HAFNIUM Exploits Microsoft Exchange: Critical Zero-Day Vulnerabilities

Written By: Triden Group’s Sr. Security Principal

Threat Summary:

On March 2, 2021, Microsoft announced four critical zero-day vulnerabilities impacting a variety of Microsoft Exchange Server products. The stated vulnerabilities result in code execution by remote and unauthenticated attackers. Microsoft Exchange Server 2013, 2016, and 2019 are impacted.

Microsoft has reported active exploitation in the wild. Organizations are strongly recommended to review the recent Microsoft releases and apply patches for vulnerable devices.

Background:

A new state-sponsored threat actor based in China, identified as HAFNIUM by the Microsoft Threat Intelligence Center, has been reported engaging in a number of attacks exploiting zero-day vulnerabilities targeting Exchange servers.
Historically, HAFNIUM has primarily targeted entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. However, based on TTPs observed, Microsoft has high confidence that Hafnium are the threat actors behind this attack.
Microsoft reported HAFNIUM operators were able to download Exchange offline address books from compromised systems, containing information about organizations and its users.
Exchange Server is primarily used by business customers, and Microsoft has stated there is no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.
Microsoft has briefed appropriate U.S. government agencies on this activity and has released a statement regarding this compromise’s relationship to the recent SolarWinds supply chain attack. “The exploits we’re discussing today were in no way connected to the separate SolarWinds-related attacks. We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.”

Technical Information:

The recent critical vulnerabilities are as follows:
CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed the attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is when untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858, a post-authentication arbitrary file write vulnerability. If HAFNIUM could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065, a post-authentication arbitrary file write vulnerability. If HAFNIUM could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

What you should do about it:

• Microsoft has also released a set of IOCs which can be found under the vulnerability security bulletin: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
• After performing a business impact review, apply the relevant security patches provided by Microsoft. Information available here: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server
• Use TG Secure Pro to have a continuous assessment and pen testing cycle. One-time testing will not be sufficient in the ongoing cyber attacks. Technology is a powerful security weapon if it’s configured to detect a breach immediately and handled by a team that knows how to respond.

Learn More about TG Secure Pro
https://tridengroup.com/triden-group-secure-pro/
Are you ready to be proactive instead of reactive? Contact us TODAY.
www.TridenGroup.com
Stay up to date with the current trends in cybersecurity by subscribing to our YouTube channel.
https://www.youtube.com/channel/UCp4Enkhk-SXzKi5gHcJMUIg

 

References:
[1] https://arstechnica.com/information-technology/2021/03/microsoft-issues-emergency-patches-for-4-exploited-0days-in-exchange/
[2] https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
[3] https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/