Four zero-day vulnerabilities have been discovered in Microsoft Exchange 2013, 2016 and 2019 on-premises servers and exploited by an adversary named "Hafnium".
Zero-day vulnerabilities are proven software flaws that can be exploited in the wild and for which no patch has yet been published, so urgent action must be taken.
In the case of Microsoft Exchange servers, these flaws allow Hafnium and other malicious actors to compromise the servers and steal sensitive data.
- CVE-2021-26855: By leveraging this vulnerability, the attacker gains access to mailboxes without needing to authenticate (using a server-side request forgery).
- CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 are used to remotely execute malicious code.
After gaining initial access via these vulnerabilities, attackers may use web shells to conduct further harmful actions leading to critical compromise.
Other vulnerabilities (CVE-2021-26412, CVE-2021-26854, CVE-2021-27078) have been detected but have not been exploited yet. Exchange Online and Office 365 do not seem to be affected by this attack.
RECOMMENDED SOLUTION:
- Microsoft urges customers to update vulnerable Microsoft Exchange servers and, if needed, to prioritize external-facing Exchange servers.
- Microsoft also invites clients to scan Exchange files for known indicators of compromise (IoC) and to regularly search for vulnerabilities on servers or detect abnormal behaviours, in particular through proper monitoring of accesses and of the sensitive roles defined.
- To help identify compromise, the Microsoft Safety Scanner tool has been updated to detect and remediate the threats linked to the recent vulnerabilities.
- For customers who are unable to update their Exchange servers, Microsoft has suggested mitigations to consider until servers are fully patched: an IIS Re-Write rule (CVE-2021-26855), disabling UM Services (CVE-2021-26857), disabling the ECP Application Pool (CVE-2021-27065), and an Nmap script to scan for CVE-2021-26855.
For more information, refer to the Microsoft Security Response Center for solutions to mitigate and defend your servers.
Sources : Volexity, Microsoft, MSRC, Bleeping Computer, CERT-US, CERT-FR, Update Microsoft, Microsoft Safety Scanner