Microsoft issues emergency patches for 4 zero-days exploited in Exchange


Microsoft is asking customers to install emergency patches as soon as possible to protect against highly skilled hackers who are actively exploiting four zero-day vulnerabilities in Exchange Server.

The software maker said that hackers working on behalf of the Chinese government have used previously unknown exploits to compromise on-premises Exchange Server installations that were fully patched. So far, Hafnium, as Microsoft calls the group, is the only actor exploiting the vulnerabilities, but the company said that could change.

“Even though we have worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” Tom Burt, corporate vice president for customer security and trust, wrote in a post published on Tuesday afternoon. “Immediately applying today’s patches is the best protection against this attack.”

Burt did not identify the targets, except to say that they are organizations that run on-premises Exchange Server software. He said that Hafnium operates from China, primarily for the purpose of stealing data from infectious disease researchers, law firms, higher education institutions, defense contractors, US policy think tanks and non-governmental organizations.

Burt added that Microsoft is not aware of individual consumers being targeted or that the exploits have affected other Microsoft products. He also said that the attacks are in no way connected to SolarWinds-related hacks that breached at least nine United States government agencies and about 100 private companies.

The zero-days affect Microsoft Exchange Server 2013, 2016 and 2019. The four vulnerabilities are:

  • CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when a program deserializes untrusted, user-controllable data. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. Exploiting it requires administrator permissions or another vulnerability.
  • CVE-2021-26858, a post-authentication arbitrary file write vulnerability. Once Hafnium could authenticate to the Exchange server, it could use this vulnerability to write a file to any path on the server. The group can authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising the credentials of a legitimate administrator.
  • CVE-2021-27065, a post-authentication arbitrary file write vulnerability. Once Hafnium could authenticate to the Exchange server, it could use this vulnerability to write a file to any path on the server. The group can authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising the credentials of a legitimate administrator.
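The insecure-deserialization bullet above defines the bug class in one sentence; the following added example (not code from the article, Microsoft or Exchange, and written in Python's pickle format as a generic stand-in for Exchange's .NET serializer) shows why a loader that trusts the bytes it is given ends up running whatever they name, and how an allowlist on resolvable types closes that door. The `CallsOnLoad` class and the blobs are constructed for the demonstration; `os.getcwd` is used only because it is harmless.

```python
import io
import os
import pickle
from datetime import datetime


class CallsOnLoad:
    """Constructed hostile object: its pickled form instructs the loader to
    call os.getcwd() while loading. os.getcwd is harmless and stands in for
    the arbitrary callable a real payload would name."""

    def __reduce__(self):
        return (os.getcwd, ())


def make_benign_blob() -> bytes:
    """Serialized form of the kind of record a service legitimately expects."""
    return pickle.dumps({"user": "alice", "received": datetime(2021, 1, 6)})


def make_hostile_blob() -> bytes:
    """Serialized form an attacker would hand to a trusting loader."""
    return pickle.dumps(CallsOnLoad())


def unsafe_load(blob: bytes):
    """The defect: deserialize whatever the untrusted bytes describe.
    For the hostile blob this resolves and calls os.getcwd()."""
    return pickle.loads(blob)


# Globals the loader is permitted to resolve. Grow this list only with types
# the service deliberately accepts; everything else is refused before any
# constructor or callable is reached.
ALLOWED_GLOBALS = frozenset({("datetime", "datetime")})


class RestrictedUnpickler(pickle.Unpickler):
    """Loader that refuses to resolve any global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def triage(blob: bytes):
    """Return ("accepted", value) for blobs that only use allowed types,
    or ("rejected", reason) when the blob references anything else."""
    try:
        return ("accepted", RestrictedUnpickler(io.BytesIO(blob)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("benign  :", triage(make_benign_blob()))
    print("hostile :", triage(make_hostile_blob()))
```

The benign record round-trips through both loaders because a dictionary of strings and a `datetime` need nothing outside the allowlist; the hostile blob loads "successfully" through `unsafe_load` (the callable it names runs) and is refused by `triage` before anything executes. Allowlisting types is a mitigation for formats that must carry object graphs; where the data is just records, a schema-validated format such as JSON removes the problem entirely.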

The attack, Burt said, included the following steps:

  1. Gain access to an Exchange server with stolen passwords or by using the zero-days to disguise themselves as someone who should have access
  2. Create a web shell to control the compromised server remotely
  3. Use this remote access to steal data from the target’s network
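Step 2 of that chain leaves a server-side script file on disk that was not there before. The following added triage script (not from the article, Volexity or Microsoft) shows one way a defender can shortlist candidates: it walks a web root for files IIS would execute as code, keeps only those written after the Jan. 6 start date reported above, and flags the ones that both run server-side code and read request parameters. The web-root layout, file names and page contents below are constructed for the example; none are indicators from the investigations the article cites.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Start of the attacks as reported by Volexity (see above). Script files
# written after this date in directories that normally change only at
# patch time deserve a look.
BASELINE = datetime(2021, 1, 6, tzinfo=timezone.utc)

# Extensions IIS executes as server-side code.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}

# A page that both runs server-side code and reads request parameters has
# the shape of most ASP.NET web shells. This is a triage heuristic, not a
# signature: every hit still needs a human to read the file.
SERVER_CODE = re.compile(r'runat\s*=\s*"server"|<%', re.IGNORECASE)
REQUEST_READ = re.compile(r"\bRequest\s*[\[.]", re.IGNORECASE)


def suspicious_files(root: Path, baseline: datetime = BASELINE):
    """Return sorted (relative path, mtime) pairs for script files written
    after `baseline` whose content matches both heuristics."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime < baseline:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if SERVER_CODE.search(text) and REQUEST_READ.search(text):
            hits.append((path.relative_to(root).as_posix(), mtime.isoformat()))
    return sorted(hits)


def _write(path: Path, text: str, when=None) -> None:
    """Write a sample file; optionally back-date its modification time."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text, encoding="utf-8")
    if when is not None:
        stamp = when.timestamp()
        os.utime(path, (stamp, stamp))


def build_sample_root() -> Path:
    """Constructed web root (not real Exchange content) covering three cases."""
    root = Path(tempfile.mkdtemp(prefix="exchange-triage-"))
    # Non-functional page carrying the two markers the heuristics look for.
    marker_page = (
        '<%@ Page Language="C#" %>\n'
        '<script runat="server">\n'
        '  void Page_Load() { string c = Request["c"]; }\n'
        "</script>\n"
    )
    # 1. Page with the markers but dated before the baseline: dropped by date.
    _write(root / "owa" / "auth" / "logon.aspx", marker_page,
           datetime(2020, 6, 1, tzinfo=timezone.utc))
    # 2. Recently written page with no request handling: dropped by content.
    _write(root / "owa" / "auth" / "notice.aspx",
           "<%@ Page %>\n<html><body>Maintenance window</body></html>\n")
    # 3. Recently written page that runs code and reads input: flagged.
    _write(root / "aspnet_client" / "new_page.aspx", marker_page)
    return root


if __name__ == "__main__":
    for rel, when in suspicious_files(build_sample_root()):
        print(f"{when}  {rel}")
```

Two caveats a responder should keep in mind: file timestamps can be altered, so a quiet result is not a clean bill of health, and legitimate pages also read request parameters, so hits are leads rather than verdicts. Pair the shortlist with the IIS request logs for those paths and with the published indicators from Microsoft and Volexity before drawing conclusions.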

As is usual for Hafnium, the group operated from virtual private servers rented in the United States. Volexity, a security company that privately reported the attacks to Microsoft, said the attacks appear to have started on Jan. 6.

“While the attackers initially seem to have gone unnoticed by simply stealing email, they recently turned to launching exploits to gain a foothold,” wrote Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair and Thomas Lancaster. “From Volexity’s point of view, this exploitation appears to involve multiple operators using a wide variety of tools and methods to dump credentials, move laterally and further backdoor systems.”

More details, including indicators of compromise, are available here and here.

In addition to Volexity, Microsoft also credited security firm Dubex for privately reporting different parts of the attack to Microsoft and helping with the ensuing investigation. Organizations running a vulnerable version of Exchange Server should apply the patches as soon as possible.
