Multiple Threat Groups Exploiting Zero Day Microsoft Exchange Server Flaws


Microsoft has released out-of-band security updates to fix four zero-day Microsoft Exchange Server vulnerabilities that are being actively exploited by a Chinese Advanced Persistent Threat (APT) group known as Hafnium.

The attacks have been ongoing since early January, with the APT group targeting defense contractors, law firms, universities, NGOs, think tanks, and infectious disease research organizations in the United States. Exploitation of the flaws allows the attackers to exfiltrate mailboxes and other data from vulnerable Microsoft Exchange servers, run virtually any code on the servers, and upload malware for persistent access.

Hafnium is a previously unidentified sophisticated APT group that is believed to be backed by the Chinese government. The group is chaining together the four zero-day vulnerabilities to steal sensitive data contained in email communications. While developing the exploits required some skill, using those exploits is simple and allows the attackers to exfiltrate large quantities of sensitive data with ease. While the APT group is based in China, virtual private servers in the United States are leased for use in the attacks, which helps the group stay under the radar.

The flaws are present in all supported Microsoft Exchange Server versions (2013, 2016, 2019) and in Exchange Server 2010. Patches have been released to fix the flaws in Exchange Server 2010, 2013, 2016, and 2019. The flaws do not affect Exchange Online or personal email accounts; only on-premises Exchange servers are affected.

Microsoft has credited the cybersecurity firms Volexity and Dubex with helping to discover the attacks, which were first identified on January 6, 2021. Now that the patches have been released, attacks are expected to increase as the group rushes to gain access to as many vulnerable Exchange servers as possible before the patches are applied.

The vulnerabilities are:

  • CVE-2021-26855: A server-side request forgery (SSRF) vulnerability that allows HTTP requests to be sent to an on-premises Exchange Server to authenticate as the Exchange server itself.
  • CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service that can be exploited to run any arbitrary code as SYSTEM on the Exchange server.
  • CVE-2021-26858 and CVE-2021-26865: Two file write vulnerabilities that allow an authenticated user to write files to any path on the server. The flaws are chained with CVE-2021-26855, although they could also be exploited using stolen credentials.

Once initial access to the Exchange server is gained, the attackers deploy a web shell that allows them to harvest cached credentials, upload files such as malware for persistent access, execute virtually any command on the compromised system, and exfiltrate mailboxes and other data.

Exploits for the vulnerabilities are not believed to have been released publicly, with the attacks currently only being conducted by Hafnium, although that may not remain the case for long.

Microsoft is advising all users of the vulnerable Microsoft Exchange versions to apply the patches immediately. After applying the patches, an investigation should be conducted to determine if the flaws have already been exploited, as patching will not prevent any further malicious activity or data exfiltration if the attackers have already compromised the server.

Microsoft has provided Indicators of Compromise (IoCs) to help customers identify whether the flaws have already been exploited.
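The post-patch investigation described above can be started with a simple triage pass on the server itself. The following PowerShell script is an added example for this page, not code from the article, Microsoft, or any of the cited researchers. It records the installed Exchange build (so it can be compared with the patched build number in Microsoft's advisory, which is not reproduced here) and then lists .aspx files written under the IIS and Exchange front-end web roots after a cut-off date, since the article notes that the attackers drop web shells for persistence. The web root paths, the cut-off date, and the report location are assumptions; adjust them to the server being examined.

```powershell
# Added example (not from the article or from Microsoft): post-patch triage for an
# on-premises Exchange server. Step 1 records the installed build; step 2 lists
# recently written .aspx files in the web roots as web shell candidates for review.
# Paths, cut-off date and report location are assumptions.

param(
    # Earliest date of interest; the article dates the first attacks to early January 2021.
    [datetime]$Since = (Get-Date '2021-01-01'),
    # Web roots to search; assumed defaults for a standard Exchange 2016/2019 install.
    [string[]]$WebRoots = @(
        'C:\inetpub\wwwroot',
        'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy'
    ),
    [string]$ReportPath = "$env:TEMP\exchange-triage-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

# 1. Installed build: ExSetup.exe carries the product version of the server.
#    Compare the value against the patched build listed in Microsoft's advisory.
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
if ($exsetup) {
    $build = $exsetup.FileVersionInfo.FileVersion
    Write-Host "Installed Exchange build: $build"
} else {
    Write-Warning 'ExSetup.exe not found on PATH; run this from the Exchange Management Shell.'
}

# 2. Recently written .aspx files in the web roots. A legitimate patch install also
#    rewrites files in these directories, so compare every hit against a known-good
#    server or a fresh install before treating it as a web shell.
$findings = foreach ($root in $WebRoots) {
    if (-not (Test-Path $root)) { Write-Warning "Skipping missing path: $root"; continue }
    Get-ChildItem -Path $root -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    $findings | Sort-Object CreationTime -Descending | Format-Table -AutoSize
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Wrote $(@($findings).Count) candidate file(s) to $ReportPath"
} else {
    Write-Host "No .aspx files written since $Since under the searched web roots."
}
```

Run it from an elevated Exchange Management Shell on each Exchange server. The SHA256 column is there so that the hits can be checked against the indicators Microsoft published and against the same file on an unaffected server; a file that appears in the report is a lead for the investigation, not proof of compromise on its own.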

CISA has issued an emergency directive about the vulnerabilities, which can be viewed here.

UPDATE:

Security researchers have reported multiple APT groups are now exploiting the flaws and organizations and companies of all sizes are now being targeted, including healthcare providers, banks, utility companies, hotels, and local and county governments. Attacks are expected to continue to increase over the coming days.

ESET reports that in addition to Hafnium, attacks are being conducted by the APT27, LuckyMouse, Tick, and Calypso APT groups, and there are other clusters that have yet to be identified. Researchers at Huntress say they have observed more than 100 web shells being deployed on around 1,500 vulnerable Microsoft Exchange Servers.

While the Hafnium attacks are being conducted for cyber espionage purposes, the motives of the other groups are unclear. The web shells they are deploying will provide continued access to Microsoft Exchange Servers after the patches have been applied and could be used for a range of different malicious purposes.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
