Microsoft has released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild.
The IT giant reported that at least one China linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments.
“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.” reads the advisory published by Microsoft. “Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”
The attack chain starts with an untrusted connection to Exchange server port 443.
The first zero-day, tracked as CVE-2021-26855, is a server-side request forgery (SSRF) vulnerability in Exchange that could be exploited by an attacker to authenticate as the Exchange server by sending arbitrary HTTP requests.
The second flaw, tracked as CVE-2021-26857, is an insecure deserialization vulnerability that resides in the Unified Messaging service. The flaw could be exploited by an attacker with administrative permission to run code as SYSTEM on the Exchange server.
The third vulnerability, tracked as CVE-2021-26858, is a post-authentication arbitrary file write vulnerability in Exchange.
The last flaw, tracked as CVE-2021-27065, is a post-authentication arbitrary file write vulnerability in Exchange.
According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations. The group historically launched cyber espionage campaigns aimed at US-based organizations in multiple industries, including law firms and infectious disease researchers.
In past campaigns, HAFNIUM attackers also interacted with victim Office 365 tenants.
“HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.” state Microsoft.
HAFNIUM has previously hacked internet-facing servers by exploiting vulnerabilities, and used legitimate open-source frameworks, like Covenant, for command and control. Once the attackers have gained access to a victim network, they typically exfiltrates data to file-sharing services like MEGA.
Tom Burt, Microsoft Corporate Vice President, explained that once gained access to a vulnerable Microsoft Exchange server, Hafnium hackers would use remote access to steal data from an organization’s network
“First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.” wrote Burt.
Administrators are urged to install these security updates immediately to protect their installs.
Microsoft published Indicators of Compromise (IoCs) for these attacks.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, GootKit)