Microsoft has released out-of-band security updates to address four zero-day Microsoft Exchange Server vulnerabilities that a Chinese Advanced Persistent Threat (APT) group, identified as Hafnium, is actively exploiting.
The attacks have been underway since early January; the APT group has been targeting defense companies, law firms, colleges, NGOs, think tanks, and infectious disease research institutions in the United States. Exploiting the vulnerabilities lets the attackers exfiltrate mailboxes and other data from vulnerable Microsoft Exchange servers, run practically any code on the servers, and deploy malware for persistent access.
Hafnium is a previously unidentified APT group believed to be backed by the Chinese government. The group chains all four zero-day vulnerabilities together to steal sensitive files held in email accounts. While developing the exploits required some skill, using them is straightforward and lets the attackers exfiltrate large amounts of sensitive data with little effort. Although the group is based in China, the attacks are routed through VPNs in the USA, which helps the group stay undetected.
The flaws exist in Exchange Server 2010 and all supported Microsoft Exchange Server versions (2013, 2016, 2019). Patches have been released to fix the vulnerabilities in Exchange Server 2010, 2013, 2015, and 2019. The flaws do not affect Exchange Online or personal email accounts, only on-premises Exchange servers.
Microsoft credited the cybersecurity firms Volexity and Dubex with helping to discover the attacks, which were first detected on January 6, 2021. Now that patches are available, attacks are expected to increase as the group rushes to gain access to as many vulnerable Exchange servers as possible before the patches are applied.
The vulnerabilities found are:
CVE-2021-26858 and CVE-2021-26865: two post-authentication arbitrary file write vulnerabilities that allow an authenticated user to write a file to any path on the server. They are chained with CVE-2021-26855, though they could also be exploited using stolen credentials.
CVE-2021-26857: an insecure deserialization vulnerability in the Unified Messaging service that could be exploited to run arbitrary code as SYSTEM on the Exchange server.
CVE-2021-26855: a server-side request forgery (SSRF) vulnerability that allows HTTP requests sent to an on-premises Exchange Server to authenticate as the Exchange server itself.
Once initial access to the Exchange server is obtained, the attackers deploy a web shell that lets them harvest cached credentials, upload files such as malware for persistent access, run essentially any command on the compromised network, and exfiltrate mailboxes and other data.
Exploits for the vulnerabilities have not yet been published publicly, and the attacks are currently being carried out only by Hafnium, although that may not remain the case for long.
Microsoft is urging all users of the vulnerable Microsoft Exchange versions to apply the patches promptly. After patching, an investigation should be carried out to determine whether the vulnerabilities were already exploited, because patching will not stop further malicious activity or data theft once the attackers have already breached the server.
Microsoft has published Indicators of Compromise (IoCs) to help users determine whether the vulnerabilities have already been exploited on their servers.
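One way to run that kind of check against the Exchange HttpProxy logs, as an added Python example that is not from the article or from Microsoft: it applies the published CVE-2021-26855 indicator (an unauthenticated request whose AnchorMailbox looks like ServerInfo~*/*) to a constructed log sample. The preamble layout and column names follow Exchange's HttpProxy log format; the log entries, host names and users are made up.

```python
import csv
from fnmatch import fnmatchcase

# Constructed sample of an Exchange HttpProxy log. The real files live under
# <ExchangeInstallPath>\Logging\HttpProxy\; the '#' preamble and the column
# names follow that log layout, but every value below is made up.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.0000.000
#Log-type: HttpProxy Logs
#Date: 2021-03-02T00:00:00.000Z
#Fields: DateTime,RequestId,AuthenticatedUser,AnchorMailbox,UrlStem
2021-03-02T10:01:12.123Z,0001,CONTOSO\\alice,SMTP:alice@contoso.example,/owa/
2021-03-02T10:02:44.987Z,0002,,ServerInfo~a]@exch01.contoso.example/autodiscover/autodiscover.xml?#,/ecp/y.js
2021-03-02T10:03:10.555Z,0003,CONTOSO\\bob,SMTP:bob@contoso.example,/ews/exchange.asmx
2021-03-02T10:04:01.001Z,0004,,ServerInfo~exch01.contoso.example/rpc/?#,/ecp/default.flt
2021-03-02T10:05:30.200Z,0005,CONTOSO\\svc,ServerInfo~exch01.contoso.example/ews/?#,/ews/exchange.asmx
"""

def parse_httpproxy_log(text):
    """Return one dict per request line, taking the column names from the
    '#Fields:' preamble line and skipping the other '#' header lines."""
    fields = None
    data_lines = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            data_lines.append(line)
    if fields is None:
        raise ValueError("no '#Fields:' header line found")
    return [dict(zip(fields, row)) for row in csv.reader(data_lines)]

def find_ssrf_indicators(rows):
    """Apply the published CVE-2021-26855 indicator: an AnchorMailbox of the
    form 'ServerInfo~*/*' on a request with no authenticated user. Exchange
    uses ServerInfo~ anchors legitimately for authenticated back-end proxying,
    so the empty AuthenticatedUser condition is what keeps the check useful."""
    hits = []
    for row in rows:
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = row.get("AnchorMailbox") or ""
        if not user and fnmatchcase(anchor, "ServerInfo~*/*"):
            hits.append({"DateTime": row.get("DateTime"),
                         "AnchorMailbox": anchor,
                         "UrlStem": row.get("UrlStem")})
    return hits
```

A hit is a lead for the investigation the article recommends, not proof of compromise on its own; the real logs are rotated daily, so every file under the HttpProxy folder needs to be parsed, not just the current one.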