Cybersecurity Threat Advisory 0011-21: HAFNIUM Targeting Exchange Servers with Zero-day Exploits (Reposted from SKOUT Cyber)
Sharing for SMBs in our communities. As you may have seen last week, Microsoft recommends immediate patching of Microsoft Exchange Server, versions 2013, 2016, and 2019 ASAP. There’s four CVEs (Common Vulnerability Exposures) from an advanced persistent threat from a State-sponsored hacker group called HAFNIUM in China that is currently leveraging this to hack into corporate exchange servers and steal sensitive business data.
If you’re a business that has any of these versions of exchange (many do) your IT team or provider should patch them immediately if they haven’t already. There’s also ways to look for suspicious files on your MS Exchange Server posted from our friends at SKOUT Cyber below.
Don’t have the right IT resources or need help? Contact us today at 213-797-5600 for help or a free Cyber assessment of your server and infrastructure against current industry best practices.
Microsoft has released several security updates due to targeted attacks against vulnerabilities found in Microsoft Exchange Server (versions 2013, 2016, and 2019). Though the attacks are said to have been limited, Microsoft is urging the immediate updating of all affected systems as to mitigate the vulnerabilities and further abuse within networking environments wherein Exchange servers are being used. Microsoft attributes the activity to a hacking group called “Hafnium.”
TECHNICAL DETAIL & ADDITIONAL INFORMATION
WHAT IS THE THREAT?
At the time of this writing, there are four zero-day exploits that users of Microsoft Exchange Server 2013, 2016, and 2019 need to be aware of. They are described in detail in the following CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. These vulnerabilities include a server-side request forgery (SSRF) that would allow an attacker to send arbitrary HTTP requests and authenticate as the Exchange server, an insecure deserialization vulnerability in the Unified Messaging service that would give the attacker the ability to run code as SYSTEM on the Exchange server, and a post-authentication arbitrary write vulnerability that would allow the attacker to write a file to any path on the server. These vulnerabilities have previously been used by the state-sponsored actor Hafnium, which is the only actor that Microsoft has seen using the exploits.
WHY IS IT NOTEWORTHY?
It is believed that Hafnium is a state-sponsored actor operating out of China. But the group is also known to conduct operations over leased virtual private servers in the United States, which is where most of its targets and victims are located. It should also be noted that, since it is mostly businesses that use Microsoft Exchange Server, the attack vector is not aimed at individual consumers and no other Microsoft products are affected by the vulnerabilities. It is presumed that Hafnium primarily targets organizations based in the U.S. to steal data across multiple sectors of industry. U.S. government agencies have been notified and informed of the attacks, as well.
WHAT IS THE EXPOSURE OR RISK?
Though Microsoft believes at this point that Hafnium is the only group that has been exploiting the vulnerabilities, as knowledge of the exploit spreads, the software giant feels that the number of groups or individuals attempting to leverage the exploit could change. In response to the news of the zero-day exploit, SKOUT has already created and implemented event detection rules into its security monitoring solution using the IOCs made public by Microsoft and will continue to update the rules with any new threat intelligence made available. Even though Microsoft acted quickly in releasing patches for the exploits, it is expected that many bad actors will try to take advantage of the opportunity to exploit those systems that have not yet applied the prescribed updates. Microsoft also wanted to make it known that Exchange Online is not affected by the critical vulnerabilities.
WHAT ARE THE RECOMMENDATIONS?
SKOUT recommends the immediate patching of all affected versions of Microsoft Exchange Server (versions 2013, 2016, and 2019) with the latest updates. If you suspect that any of your Exchange servers have been compromised, then we highly recommend that you conduct the appropriate investigation and implement any necessary detection methods to identify any present and future targeted attacks. Please refer to the article published by Microsoft at https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ for a list of the web shell hashes and file names for known host IOCs, as well as other resources and detection techniques, including:
- How to check patch levels of Exchange Server;
- How to scan Exchange log files for indicators of compromise;
- Where to check for suspicious .zip, .rar, and .7z files that may indicate data exfiltration; and
- Microsoft Defender Antivirus detections, Microsoft Defender for Endpoint detections, Azure Sentinel detections, and advanced hunting queries.
For more in-depth information about the recommendations, please visit the following links:
Credit to SKOUT Cybersecurity, our partners for this update. The link here is here for the full article: Cybersecurity Threat Advisory 0011-21: HAFNIUM Targeting Exchange Servers with Zero-day Exploits | SKOUT CYBERSECURITY (getskout.com)
By Michael Flavin, CISM, CHPA, CyRP