The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a red warning for the users of the Microsoft Exchange email service due to Microsoft Exchange attacks. The investigation team has spotted that hackers have been actively exploiting zero-day vulnerabilities in the server software. Since Exchange is one of the most popular business-oriented email services, the effect of the campaign is – worrisomely – global.
Four critical bugs were identified in on-premises servers of 2013, 2016 and 2019 products. As per available information, associated cloud services should not have been affected. Specifically, the vulnerabilities were labelled as:
- CVE-2021-26855 – Server-Side request forgery (SSRF) allowing arbitrary HTTP requests and false authentication as the Exchange Server;
- CVE-2021-26857 – an insecure deserialization vulnerability in the Unified Messaging service allowing unauthorized access to mailboxes;
- CVE-2021-26858 and CVE-2021-27065 – post-authentication arbitrary file write vulnerabilities in Exchange allowing writing a file to any path on the server.
Exploiting Flaws
When taking advantage of the first-mentioned, hackers would not even need legitimate login credentials to gain access to a server. After successful compromise, they could run a web shell to execute malicious code and access sensitive information in the victim’s mailboxes.
The tech giant as well as numerous state cybersecurity bodies urge users to update their service’s servers with no hesitation. The patched version must be deployed by administrators, otherwise, the files will not install correctly.
To detect any indicators of compromise, admins may scan the Exchange server logs with a pre-written script. They should also screen the environment for potential unwelcomed visitors, who could have already gained unauthorized access. Update alone at that stage of attack will not help.
Golden Times for Cyberespionage
Microsoft’s team has already pointed a finger at a threat actor behind the Exchange campaign. Given the tactics used, they linked it to a group named Hafnium. The company has recorded the group’s activity in connection with past Office 365 compromises.
While using virtual private servers localized in the US, Hafnium operates from Chinese territory. According to Microsoft, the group should be directly sponsored by the local government. However, the Chinese foreign ministry has denied the allegations.
The recent kill-chain is nothing less than the ground ready for targeted cyber espionage. No matter its background, it seems like we are witnessing a rise of a new malicious actor. Along the way, other cyber threats persist.
As notes Tom Burt, Microsoft’s vice president, after the details have been published, many actors will seek to break into the unpatched systems. The state sector, research institutions, and private businesses should therefore bring more attention to securing its sensitive data.
References
Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
Microsoft Blog: New nation-state cyberattacks
