Threat Signal Report

Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server

Description

On March 2nd, 2021, Microsoft released out-of-band patches for on-premises Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. The release was in response to in-the-wild exploitation of four vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.


The attack chain targets a Microsoft Exchange server that is able to receive untrusted connections from an external source. Microsoft attributes this latest attack to the threat actor known as HAFNIUM.


Who is HAFNIUM?

According to Microsoft, HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.


HAFNIUM's modus operandi is to gain access to the victim network and then exfiltrate victim data to file sharing sites such as MEGA, consistent with cyber espionage.


What are the Technical Details of the Threat?

Four vulnerabilities, each classified by Microsoft as a Microsoft Exchange Server Remote Code Execution Vulnerability, were chained together to allow the threat actor to exploit on-premises Exchange servers.


They are:


CVE-2021-26855

A remote code execution vulnerability exists in Microsoft Exchange Server: a server-side request forgery (SSRF) flaw allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. This vulnerability is the entry point of the attack chain; for it to succeed, the Exchange server must accept connections on port 443 from an untrusted source.


CVE-2021-26857

A remote code execution vulnerability exists in Microsoft Exchange Server: an insecure deserialization flaw in the Unified Messaging service. Exploiting it gives an attacker the ability to run code with elevated privileges (SYSTEM) on the Exchange server. To leverage this vulnerability, certain prerequisites must be met, such as existing administrator permissions or chaining with another vulnerability.


CVE-2021-26858

A remote code execution vulnerability exists in Microsoft Exchange Server: a post-authentication arbitrary file write. Once authenticated to the server, an actor can write a file to any location on that server. This vulnerability can be chained by using compromised Exchange administrator credentials or by authenticating through exploitation of CVE-2021-26855 (SSRF).


CVE-2021-27065

As with CVE-2021-26858, a remote code execution vulnerability exists in Microsoft Exchange Server in the form of a post-authentication arbitrary file write. Once authenticated to the server, an actor can write a file to any location on that server. This vulnerability can be chained by using compromised Exchange administrator credentials or by authenticating through exploitation of CVE-2021-26855 (SSRF).
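The two arbitrary file write vulnerabilities above are what let an authenticated actor drop a web shell (the ASP/WebShell and ASP/Chopper detections listed later in this report) onto the server. The following PowerShell triage check is an added example, not part of the FortiGuard report or Microsoft's tooling: it inventories script files recently created or modified under the Exchange web roots so they can be compared against a known-good baseline. It assumes it is run as an administrator on the Exchange server itself, that $env:ExchangeInstallPath is set (it is on Exchange installs), and that the directory list and the 14-day window are starting points to tune.

```powershell
# Added example (not from the FortiGuard report): list recently written script files
# under directories an Exchange web shell would typically need to land in to be reachable.
# Output is for triage only; files found should be preserved and compared to a baseline,
# not deleted, so that incident response can work from intact evidence.
param(
    [int]$DaysBack = 14,                      # assumed lookback window; tune to your environment
    [string[]]$Roots = @(                      # assumed locations; adjust to your install
        (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
        (Join-Path $env:ExchangeInstallPath 'ClientAccess'),
        'C:\inetpub\wwwroot'
    )
)

$cutoff  = (Get-Date).AddDays(-$DaysBack)
$results = foreach ($root in $Roots) {
    if (-not (Test-Path -Path $root)) { continue }   # skip roots that do not exist on this host
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.asp, *.ashx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                Owner         = (Get-Acl -Path $_.FullName).Owner
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($results) {
    $results | Sort-Object CreationTime -Descending | Format-Table -AutoSize
} else {
    "No .aspx/.asp/.ashx files created or modified in the last $DaysBack days under the checked roots."
}
```

Any file that is not in a known-good baseline or has an unexpected owner is a candidate for analysis; the SHA256 column can be checked against the AV coverage named later in this report.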


What Platforms are Affected?

On-premises Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 are affected. Exchange Online is unaffected. Although not listed as affected, Exchange Server 2010 has mitigation guidance available. Please refer to the APPENDIX for more details.


How Serious of an Issue is This?

HIGH.


Is this Being Exploited in the Wild?

Yes. According to recent media reports, in-the-wild attacks have affected potentially over 30,000 customers.


How Widespread is this Attack?

Global. Attacks have been observed to affect multiple verticals and targets worldwide.


Are Patches Available?

Yes. Out-of-band patches were made available for download by Microsoft on March 2nd, 2021. It is recommended that all available patches for affected Microsoft Exchange servers be applied immediately, where feasible.


What is the Status of Coverage?

FortiGuard Labs has the following AV coverage in place for publicly known samples:


ASP/WebShell.cl!tr

ASP/Chopper.A!tr

HTML/Agent.A121!tr


FortiGuard Labs has the following IPS coverage in place:


MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution

MS.Exchange.Server.UM.Core.Remote.Code.Execution

MS.Exchange.Server.CVE-2021-27065.Remote.Code.Execution

MS.Exchange.Server.CVE-2021-26858.Remote.Code.Execution


All known network IOCs related to this threat are blocked by the FortiGuard WebFiltering Client.


We will update this Threat Signal as further information becomes available.


Any Other Suggested Mitigation?

According to Microsoft, the attack can be mitigated by restricting untrusted connections to the Exchange server, or by placing it behind a VPN to separate it from external access. This mitigation only protects against the initial portion of the attack: other portions of the chain can still be triggered if an attacker already has access, or can convince an administrator via social engineering to open a malicious file. It is therefore recommended to prioritize installing the available patches on Exchange servers immediately.


Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed and patched, to protect against attackers establishing a foothold within the network.


Organizations are also encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing and spearphishing attacks. Employees should be encouraged never to open attachments from someone they don't know, and to always treat emails from unrecognized or untrusted senders with caution. Since various phishing and spearphishing attacks have been reported to be delivered via social engineering, it is crucial that end users within an organization be made aware of the types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates run by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links can also help prevent initial access to the network.


Definitions

Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.