Microsoft has released an alert that it has detected multiple zero-day exploits that leave on-premises versions of Microsoft Exchange Server vulnerable to targeted attacks. The attackers, identified as HAFNIUM, use the vulnerabilities to access Exchange servers, giving them access to email accounts and allowing them to install malware for long-term access to environments. The actors accomplish this by gaining an untrusted connection to the Exchange server on port 443. Restricting untrusted connections, or separating the Exchange server from external access by placing it behind a VPN, can mitigate the attack. However, mitigating the initial port connection only protects against a portion of the attack chain used by HAFNIUM and is not effective if an attacker already has access to your environment. Externally facing on-premises Exchange servers should be updated immediately!
Microsoft identified the following four vulnerabilities:
- CVE-2021-26855 – is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 – is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858 – is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065 – is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Versions affected are:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Exchange Online is NOT affected.
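The inventory and interim mitigation described above, as an added PowerShell example (not code from the advisory or from Microsoft): it lists on-prem Exchange servers by product line, shows the build to compare against the fixed build in Microsoft's advisory, and scopes inbound 443 to trusted ranges. It assumes it runs in the Exchange Management Shell on a server with the NetSecurity module; the trusted address ranges are placeholders.

```powershell
# Added example, not part of the advisory. Assumes Exchange Management Shell
# (Get-ExchangeServer) and the Windows NetSecurity module.

# Exchange 2013 / 2016 / 2019 report AdminDisplayVersion 15.0 / 15.1 / 15.2.
$affected = @{ '15.0' = 'Exchange 2013'; '15.1' = 'Exchange 2016'; '15.2' = 'Exchange 2019' }

Get-ExchangeServer | ForEach-Object {
    $v   = $_.AdminDisplayVersion
    $key = "$($v.Major).$($v.Minor)"
    $product = if ($affected.ContainsKey($key)) { $affected[$key] } else { 'not in affected list' }
    [pscustomobject]@{
        Server  = $_.Name
        Product = $product
        # Compare Build against the fixed build in Microsoft's advisory
        # (that number is not on this page) before treating a server as patched.
        Build   = "$($v.Major).$($v.Minor).$($v.Build).$($v.Revision)"
    }
} | Format-Table -AutoSize

# Interim mitigation: only trusted ranges (VPN / reverse proxy) may reach 443.
# Windows Firewall evaluates Block rules before Allow rules, so a blanket Block
# on 443 would also cut off trusted hosts; instead rely on the profile's default
# inbound Block and add one scoped Allow rule.
$trusted = @('10.0.0.0/8', '192.0.2.0/24')   # placeholder ranges, replace with yours

Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Exchange HTTPS - trusted sources only' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $trusted -Action Allow -Profile Any

# Any pre-existing unscoped Allow rule for 443 (e.g. created by setup) would still
# admit untrusted hosts; list them so they can be disabled or scoped as well.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 443 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Enabled, Profile
```

This covers only the initial untrusted connection; as the advisory notes, it does not address the rest of the chain or an attacker already inside the environment, so patching remains the fix.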
We encourage all on-prem Exchange customers to investigate whether your organization has been compromised. Indicators of compromise and detection guidance are outlined in this Microsoft post: LINK