Major Microsoft Exchange hacks spotted in the wild
by Ryan Ozawa
Information security professionals are on high alert as newly-identified vulnerabilities in Microsoft’s Exchange email service are being used against tens of thousands of organizations in the United States alone.
The attacks have prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue a National Cyber Awareness System alert, and have even elicited a response from the White House. And while Microsoft has released patches to close the security holes, considerable damage may already have been done, with more hacks expected until Microsoft Exchange systems are updated.
How do the attacks work?
Attackers are taking advantage of at least four separate vulnerabilities in Microsoft Exchange Server software (classified by Microsoft as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
“These vulnerabilities are used as part of an attack chain,” Microsoft explains. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443 [but] other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
Security firm Volexity says the attackers are using a “server-side request forgery (SSRF) vulnerability” to steal the full contents of several user mailboxes.
“Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system,” explains the CISA alert.
What software is affected?
Microsoft says the vulnerabilities can be found in servers running Exchange Server 2013, 2016, and 2019 software.
“Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments,” CISA notes.
But according to Microsoft, the attackers are probing Office 365 services.
“While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments,” the company says.
Who has been attacked?
Because Microsoft Exchange is so widely used, security experts can only estimate the impact of the attacks so far. As different Internet security firms analyze their networks, some estimate that more than 30,000 organizations have been compromised.
“We have identified an array of affected victims including US-based retailers, local governments, a university, and an engineering firm,” reports FireEye. “Related activity may also include a Southeast Asian government and Central Asian telecom.”
Renowned cybersecurity expert Brian Krebs says his sources have seen “targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”
How serious is the threat?
When Microsoft released its security updates to address the vulnerabilities on March 2, the company said the vulnerabilities had been used in “limited targeted attacks.”
However, as the scope of the attacks became clear, cybersecurity experts sounded the alarm.
“This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment,” Volexity warned. “The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”
Krebs, meanwhile, reported that since the vulnerabilities were publicized, hackers have “dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide,” ensnaring “hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.”
As the attacks began to make headlines this week, National Security Advisor Jake Sullivan urged companies to update their software, and White House Press Secretary Jen Psaki said, “This is a significant vulnerability that could have far-reaching impacts. First and foremost, this is an active threat.”
Who is behind the attacks?
Based on observed tactics, procedures, and targeted victims, Microsoft says it has identified the group responsible for the global barrage of attacks on its Exchange systems.
“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China,” the company reports. “HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”
Microsoft says HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.
How can organizations prevent these attacks?
The most important step is to update Microsoft Exchange Server software. Microsoft has released emergency security updates that patch these vulnerabilities, and the Microsoft Exchange Server team has published a blog post that also includes a script for quickly inventorying the patch-level status of on-premises Exchange servers.
Because the first step in the attack chain targets server port 443, which is used by Microsoft Exchange, Microsoft says “this can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access.”
Note that while the Exchange attack chain targets port 443 (HTTPS), most email systems (including Paubox) rely on port 25, the standard port for SMTP mail transfer.
Finally, if your Microsoft Exchange system is fully patched, it’s important to make sure that it wasn’t previously compromised.
To determine whether your Microsoft Exchange Server has malicious software already installed, the Exchange Server team has created a script to run a check for HAFNIUM “indicators of compromise” (IOCs) focused on performance and memory issues. That script is available here.
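One way to carry out the patch-level inventory described above, as an added example that is not the article's or Microsoft's own script: from the Exchange Management Shell, query each on-premises Exchange server for the file version of ExSetup.exe and compare it with a minimum patched build. The check deliberately reads ExSetup.exe rather than the AdminDisplayVersion shown by Get-ExchangeServer, because AdminDisplayVersion reflects only the cumulative update and does not change when a Security Update is installed. It assumes PowerShell remoting to every server, and the build numbers in the table are placeholders, not real values: fill them in from Microsoft's March 2021 update notes for your cumulative update level.

```powershell
# Added example (not from the article or from Microsoft): flag on-premises
# Exchange servers whose ExSetup.exe build is below a minimum patched build.
# Assumes the Exchange Management Shell (Get-ExchangeServer) and PowerShell
# remoting to each server.

# PLACEHOLDER minimum builds (assumed values, one per Exchange release line).
# They are set impossibly high on purpose so that every server reports
# "NEEDS PATCH" until you replace them with the real post-patch builds from
# Microsoft's release notes; a wrong low value would silently hide exposure.
$MinimumPatchedBuild = @{
    '15.0' = [version]'15.0.9999.9999'   # Exchange Server 2013 - placeholder
    '15.1' = [version]'15.1.9999.9999'   # Exchange Server 2016 - placeholder
    '15.2' = [version]'15.2.9999.9999'   # Exchange Server 2019 - placeholder
}

function Get-ExchangeSetupBuild {
    # Returns the ExSetup.exe file version for one server. Unlike
    # Get-ExchangeServer's AdminDisplayVersion, this value changes when a
    # Security Update is installed, so it is the one to compare against.
    param([Parameter(Mandatory)][string]$ComputerName)
    $raw = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
    }
    # Output is zero-padded (e.g. 15.02.0792.010); [version] parses it cleanly.
    return [version]$raw
}

function Get-ExchangePatchStatus {
    # One status record per server; errors are reported, not swallowed.
    foreach ($server in Get-ExchangeServer) {
        $build = $null; $minimum = $null
        try {
            $build   = Get-ExchangeSetupBuild -ComputerName $server.Fqdn
            $minimum = $MinimumPatchedBuild["$($build.Major).$($build.Minor)"]
            $status  = if ($null -eq $minimum)     { 'UnknownRelease' }
                       elseif ($build -lt $minimum) { 'NEEDS PATCH' }
                       else                         { 'Patched' }
        } catch {
            $status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Server  = $server.Name
            Build   = $build
            Minimum = $minimum
            Status  = $status
        }
    }
}

Get-ExchangePatchStatus | Format-Table -AutoSize
```

Any server reporting "NEEDS PATCH" or "Error" should be treated as unverified and exposed until the update is confirmed another way; a server that shows "Patched" still needs the indicator-of-compromise check described above, since patching closes the door but does not remove anything an attacker installed beforehand.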