Written by Jay Jay Davey
At the start of March 2021, Microsoft released information about zero-day exploits targeting on-premises Exchange servers. Since then, there has been a flurry of attacks attributed to different threat actor groups, in particular a group named HAFNIUM.
What Has Occurred?
On March 2, 2021, Microsoft released out-of-band security updates to address the four vulnerabilities that had been discovered. This was soon met by a large number of threat actors targeting Exchange servers to gain access and ultimately compromise networks.
What Are CyberClan Seeing?
We have observed threat actors exploiting the server-side request forgery vulnerability (CVE-2021-26855). If the Exchange server accepts untrusted connections over 443/tcp, the attacker can send crafted HTTP requests to it; once the exploit succeeds, this vulnerability allows the attacker to authenticate as the Exchange server.
Once the threat actor is in the Exchange server, you will commonly see credential dumping activity taking place before they are able to fully leverage the other three vulnerabilities. However, there have been reports that two of the vulnerabilities, namely the arbitrary file write vulnerabilities (CVE-2021-26858 and CVE-2021-27065), have been exploited post-authentication, after using the SSRF exploit, without the need for any other credentials. This furthers the overall control the attacker can gain.
Further to this, once the compromise has occurred and the Exchange server is fully under the threat actor's control, the attack matures into more devastating attacks, such as ransomware, data exfiltration and more, because the attacker is able to abuse the trust relationship between the Exchange server and the network it resides on.
A Pathway Carved For Ransomware Attacks
Given the nature of ProxyLogon (CVE-2021-26855), the attacker can gain enough of a foothold to deploy ransomware across the local network. This has recently been observed with the announcement of a new ransomware family dubbed “DearCry”, which increases the impact this attack has had. DearCry is only one of many ransomware variants that can be chained together with ProxyLogon.
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability which allows the attacker to authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialisation vulnerability in the Unified Messaging service, which could allow code to be run as SYSTEM.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability which allows the attacker to write a file to any path on the server; this is commonly used in conjunction with the SSRF vulnerability.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability which allows the attacker to write a file to any path on the server; this is commonly used in conjunction with the SSRF vulnerability.
What Are CyberClan's Recommendations?
We recommend taking a holistic approach to network security, ensuring all assets are up to date with the latest patches and that security controls are layered in a defence-in-depth approach to ensure a high level of protection.
We have listed some key points below:
Patch Your Exchange Server – Ensure that your Exchange server has the latest security patches from Microsoft.
Protect Your Exchange Server – Installing a host intrusion prevention solution on the server could stop the attack from causing a large impact, and warn the relevant teams of the events.
Monitor Your Assets – Ensure that you are monitoring your environment for malicious activity, or behaviour that deviates from the known normal; this could be indicative of an attack.
Check For Indicators Of Compromise – There are several free tools that will enable you to scan your Exchange server for indicators of compromise; we recommend the one released by Microsoft (https://github.com/microsoft/CSS-Exchange/tree/main/Security).
If you have concerns about how the Microsoft zero-day attack may have affected your Exchange server, or require assistance with patching, scanning and checking for a compromise, please contact our incident response team to discuss how we can help.