Microsoft Exchange Hafnium Exploit
WHAT HAPPENED?
Microsoft told security expert Brian Krebs that the company was made aware of four zero-day bugs in “early” January.
A DEVCORE researcher, credited with finding two of the security issues, appears to have reported them around January 5. Going under the handle “Orange Tsai,” the researcher tweeted:
“Just report a pre-auth RCE chain to the vendor. This might be the most serious RCE I have ever reported.”
According to Volexity, attacks using the four zero-days may have started as early as January 6, 2021. Dubex reported suspicious activity on Microsoft Exchange servers in the same month.
On March 2, Microsoft released patches to tackle the four severe vulnerabilities in Microsoft Exchange Server software. At the time, the company said that the bugs were being actively exploited in “limited, targeted attacks.”
On March 12, Microsoft was reported to be investigating whether the attackers had obtained the exploit code used in the attacks from a Microsoft partner, either intentionally or unintentionally. The suspicion is that the attackers possessed Proof-of-Concept (PoC) attack code that Microsoft had shared with antivirus vendors under its Microsoft Active Protections Program (MAPP).
While fixes have been issued, the scope of potential Exchange Server compromise depends on the speed and uptake of patches — and the number of estimated victims continues to grow.
Microsoft is now also reportedly comparing the PoC attack code it issued privately to cybersecurity partners and vendors before the patch release with the exploit tools spotted in the wild, to establish whether an accidental or deliberate leak prompted the spike in attacks.
WHAT ARE THE VULNERABILITIES AND WHY ARE THEY IMPORTANT?
The critical vulnerabilities, known together as ProxyLogon, affect on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected.
Microsoft is now also updating Exchange Server 2010 “for defense-in-depth purposes.”
- CVE-2021-26855: CVSS 9.1: a Server-Side Request Forgery (SSRF) vulnerability that lets an unauthenticated attacker send crafted HTTP requests to the server and have them proxied to the back end as if they came from the Exchange server itself. The server must accept untrusted connections over port 443 for the bug to be triggered.
- CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging service that allows arbitrary code execution as SYSTEM. On its own it requires administrator-level access, so it must be combined with another vulnerability or used with stolen credentials.
- CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability. An attacker who has already authenticated, whether through CVE-2021-26855 or with stolen administrator credentials, can write a file to any path on the server.
- CVE-2021-27065: CVSS 7.8: a second post-authentication arbitrary file write vulnerability with the same preconditions and the same outcome: a file written to a path of the attacker's choosing.
Chained together, these vulnerabilities lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.
In summary, Microsoft says that attackers gain access to an Exchange Server either through these bugs or with stolen credentials, then use the file write to drop a web shell on the server, which lets them execute commands remotely and take control of the system.
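The SSRF described above has a visible side effect: the front end writes a line to the HttpProxy log for every proxied request, and when the request was forged the AnchorMailbox field names a back-end server plus a URL path instead of a mailbox. The following triage script, added here as an example and not taken from the page or from Microsoft's own tooling, flags rows of that shape in a CSV HttpProxy log. The column names, the `ServerInfo~*/*` anchor-mailbox shape and the `Server~*/*~*` back-end-cookie shape are assumptions drawn from public post-incident guidance, and the log lines embedded below are constructed, not captured from a real server.

```python
"""Triage Exchange HttpProxy logs for requests shaped like the CVE-2021-26855 SSRF.

Added example, not code from the original page or from Microsoft. Column names
and the two glob patterns are assumptions drawn from public post-incident
guidance; the sample log is constructed.
"""
import csv
import fnmatch
import io
from collections import Counter

# Constructed sample log, not captured from a real server. Real HttpProxy logs
# carry many more columns; only the ones this check reads are kept.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,ClientIpAddress,UrlStem,AnchorMailbox,BackEndCookie,HttpStatus,AuthenticationType
2021-03-01T10:15:02.111Z,10.0.0.5,/owa/,alice@corp.example,Server~mbx01.corp.example~1941962753,200,Basic
2021-03-01T10:15:09.442Z,10.0.0.9,/mapi/emsmdb/,bob@corp.example,Server~mbx01.corp.example~1941962753,200,Negotiate
2021-03-01T10:16:45.903Z,203.0.113.7,/autodiscover/autodiscover.xml,ServerInfo~mbx01.corp.example/autodiscover/autodiscover.xml,200,
2021-03-01T10:16:46.120Z,203.0.113.7,/ecp/,ServerInfo~mbx01.corp.example/ecp/,200,
2021-03-01T10:17:01.007Z,198.51.100.23,/owa/auth/,,Server~mbx01.corp.example/owa/auth/~1941962753,200,
"""

# Glob shapes (assumption): a genuine anchor is a mailbox address; an anchor or
# back-end cookie that names a server followed by a URL path is the signature
# of a request the front end was tricked into proxying on the attacker's behalf.
SSRF_PATTERNS = {
    "AnchorMailbox": ("serverinfo~*/*",),
    "BackEndCookie": ("server~*/*~*",),
}


def parse_httpproxy(text):
    """Parse CSV HttpProxy log text into a list of row dicts keyed by column."""
    return list(csv.DictReader(io.StringIO(text)))


def is_ssrf_shaped(row):
    """True if any watched field matches one of the SSRF glob shapes.

    Matching is case-insensitive, mirroring how an operator would grep the log.
    """
    for field, patterns in SSRF_PATTERNS.items():
        value = (row.get(field) or "").strip().lower()
        if any(fnmatch.fnmatchcase(value, p) for p in patterns):
            return True
    return False


def triage(text):
    """Return the suspicious rows, trimmed to the fields a responder reads first."""
    keep = ("DateTime", "ClientIpAddress", "UrlStem", "AnchorMailbox",
            "BackEndCookie", "HttpStatus", "AuthenticationType")
    return [{k: row.get(k, "") for k in keep}
            for row in parse_httpproxy(text) if is_ssrf_shaped(row)]


def hits_by_ip(hits):
    """Count suspicious requests per client IP so follow-up can be prioritised."""
    return Counter(h["ClientIpAddress"] for h in hits)


if __name__ == "__main__":
    found = triage(SAMPLE_HTTPPROXY_LOG)
    for h in found:
        print(h["DateTime"], h["ClientIpAddress"], h["UrlStem"],
              h["AnchorMailbox"] or h["BackEndCookie"])
    print("per client IP:", dict(hits_by_ip(found)))
```

On a real server the same functions can be fed the contents of each `*.log` file under the Exchange `Logging\HttpProxy` folder (path assumed from the default Exchange install layout). A hit only shows that a forged request reached the back end; it does not prove the file write succeeded, so any flagged client IP should be followed by a search for newly written web shells and a review of the ECP and OAB logs for the same time window.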