On March 2, 2021, Microsoft released details on a zero-day vulnerability actively exploited by a Chinese cyber threat actor, designated HAFNIUM, with an urgent recommendation for immediate security patching. The multiple zero-day exploits are used to target on-premises versions of Microsoft Exchange Server in limited and targeted attacks on U.S.-based organizations, including defense contractors, infectious disease researchers, policy think tanks, and law firms. The out of band security update addresses vulnerabilities for the following versions of Exchange Server: Exchange Server 2013; Exchange Server 2016; Exchange Server 2019
The Microsoft Threat Intelligence Center (MSTIC) identified HAFNIUM as a Chinese state-sponsored threat actor. Hafnium is assessed as a “highly skilled and sophisticated actor” that operates from within China. To date, Microsoft has only observed Hafnium actively exploiting the Exchange Server vulnerabilities. These exploits have enabled access to email accounts and allowed installation of additional malware to facilitate long-term remote access to victimized environments.
The observed cyber-attack activity has entailed three steps:
- Gaining access to an Exchange Server either with stolen passwords;
- Use of a web shell to control the compromised server remotely; and
- Exploitation of the remote access – run from the U.S.-based private servers – to steal data from the targeted organization’s network.
Additionally, following the web shell deployment, Microsoft found that Hafnium operators performed a range of post-exploitation activity:
- Using Procdump to dump the LSASS process memory;
- Using 7-Zip to compress stolen data into ZIP files for exfiltration;
- Adding and using Exchange PowerShell snap-ins to export mailbox data;
- Using the Nishang Invoke-PowerShellTcpOneLine reverse shell; and
- Downloading PowerCat from GitHub, then using it to open a connection to a remote server.
Microsoft is urging customers to install the following security updates immediately to protect against these attacks.
- CVE-2021-26855: Server-side request forgery (SSRF) vulnerability in Microsoft Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857: Insecure deserialization vulnerability in the Unified Messaging Service, resulting in untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as system administrator on the Exchange server.
- CVE-2021-26858: Microsoft Exchange Server Remote Code Execution Vulnerability. Post-authentication arbitrary file write vulnerability in Microsoft Exchange. If HAFNIUM could authenticate with the Exchange server, then the attacker can use this vulnerability to write a file to any path on the server. Authentication is accomplished by exploiting the CVE-2021-26855 SSRF vulnerability or compromising a legitimate admin’s credentials.
- CVE-2021-27065: Post-authentication arbitrary file write vulnerability in Microsoft Exchange. Same as above. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.
March 3, 2021: CISA Issues Emergency Directive and Alert on Microsoft Exchange Vulnerabilities
The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive (ED) 21-02 and Activity Alert AA21-062A addressing these critical vulnerabilities in Microsoft Exchange on-premises products. CISA partners have observed and reported active exploitation of these vulnerabilities. Significantly, neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of the Microsoft Exchange on-premises product vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling persistent system access and exercise of control in an enterprise network.
CISA has determined that exploitation of these Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.
CISA strongly recommends organizations examine their systems to detect any malicious activity detailed in Activity Alert AA21-062A. Further, it is advisable to review the following resources for more information:
- CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
- Microsoft Security Blog Post: Multiple Security Updates Released for Exchange Server