Microsoft Exchange Server Zero-day Vulnerabilities Description
A severe attack exploiting four zero-day vulnerabilities in on-premises versions of Microsoft's Exchange Server was carried out by what is believed to be a state-sponsored threat actor. Microsoft had already begun monitoring the activities of this hacker collective under the designation HAFNIUM. According to their findings, the group is located in China and backed by the Chinese government.
Through the exploits, the hackers could illegally obtain access to the Exchange Server and create a web shell that gave them remote control over the system. The main purpose of the attack was to access sensitive data contained in the victim's email accounts and the Exchange offline address book. The web shell, however, also allowed for additional malware payloads to be dropped. In the HAFNIUM attack, that functionality was used to ensure prolonged access to the victim's systems.
After information about the attack became public, Microsoft detected multiple additional threat actors incorporating the zero-day vulnerabilities into their operations. In just 9 days, a new ransomware threat was observed being delivered through the four security weaknesses. The threat was named DearCry, an obvious homage to the infamous WannaCry malware that infected users across the world in an attack exploiting a different set of Microsoft vulnerabilities.
Four Zero-Day Exploits Enabled the Attack
The zero-days exploited by HAFNIUM and the other threat actors are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
The first one, CVE-2021-26855, is a server-side request forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. In short, this exploit allowed attackers to run code as SYSTEM on the Exchange server.
The last two, CVE-2021-26858 and CVE-2021-27065, are both post-authentication arbitrary file write vulnerabilities.
Microsoft Released Security Patches and Tool to Mitigate the Attack
In the wake of the breach, and due to its severity, Microsoft released several security updates to patch the vulnerabilities in older versions of their Exchange Server. The tech giant also released a security blog containing observed IoCs (Indicators of Compromise), detection guidance, and advanced hunting queries so that customers have a better idea of where to check for signs of potentially malicious activity.
To help smaller customers who do not have dedicated cybersecurity or IT departments, Microsoft has also released a one-click mitigation tool. The Microsoft Exchange On-Premises Mitigation Tool is intended to be used as an interim security measure on Exchange Server 2013, 2016, and 2019 deployments while the customer prepares to install the appropriate security update.