
Microsoft Exchange Server hacked

(Information collected from ZDnet)

Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a state-sponsored threat group from China and appear to have been adopted by other cyberattackers in widespread attacks.

WHAT HAPPENED?

Microsoft told security expert Brian Krebs that the company was made aware of four zero-day bugs in “early” January.

On March 2 – Microsoft released patches for the vulnerabilities and, at the same time, said that the bugs were being actively exploited in “limited, targeted attacks.”

On March 12 – Microsoft focused its investigation on whether the hackers obtained the means to attack Exchange Server through Microsoft partners, either intentionally or unintentionally. It is suspected that the hackers possessed “proof of concept” attack code that Microsoft had shared with antivirus companies as part of the Microsoft Active Protections Program (MAPP).

WHAT ARE THE VULNERABILITIES AND WHY ARE THEY IMPORTANT?

The critical vulnerabilities impact on-premise Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. However, Exchange Online is not affected. 

  • CVE-2021-26855: CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability leading to crafted HTTP requests being sent by unauthenticated attackers. Servers need to be able to accept untrusted connections over port 443 for the bug to be triggered.
  • CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM. However, this vulnerability needs to be combined with another or stolen credentials must be used.
  • CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability that lets an attacker write files to arbitrary paths on the server.
  • CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability that lets an attacker write files to arbitrary paths on the server.

If used in an attack chain, all of these vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.

In summary, Microsoft says that attackers secure access to an Exchange Server either through these bugs or stolen credentials and they can then create a web shell to hijack the system and execute commands remotely.

WHO IS RESPONSIBLE FOR KNOWN ATTACKS?

Microsoft says that attacks using the zero-day flaws have been traced back to Hafnium.

Hafnium is a state-sponsored advanced persistent threat (APT) group from China that is described by the company as a “highly skilled and sophisticated actor.” 

While Hafnium originates in China, the group uses a web of virtual private servers (VPS) located in the US to try and conceal its true location. Entities previously targeted by the group include think tanks, non-profits, defense contractors, and researchers. 

HOW CAN I CHECK MY SERVERS AND THEIR VULNERABILITY STATUS? WHAT DO I DO NOW?

Microsoft has released security fixes, and customers and IT administrators should apply them immediately. Applying the fixes now does not mean that servers have not already been backdoored or otherwise compromised.

On March 8, Microsoft released an additional set of security updates that can be applied to older, unsupported Cumulative Updates (CUs) as a temporary measure. 

CISA issued an emergency directive on March 3 that demanded federal agencies immediately analyze any servers running Microsoft Exchange and to apply the firm’s supplied fixes. 

If there are any indicators of suspicious behavior dating back as far as September 1, 2020, CISA requires agencies to disconnect them from the Internet to mitigate the risk of further damage. The FBI has also released a statement on the situation.
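As an added illustration of the “check your servers” step (example code written for this post, not from ZDNet, Microsoft or CISA): a small scan that walks a web root, picks out .aspx files modified on or after the September 1, 2020 date quoted above, and ranks them by assumed web-shell markers. The marker heuristics, directory names and sample files are constructed for the demo; a hit is a triage lead to inspect, not proof of compromise.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Earliest activity date the post quotes from CISA's directive.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Assumed heuristics: constructs single-file ASPX web shells typically contain.
SHELL_MARKERS = {
    "reads-request-param": re.compile(r'Request\s*\[\s*"[^"]+"\s*\]', re.I),
    "eval-call": re.compile(r'\beval\s*\(', re.I),
    "spawns-process": re.compile(r'Process\.Start|ProcessStartInfo', re.I),
    "jscript-directive": re.compile(r'Language\s*=\s*"?JScript', re.I),
}

def scan_web_root(root, cutoff=CUTOFF):
    """Return [(path, mtime, [marker names])] for .aspx files modified on or
    after `cutoff` that match at least one marker, most markers first."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            if mtime < cutoff:
                continue  # predates the activity window; skip
            with open(path, "r", errors="replace") as fh:
                body = fh.read()
            found = [k for k, rx in SHELL_MARKERS.items() if rx.search(body)]
            if found:
                hits.append((path, mtime, found))
    return sorted(hits, key=lambda h: -len(h[2]))

def demo():
    """Constructed web root: one old benign page and one fresh file carrying
    marker text (deliberately not a working page). Returns the scan result."""
    root = tempfile.mkdtemp()
    benign = os.path.join(root, "owa", "default.aspx")
    os.makedirs(os.path.dirname(benign))
    with open(benign, "w") as fh:
        fh.write('<%@ Page Language="C#" %><html>Sign in</html>')
    os.utime(benign, (1_500_000_000, 1_500_000_000))  # backdate to 2017
    odd = os.path.join(root, "aspnet_client", "x.aspx")
    os.makedirs(os.path.dirname(odd))
    with open(odd, "w") as fh:
        fh.write('constructed sample: Request["a"] eval( Process.Start')
    return scan_web_root(root)
```

Run `demo()` to see the constructed case flagged; on a real server, point `scan_web_root` at the IIS web root and review each hit by hand.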

By Adars Manilal
