Microsoft has reported multiple exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) has attributed this campaign to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
What is the issue?
The following vulnerabilities were being exploited:
CVE-2021-26855: Server-side request forgery (SSRF) vulnerability in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857: Insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted, user-controllable data is de-serialized by a program. Exploiting this vulnerability gave the attacker the ability to run code as SYSTEM on the Exchange server. Exploitation requires administrator permissions or chaining with another vulnerability.
CVE-2021-26858: Post-authentication arbitrary file write vulnerability in Exchange. If the attacker could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065: Post-authentication arbitrary file write vulnerability in Exchange. If the attacker could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.
What products are impacted?
- Microsoft Exchange Server 2019
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2013
How can you identify if you have been compromised?
Detection guidance and advanced hunting queries to help customers investigate this activity have been published by Microsoft.
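Because the post-exploitation step described above is the deployment of web shells (server-side script files dropped into a directory the web server will execute), one practical hunting check is to baseline the script files under the web root while the server is known-good or freshly patched, then flag anything new, altered, or recently written. The script below is an added example, not code from the advisory or from Microsoft's published guidance; the directory layout, file names and extension list are assumptions, and the sample files are constructed in a temporary directory so it runs offline.

```python
"""Baseline-and-diff hunt for unexpected server-side script files under a web root.

Added example (not part of the original advisory). Assumptions: the web root
layout, file names and SCRIPT_EXTENSIONS are illustrative, not an official
signature set.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Extensions the web server would execute; a dropped web shell has to use one of
# these to run. Illustrative list, not a vendor signature.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_script_files(root: Path):
    """Yield every file under root whose extension is in SCRIPT_EXTENSIONS."""
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTENSIONS:
            yield p


def build_baseline(root: Path) -> dict:
    """Map relative path -> sha256 for every script file, taken on a known-good server."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in iter_script_files(root)}


def hunt(root: Path, baseline: dict, modified_after: float) -> list:
    """Return findings for script files that are new, changed, or written after the cutoff."""
    findings = []
    for p in iter_script_files(root):
        rel = p.relative_to(root).as_posix()
        digest = sha256_of(p)
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != digest:
            reasons.append("content changed since baseline")
        if p.stat().st_mtime > modified_after:
            reasons.append("modified after cutoff")
        if reasons:
            findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Constructed scenario: one shipped page is baselined, then a new script
    appears and the shipped page is altered. Returns the hunt findings."""
    now = time.time()
    month_ago = now - 30 * 86400
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "wwwroot" / "app"          # assumed layout
        app.mkdir(parents=True)
        shipped = app / "page_example.aspx"     # stands in for a vendor-shipped page
        shipped.write_text('<%@ Page Language="C#" %> legitimate content')
        os.utime(shipped, (month_ago, month_ago))  # pretend it was installed a month ago
        baseline = build_baseline(root)

        # Later: an unexpected script is dropped and the shipped page is modified.
        dropped = app / "dropped_example.aspx"  # constructed name, not an indicator
        dropped.write_text('<%@ Page Language="C#" %> unexpected content')
        shipped.write_text('<%@ Page Language="C#" %> legitimate content plus an appended block')
        return hunt(root, baseline, modified_after=now - 7 * 86400)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", ", ".join(finding["reasons"]))
```

In practice the baseline would be taken from a freshly patched server (or generated from installation media) and stored off-host, and the cutoff set to the earliest date exploitation could have occurred; a hit is a lead for triage, not proof of compromise, since legitimate updates also change script files.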
What can you do to protect yourself?
- Ensure that your users always have the Zscaler Client Connector running so that they are covered against these exploits.
- We highly recommend ensuring you have the latest security updates installed for the products affected by these CVEs.
- Keep your security software up to date with the latest definitions.
- Reduce the attack surface by limiting the visibility of these servers to the internet.
The following signature detections are now in production for Zscaler customers:
- Advanced Threat Protection
- Advanced Cloud Sandbox
- Advanced Cloud Firewall
Details related to these threat signatures can be found in the Zscaler Threat Library.
The Zscaler Cloud Sandbox will provide proactive coverage against weaponised payloads trying to exploit these vulnerabilities. The Zscaler ThreatLabZ team is also actively monitoring and ensuring coverage for all the latest IOCs associated with these vulnerabilities targeting Microsoft Exchange servers.