Vulnerabilities discovered earlier this year in Microsoft’s Exchange Server are being used by cyber-attackers (including state-sponsored groups) to steal data and gain access to sensitive information. Microsoft Exchange Server is an email server, collaboration solution and calendaring service used by organisations of all sizes in countries across the globe.
The issue is thought to have compromised more than 7,000 servers in the UK alone and many are still thought to be at high risk. The National Cyber Security Centre (UK) has warned that it is “vital” that all businesses take further action to secure their email servers.
What are the vulnerabilities?
The first known attack occurred on January 6th. Microsoft has since become aware of four ‘zero-day’ vulnerabilities known collectively as ProxyLogon. They affect on-premises Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. However, it is believed that Exchange Online has not been affected.
The four vulnerabilities are as follows.
- CVE-2021-26855: CVSS 9.1. This is a Server-Side Request Forgery (SSRF) vulnerability that can allow attackers to craft their own HTTP requests. For this bug to be triggered, servers must accept untrusted connections over port 443.
- CVE-2021-26857: CVSS 7.8. This is an insecure de-serialisation vulnerability within the Exchange Unified Messaging Service that allows arbitrary code to be run as SYSTEM. However, exploiting it requires either stolen credentials or a combination with another vulnerability.
- CVE-2021-26858: CVSS 7.8. This is a post-authentication arbitrary ‘file write’ vulnerability that lets an attacker write a file to any path on the server.
- CVE-2021-27065: CVSS 7.8. Again, this is a post-authentication arbitrary ‘file write’ vulnerability that lets an attacker write a file to any path on the server.
When these vulnerabilities are exploited in an attack chain they can facilitate server hijacking, remote code execution (RCE), backdoor implanting, data theft and additional malware deployment. Most worryingly, attackers can also use their access to create a web shell that allows them to execute commands remotely even after the original vulnerabilities are patched.
Who are the attackers?
According to Microsoft, attacks exploiting the zero-day flaws have been traced back to Hafnium – a state-sponsored group from China. However, Hafnium is no longer the only group involved: other groups and freelance actors have quickly taken advantage of the situation. The vulnerabilities were probably used initially to conduct espionage but can now be exploited to deploy ransomware or steal commercially valuable data.
In the US, known targets have included local government bodies, universities, engineering companies and big retailers. In Europe, one of the most high-profile victims was the European Banking Authority, which has since said that the breach did not go “beyond their email servers”.
What have Microsoft done about it?
At the beginning of March, Microsoft released patches aimed at tackling the four vulnerabilities in Microsoft Exchange. On March 8th, they released an additional set of updates that can be applied to older and officially unsupported versions. Then on March 15th they released a one-click tool to make it simpler for smaller businesses to mitigate the risks to their internet-exposed servers. Finally, as of March 18th they have added automatic on-premises Exchange Server mitigation measures to their Defender Antivirus software.
How can organisations defend against this and similar attacks?
You can defend yourself from the most common initial attack by blocking untrusted connections to port 443 on the Exchange Server, or by setting up a VPN to separate Exchange Server from external access. However, attack chains can also be initiated by malicious files or by using stolen personal credentials. Such credentials are often traded between malicious and criminal groups.
If you have an IT Support company, then ensure they’re aware of the issue and have mitigated any impact via software updates, or by protecting the resources with a firewall.
Applying Microsoft’s patches and security fixes as soon as they become available will also help to prevent future attacks that try to exploit the now well-known Exchange vulnerabilities. However, you also need to be aware that your server could already have been compromised, so you need to be vigilant in monitoring server and network activity.
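One way to start checking for a web shell left behind before patching, as an added example that is not part of the original article or of Microsoft's tooling: the Python script below walks a web root (or a copy of it) and lists script files modified on or after the first known attack, or whose hash is missing from a known-good list. The extension list, the function names and the year 2021 (taken from the CVE identifiers) are assumptions.

```python
import hashlib
import os
import sys
from datetime import datetime, timezone

# First known attack per the article (6 January); year 2021 assumed from the CVE ids.
FIRST_KNOWN_ATTACK = datetime(2021, 1, 6, tzinfo=timezone.utc)
# Assumption: extensions the web server will execute; extend for your setup.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_suspect_scripts(root, since=FIRST_KNOWN_ATTACK, known_good=None):
    """Return sorted (path, reason, sha256) tuples for files needing review.
    With known_good (SHA-256 values from a clean install of the same build),
    any script file not in that set is flagged; otherwise files with an mtime
    on or after `since` are flagged. An intruder can alter timestamps, so the
    hash comparison is the stronger signal."""
    cutoff = since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
                digest = sha256_of(path)
            except OSError:
                hits.append((path, "unreadable", ""))  # review by hand
                continue
            if known_good is not None:
                if digest not in known_good:
                    hits.append((path, "unknown-hash", digest))
            elif mtime >= cutoff:
                hits.append((path, "modified-since", digest))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_suspect_scripts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*hit[1:], hit[0], sep="\t")
```

A hit is a file to review, not proof of compromise: legitimate updates also change script files, which is why the known-good hash list gives the cleaner result.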