Microsoft is urging customers to install emergency patches as soon as possible to protect against sophisticated hackers who are using four zero-day vulnerabilities in Exchange Server.
The software maker says that hackers working on behalf of the Chinese government are using previously unknown exploits to break into fully patched Exchange Server software. So far, Hafnium, as Microsoft calls the group, is the only one it has seen exploiting the vulnerabilities, but the company says that could change.
“Although we have worked quickly to update for Hafnium exploits, we know that many national actors and criminal organizations will be quick to take advantage of any unpatched systems,” Microsoft Corporate Vice President of Consumer Protection & Trust Tom Burt wrote in a post published Tuesday afternoon. “Using up-to-date patches is the best defense against this attack.”
Burt did not identify the targets other than to say they were businesses that used on-premises Exchange Server software. He said Hafnium operates from China, primarily to steal data from US-based epidemiologists, law firms, universities, defense contractors, policy think tanks, and non-governmental organizations.
Burt added that Microsoft does not know which individual users were targeted, nor whether the operations affected other Microsoft products. He also said the attacks were not linked to the SolarWinds-related hacks that hit at least nine US government agencies and about 100 private companies.
The zero-days affect Microsoft Exchange Server 2013, 2016, and 2019. The four vulnerabilities are:
- CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when a program deserializes untrusted, user-controllable data. Exploiting this vulnerability gives Hafnium the ability to run code as SYSTEM on the Exchange server. Exploiting it requires administrator permission or another vulnerability.
- CVE-2021-26858, a post-authentication arbitrary file write vulnerability. If Hafnium can authenticate with the Exchange server, it can use this vulnerability to write a file to any path on the server. The group can authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator's credentials.
- CVE-2021-27065, a post-authentication arbitrary file write vulnerability. If Hafnium can authenticate with the Exchange server, it can use this vulnerability to write a file to any path on the server. The group can authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator's credentials.
The attack, Burt said, includes the following steps:
- Gain access to the Exchange server, either with stolen passwords or by using the zero-days to disguise themselves as someone who should have access.
- Create a web shell to remotely control the compromised server.
- Use that remote access to steal data from the target's network.
As is typical for Hafnium, the group operates from private servers located in the US. Volexity, a security company that privately reported the attacks to Microsoft, says the attacks appear to have started as early as January 6.
“While the attackers seem to have flown under the radar at first by simply stealing emails, they soon launched operations to gain a foothold,” Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster wrote. “From Volexity’s perspective, this exploit appears to involve multiple operators using a variety of tools and methods for misappropriating credentials, outsourcing, and further back-end systems.”
Besides Volexity, Microsoft also credits the security company Dubex with privately reporting different parts of the attack to Microsoft and assisting in the subsequent investigation. Businesses running a vulnerable version of Exchange Server should apply the patches as soon as possible.