
How to Defend against Recent Attacks on Microsoft Exchange

Microsoft warns about an organized criminal group known as Hafnium performing mass attacks against government and private entities, primarily in the United States. Initial reports said that approximately 30,000 organizations had been affected, but more recent data shows more than 60,000, and the number is expected to rise further.

The attacks exploit known zero-day vulnerabilities in Microsoft Exchange servers. MIT Technology Review warns that it’s not just Hafnium but at least 4 other criminal organizations that are using the same techniques for their attacks.

This attack demonstrates that even low- and medium-risk vulnerabilities can lead to serious consequences, and should not be ignored.

What Is the Risk?

The targeted vulnerabilities allow the attackers to install and run software on your Microsoft Exchange servers, for example, web shells or ransomware. This allows the attackers to move on to other connected systems, potentially access and steal all your sensitive data, and attempt financial extortion.

How Do the Attacks Work?

The attacks exploit four separate vulnerabilities. Microsoft has known about these vulnerabilities for some time but dubbed them low-risk. While each of these vulnerabilities on its own may indeed be perceived as medium or low risk, together they allow for privilege escalation and the resulting mass attacks.

  1. Attackers begin by exploiting the CVE-2021-26855 vulnerability, which is a server-side request forgery (SSRF) vulnerability in Exchange. It allows them to authenticate as the Exchange server.
  2. Then, attackers follow up with exploiting CVE-2021-26858 and CVE-2021-27065, which are post-authentication arbitrary file write vulnerabilities in Exchange, as well as CVE-2021-26857, which is an insecure deserialization vulnerability in the Unified Messaging service. The first two give the attackers the ability to write files to the server, and the last one lets them run code as SYSTEM on the Exchange server.
  3. With the ability to upload and run files as SYSTEM, the attackers escalate the attack to remote code execution, which allows them to install web shells or ransomware and execute them.

How Do I Check If I Am Vulnerable?

If you have an on-premises Microsoft Exchange server that is accessible from the Internet (port 443 is open), you are potentially vulnerable.

The latest update of Acunetix Premium (update 13.0.210308088) introduces a specific check for the primary vulnerability exploited by Hafnium – CVE-2021-26855. Update your Acunetix installation and scan your Exchange targets to be informed if you are vulnerable.

Note that Acunetix, by default, discovers SSRF and insecure deserialization vulnerabilities in web applications and APIs.

What Can I Do To Protect Myself?

Microsoft has already released patches for affected vulnerabilities. Update your Exchange server with Microsoft patches immediately to eliminate the vulnerabilities and protect yourself from attacks.

If you are not able to update your Microsoft software immediately, Microsoft issued a list of potential temporary mitigation measures. Implement these measures to protect yourself until you can update the software to the latest version.

How Do I Know If I’ve Been Hacked?

Even if you protect yourself, you may have already been hacked. Follow the procedures outlined by the DHS Emergency Directive 21-02 and the CISA Alert AA21-062A as well as standard forensic practices to check your systems for potential breaches.
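As an added example that is not part of the original post, the script below applies one of the log checks from the CISA alert AA21-062A cited above to Exchange HttpProxy log rows: a request with no AuthenticatedUser whose AnchorMailbox carries a ServerInfo~host/path routing value is the indicator the alert associates with CVE-2021-26855. The column names and the ServerInfo~ pattern come from that guidance, not from this post, and the log rows are constructed; a clean result from this one check does not rule out compromise.

```python
import csv
import io
from dataclasses import dataclass
from typing import List

# Constructed sample of Exchange HttpProxy log rows. Real logs carry many more
# columns; csv.DictReader keys on the header line, so extra columns are harmless.
SAMPLE_HTTPPROXY_LOG = """DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-02T10:15:01.000Z,/owa/auth/logon.aspx,,,200
2021-03-02T10:15:44.000Z,/ecp/default.flt,,ServerInfo~exchange01.example.test/ecp/,200
2021-03-02T10:16:02.000Z,/owa/,jdoe@example.test,SMTP:jdoe@example.test,200
2021-03-02T10:17:30.000Z,/ecp/y.js,,ServerInfo~exchange01.example.test/autodiscover/autodiscover.xml,200
"""

ANCHOR_PREFIX = "ServerInfo~"  # routing prefix named in the CISA AA21-062A check


@dataclass(frozen=True)
class Finding:
    timestamp: str
    url_stem: str
    anchor_mailbox: str


def is_suspicious(row: dict) -> bool:
    """CISA AA21-062A criterion for CVE-2021-26855 in HttpProxy logs:
    no authenticated user, yet an AnchorMailbox of the form ServerInfo~host/path."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = (row.get("AnchorMailbox") or "").strip()
    if user:  # a normally authenticated request; not this indicator
        return False
    if not anchor.startswith(ANCHOR_PREFIX):
        return False
    # The indicator is a backend host followed by a path, i.e. a '/' after the prefix.
    return "/" in anchor[len(ANCHOR_PREFIX):]


def scan_httpproxy_log(text: str) -> List[Finding]:
    """Return every row of a HttpProxy CSV log that matches the indicator."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Finding(r["DateTime"], r["UrlStem"], r["AnchorMailbox"])
        for r in reader
        if is_suspicious(r)
    ]


if __name__ == "__main__":
    for f in scan_httpproxy_log(SAMPLE_HTTPPROXY_LOG):
        print(f"{f.timestamp} {f.url_stem} AnchorMailbox={f.anchor_mailbox}")
```

On a real server, read each CSV file from the HttpProxy logging directory and pass its contents to scan_httpproxy_log; findings should be correlated with file-system and Event Log review as the alert describes.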

THE AUTHOR
Tomasz Andrzej Nidecki
Technical Content Writer

Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.

*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/VPINf6YR468/