Best of 2021 – Chinese Exchange Hack: At Best, Microsoft is Incompetent

As we close out 2021, we at Security Boulevard wanted to highlight the most popular articles of the year. Following is the next in our series of the Best of 2021.

This week brought news of Chinese “Hafnium” hackers attacking Microsoft Exchange customers. The Microsoft email server product had four nasty zero-day vulnerabilities that were easily chained to steal information and remotely execute code—with elevated privileges.

But this has been going on since January 6—probably earlier. Why on Earth did Microsoft wait eight weeks to tell anyone? What’s it been up to all this time?

Was Microsoft asleep at the switch? With a zero-day being actively exploited, you’d think Microsoft could suggest a mitigation or two.

Some suspect it’s a sneaky way to encourage customers to dump on-prem Exchange and use Office 365 instead. In today’s SB Blogwatch, we yell at Redmond.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Tim Hunkin.

At Worst, Microsoft is Manipulative

What’s the craic, Zack? Mister Whittaker reports—“China-backed hackers are exploiting Exchange zero-days”:

 Microsoft is warning customers that a new China state-sponsored threat actor is exploiting four previously undisclosed security flaws in Exchange Server. … It believes the hacking group, which it calls Hafnium … used the four newly discovered security vulnerabilities to break into Exchange email servers running on company networks, granting the attackers to steal data … and the ability to plant malware.

Patches to fix those four security vulnerabilities [in] Exchange 2013 and later … are now out.

What should people do? Graham Cluley advises, “Patch your Exchange email server now!”:

 Exploitation of the security holes allowed malicious attackers to gain access to email accounts, and allowed other malware to be planted to gain a long-term foothold within organisations. … Microsoft is urging at-risk organisations to install security updates immediately. … The online version of Exchange is not affected by the flaws.

So don’t delay. … Dawdling only increases the chances that Hafnium, or other hacking groups … will attempt to exploit the vulnerabilities in an attack against your organisation.

Who discovered the attacks? Dubex’s Lars Westergaard Birch tells the story—“Please leave an exploit after the beep”:

 [We] investigated suspicious activity on a set of Exchange servers. Generic post exploitation activity was seen, and many POST requests were sent to webshells hosted in the OWA directory.

The webshells were written by the UMWorkerProcess, a part of the Unifying Messaging module. The UM server allows an Exchange organisation to store voicemail and faxes … in users’ mailboxes. … Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone.

Feeding the UM Server with a sufficiently malformed voicemail file caused it to spawn a UMWorkerProcess that deserialised the voicemail and executed contents. … The code executed by UM runs as ‘NT Authority\SYSTEM’ and can unhindered alter the system.

And Volexity’s Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair and Thomas Lancaster call it, “Operation Exchange Marauder”:

 [We] determined the attacker was exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange. … The attacker was using the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access.

The attacker … managed to chain the SSRF vulnerability with another that allows remote code execution (RCE) on the targeted Exchange servers … to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT), and move laterally. … These attacks appear to have started as early as January 6, 2021.

Wait. Pause. What has Microsoft been doing for almost two months? tripodal:

 The patch was signed Feb 14. It’s been ready since at least then, and mitigations would have been available well before work even started on the patch.

Because the right thing for Microsoft to do would be to release this patch as soon as it was ready, not well after it’s fully deployed to [Office 365]. … I see this as nothing less than an intentional delay to force people into the cloud.

That’s a damning indictment. OndraH puts some words through the mincer:

 It is unusual that it took almost two months from spotting exploitation of unpatched vulnerability to releasing fixes. Especially in such case, where majority of deployments have vulnerable interface … open to the public network.

Wow. But genmud doesn’t care:

 I will always chuckle at people who are running their own mail infrastructure because, “It’s more secure than trusting the cloud with my data”.

They always seem to have issues with their DMARC and SPF for some reason. And never are able to setup encryption or other stuff like that. And they always seem to have issues with spam and malware.

And u/Raymich can relate:

 Alright, just finished patching our server. Started documenting at 9AM, had all steps ready at [noon], and it’s now exactly midnight, only because I’ve never updated Exchange server before and nobody else that’s left in IT knows how to do it.

I hate pet servers. Cannot wait to move this thing to O365 in few months. … It was super stressful.

Although some people are wired like Danny 5:

 That was an exciting 24 hours, we were scrambling to get the fixes installed. I love stuff like that, the emergency process kicks in and all responsibility falls firmly on the people executing the updates, no layers upon layers of management that need to put their 2 cents in, short lines and fast turnover, this is what I love most about working in IT.

Got all my customers sorted out, was done at 22:30 last night with the last 2010 server (customer is slow to migrate, they should’ve been gone last year, but they’re still with us on the EOL 2010 servers). Very satisfied with a job well done.

Meanwhile, thomst brings us back down to Earth with a sweary bump:

 CISA has issued an order that all U.S. government Exchange servers must be updated by the end of the business day on Friday, because China has already been exploiting this zero-day vulnerability for an unknown length of time, and has already used it to gain access … to government systems … as well as [a] large number of civilian systems.

Feel scared yet? Because you should.

This is not routine. … CISA has never treated any previous zero-day with that kind of urgency. If unpatched … and the employer for whom you work has any data that might interest the Chinese government … that data has already been pwned.

And Finally:

Irrepressible inventor Tim Hunkin is back

Hat tip: Mark Frauenfelder

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Yannik Mika (via Unsplash)

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 318 posts and counting.See all posts by richi