It is difficult to overstate the severity and reach of the latest group of vulnerabilities disclosed in on-premise Microsoft Exchange servers earlier this month. Exploitation of these 0-day vulnerabilities has been detected world-wide and defenders are actively patching, mitigating and most importantly, conducting incident response to understand the depth of their potential compromise.
The latest attack on Microsoft Exchange servers encompasses several unique vulnerabilities in an attack chain. The impact is critical due to the plethora of private/confidential communications in corporate email systems as well as the abundance of vulnerable servers on the internet. Unauthenticated exploitation lowers the barrier to entry for an attacker that is able to communicate with the vulnerable exchange servers. To be clear, the four vulnerabilities listed below affect Microsoft Exchange Server, while Exchange Online is unaffected.
CVE-2021-26857: Insecure deserialization vulnerability in the Exchange Unified Messaging Service
CVE-2021-27065: Authenticated arbitrary file write vulnerability
CVE-2021-26858: Authenticated arbitrary file write vulnerability
The scale of the attack is the biggest concern at this time. Over 30,000 organizations across the United States, from government institutions and large corporations to local small businesses, have been attacked. Microsoft initially tied the attack to a single threat actor, which they named Hafnium, but have since reported multiple threat actors leveraging these vulnerabilities. The attackers focus on gaining remote code execution (RCE), stealing email from victim organizations, and leaving behind common web shells for persistent access. The attack is unique because it targets several zero-day vulnerabilities. Because attackers were able to exploit a previously unknown vulnerability, any on premise Microsoft OWA servers exposed to the internet should be assumed compromised. Upon successful exploitation and establishment of persistence, the threat actor could gain further control over other assets in the network. Due to the nature of this attack, mitigation strategies may not fully remove any access already obtained and additional incident response should follow.
There are conflicting numbers of affected servers being reported, but telemetry from Palo Alto Networks indicates over 125K Exchange servers remain unpatched across the world. These vulnerabilities also affect a wide range of server versions and present enough risk that Microsoft has released patches for older servers that are no longer supported.
Exchange 2010: Version 14.3.496.0 and below
Exchange 2013: Any version below 15.0.1497.2 (not inclusive)
Exchange 2016: Any version below 15.1.2106.2 (not inclusive)
Exchange 2019: Any version below 15.2.721.2 (not inclusive)
Successful exploitation results in attackers gaining sensitive information in the internal network and may allow them to download user email and possibly gain full RCE on the mail server. With email access, the attackers can redirect email to release sensitive information outside an organization. Attackers will often leave web shells behind for persistent access. They can leverage this level of access to pivot deeper into the network with opportunities to attack an organization’s Domain Controllers and other high value services.
Defenders should quickly apply patches and conduct thorough incident response. To guard against future threats, they should continuously monitor their exchange servers for the creation of new aspx files that may be web shells or indicators of compromise, remotely log all powershell activity and review those logs on a regular cadence. With reports that web shells are being accessed after a patch has been installed, defenders must ensure all non-standard aspx pages are examined for malicious intent.
Microsoft has made the following tools available for defenders responding to this immediate threat.