Microsoft has announced that on-premises Exchange servers are under attack, likely from a state-sponsored group operating from China. The group, named "HAFNIUM", is using multiple 0-day exploits to access on-premises Exchange Server instances, which in turn gives it access to the victims' email accounts. The malicious actors also install additional malware that acts as a backdoor for future attacks.
Microsoft has patched the vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, and recommends that customers update their on-premises systems urgently. It notes that Exchange Online is not affected by these attacks.
The Redmond tech giant says that the attack methodology is very similar to previous attacks by the HAFNIUM group, which has typically targeted government and private entities in the United States. The details of the vulnerabilities that the group exploited in its latest attack are as follows:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when a program deserializes untrusted, user-controllable data. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. It requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Microsoft claims that after exploiting the aforementioned vulnerabilities, the malicious actors were able to install web shells on the server, which allowed them to steal data such as Exchange offline address books, which contain information about a business and its users. They also took steps to enable further malicious actions in the future.
In its "Can I determine if I have been compromised by this activity?" section, Microsoft also lists several indicators of compromise (IOCs) to look for in logs, along with hashes, paths, and names of the web shells used in the attack. For remediation, it recommends using Azure Sentinel and Microsoft Defender for Endpoint to detect malicious activity. All on-premises Exchange Server instances and systems must be updated with the latest patches immediately, as per Microsoft.
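As an added defensive example that is not part of Microsoft's advisory or this article, the PowerShell below triages recently written ASP.NET files under an Exchange server's web-served directories, the kind of files an arbitrary file write would leave behind, and compares their hashes against a list of known web-shell hashes. The directory paths, the cutoff date and the hash list are assumptions or placeholders; the real hashes and paths come from Microsoft's published IOC list.

```powershell
# Added example, not code from Microsoft's advisory. Hunts for recently written
# ASP.NET files in web-served directories and flags known-bad hashes and
# web-shell-like content. All defaults below are assumptions/placeholders.
param(
    # Directories to scan (assumed defaults; adjust to the server's layout).
    [string[]]$Roots = @("C:\inetpub\wwwroot", "$env:ExchangeInstallPath\FrontEnd\HttpProxy"),
    # Only files modified on or after this date are reported (assumed window).
    [datetime]$Since = (Get-Date).AddDays(-30),
    # Known-bad SHA256 hashes: PLACEHOLDER, replace with Microsoft's published IOC hashes.
    [string[]]$KnownBadSha256 = @("<SHA256-FROM-MICROSOFT-IOC-LIST>")
)

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.asmx, *.ashx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # Heuristic: a file that reads request parameters AND reaches for code or
            # process execution looks like a web shell even if its hash is unknown.
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            $suspicious = ($content -match 'Request\.(Form|Item|QueryString)') -and
                          ($content -match '(eval|ProcessStartInfo|cmd\.exe|powershell)')
            [pscustomobject]@{
                Path       = $_.FullName
                LastWrite  = $_.LastWriteTime
                Sha256     = $hash
                KnownBad   = $KnownBadSha256 -contains $hash
                Suspicious = [bool]$suspicious
            }
        }
}

# Known-bad matches first, then heuristic hits, then everything else for manual review.
$findings |
    Sort-Object -Property @{Expression = 'KnownBad'; Descending = $true },
                          @{Expression = 'Suspicious'; Descending = $true },
                          LastWrite |
    Format-Table -AutoSize
```

Run it from an elevated Exchange Management Shell on the server; a `KnownBad` hit is a confirmed indicator, while a `Suspicious` hit or any unexpected recent file still needs manual review against the advisory's list of paths and names.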