
Microsoft urges customers to install emergency patches as soon as possible to protect against highly skilled hackers who are actively exploiting four zero-day vulnerabilities in Exchange Server.
The software maker said hackers working on behalf of the Chinese government were using the previously unknown exploits to compromise fully patched on-premises Exchange Server installations. So far, Hafnium, as Microsoft calls the group, is the only actor Microsoft has seen exploiting the vulnerabilities, but the company said that could change.
“While we have worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” Microsoft’s corporate vice president of customer security and trust, Tom Burt, wrote in a post published Tuesday afternoon. “The best protection against this attack is to apply today’s patches immediately.”
Burt did not identify the targets beyond saying that they were organizations running Exchange Server software on premises. He said Hafnium operates from China, primarily with the aim of stealing data from infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-governmental organizations.
Burt added that Microsoft is not aware of individual consumers being targeted or of other Microsoft products being affected by the exploits. He also said the attacks were in no way related to the SolarWinds supply-chain hacks that compromised at least nine U.S. government agencies and about 100 private companies.
The zero-days affect Microsoft Exchange Server 2013, 2016 and 2019. The four vulnerabilities are:
- CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when an application deserializes data it cannot trust. Exploiting this vulnerability let Hafnium execute code as SYSTEM on the Exchange server. It requires administrator permissions or another vulnerability to exploit.
- CVE-2021-26858, a post-authentication arbitrary file write vulnerability. Once Hafnium could authenticate to the Exchange server, it could use this vulnerability to write a file to any path on the server. Authentication could be obtained by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator's credentials.
- CVE-2021-27065, a second post-authentication arbitrary file write vulnerability. As with CVE-2021-26858, once authenticated to the Exchange server, Hafnium could write a file to any path on the server, with authentication obtained through the CVE-2021-26855 SSRF vulnerability or through a compromised legitimate administrator's credentials.
According to Burt, the attack included the following steps:
- Gain access to an Exchange server with stolen passwords or by using the zero-days to disguise the attackers as someone who should have access
- Create a web shell to control the compromised server remotely
- Use that remote access to steal data from the target’s network
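The second step of that chain, a web shell written into an IIS-served directory, is also the most practical thing to hunt for on an Exchange server you suspect was hit. The script below is an added example written for this article, not code from Microsoft or Volexity, and it uses no vendor indicators of compromise: it walks a web root, flags ASP.NET files that contain generic command-execution primitives, and records whether each file's modification time falls inside the attack window the article reports (January 6 onward). The directory layout, the sample files and the pattern list are assumptions constructed for the demo.

```python
"""Triage hunt for ASP.NET web shells under an Exchange/IIS web root.

Added example, not from the article or from Microsoft/Volexity. Run it against
a collected copy of the web directories (e.g. inetpub\\wwwroot and the Exchange
FrontEnd\\HttpProxy tree); the sample tree built by demo() is constructed data.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

# Start of the intrusion window reported in the article (Volexity: Jan 6, 2021).
WINDOW_START = datetime(2021, 1, 6, tzinfo=timezone.utc)

# File types IIS will execute server-side.
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Generic execution primitives seen in ASP.NET web shells. These are assumed
# heuristics for the demo, not published IOCs; tune them for your environment.
SHELL_PATTERNS = {
    "eval_of_request": re.compile(rb"eval\s*\(\s*Request", re.I),
    "process_start": re.compile(rb"Process(StartInfo)?\s*\.\s*Start|new\s+Process\b", re.I),
    "assembly_load": re.compile(rb"Assembly\s*\.\s*Load", re.I),
    "shell_binary": re.compile(rb"cmd\.exe|powershell(\.exe)?", re.I),
}


@dataclass
class Finding:
    path: Path
    mtime: datetime
    in_window: bool        # mtime at/after WINDOW_START (timestamps can be forged!)
    matched: List[str]     # names of SHELL_PATTERNS that hit


def scan_file(path: Path, window_start: datetime = WINDOW_START) -> Optional[Finding]:
    """Return a Finding if the file is a server-side page containing an execution primitive."""
    if path.suffix.lower() not in WEB_EXTENSIONS:
        return None
    data = path.read_bytes()
    hits = [name for name, pat in SHELL_PATTERNS.items() if pat.search(data)]
    if not hits:
        return None
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    return Finding(path=path, mtime=mtime, in_window=mtime >= window_start, matched=hits)


def hunt(root: Path, window_start: datetime = WINDOW_START) -> List[Finding]:
    """Walk a web root and report every suspicious page, in-window files first.

    Files outside the window are still reported: an attacker who can write
    arbitrary files can also set their timestamps, so mtime is a hint, not a filter.
    """
    findings = [f for p in root.rglob("*") if p.is_file() for f in [scan_file(p, window_start)] if f]
    return sorted(findings, key=lambda f: (not f.in_window, str(f.path)))


def build_sample_tree(base: Path) -> Path:
    """Construct a fake web root with three files (constructed sample data, not real artefacts)."""
    root = base / "inetpub" / "wwwroot"
    auth = root / "owa" / "auth"
    auth.mkdir(parents=True)
    old_ts = datetime(2020, 6, 1, tzinfo=timezone.utc).timestamp()
    new_ts = datetime(2021, 2, 28, tzinfo=timezone.utc).timestamp()

    benign = auth / "logon.aspx"                      # normal page, no primitives
    benign.write_bytes(b'<%@ Page Language="C#" %><% Response.Write("logon"); %>')
    os.utime(benign, (old_ts, old_ts))

    legacy = root / "tools" / "legacy_tool.aspx"      # old admin page that spawns cmd.exe
    legacy.parent.mkdir()
    legacy.write_bytes(b'<% System.Diagnostics.Process.Start("cmd.exe", "/c whoami"); %>')
    os.utime(legacy, (old_ts, old_ts))

    shell = auth / "shell.aspx"                       # one-line eval shell dropped in-window
    shell.write_bytes(b'<%@ Page Language="Jscript" %><% eval(Request.Item["x"]); %>')
    os.utime(shell, (new_ts, new_ts))
    return root


def demo() -> List[Finding]:
    """Build the sample tree in a temp dir, hunt it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        flag = "IN-WINDOW" if f.in_window else "old mtime"
        print(f"{flag:10} {f.mtime:%Y-%m-%d} {f.path}  {','.join(f.matched)}")
```

On real output, treat every hit as a lead to examine by hand: compare the file against a known-good Exchange install of the same build, pull the IIS and Exchange logs for requests to that path, and preserve the file and its metadata before cleaning anything up. The pattern list will also flag legitimate administrative pages, as the constructed `legacy_tool.aspx` shows, so the point of the window flag is prioritization, not proof.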
As is customary for Hafnium, the group operates from leased virtual private servers in the US. Volexity, a security firm that reported the attacks privately to Microsoft, said the attacks appeared to begin on January 6.
“While the attackers initially seem to have largely flown under the radar by simply stealing emails, they have recently pivoted to launching exploits to gain a foothold,” Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair and Thomas Lancaster wrote. “From Volexity’s perspective, it appears that this exploitation involves multiple operators using a wide range of tools and methods to dump credentials, move laterally, and further backdoor systems.”
More details, including indicators of compromise, are available here and here.
In addition to Volexity, Microsoft also credited security firm Dubex with privately reporting various parts of the attack to Microsoft and assisting in the investigation. Organizations running a vulnerable version of Exchange Server should apply the patches as soon as possible.