFNIUM Targeting Exchange Servers with 0-Day Exploits.” Microsoft Security, 6 Mar. 2021, www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/.

[2] Volexity. “Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities.” Volexity, 2 Mar. 2021, www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/.

[3] Weston, Sabina. “Microsoft Warns of Ransomware Attacks as Exchange Hack Escalates.” IT Pro, 12 Mar. 2021, www.itpro.co.uk/security/ransomware/358876/microsoft-warns-of-ransomware-attacks-as-exchange-hack-escalates.