Description: Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.
Microsoft indicates that the initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.
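As an added example of the "restrict untrusted connections" mitigation described above (this is not code from the advisory, Barracuda, or Microsoft), the following Windows Defender Firewall script audits an on-premises Exchange server for inbound rules that allow TCP/443 from any source and replaces them with a rule scoped to trusted networks. The address ranges in $TrustedSources, the rule name, and the helper function names are assumptions for illustration; substitute your own trusted ranges (for example the internal LAN and the VPN client pool).

```powershell
# Added example, not part of the original advisory: scope inbound TCP/443 on an
# on-premises Exchange server to trusted source networks using Windows Defender Firewall.
# $TrustedSources holds placeholder CIDR ranges (assumption); replace with your own.
$TrustedSources = @('10.0.0.0/8', '192.168.50.0/24')   # e.g. internal LAN + VPN client pool
$ScopedRuleName = 'Exchange HTTPS (trusted sources only)' # assumed rule name

# Weak setting: an enabled inbound Allow rule for TCP/443 (or all ports) with RemoteAddress = Any.
function Get-OpenHttpsRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            $port.Protocol -eq 'TCP' -and
            ($port.LocalPort -contains '443' -or $port.LocalPort -eq 'Any') -and
            $addr.RemoteAddress -eq 'Any'
        }
}

# Corrected setting: disable the unrestricted rules and add one Allow rule limited to
# $TrustedSources. With the profile's default inbound action set to Block, every other
# source is dropped without needing an explicit Block rule (Block rules would otherwise
# take precedence over the scoped Allow rule and cut off trusted clients too).
function Set-ScopedHttpsRule {
    Get-OpenHttpsRules | ForEach-Object {
        Write-Host "Disabling unrestricted rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

    if (-not (Get-NetFirewallRule -DisplayName $ScopedRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ScopedRuleName `
                            -Direction Inbound -Protocol TCP -LocalPort 443 `
                            -RemoteAddress $TrustedSources -Action Allow -Profile Any | Out-Null
        Write-Host "Created scoped rule '$ScopedRuleName' for: $($TrustedSources -join ', ')"
    }
}

# Report the current exposure and confirm the default inbound policy is Block on every profile.
Write-Host 'Inbound rules allowing TCP/443 from any source:'
Get-OpenHttpsRules | Select-Object DisplayName, Profile | Format-Table -AutoSize

Write-Host 'Default inbound action per profile (should be Block):'
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction | Format-Table -AutoSize

# Apply the remediation (comment out to run in audit-only mode).
Set-ScopedHttpsRule
```

Scoping port 443 this way removes direct Internet access to Outlook on the web, ActiveSync, and other HTTPS-published Exchange services, which is why the advisory pairs this option with placing the server behind a VPN. As the advisory also notes, this only blocks the initial SSRF step; the remaining vulnerabilities in the chain are still reachable by an attacker who already holds credentials or internal access, so patching remains the primary fix.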
Affected Systems: The critical vulnerabilities impact on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected.
Details: Four specific vulnerabilities (Microsoft Exchange Server Remote Code Execution Vulnerability) were chained together to enable the threat actors to exploit on-prem Exchange servers:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange Server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange Server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Microsoft Protection: Microsoft has made available several patches and recommends applying these immediately on affected Microsoft Exchange Servers.
Barracuda Networks Protection: The following IPS signatures were released on March 8, 2021, to protect against CVE-2021-26855, which serves as the beginning of the attack chain. Since only CVE-2021-26855 has a network attack vector, the Barracuda CloudGen Firewall can detect and prevent malicious traffic targeting affected Microsoft Exchange Servers.
- Signature ID 1138767: WEB Microsoft Exchange Server Remote Code Execution Vulnerability -1 (CVE-2021-26855)
- Signature ID 1138774: WEB Microsoft Exchange Server Remote Code Execution Vulnerability -2 (CVE-2021-26855)
- Signature ID 1138775: WEB Microsoft Exchange Server Remote Code Execution Vulnerability -3 (CVE-2021-26855)
- Signature ID 1138776: WEB Microsoft Exchange Server Remote Code Execution Vulnerability -4 (CVE-2021-26855)
Note that inbound TLS inspection must be enabled on the Barracuda CloudGen Firewall to detect vulnerable traffic towards the Exchange Server. For more information on how to enable TLS inspection please visit the documentation on Barracuda Campus.