Microsoft Fixes Four Zero-Day Bugs in Exchange Servers Exploited by Chinese State-Sponsored Hackers

essidsolutions

Microsoft has patched four zero-day flaws in its Exchange email server that Chinese state-sponsored group Hafnium exploited to steal data from private and public organizations worldwide. The vulnerabilities enabled attackers to authenticate themselves, inject malware, execute commands remotely, and exfiltrate data.

The Redmond-based software giant revealed this week that a China-based nation-state group, dubbed Hafnium, has been targeting private servers running Microsoft Exchange. The hacker group actively exploited four zero-day vulnerabilities in Exchange to target private companies and governmental organizations to steal sensitive data.

Microsoft patched the four vulnerabilities affecting Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019, but said that their exploitation in targeted attacks remains limited for now.

The exploitation of the four vulnerabilities by Chinese hackers was discovered by cybersecurity companies Volexity and Dubex. Volexity said they found no backdoors and attributed the attack – which started in early January – to a “zero-day exploit being used in the wild.” The company is referring to CVE-2021-26855, a server-side request forgery (SSRF) bug detailed below.

Our team has been tirelessly working several intrusions since January involving multiple 0-day exploits in Microsoft Exchange. We’ve released the details of this threat activity alongside Microsoft’s Out of Band patch. Take a look and update Exchange!

— Steven Adair (@stevenadair) March 2, 2021

Hafnium Group

Microsoft terms Hafnium as a highly-skilled and sophisticated state-sponsored group from China that “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.”

A deeper analysis of the group’s tactics and procedures led Microsoft Security Response Center (MSRC) to conclude that the group is, in fact, a Chinese state-sponsored advanced persistent threat (APT) group. It conducts malicious activities mainly from leased virtual private servers (VPS) located in the United States. Redmond, however, clarified that malicious attacks by Hafnium are unrelated to the 2020 SolarWinds hack.

The four zero-day vulnerabilities discovered in Microsoft Exchange servers are as follows:

  • CVE-2021-26855
    CVSS Rating: 9.1;  Severity: Critical
    This is a server-side request forgery (SSRF) vulnerability in Exchange. An attacker can exploit CVE-2021-26855 to send arbitrary HTTP requests that are authenticated as the Exchange server. CVE-2021-26855 allows remote code execution (RCE).
  • CVE-2021-26857
    CVSS Rating: 7.8; Severity: High
    CVE-2021-26857 resides in the Unified Messaging service as an insecure deserialization vulnerability. “Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server,” Microsoft said. The vulnerability requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858
    CVSS Rating: 7.8; Severity: High
    CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Microsoft Exchange: once authenticated, an attacker can write a file to any path on the server. To exploit CVE-2021-26858, the attackers first have to authenticate themselves, either via CVE-2021-26855 or with compromised administrator credentials.
  • CVE-2021-27065
    CVSS Rating: 7.8; Severity: High
    Also a post-authentication arbitrary file write vulnerability, CVE-2021-27065 enables attackers to write a file to any path on the server after authentication. As with CVE-2021-26858, attackers must first authenticate themselves, either via the CVE-2021-26855 SSRF vulnerability or with compromised legitimate administrator credentials, before they can exploit CVE-2021-27065.

Adrien Gendre, chief product and services officer at Vade Secure, told Toolbox that the latest attack on Microsoft is a continuation of the supply chain attacks that have been rampant since the SolarWinds breach last year. Microsoft 365’s prominence in the market and customer base makes it extremely attractive and lucrative to cybercriminals.

“The victims in this case–medical researchers and defense contractors–not only offer state secrets but a supply chain of their own, which could be even more lucrative than the original victims. With a quick MX record search, a cybercriminal can see the domains of the email security vendors protecting those businesses and then reverse engineer the solutions to bypass them. If you’re using Microsoft 365, your email security vendor needs to be invisible, inside Microsoft 365 via API, instead of on the outside like a gateway,” he added.


Hafnium Attack Chain

The Hafnium attack chain began with the attackers gaining access to on-premise Exchange servers, either by exploiting the four zero-day bugs or by using stolen administrator credentials. Either method let them conceal their true identity and pass as legitimate users.

After gaining access, Hafnium created and deployed a web shell on the compromised server to control it remotely. A web shell gives the operator a persistent foothold for running commands and exfiltrating data. Below is one of the web shells deployed by Hafnium as part of the attack chain:

Finally, the attackers carried out tasks such as dumping the memory of LSASS (Local Security Authority Subsystem Service), compressing stolen data into ZIP files and exfiltrating it, adding user accounts, moving laterally to other systems, and more. LSASS, the process that enforces the local security policy, holds domain and local usernames and password material in memory, which explains the attackers’ interest in it.

This is as serious and bad as it sounds! Attackers are actively exploiting multiple 0-days in Exchange to steal e-mail/compromise networks. Internet facing Exchange servers are on the menu and the attackers are able to order whatever they want. Update with this OOB patch now!

— Steven Adair (@stevenadair) March 2, 2021

MSRC said in a blog post that organizations could prevent such attacks by restricting untrusted connections or through the use of a VPN connection to limit external access to the Exchange server. However, “using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file,” it said.

Most targets are located in the US but we’ve seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities. 3/5 pic.twitter.com/kwxjYPeMlm

— ESET research (@ESETresearch) March 2, 2021


Indicators of Compromise

Microsoft also detailed the indicators of compromise on host systems. They are:

Web Shell Hashes


Web Shell Names: web.aspx, help.aspx, document.aspx, errorEE.aspx, errorEEE.aspx, errorEW.aspx, errorFF.aspx, healthcheck.aspx, aspnet_www.aspx, aspnet_client.aspx, xx.aspx, shell.aspx, aspnet_iisstart.aspx, one.aspx

Paths in which Web Shells were identified:

  • C:\inetpub\wwwroot\aspnet_client
  • C:\inetpub\wwwroot\aspnet_client\system_web
  • In Microsoft Exchange Server installation paths such as:
    • %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
    • C:\Exchange\FrontEnd\HttpProxy\owa\auth
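As an added defensive example (written for this page, not Microsoft's own script), the PowerShell sweep below checks the directories listed above for .aspx files whose names match the web shell names Microsoft published and computes the SHA-256 of every .aspx it finds so the hashes can be compared against the list from the Microsoft advisory. The $KnownHashes array is a placeholder you fill in from that advisory; run the script as an administrator on the Exchange server.

```powershell
# Added example: sweep the IIS and Exchange front-end paths named above for
# suspicious .aspx files. Not Microsoft's script; run as an administrator.
$SuspectNames = @(
    'web.aspx', 'help.aspx', 'document.aspx', 'errorEE.aspx', 'errorEEE.aspx',
    'errorEW.aspx', 'errorFF.aspx', 'healthcheck.aspx', 'aspnet_www.aspx',
    'aspnet_client.aspx', 'xx.aspx', 'shell.aspx', 'aspnet_iisstart.aspx', 'one.aspx'
)
# Placeholder: paste the lowercase SHA-256 values from the Microsoft advisory here.
$KnownHashes = @()

$SearchPaths = @(
    'C:\inetpub\wwwroot\aspnet_client',
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    'C:\Exchange\FrontEnd\HttpProxy\owa\auth'
)

$Findings = foreach ($Path in $SearchPaths) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }
    # Recurse so that aspnet_client\system_web is covered as well.
    Get-ChildItem -LiteralPath $Path -Filter '*.aspx' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            $Reasons = @()
            if ($SuspectNames -contains $_.Name) { $Reasons += 'name matches published web shell name' }
            if ($KnownHashes -contains $Hash)    { $Reasons += 'SHA-256 matches published web shell hash' }
            # Report every .aspx, including unfamiliar ones, and let the analyst
            # triage on the Reason column together with the creation time.
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTimeUtc
                Sha256  = $Hash
                Reason  = if ($Reasons) { $Reasons -join '; ' } else { 'unlisted .aspx (review manually)' }
            }
        }
}

$Findings | Sort-Object Reason -Descending | Format-Table -AutoSize
```

The owa\auth directory legitimately contains Exchange's own .aspx pages, so entries flagged "unlisted .aspx" are not findings by themselves; a name or hash match, or an .aspx under aspnet_client, is what warrants investigation.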

All four vulnerabilities affect on-premise Microsoft Exchange systems; Exchange Online, the hosted version of the email and calendaring server, is unaffected. Systems administrators should therefore patch on-premise systems immediately to prevent breaches. Hafnium also obtained the Exchange offline address book, which contains information about an organization and its users, from compromised systems.
