Another zero-day hack hit the headlines this past weekend, affecting over 30,000 organizations using Microsoft Exchange Server 2013, 2016 or 2019. Here’s what Microsoft has released on the issue:
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today’s Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.
Your IT provider can read further on the nature of these vulnerabilities through these MSRC reports:
CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service, where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gives HAFNIUM the ability to run code as SYSTEM on the Exchange server (requires administrator permission or another vulnerability to exploit).
CVE-2021-26858: A post-authentication arbitrary file write vulnerability in Exchange. If the Exchange server could be leveraged to authenticate, the hacker could use this vulnerability to write a file to any path on the server. Authentication could be obtained by exploiting the CVE-2021-26855 SSRF vulnerability or through direct compromise of legitimate admin credentials.
CVE-2021-27065: A post-authentication arbitrary file write vulnerability in Exchange. HAFNIUM could authenticate with the Exchange server and then use this vulnerability to write a file to any path on the server. Authentication is obtained through exploiting the CVE-2021-26855 SSRF vulnerability or through direct compromise of legitimate admin credentials.
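Since the only fix for all four CVEs is the MSRC update, the first thing an administrator needs to know is whether a given server is actually running a patched build. The following PowerShell snippet is an added example, not code from Microsoft or from Secure Network Technologies. It reads the installed build from ExSetup.exe (the file whose version Microsoft documents as reflecting the installed security update) and compares it against a minimum patched build per Exchange version. The build numbers in the table are placeholders; substitute the real March 2021 security-update build for your Cumulative Update from the MSRC release notes before relying on the result.

```powershell
# Added example (not Microsoft's or Secure Network Technologies' code).
# Run on the Exchange server itself in an elevated PowerShell session.
#
# Minimum patched builds per Exchange major.minor version. These values are
# PLACEHOLDERS; replace them with the build numbers listed in the MSRC
# release for the Cumulative Update you have installed.
$PatchedBuilds = @{
    '15.0' = [version]'15.0.0.0'   # placeholder: Exchange Server 2013
    '15.1' = [version]'15.1.0.0'   # placeholder: Exchange Server 2016
    '15.2' = [version]'15.2.0.0'   # placeholder: Exchange Server 2019
}

function Get-ExchangeBuild {
    # ExSetup.exe lives in the Exchange Bin directory, which Exchange adds to
    # PATH, so Get-Command resolves it without a hard-coded install path.
    $setup = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$setup.FileVersionInfo.ProductVersion
}

function Test-ExchangePatched {
    param(
        [Parameter(Mandatory)][version]$Build,
        [hashtable]$Minimum = $PatchedBuilds
    )
    $key = '{0}.{1}' -f $Build.Major, $Build.Minor
    if (-not $Minimum.ContainsKey($key)) {
        throw "Unrecognised Exchange build family $key (expected 15.0, 15.1 or 15.2)"
    }
    # A build at or above the minimum for its family carries the update.
    return ($Build -ge $Minimum[$key])
}

$build = Get-ExchangeBuild
if (Test-ExchangePatched -Build $build) {
    Write-Output "Exchange build $build meets the minimum patched build."
} else {
    Write-Output "Exchange build $build is BELOW the minimum patched build; apply the MSRC update now."
}
```

The comparison is done per build family (15.0 = 2013, 15.1 = 2016, 15.2 = 2019) because the security update ships as a different build for each, so a single global threshold would mis-classify servers. Run it on every on-premises Exchange server, since Exchange Online is not affected and is not covered here.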
Get Protected Now
Secure Network Technologies is prepared to help your organization defend itself from this attack. If your organization is using Microsoft Exchange Server 2013-2019, contact us immediately using the form below or by calling: 315-579-3373