Attackers Used Flaws to Download Full Contents of Email Accounts
Microsoft issued emergency software patches on Tuesday for four zero-day vulnerabilities in its Exchange email server, one of the most widely used pieces of enterprise infrastructure.
The company says it believes the flaws have been exploited by a China-based group it calls Hafnium, which is seeking to gain persistent access to email systems. Microsoft typically issues patches for Windows and other products on the second Tuesday of every month, but it makes exceptions for security vulnerabilities that are deemed particularly dangerous.
Although Microsoft describes the attacks as “limited and targeted,” there are already indications that many other hacking groups are mounting attacks hoping to catch slow-patching organizations off guard. The flaws appear to have been exploited since at least early January.
Microsoft says it has never publicly discussed Hafnium before. The group has been targeting infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs, according to a blog post from Tom Burt, corporate vice president for Customer Security & Trust at Microsoft.
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” Burt writes.
Full Contents of Email Accounts Stolen
There’s a sense of urgency not only around patching, but also around organizations examining their systems to ensure they’ve not been compromised. Other security companies have already seen attackers seizing on the flaws.
“FireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organizations,” says Charles Carmakal, senior vice president and CTO of FireEye Mandiant. “In addition to patching as soon as possible, we recommend organizations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.”
Volexity, a computer forensics firm that specializes in incident response and memory analysis, expounded on the abnormal behavior it saw on the systems of two of its clients in January. The attackers used the vulnerabilities to “steal the full contents of several user mailboxes,” according to a blog post.
Volexity says it detected anomalous activity at its customers as early as Jan. 6, which means attackers have been active for at least two months but likely longer.
Microsoft says the latest malicious activity is not related, however, to the SolarWinds incident. The U.S. government believes Russia’s SVR intelligence agency infiltrated SolarWinds’ software update infrastructure, planting malware that was then distributed to 18,000 organizations (see House SolarWinds Hearing Focuses on Updating Cyber Laws).
Lateral Movement Possible
The vulnerabilities only affect the on-premise version of Exchange, where an organization has chosen to host the application itself. They do not affect Exchange Online, the cloud-based version, according to Microsoft’s technical advisory. It wasn’t exactly clear why.
The vulnerabilities are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The systems affected are Exchange Server 2010 RU31 for Service Pack 2, 2013 CU 23, 2016 CU 18 and CU 19; and 2019 CU7 and CU8.
Microsoft has published indicators of compromise so organizations can check if they may have been attacked. Also, it has released advanced hunting queries for Azure Sentinel and product detections and queries for Microsoft Defender for Endpoint.
In layman’s terms, Microsoft spelled out how the attackers gained access to email. The group would gain access to an Exchange server either through stolen passwords or the newly disclosed vulnerabilities. The group would put a web shell on the server, which allowed for persistent access.
The group would command that shell using Virtual Private Servers within the United States to mask the malicious activity while data is exfiltrated, Microsoft says.
Volexity also pointed out a larger risk that goes beyond Exchange. Within several organizations, the company observed CVE-2021-26855, which is the server-side request forgery flaw, chained together with another remote code execution flaw on the targeted Exchange services.
“In all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT), and move laterally to other systems and environments,” Volexity writes.
Volexity says the RCE flaw “appears to reside within the use of the Set-OabVirtualDirectory ExchangePowerShell cmdlet. Evidence of this activity can be seen in Exchange’s ECP Server logs.”
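As an added illustration of the kind of log review Volexity describes (this is example code written for this article, not Volexity’s or Microsoft’s tooling), the Python function below scans ECP server log entries for Set-OabVirtualDirectory invocations and for parameters that reference an .aspx file, and adds a flag when the client address falls outside assumed internal ranges. The column layout, the sample entries and the internal address ranges are constructed for the example and are not the real Exchange ECP log format.

```python
import csv
import io
import ipaddress
import re

# Constructed ECP server log excerpt for this example. The column layout is an
# assumption, not the real Exchange ECP log format; only the cmdlet name and the
# "webshell (.aspx) written to disk" pattern come from the incident reports.
SAMPLE_ECP_LOG = r"""time,client_ip,cmdlet,parameters
2021-01-04T02:13:55Z,203.0.113.7,Set-OabVirtualDirectory,Identity=OAB (Default Web Site);Path=C:\inetpub\wwwroot\aspnet_client\help.aspx
2021-01-04T09:30:02Z,10.0.0.25,Get-Mailbox,Identity=jdoe
2021-01-05T11:45:10Z,10.0.0.25,Set-OabVirtualDirectory,Identity=OAB (Default Web Site);RequireSSL=True
2021-01-06T16:02:41Z,198.51.100.9,Set-WebServicesVirtualDirectory,Identity=EWS (Default Web Site);Path=\\exch01\c$\inetpub\wwwroot\aspnet_client\system.aspx
"""

WATCHED_CMDLET = "Set-OabVirtualDirectory"          # cmdlet Volexity tied to the RCE
ASPX_REF = re.compile(r"\.aspx\b", re.IGNORECASE)   # any reference to an .aspx file
# Assumed internal address ranges (adjust to the organization being reviewed)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    """True if the client address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def triage_ecp_log(log_text):
    """Return a finding for each entry that invokes the watched cmdlet or whose
    parameters reference an .aspx file. Severity is 'high' when an .aspx reference
    is present (possible webshell on disk), 'medium' otherwise; entries from outside
    the internal ranges get an extra 'external-client' reason for prioritisation."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if row["cmdlet"].lower() == WATCHED_CMDLET.lower():
            reasons.append("watched-cmdlet")
        if ASPX_REF.search(row["parameters"]):
            reasons.append("aspx-reference")
        if not reasons:
            continue  # nothing in this entry needs an analyst's attention
        if not is_internal(row["client_ip"]):
            reasons.append("external-client")
        findings.append({"time": row["time"], "client_ip": row["client_ip"],
                         "cmdlet": row["cmdlet"], "reasons": reasons,
                         "severity": "high" if "aspx-reference" in reasons else "medium"})
    return findings
```

Legitimate administrators also run Set-OabVirtualDirectory, so a 'medium' finding from an internal address is a prompt for review, not proof of compromise.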