Microsoft has confirmed that hackers, attributed to state-sponsored Chinese operatives, are currently attacking Microsoft Exchange Server installations using multiple zero-day exploits.
Microsoft issues critical update warning as Exchange servers come under attack
In a joint posting, the Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team and Microsoft 365 Security warned that the in-the-wild attacks allowed access to email accounts as well as the installation of additional malware. Attributing the attack campaign to a group known as HAFNIUM, Microsoft has warned users of the critical nature of the four vulnerabilities, urging customers to update all on-premises Exchange servers immediately. Microsoft also confirmed that Exchange Online does not appear to be affected.
According to researchers at Volexity, the attacks would seem to have started back on January 6. "The attacker was using the vulnerability to steal the full contents of several user mailboxes," a Volexity blog posting states. The same researchers found the vulnerability to be remotely exploitable without any authentication needed. Indeed, they determined that all an attacker needs to know is "the server running Exchange and the account from which they want to extract e-mail."
The four critical vulnerabilities are a server-side request forgery (CVE-2021-26855) used to authenticate as the Exchange server, a vulnerability in the Unified Messaging service (CVE-2021-26857) that enables running code as SYSTEM, and two post-authentication arbitrary file write vulnerabilities (CVE-2021-26858 and CVE-2021-27065), which together create a perfect exploitation storm.
Tom Burt, Microsoft's corporate vice-president of customer service and trust, explained how HAFNIUM is exploiting these zero-day vulnerabilities.
This happens in three stages. The first is gaining access to the Exchange Server by appearing to be someone with authorized access, thanks to CVE-2021-26855. Next, a web shell is created in order to gain remote control of the server. And finally, that remote access is used to steal data from the network.
A statement by the Microsoft Security Response Center says that the attack chain initially requires an untrusted connection to port 443 of the Exchange server, and mitigation includes “restricting untrusted connections or by setting up a VPN to separate the Exchange server from external access.”
Applying the released patches, however, remains the priority here. Burt reiterated the need to apply the emergency updates immediately. "Even though we’ve worked quickly to deploy an update for the Hafnium exploits," Burt said, "we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems."
Microsoft senior threat intelligence analyst Kevin Beaumont tweeted that he expects "more threat actors, including ransomware" to start using these vulnerabilities soon, which just serves to underscore the criticality of applying those updates at once. Beaumont isn't known for exaggerating risk, quite the opposite, so when he says something like this you know it is, in his words, the real deal.
Indeed, Satnam Narang, a staff research engineer at Tenable, said that "while Microsoft says that HAFNIUM primarily targets entities within the United States, other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions."
Microsoft has stated that "the exploits we’re discussing today were in no way connected to the separate SolarWinds-related attacks. We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services."
Meanwhile, Charles Carmakal, chief technical officer at FireEye Mandiant, stressed the importance of organizations checking whether they have been compromised, in addition to just patching. "FireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organizations. In addition to patching as soon as possible, we recommend organizations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches."
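The review Carmakal describes starts with the server's own logs. Since the second stage of the attack chain described above is a web shell dropped on the Exchange server, one simple hunting heuristic is to pull every POST to a .aspx resource that is not part of the server's known set of pages out of the IIS W3C logs and group it by source address. The script below is an added example written for this article; it is not code from Microsoft, Volexity or FireEye. The log lines are constructed (the paths, addresses and user agents are invented), the baseline set of known pages is an assumption that a real deployment would build from its own inventory, and the heuristic is a starting point for triage rather than a list of published indicators.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended log format. Nothing here is real data:
# the URI stems, client addresses and user agents are invented for illustration.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-03-02 10:01:03 10.0.0.5 GET /owa/auth/logon.aspx - 443 198.51.100.7 Mozilla/5.0 200
2021-03-02 10:01:09 10.0.0.5 POST /owa/auth.owa - 443 198.51.100.7 Mozilla/5.0 302
2021-03-02 10:02:41 10.0.0.5 POST /owa/auth/example.aspx - 443 203.0.113.9 python-requests/2.25 200
2021-03-02 10:02:44 10.0.0.5 POST /owa/auth/example.aspx - 443 203.0.113.9 python-requests/2.25 200
2021-03-02 10:05:10 10.0.0.5 GET /ecp/default.aspx - 443 198.51.100.7 Mozilla/5.0 200
"""

# Assumed baseline of .aspx pages the server is expected to serve. In practice this
# would be generated from the installed product's web directories, not typed by hand.
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            # The header names the columns; everything after it uses that layout.
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            # Other directives (#Software, #Date) or data before any header: skip.
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            # Malformed or truncated line; do not guess at column alignment.
            continue
        yield dict(zip(fields, values))


def find_unexpected_aspx_posts(text, baseline=KNOWN_ASPX):
    """Return {uri_stem: {client_ip: count}} for POSTs to .aspx pages outside the baseline.

    A POST to a page the product does not ship is the access pattern a web shell
    produces, so these are the requests worth examining first.
    """
    hits = defaultdict(Counter)
    for rec in parse_iis_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if rec["cs-method"].upper() != "POST":
            continue
        if stem.endswith(".aspx") and stem not in baseline:
            hits[stem][rec["c-ip"]] += 1
    return {stem: dict(counter) for stem, counter in hits.items()}


if __name__ == "__main__":
    for stem, clients in find_unexpected_aspx_posts(SAMPLE_LOG).items():
        for client, count in clients.items():
            print(f"{stem}: {count} POST(s) from {client}")
```

Anything the script lists should then be checked on disk: confirm whether the file exists under the web root, when it was created and by which process, and whether the requesting address has any business talking to the server. A match is a lead for the review Carmakal describes, not proof of compromise on its own, and an empty result does not clear a server that may have been reached through one of the other three vulnerabilities.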