On March 2nd, Microsoft released a set of out-of-band security updates to address critical remote code execution vulnerabilities in Microsoft Exchange Server. According to Microsoft these vulnerabilities are actively being exploited in the wild, and hence it is recommended to patch them immediately.
To detect vulnerable instances, Qualys released QID 50107 which detects all vulnerable instances of Exchange server. This QID is included in VULNSIGS-2.5.121-4 version and above.
CVEs addressed as part of this QID are: CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
Among the above CVEs, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 are being actively targeted in the wild using zero-day exploits. Microsoft attributes these attacks with high confidence to the HAFNIUM threat actor group (a China-based cyber-espionage group). These vulnerabilities affect the following versions of Exchange Server:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
At the time of the security update release, the vulnerabilities affect only on-premises Microsoft Exchange Server installations. Exchange Online is not affected.
CVE Technical Details
CVE-2021-26855 is a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate to the on-premises Exchange server. Attackers can also trick the Exchange server into executing arbitrary commands by exploiting this vulnerability.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Attackers who successfully exploit this vulnerability can run their code as SYSTEM on the Exchange server.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. Exploiting this vulnerability could allow an attacker to write a file to any path on the target Exchange server.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. Similar to CVE-2021-26858, exploiting this vulnerability could allow an attacker to write a file to any path of the target Exchange server.
Microsoft has provided details regarding how the HAFNIUM threat actor group is exploiting the above-mentioned critical CVEs. The following sequence of steps summarizes Microsoft’s findings.
- The initial step in the attack chain includes the threat actor group making an untrusted connection to the target Exchange server (on port 443) using CVE-2021-26855.
- After successfully establishing the connection, the threat actor group exploits CVE-2021-26857, which gives them the ability to run code as SYSTEM on the target Exchange server. This requires administrator permission or another vulnerability to exploit.
- As part of their post-authentication actions, the threat actor group exploits CVE-2021-26858 and CVE-2021-27065 and proceeds to write files to any path on the target server.
It has been observed that after gaining the initial access, the threat actor group deployed web shells on the target compromised server.
Discover and Remediate the Zero-Day Vulnerabilities Using Qualys VMDR
Identification of Assets Using Qualys VMDR
The first step in managing these critical vulnerabilities and reducing risk is identification of assets. Qualys VMDR makes it easy to identify Windows Exchange server systems.
Query: operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)
Once the hosts are identified, they can be grouped together with a ‘dynamic tag’, let’s say – “Exchange Server 0-day”. This helps in automatically grouping existing hosts with the 0-days as well as any new Windows Exchange server that spins up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the Qualys Cloud Platform.
Discover Exchange Server Zero-Day Vulnerabilities
Now that the Exchange hosts are identified, you want to detect which of these assets are flagged with this vulnerability. VMDR automatically detects new vulnerabilities like these based on the always-updated Knowledge Base (KB).
You can see all your impacted hosts for this vulnerability tagged with the ‘Exchange Server 0-day’ asset tag in the vulnerabilities view by using this QQL query:
QID 50107 is available in signature version VULNSIGS-2.5.121-4 and above and can be detected using authenticated scanning or the Qualys Cloud Agent manifest version 188.8.131.52-3 and above.
With VMDR Dashboard, you can track ‘Exchange 0-day’, impacted hosts, their status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.
Response by Patching and Remediation
VMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable patches for each technology version. You can simply select “qid: 50107” in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag – Exchange Server 0-day.
Security updates are available for the following specific versions of Exchange:
- Exchange Server 2010 (RU 31 for Service Pack 3 – this is a defense-in-depth update)
- Exchange Server 2013 (CU 23)
- Exchange Server 2016 (CU 19, CU 18)
- Exchange Server 2019 (CU 8, CU 7)
Users are encouraged to apply patches as soon as possible.
Post Compromise Detection Details
Discover Confirmed Compromise Using Qualys EDR
Post exploitation, an adversary can perform the following activity:
- Use legitimate utilities such as procdump or the rundll32 comsvcs.dll method to dump the LSASS process memory. Presumably, this follows exploitation via CVE-2021-26857, as these methods require administrative privileges.
- Use 7-Zip or WinRAR to compress files for exfiltration.
- Use PowerShell-based remote administration tools such as Nishang and PowerCat to exfiltrate this data.
To maintain persistent access on compromised systems, adversaries may also create a domain user account and install ASPX and PHP based web shells for command and control. Information about their probable locations and their related hashes is given below.
Web shell hashes:
- b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
- 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
- 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
- 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
- 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
- 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
- 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
- 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
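As an added hunting example (not Qualys code), the following script turns the post-compromise indicators above into two checks: it hashes every .aspx/.php file under a web root against the web shell hashes listed in this post, reporting any other ASPX/PHP file for analyst review, and it flags process command lines that match the procdump and rundll32 comsvcs.dll LSASS-dumping methods. The web root directory and the `classify_file` / `is_lsass_dump` helper names are assumptions.

```python
"""Added example: hunt for the post-compromise artifacts described above (not
Qualys code). Every .aspx/.php file under a web root is hashed and compared
with the web shell SHA-256 list from the post; ASPX/PHP files not on the list
are reported for review; process command lines are checked for the LSASS
dumping methods named above."""
import hashlib
import re
from pathlib import Path

# SHA-256 hashes of the web shells listed in the post (copied from it).
KNOWN_WEBSHELL_HASHES = {
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
}
WEBSHELL_EXTENSIONS = {".aspx", ".php"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify_file(name, data, known=KNOWN_WEBSHELL_HASHES):
    """'known-webshell' if the hash is listed, 'review' for other ASPX/PHP, else 'ok'."""
    if Path(name).suffix.lower() not in WEBSHELL_EXTENSIONS:
        return "ok"
    return "known-webshell" if sha256_hex(data) in known else "review"

def scan_webroot(root, known=KNOWN_WEBSHELL_HASHES):
    """Walk a web root (directory is an assumption) and list files to act on."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            verdict = classify_file(p.name, p.read_bytes(), known)
            if verdict != "ok":
                findings.append((str(p), verdict))
    return findings

# The two LSASS dump methods named in the post, as process command-line checks.
LSASS_DUMP_PATTERNS = [
    re.compile(r"procdump\S*\s.*\blsass\b", re.I),
    re.compile(r"rundll32\S*\s.*comsvcs\.dll.*minidump", re.I),
]

def is_lsass_dump(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in LSASS_DUMP_PATTERNS)
```

Run `scan_webroot` against each Exchange virtual directory you serve, and feed `is_lsass_dump` the command-line field of your process-creation telemetry.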
Web shell paths: