
Microsoft is urging customers to install emergency patches as soon as possible to protect against highly skilled hackers who are actively exploiting four zero-day vulnerabilities in Exchange Server.
The software maker said hackers working on behalf of the Chinese government have used the previously unknown exploits to hack into fully patched on-premises Exchange Server software. So far, Hafnium, as Microsoft calls the hackers, is the only group to have exploited the vulnerabilities, but the company said that could change.
“While we have worked quickly to implement an update to the Hafnium exploits, we know that many national actors and criminal groups will act quickly to take advantage of unpatched systems,” Microsoft Corporate Vice President of Customer Security & Trust Tom Burt wrote in a post published Tuesday afternoon. “Applying the current patches immediately is the best protection against this attack.”
Burt did not identify the targets other than saying that they are companies using on-premises Exchange Server software. He said Hafnium operates out of China, primarily for the purpose of stealing data from US-based infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-governmental organizations.
Burt added that Microsoft is not aware of individual consumers being targeted, or of the exploits affecting other Microsoft products. He also said the attacks are in no way related to the SolarWinds-related hacks that breached at least nine US government agencies and about 100 private companies.
The zero-days are present in Microsoft Exchange Server 2013, 2016 and 2019. The four vulnerabilities are:
- CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed the attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is when untrusted, user-controllable data is deserialized by a program. By exploiting this vulnerability, Hafnium was able to run code as SYSTEM on the Exchange server. Exploiting it requires administrator permission or another vulnerability.
- CVE-2021-26858, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, it could use this vulnerability to write a file to any path on the server. The group can authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising the credentials of a legitimate administrator.
- CVE-2021-27065, a second post-authentication arbitrary file write vulnerability. As with CVE-2021-26858, once Hafnium could authenticate with the Exchange server it could write a file to any path on the server, and it could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising the credentials of a legitimate administrator.
The attack, Burt said, involved the following steps:
- Access an Exchange server with stolen passwords, or by using the zero-days to disguise themselves as someone who should have access
- Create a web shell to remotely control the compromised server
- Use that remote access to steal data from a target’s network
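The vulnerability list and the three-step chain above describe two things a defender can actually see in logs: requests that reach front-end handlers with no authenticated user (the SSRF stage), followed by hits on an .aspx file that has no business existing under the Exchange front end (the web shell stage). The script below is an added example written for this page, not Microsoft's, Volexity's or Dubex's tooling, and it contains no exploit code. It parses IIS W3C logs and correlates the two signals per client IP. The log excerpt, the client IPs, the `demo_shell.aspx` name, the front-end path prefixes and the `KNOWN_ASPX` allowlist are all constructed assumptions for illustration; tune the prefixes and allowlist from a known-good server before using it on real data.

```python
"""Hunt IIS W3C logs for the two observable stages of the attack chain:
anonymous POSTs to Exchange front-end paths, then requests for an
unexpected .aspx file (a candidate dropped web shell).

Added example for illustration; heuristics and sample data are assumptions.
"""
from collections import defaultdict

# Constructed IIS W3C log excerpt (assumption; not from a real incident).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-02 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa 443 - 203.0.113.7 Mozilla/5.0 200
2021-03-02 10:15:07 10.0.0.5 POST /ecp/x.js - 443 - 203.0.113.7 python-requests/2.25.1 200
2021-03-02 10:15:09 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 203.0.113.7 python-requests/2.25.1 200
2021-03-02 10:15:20 10.0.0.5 POST /owa/auth/demo_shell.aspx - 443 - 203.0.113.7 python-requests/2.25.1 200
2021-03-02 10:16:02 10.0.0.5 POST /owa/auth/demo_shell.aspx cmd=whoami 443 - 203.0.113.7 python-requests/2.25.1 200
2021-03-02 10:20:11 10.0.0.5 GET /owa/ - 443 CORP\\jsmith 192.168.1.50 Mozilla/5.0 200
2021-03-02 10:21:33 10.0.0.5 POST /ecp/ - 443 CORP\\admin 192.168.1.51 Mozilla/5.0 200
"""

# Front-end path prefixes to watch (assumption; adjust to the deployment).
FRONTEND_PREFIXES = ("/owa/auth/", "/ecp/", "/aspnet_client/")
# .aspx pages expected under the front end on a stock install (assumption;
# build the real allowlist from a known-good server, not from this list).
KNOWN_ASPX = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}


def parse_w3c(log_text):
    """Yield one dict per record, keyed by the names in the #Fields: header.
    W3C fields never contain spaces (IIS encodes them), so a plain split works."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # header-less or malformed record: skip rather than guess
        yield dict(zip(fields, values))


def is_anonymous_frontend_post(rec):
    """Stage 1 signal: a successful POST to a front-end path with no
    authenticated user. Legitimate clients authenticate before POSTing here;
    the SSRF lets an attacker reach back-end handlers without doing so."""
    return (rec["cs-method"] == "POST"
            and rec["cs-username"] == "-"
            and rec["cs-uri-stem"].lower().startswith(FRONTEND_PREFIXES)
            and rec["sc-status"] == "200")


def is_unexpected_aspx(rec):
    """Stage 2 signal: a request for an .aspx file under the front end whose
    file name is not one we expect to exist, i.e. a candidate web shell."""
    stem = rec["cs-uri-stem"].lower()
    if not stem.endswith(".aspx") or not stem.startswith(FRONTEND_PREFIXES):
        return False
    return stem.rsplit("/", 1)[-1] not in KNOWN_ASPX


def hunt(log_text):
    """Return {client_ip: {"anon_posts": n, "webshell_hits": n, "chain": bool}}
    for every client that tripped at least one signal. "chain" is set when the
    same client shows both stages, the sequence the article describes."""
    findings = defaultdict(lambda: {"anon_posts": 0, "webshell_hits": 0, "chain": False})
    for rec in parse_w3c(log_text):
        ip = rec["c-ip"]
        if is_anonymous_frontend_post(rec):
            findings[ip]["anon_posts"] += 1
        if is_unexpected_aspx(rec):
            findings[ip]["webshell_hits"] += 1
    for f in findings.values():
        f["chain"] = f["anon_posts"] > 0 and f["webshell_hits"] > 0
    return dict(findings)


if __name__ == "__main__":
    for ip, f in hunt(SAMPLE_LOG).items():
        print(ip, f)
```

On the constructed excerpt only the external client shows both stages; the internal administrator's authenticated POST to /ecp/ is ignored because a username is present. The allowlist is the weak point of this approach: an attacker who overwrites a legitimate page rather than dropping a new one will not trip the second signal, so pair it with file-integrity checks on the front-end directories.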
As is typical of Hafnium, the group operated from rented virtual private servers in the US. Volexity, a security company that privately reported the attacks to Microsoft, said the attacks appeared to begin as early as January 6.
“While the attackers initially seemed to have flown largely under the radar simply by stealing emails, they have recently moved on to launching exploits to gain a foothold,” wrote Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair and Thomas Lancaster. “From Volexity’s perspective, it appears that this exploitation involves multiple operators using a wide variety of tools and methods for credential dumping, lateral movement, and further backdooring systems.”
More details, including indicators of compromise, are available here and here.
In addition to Volexity, Microsoft also credited security firm Dubex for privately reporting various parts of the attack to Microsoft and assisting in an investigation that followed. Companies using a vulnerable version of Exchange Server should apply the patches as soon as possible.