Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by state-sponsored threat groups and others to deploy backdoors and malware in widespread attacks.
While in no way believed to be connected to the SolarWinds supply chain attack that has impacted an estimated 18,000 organizations worldwide — so far — there is concern that lags in patching vulnerable servers could have a similar impact, or worse, on businesses.
Here is everything you need to know about the security issues and our guide will be updated as the story develops.
Microsoft told security expert Brian Krebs that the company was made aware of four zero-day bugs in “early” January.
A DEVCORE researcher, credited with finding two of the security issues, appears to have reported them around January 5. Going under the handle “Orange Tsai,” the researcher tweeted:
“Just report a pre-auth RCE chain to the vendor. This might be the most serious RCE I have ever reported.”
On March 2, Microsoft released patches to tackle four critical vulnerabilities in Microsoft Exchange Server software. At the time, the company said that the bugs were being actively exploited in “limited, targeted attacks.”
Microsoft Exchange Server is an email inbox, calendar, and collaboration solution. Users range from enterprise giants to small and medium-sized businesses worldwide.
While fixes have been issued, the scope of potential Exchange Server compromise depends on the speed and uptake of patches — and over a month on, the security issue continues to persist.
Microsoft is now also reportedly investigating potential links between PoC attack code issued privately to cybersecurity partners and vendors prior to patch release and exploit tools spotted in the wild, as well as the prospect of an accidental — or deliberate — leak that prompted a spike in attacks.
What are the vulnerabilities and why are they important?
The critical vulnerabilities, known together as ProxyLogon, impact on-premise Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. However, Exchange Online is not affected.
Microsoft is now also updating Exchange Server 2010 for “defense-in-depth purposes.”
- CVE-2021-26855: CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability leading to crafted HTTP requests being sent by unauthenticated attackers. Servers need to be able to accept untrusted connections over port 443 for the bug to be triggered.
- CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM. However, this vulnerability needs to be combined with another or stolen credentials must be used.
- CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths.
- CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths.
If used in an attack chain, all of these vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.
In summary, Microsoft says that attackers secure access to an Exchange Server either through these bugs or stolen credentials and they can then create a web shell to hijack the system and execute commands remotely.
“These vulnerabilities are used as part of an attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
On March 10, PoC code was released before being taken down by GitHub. On the weekend of March 14, a new PoC was released by another researcher that is described as a method bringing Exchange server exploits down to “script-kiddie” level.
Who is responsible for known attacks?
Microsoft says that the original attacks using the zero-day flaws have been traced back to Hafnium.
Hafnium is a state-sponsored advanced persistent threat (APT) group from China that is described by the company as a “highly skilled and sophisticated actor.”
While Hafnium originates in China, the group uses a web of virtual private servers (VPS) located in the US to try and conceal its true location. Entities previously targeted by the group include think tanks, non-profits, defense contractors, and researchers.
Is it just Hafnium?
When zero-day vulnerabilities come to light and emergency security fixes are issued, if popular software is involved, the ramifications can be massive. Problems can often be traced back to awareness of new patches, slow uptake, or reasons why IT staff cannot apply a fix — whether this is because they are unaware that an organization is using software, third-party libraries, or components at risk, or potentially due to compatibility problems.
Mandiant says further attacks against US targets include local government bodies, a university, an engineering company, and retailers. The cyberforensics firm believes the vulnerabilities could be used for the purposes of ransomware deployment and data theft.
Sources have told cybersecurity expert Brian Krebs that at least 30,000 organizations in the US have been hacked. Bloomberg estimates put this figure closer to 60,000 as of March 8. Palo Alto Networks suggests there were at least 125,000 unpatched servers worldwide, as of March 9.
In an update on March 5, Microsoft said the company “continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium.”
On March 11, Check Point Research said that attack attempts leveraging the vulnerabilities were doubling every few hours. On March 15, CPR said attack attempts increased 10 times based on data collected between March 11 and March 15. The US, Germany, and the UK are now the most targeted countries. Government and military targets accounted for 23% of all exploit attempts, followed by manufacturing, financial services, and software vendors.
As of March 12, Microsoft and RiskIQ said at least 82,000 servers remained unpatched.
The European Banking Authority is one prominent victim. The EBA says there is “no indication to think that the breach has gone beyond our email servers.” An assessment is underway.
The US Cybersecurity and Infrastructure Security Agency (CISA) says that it is “aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers.”
On March 10, ESET said that 10 APT groups have been connected to attacks exploiting the Exchange Server vulnerabilities. These state-sponsored groups include LuckyMouse, Tick, Winnti Group, and Calypso.
