Microsoft issues emergency patches for 4 exploited 0-days in Exchange

The word ZERO-DAY is hidden amidst a screen filled with ones and zeroes.

Microsoft is urging customers to install emergency patches as soon as possible to protect against highly skilled hackers who are actively exploiting four zero-day vulnerabilities in Exchange Server.

The software maker said hackers working on behalf of the Chinese government have been using the previously unknown exploits to hack on-premises Exchange Server software that is fully patched. So far, Hafnium, as Microsoft is calling the hackers, is the only group it has seen exploiting the vulnerabilities, but the company said that could change.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” Microsoft Corporate Vice President of Customer Security & Trust Tom Burt wrote in a post published Tuesday afternoon. “Promptly applying today’s patches is the best protection against this attack.”

Burt didn’t identify the targets other than to say they are businesses that use on-premises Exchange Server software. He said that Hafnium operates from China, primarily for the purpose of stealing data from US-based infectious disease researchers, law firms, higher-education institutions, defense contractors, policy think tanks, and nongovernmental organizations.

Burt added that Microsoft isn’t aware of individual consumers being targeted or that the exploits affected other Microsoft products. He also said the attacks are in no way connected to the SolarWinds-related hacks that breached at least nine US government agencies and about 100 private companies.

The zero-days are present in Microsoft Exchange Server 2013, 2016, and 2019. The four vulnerabilities are:

  • CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed the attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is when untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

The attack, Burt said, included the following steps:

  1. Gain access to an Exchange server either with stolen passwords or by using the zero-days to disguise the hackers as personnel who should have access
  2. Create a web shell to control the compromised server remotely
  3. Use that remote access to steal data from a target’s network

As is usual for Hafnium, the group operated from leased virtual private servers in the US. Volexity, a security firm that privately reported the attacks to Microsoft, said the attacks appeared to start as early as January 6.

“While the attackers appear to have initially flown largely under the radar by simply stealing emails, they recently pivoted to launching exploits to gain a foothold,” Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster wrote. “From Volexity’s perspective, this exploitation appears to involve multiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and further backdooring systems.”

More details, including indicators of compromise, are available here and here.

Besides Volexity, Microsoft also credited security firm Dubex with privately reporting different parts of the attack to Microsoft and assisting in an investigation that followed. Businesses using a vulnerable version of Exchange Server should apply the patches as soon as possible.