Security Bloggers Network 
SBN

Microsoft Exchange Server Hack

by Felipe Ruiz on March 11, 2021

The attention of global media, U.S. federal agencies, and other
organizations is partly shifting from one world power to another this
month. I mean, in the cybersecurity field, the Russians were in the
limelight with the SolarWinds supply chain
attack. Now, the Chinese have taken on the
central role. Microsoft has attributed
attacks
on its Exchange Server to a Chinese state-sponsored group. These
cybercriminals took advantage of four zero-day vulnerabilities in that
software and have exploited them to break into many organizations,
primarily in the United States. In this post, we will examine several
details that are known so far about this incident.

What is Microsoft Exchange Server?

Microsoft Exchange Server (MES) is a “software that
provides
the back end to an integrated system for email, calendaring, messaging,
and tasks.” (Outlook, instead, is the app installed on your desktop
that, like other email clients, can be synchronized with MES and used to
send and receive emails.) This program is employed worldwide within
large organizations but also small and medium-sized companies.

It turns out that in early January of this year, the cybersecurity
company Volexity started to
note
abnormal activity in the MES servers of two of its clients. That
activity involved large quantities of data sent to IP addresses
apparently not linked to legitimate users. The Danish company Dubex
also
reported
part of the issue the same month. It was not until
March 2
that the situation became public: Microsoft released
updates
to remediate four zero-day (previously unknown) vulnerabilities
identified in its software.

What were the alerts?

According to Microsoft, these flaws started to be exploited by a Chinese
state-sponsored APT (advanced persistent threat) group it dubbed
Hafnium. Based on the
procedures
and strategies observed, Microsoft said it is a modern and skilled team
with a history of attacks against Office 365 users. Indeed, it is a
Chinese group but “primarily operates from leased virtual private
servers (VPS) in the United States,” said Tung in
ZDNet.

These attackers could access users’ mailboxes, extract content, and
install backdoors on compromised servers for persistent access and
control through such security flaws in the software. Their first
reported attacks impacted higher education and research institutions,
law firms, policy think tanks, defense contractors, and NGOs, mainly in
the United States. The situation looked thornier when the investigation
revealed attacks against the U.S. government agencies. Curiously, these
critical vulnerabilities’ exploitation could affect servers running MES
2013, 2016, and 2019 (on-premises products) but not Exchange Online
(cloud-hosted service).

Microsoft began to publicly request all companies that were making use
of MES to apply the updates as soon as possible. At the same time, it
reflected
concern
that other malicious hacker groups beyond Hafnium could also quickly
target unpatched systems. (It
seems
this has already happened.) On March 3, the U.S. Cybersecurity &
Infrastructure Security Agency (CISA) issued an emergency
directive regarding the matter. It
asked all government agencies to comply with the installation of
patches, especially if there were no indicators of compromise in their
networks and systems. Otherwise, they should “disconnect their Microsoft
Exchange on-premises servers and report their findings to CISA for
further investigation,” said Osborne in
ZDNet.

The next day, CISA updated the
alert,
reporting they were “aware of threat actors using open source tools to
search for vulnerable [MESs]” and that agencies needed to look for
signs of suspicious behavior from at least September 1, 2020. Then, on
March 6, CISA
recommended
that agencies urgently run the script that Microsoft
released
at that time to determine if their systems had been compromised. Around
those days, Chris Krebs, who was director of CISA until Trump fired
him,
posted on his Twitter
account an
intriguing question: “Is this a flex in the early days of the Biden
admin to test their resolve?” In fact, if we go to CNN Politics, we can
find a post titled: “Biden administration
expected
to form [a] task force to deal with Microsoft hack linked to China.”

Photo by Pineapple Supply Co. on Unsplash.

Figure 1. Photo by Pineapple Supply Co.
on Unsplash.

What are the four flaws?

The four MES zero-day vulnerabilities involved in this case are
officially tracked as
CVE-2021-26855,
CVE-2021-26857,
CVE-2021-26858,
and
CVE-2021-27065.
The discovery of the first one (also known as
ProxyLogon) and the last one is attributed to
the researcher “Orange Tsai” of Devcore, a
team of professionals who in October 2020 started reviewing MES
security.

  • CVE-2021-26855 (CVSS 9.1) is a Server-Side Request Forgery
    (SSRF) vulnerability that allows “the attacker
    to
    send arbitrary HTTP requests and authenticate as the Exchange
    server.”

  • CVE-2021-26857 (CVSS 7.8) “is an insecure deserialization
    vulnerability in the Unified Messaging service.” It allows attackers
    to “run code as SYSTEM on the Exchange server,” only if they combine
    it with another flaw or use stolen credentials.

  • CVE-2021-26858 (CVSS 7.8) and CVE-2021-27065 (CVSS 7.8) are
    post-authentication arbitrary file write vulnerabilities. “If
    Hafnium could authenticate with the Exchange server, then they could
    use [any of these vulnerabilities] to write a file to any path on
    the server.”

According to several sources, attackers can carry out attacks using one
or more of the above flaws. Therefore, they can write and deploy
backdoor ‘web shells’ on the servers and have a foothold to execute
further attacks. (Web shells are small, easy-to-use “scripts that
provide
a basic interface for remote access to a compromised system.”) These can
involve stealing credentials, installing malware (Kaspersky
mentioned
the high risks of ransomware), stealing full email inboxes, adding rogue
user accounts, among others.

How worrying is the situation?

The incident with these vulnerabilities seems to have no
connection
with the SolarWinds supply chain attack that has affected around 18,000
organizations worldwide. In this new indiscriminate attack, it appears
that the number of organizations impacted is approximately 30,000. More
recently, some authors have even reported
60,000.
In addition to the types of organizations previously mentioned as
victims are “banks, credit
unions,
non-profits, telecommunications providers, public utilities and police,
fire and rescue units.”

It is currently quite worrying how slowly different companies and
government agencies are patching their systems. Some even consider that
there may be more severe results from this hack attributed to the
Chinese than from the one related to SolarWinds. As the cybersecurity
expert Brian Krebs has
said,
“By all accounts, rooting out these intruders is going to require an
unprecedented and urgent nationwide clean-up effort.” But the longer it
takes everyone to remove the backdoors and update their systems, the
longer attackers will continue to prowl their networks and even expand
their access, reach, and damage.

Let’s keep the following in mind: Last year,
Microsoft
had already warned its MES customers to patch a different critical
vulnerability
(CVE-2020-0688).
Nevertheless, months after the first attacks, “tens of
thousands”
of clients still had their systems not updated with the released patch.
“Microsoft is
concerned
it could see the same scenario play out again with this set of Exchange
server vulnerabilities.” We will see what happens. For now, Microsoft
continues with investigations and offering guidance to its customers on
risk mitigation.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/exchange-server-hack/

Felipe Ruiz