Organisations using on-premises versions of Microsoft Exchange Server are at risk of targeted attacks exploiting three newly disclosed zero-day vulnerabilities, which are already being exploited in the wild by malicious actors associated with the Chinese state.
The three vulnerabilities, assigned CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 enable threat actors to access victim email accounts and install malware to gain long-term access to their wider environments. According to Microsoft’s Threat Intelligence Center (MSTIC), the campaign is attributed with a high degree of confidence to a group known as Hafnium.
The Hafnium advanced persistent threat (APT) group mainly targets organisations in the US, and in the past has hit medical research organisations, law firms, universities, defence contractors, policy think tanks and non-governmental organisations (NGOs). Although China-based, it operates from leased virtual private server (VPS) infrastructure located in the US.
It has previously compromised victims through vulnerabilities in internet-facing servers using legitimate open source frameworks – such as Covenant – for command and control (C2). Once inside their victim’s network, Hafnium typically exfiltrates data to file sharing sites.
“To date, Hafnium is the primary actor we’ve seen use these exploits,” said Microsoft’s corporate vice-president of customer security and trust, Tom Burt, in a blog post.
“The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the US-based private servers – to steal data from an organisation’s network.
“We’re focused on protecting customers from the exploits used to carry out these attacks,” said Burt. “Today, we released security updates that will protect customers running Exchange Server. We strongly encourage all Exchange Server customers to apply these updates immediately.
“Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.”
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack,” he added.
FireEye Mandiant senior vice-president and chief technology officer Charles Carmakal said: “FireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organisations. In addition to patching as soon as possible, we recommend organisations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.”
Satnam Narang, staff research engineer at Tenable, said the fact Microsoft chose to rush an out-of-band patch, rather than wait for March’s Patch Tuesday drop, suggested the vulnerabilities were highly dangerous.
“Based on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user’s mailbox. The other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organisation’s network,” said Narang.
“We expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organisations that use Exchange Server to apply these patches immediately.”
He also noted research by Eset, which suggests that a number of other APT groups besides Hafnium are exploiting the vulnerabilities to target organisations on a global basis.
The four CVEs work as follows: -26855 is a server-side request forgery (SSRF) vulnerability that lets an attacker send arbitrary HTTP requests and authenticate as the Exchange server; -26857 is an insecure deserialisation vulnerability in the Unified Messaging service that lets an attacker run code as SYSTEM on the Exchange server, and requires admin rights or another vulnerability to exploit; and finally, -26858 and -27065 are both post-authentication arbitrary file write vulnerabilities that let an attacker write a file to any path on the server if they can authenticate with it, for example by exploiting -26855 or using stolen credentials.
After gaining access through these vulnerabilities, Hafnium deploys web shells on the compromised servers to steal data and perform further malicious actions.
Microsoft noted the assistance of security teams at Volexity and Dubex, who reported different elements of the attack chains and assisted with the wider investigation. “It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all,” said Microsoft.