F-Secure researchers have called the situation a “disaster in the making,” adding that servers are “being hacked faster than we can count.”
In a situation reminiscent of the 2017 WannaCry ransomware outbreak, on March 12, Microsoft said that a variant of ransomware known as DoejoCrypt/DearCry is leveraging the bugs to deploy ransomware on vulnerable Exchange servers. In addition, incidents involving Cobalt Strike, BlackKingdom, and the Lemon Duck cryptocurrency mining botnet have been recorded.
The deployment of web shells, such as China Chopper, on compromised Exchange servers has proved to be a common attack vector. Batch files written to servers infected with ransomware may ensure access is maintained to vulnerable systems, even after infections have been detected and removed.
“This batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA [Local Security Authority] Secrets portion of the registry, where passwords for services and scheduled tasks are stored,” Microsoft says.
In April, Sophos documented the installation of Monero cryptocurrency miners on vulnerable Exchange servers.
The FBI wades in
In April, the US Department of Justice (DoJ) said the FBI had obtained court approval and authorization to remove web shells from vulnerable Exchange servers.
“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” the DoJ says.
The firefighting activities, involving hundreds of systems, do not include issuing patches or mitigations on behalf of vendors. When removal takes place, however, the FBI will then attempt to contact those affected.
It is not just in the US that governments have become directly involved. The Australian Cyber Security Centre (ACSC) is also performing scans to find vulnerable Exchange servers belonging to organizations in the country, and the UK’s National Cyber Security Centre (NCSC) is also working with local entities to remove malware from infected servers.
How can I check my servers and their vulnerability status? What do I do now?
Microsoft has urged IT administrators and customers to apply the security fixes immediately. However, just because fixes are applied now, this does not mean that servers have not already been backdoored or otherwise compromised.
Interim mitigation option guides are also available if patching immediately is not possible.
The Redmond giant has also published a script on GitHub available to IT administrators to run that includes indicators of compromise (IOCs) linked to the four vulnerabilities. IoCs are listed separately here.
On March 8, Microsoft released an additional set of security updates that can be applied to older, unsupported Cumulative Updates (CUs) as a temporary measure.
On March 15, Microsoft released a one-click tool to make it easier for businesses to mitigate the risk to their internet-facing servers. The Microsoft Exchange On-Premises Mitigation Tool, available on GitHub, is currently “the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching,” according to the firm.
By March 18, Microsoft had added automatic on-premises Exchange Server mitigation to Microsoft Defender Antivirus software.
The organization is now also offering commercial customers using on-premise Exchange Server a 90-day trial of Microsoft Defender for Endpoint.
CISA issued an emergency directive on March 3 that demanded federal agencies immediately analyze any servers running Microsoft Exchange and to apply the firm’s supplied fixes. UK companies, too, have now been urged by the NCSC to patch immediately.
If there are any indicators of suspicious behavior dating back as far as September 1, 2020, CISA requires agencies to disconnect them from the Internet to mitigate the risk of further damage. The FBI has also released a statement on the situation.
By March 22, Microsoft said that patches or mitigations had been applied to 92% of internet-facing, on-prem Exchange servers.
Microsoft’s April Patch Tuesday
Microsoft releases frequent security updates for the firm’s products, usually on the second Tuesday of every month, with the exception of out-of-schedule releases — such as for the Exchange bugs — that are considered serious enough to be issued more quickly.
In April’s Patch Tuesday round, 114 CVEs were tackled — 19 of which deemed critical — including two remote code execution (RCE) vulnerabilities reported by the US National Security Agency (NSA), CVE-2021-28480 and CVE-2021-28481.
CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483 are all RCEs that impact Microsoft Exchange Server. The RCEs, issued severity scores of between 8.8 and 9.8, have not been linked to active attacks but are assessed by Microsoft as “exploitation more likely;” in other words, the exploit of the past Exchange Server vulnerabilities may have heightened the risk of exploit code being developed for the new critical vulnerabilities.
“We have not seen the vulnerabilities used in attacks against our customers,” Microsoft says. “However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats.”
CISA has ordered federal agencies to apply these updates.
On March 9, Microsoft opened up access to additional identity and access management protections, at no extra cost, to AccountGuard members in 31 democracies.
AccountGuard is a program designed to protect the accounts of Microsoft users at a higher risk of compromise or attack due to their involvement in politics. The program is also available to journalists and those on the frontline fighting COVID-19.
Microsoft continues to investigate and as more information comes to light we will update.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0