Four Microsoft Exchange Server Remote Code Execution Vulnerabilities Disclosed in April 2021 Release

Description

Today, April 13, 2021, Microsoft released guidance on four newly disclosed vulnerabilities affecting on-premises Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. The disclosed vulnerabilities are CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483. Similar to last month's out-of-band release for the HAFNIUM-related exploits, this latest disclosure also details four remote code execution vulnerabilities in Microsoft Exchange (Microsoft Exchange Server Remote Code Execution Vulnerability) that allow a threat actor to exploit on-premises Exchange servers.


In parallel, the United States Department of Homeland Security (DHS) today released supplemental guidance to the Emergency Directive 21-02 advisory (first released March 3, 2021), titled "Supplemental Direction v2".


Affected versions of Microsoft Exchange Server are susceptible to remote code execution. Although similar in scope to last month's advisory, this disclosure is not attributed to the threat actor known as HAFNIUM. This latest security advisory was responsibly disclosed to Microsoft by the United States National Security Agency (NSA).


Who is HAFNIUM?

According to Microsoft, HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM's modus operandi is to gain access to the victim network, after which victim data is exfiltrated to file sharing sites such as MEGA for possible cyber espionage.


What are the Technical Details of the Threat?

Details at the moment are sparse.


Two vulnerabilities (CVE-2021-28480 and CVE-2021-28481) are rated CRITICAL (9.8 out of 10) on the CVSS scale. According to the limited details available, these are network-exploitable vulnerabilities that require neither user interaction nor authentication. Because of these factors, these vulnerabilities have the potential to become wormable. Also, because the attack complexity is low, an unsophisticated attacker with limited knowledge and resources could exploit these vulnerabilities across multiple unpatched systems.


The other two vulnerabilities (CVE-2021-28482 and CVE-2021-28483) are rated HIGH (8.8 out of 10). They share the same base score criteria as CVE-2021-28480 and CVE-2021-28481, with the exception that a low-privileged, authenticated user must initiate the attack.


What Platforms Are Affected?

On-premises Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 are affected. According to Microsoft, Exchange Server 2010 is not affected, nor is the online version of Microsoft Exchange (Exchange Online).


Please refer to the APPENDIX for more details.
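To scope which servers fall under this advisory, the following PowerShell inventory script is an added example, not part of the original Threat Signal or of any Microsoft guidance. It assumes it runs in the Exchange Management Shell (where Get-ExchangeServer is available) and the version mapping 15.0 / 15.1 / 15.2 for Exchange 2013 / 2016 / 2019 and 14.x for Exchange 2010.

```powershell
# Added example (not from the advisory): list on-premises Exchange servers and
# flag those in scope for the April 2021 release (2013/2016/2019 affected,
# 2010 not affected per Microsoft). Assumes the Exchange Management Shell.

function Get-ExchangeProductName {
    param([int]$Major, [int]$Minor)
    # AdminDisplayVersion Major.Minor identifies the product line (assumed mapping).
    switch ("$Major.$Minor") {
        '15.0'  { 'Exchange Server 2013' }
        '15.1'  { 'Exchange Server 2016' }
        '15.2'  { 'Exchange Server 2019' }
        default { if ($Major -eq 14) { 'Exchange Server 2010' } else { "Unknown ($Major.$Minor)" } }
    }
}

function Test-InScopeForApril2021 {
    param([int]$Major, [int]$Minor)
    # Only the 15.x product lines (2013/2016/2019) are affected by the four CVEs.
    return ($Major -eq 15 -and $Minor -in 0, 1, 2)
}

function Get-April2021ExchangeScope {
    Get-ExchangeServer | ForEach-Object {
        $v = $_.AdminDisplayVersion
        [pscustomobject]@{
            Server  = $_.Name
            Role    = $_.ServerRole
            Product = Get-ExchangeProductName -Major $v.Major -Minor $v.Minor
            # AdminDisplayVersion reflects the installed Cumulative Update only;
            # a security update does not change it, so CU level is what is shown here.
            CuBuild = "$($v.Major).$($v.Minor).$($v.Build).$($v.Revision)"
            InScope = Test-InScopeForApril2021 -Major $v.Major -Minor $v.Minor
        }
    }
}

function Get-LocalExchangeSUBuild {
    # Run on the Exchange server itself: the ExSetup.exe file version does
    # change with security updates, so compare it against the patched build
    # numbers in Microsoft's April 2021 advisory (not reproduced here).
    (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
}

Get-April2021ExchangeScope | Sort-Object InScope -Descending | Format-Table -AutoSize
```

Servers reported with InScope = True are the ones to check against the patched build list; the CuBuild column alone cannot tell you whether the April security update is installed.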


How Serious of an Issue is This?

HIGH.


Is this Being Exploited in the Wild?

No. Although similar in scope to the HAFNIUM Exchange Server vulnerabilities of March, according to Microsoft there is no evidence of active, in-the-wild attacks for this latest disclosure.


How Widespread is this Attack?

At this time, Microsoft has indicated that it has not observed any attacks, as these vulnerabilities were responsibly disclosed.


What are the CVSS scores?

CVE-2021-28480 CRITICAL (9.8)

CVE-2021-28481 CRITICAL (9.8)

CVE-2021-28482 HIGH (8.8)

CVE-2021-28483 HIGH (8.8)


Are Patches Available?

Yes. Patches for the affected CVEs are available for download from Microsoft as of April 13, 2021. It is recommended that all available patches for affected Microsoft Exchange servers be applied immediately, if feasible. Please refer to the APPENDIX section for more details.


What is the Status of Coverage?

The Microsoft Active Protections Program (MAPP) has not provided us with any guidance or detection logic at this time. As patches are available, it is highly suggested that they be applied immediately, because exploit developers will analyze the available patches to understand the fixes. We will update this Threat Signal with any further updates and signatures once they become available.


Any Other Suggested Mitigation?

According to Microsoft, to protect against this attack it is recommended to restrict untrusted connections, or to place the Exchange server behind a VPN so that it is separated from external access. Given the high-profile nature of the disclosing partner (NSA), it is recommended to prioritize the installation of available patches for affected Exchange Servers immediately.


Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed and patched, to protect against attackers establishing a foothold within a network.


Organizations are also encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees never to open attachments from someone they don't know, and always to treat emails from unrecognized/untrusted senders with caution. Since various phishing and spearphishing attacks have been reported to arrive via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates run by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links can also help prevent initial access into the network.