On March 2, 2021, Microsoft released information on multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks detected and observed, the threat actor HAFNIUM used these vulnerabilities to access on-premises Exchange servers, which gave it access to email accounts and allowed the installation of additional malware that facilitates long-term access to victim environments. The Microsoft Threat Intelligence Center (MSTIC) is strongly encouraging business customers to apply the critical security updates immediately, both to protect against these exploits and to prevent future abuse across the ecosystem.
The four critical vulnerabilities are a server-side request forgery (CVE-2021-26855) used to authenticate as the Exchange server, a vulnerability in the Unified Messaging service (CVE-2021-26857) that enables running code as SYSTEM, and two post-authentication arbitrary file write vulnerabilities (CVE-2021-26858 and CVE-2021-27065), which together create a perfect exploitation storm. The affected Microsoft Exchange Server versions are 2013, 2016, and 2019; Exchange Online is not affected.
IF YOU WERE IMPACTED
As always, it is best to be proactive rather than reactive if you believe you are one of the organizations that could be impacted. Once a vulnerability has been exploited by an attacker, the cost of the breach to an organization is significantly higher: impacted systems, incident response costs, and, most importantly, business continuity interruptions.
HAVE I BEEN COMPROMISED?
Microsoft is encouraging its customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems. Network Center will be able to assist in identifying potential indicators of compromise in your network and, if warranted, engage our partner Blue Team Alpha for incident response. Reach out today so that we can answer one simple, but very important, question: is your organization compromised?
Microsoft has released a One-Click Exchange Mitigation tool for Exchange customers who have not yet applied the patch, or who are unsure how to apply it, as a stop gap until the patch can be applied. If you require assistance, please let us know and we’d be happy to help.
One-Click Exchange Mitigation
Exchange versions supported:
Please note that this is not a permanent fix; all patches should still be applied as soon as possible. For more information on these vulnerabilities, please refer to Microsoft’s Exchange Server Vulnerability blog post.