Coverage Advisory for Zero-day Exploits Related to Microsoft

ByPR 24

Background

Microsoft has reported multiple exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) has attributed this campaign to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

What is the issue?

The following vulnerabilities were being exploited:

CVE-2021-26855: Server-side request forgery (SSRF) vulnerability in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857: Insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is de-serialized by a program. Exploiting this vulnerability gave attacker the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858: Post-authentication arbitrary file write vulnerability in Exchange. If the attacker could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065: Post-authentication arbitrary file write vulnerability in Exchange. If the attacker could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.

What products are impacted?

  • Microsoft Exchange Server 2019
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2013

How can you identify if you have been compromised?

Detection guidance and Advanced hunting queries to help customers investigate this activity has been published by Microsoft here.

What can you do to protect yourself?

  • Ensure that your users always have the Zscaler Client Connector running to ensure coverage against these exploits.
  • We highly recommend ensuring you have the latest security updates installed for the products affected by these CVEs. 
  • Keep your security software up to date with the latest definitions.
  • Reduce the attack surface by limiting the visibility of these servers to the internet.

Zscaler coverage

The following signature detections are now in production for Zscaler customers:

  • Advanced Threat Protection
    HTML.Exploit.CVE-2021-26855
    Win32.Exploit.Nishang
    PS.Hacked.PowerCat
     
  • Advanced Cloud Sandbox
    Win32.Exploit.CVE-2021-26855
     
  • Advanced Cloud Firewall
    HTML.Exploit.CVE-2021-26855
    Win32.Trojan.ProcdumpExfil
    Win64.Trojan.ProcdumpExfil

Details related to these threat signatures can be found in the Zscaler Threat Library.

The Zscaler Cloud Sandbox will provide proactive coverage against weaponised payloads trying to exploit these vulnerabilities. The Zscaler ThreatLabZ team is also actively monitoring
and ensuring coverage for all the latest IOCs associated with these vulnerabilities targeting the Microsoft Exchange servers.

References

1. https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

2. https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

3. https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

Similar Posts

Azure Cosmos DB remote takeover bug affects thousands of organisations – Security

Azure Cosmos DB remote takeover bug affects thousands of organisations – Security

ByPR 24

Security researchers have found a long-standing vulnerability in the Azure Cosmos DB fully managed non-structured query language database, which allows attackers to remotely take over the information store with a trivial exploit. Named ChaosDB, the vulnerability gives any Azure user full administrative access to other customers’ Cosmos DB instances, security vendor Wiz Research Team said….

Researchers Find 3 New Malware Strains Used by SolarWinds Hackers

Researchers Find 3 New Malware Strains Used by SolarWinds Hackers

ByPR 24

FireEye and Microsoft on Thursday said they discovered three more malware strains in connection with the SolarWinds supply-chain attack, including a “sophisticated second-stage backdoor,” as the investigation into the sprawling espionage campaign continues to yield fresh clues about the threat actor’s tactics and techniques. Dubbed GoldMax (aka SUNSHUTTLE), GoldFinder, and Sibot, the new set of…

Aviation Industry Lacks Cohesive Cybersecurity Approach

Aviation Industry Lacks Cohesive Cybersecurity Approach

ByPR 24

Aviation Industry Lacks Cohesive Cybersecurity Approach | IT Security News Sponsors Endpoint Cybersecurity www.endpoint-cybersecurity.com – Consulting in building your security products– Employee awareness training– Security tests for applications and pentesting… and more. Daily Summary Categories CategoriesSelect Category(ISC)2 Blog  (323)(ISC)2 Blog infosec  (13)(ISC)² Blog  (341)2020-12-08 – Files for an ISC diary (recent Qakbot activity)  (1)2020-12-11 – Quick post: TA551 (Shathak)…

State-Sponsored Successor to “Project Signal” Ransomware Campaign Discovered

State-Sponsored Successor to “Project Signal” Ransomware Campaign Discovered

ByPR 24

Iranian state-sponsored attackers have been linked to a variety of cyberespionage activities aimed at organizations all over the world. Flashpoint security experts recently discovered another ransomware strain from Iran, that has been operating since July 2020. According to Flashpoint, Iran’s Islamic Revolutionary Guard Corps (IRGC) was running a ransomware campaign through Emen Net Pasargard, an Iranian…

Matt Gaetz ‘Wingman’ Joel Greenberg Pleads Guilty

Matt Gaetz ‘Wingman’ Joel Greenberg Pleads Guilty

ByPR 24

Matt Gaetz’s longtime friend and partner in alleged crimes Joel Greenberg has pleaded guilty to six of the charges against him: identity theft, stalking, wire fraud, conspiracy to bribe a public official, and sex trafficking of a minor. While all of those crimes are incredibly serious, that last one carries a mandatory minimum sentence of…