Exchange Server Bug: Microsoft knew from January


Microsoft released several “out-of-band” patches last week to address four zero-day vulnerabilities that were exploited to perform various attacks against Exchange Server. It now turns out that the security issue was reported in early January, so it took the Redmond company nearly two months to fix the bugs.

Exchange Server Bugs: Patch Overdue

According to the timeline published by Brian Krebs, the first report was made on January 5 by the security company DEVCORE. Further reports came in the following days from Volexity, Dubex and Trend Micro. Microsoft told DEVCORE that the patches would be released on March 9 (Patch Tuesday), but the company decided to bring the release forward by a week because several groups of cybercriminals (not just the Chinese group Hafnium) were exploiting the vulnerabilities to install backdoors on Exchange Server.

In the post published on its official blog, Microsoft wrote that the zero-day exploits had been used to carry out a limited number of attacks. In reality, there are over 60,000 victims worldwide (double the number reported a few days ago). One of them is the European Banking Authority (EBA), which has confirmed that attackers gained access to emails stored on its servers.

Microsoft has updated the original post, specifying that attacks by other groups of cybercriminals have been identified (at least four, according to MIT Technology Review sources). The exploits allow attackers to install web shells, which are then used to steal data, upload files and execute commands remotely.

The Redmond company has updated Microsoft Defender, Azure Sentinel and the Microsoft Safety Scanner tool to detect and remove the web shells (backdoors). Patches were also released for Exchange Server 2010, so the vulnerabilities had been present for over ten years. The US government is reportedly planning a response to the attacks attributed to China and to Russia (SolarWinds).

Source: Krebs on Security




Everything you need to know about the Microsoft Exchange Server hack

Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a state-sponsored threat group from China and appear to have been adopted by other cyberattackers in widespread attacks.


While in no way believed to be connected to the SolarWinds supply chain attack that has impacted an estimated 18,000 organizations worldwide -- so far -- there is concern that lags in patching vulnerable servers could have a similar impact, or worse, on businesses. 




Here is everything you need to know about the security issues and our guide will be updated as the story develops. 

What happened?

Microsoft told security expert Brian Krebs that the company was made aware of four zero-day bugs in 'early' January. 


A DEVCORE researcher, credited with finding two of the security issues, appears to have reported them around January 5. Going under the handle 'Orange Tsai,' the researcher tweeted:


'Just report a pre-auth RCE chain to the vendor. This might be the most serious RCE I have ever reported.'


According to Volexity, attacks using the four zero-days may have started as early as January 6, 2021. Dubex reported suspicious activity on Microsoft Exchange servers in the same month.


On March 2, Microsoft released patches to tackle the four severe vulnerabilities in Microsoft Exchange Server software. At the time, the company said that the bugs were being actively exploited in 'limited, targeted attacks.'


Microsoft Exchange Server is an email inbox, calendar, and collaboration solution. Users range from enterprise giants to small and medium-sized businesses worldwide. 


While fixes have been issued, the scope of potential Exchange Server compromise depends on the speed and uptake of patches -- and the number of estimated victims continues to grow. 

What are the vulnerabilities and why are they important?

The critical vulnerabilities impact on-premise Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. However, Exchange Online is not affected. 

  • CVE-2021-26855: CVSS 9.1: a Server-Side Request Forgery (SSRF) vulnerability that lets unauthenticated attackers send crafted HTTP requests. The server must accept untrusted connections over port 443 for the bug to be triggered.
  • CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging service, allowing arbitrary code execution as SYSTEM. However, it must be combined with another vulnerability or with stolen credentials.
  • CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability.
  • CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability.
  • If used in an attack chain, these vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.


In summary, Microsoft says that attackers gain access to an Exchange Server either through these bugs or with stolen credentials, and can then create a web shell to hijack the system and execute commands remotely.

'These vulnerabilities are used as part of an attack chain,' Microsoft says. 'The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.'

Who is responsible for known attacks?

Microsoft says that attacks using the zero-day flaws have been traced back to Hafnium.

Hafnium is a state-sponsored advanced persistent threat (APT) group from China that is described by the company as a 'highly skilled and sophisticated actor.'

While Hafnium originates in China, the group uses a web of virtual private servers (VPS) located in the US to try to conceal its true location. Entities previously targeted by the group include think tanks, non-profits, defense contractors, and researchers.

Is it just Hafnium?

When zero-day vulnerabilities in popular software come to light and emergency security fixes are issued, the ramifications can be massive. Problems can often be traced back to lack of awareness of new patches, slow uptake, or reasons why IT staff cannot apply a fix -- whether because they are unaware that the organization is using the software, third-party libraries, or components at risk, or because of compatibility problems.

Mandiant says further attacks against US targets include local government bodies, a university, an engineering company, and retailers. The cyberforensics firm believes the vulnerabilities could be used for ransomware deployment and data theft.

Sources have told cybersecurity expert Brian Krebs that approximately 30,000 organizations in the US have been hacked so far. Bloomberg estimates put this figure closer to 60,000, as of March 8. In an update on March 5, Microsoft said the company 'continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium.'

The European Banking Authority is one of the latest victims. The EBA says there is 'no indication to think that the breach has gone beyond our email servers.' An assessment is underway.

The US Cybersecurity and Infrastructure Security Agency (CISA) says that the agency is 'aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers.'

The Biden Administration is expected to form a task force to explore the reported links between Microsoft Exchange attacks and China, according to CNN.

How can I check my servers and their vulnerability status? What do I do now?

Microsoft has urged IT administrators and customers to apply the security fixes immediately. However, applying the fixes now does not mean that servers have not already been backdoored or otherwise compromised.

Interim mitigation guides are also available if patching immediately is not possible.

The Redmond giant has also published a script on GitHub that IT administrators can run to check for indicators of compromise (IoCs) linked to the four vulnerabilities. IoCs are listed separately here.

On March 8, Microsoft released an additional set of security updates that can be applied to older, unsupported Cumulative Updates (CUs) as a temporary measure.

CISA issued an emergency directive on March 3 that demanded federal agencies immediately analyze any servers running Microsoft Exchange and apply the firm's supplied fixes.

If there are any indicators of suspicious behavior dating back as far as September 1, 2020, CISA requires agencies to disconnect the affected servers from the Internet to mitigate the risk of further damage. The FBI has also released a statement on the situation.


Microsoft continues to investigate, and we will update this guide as more information comes to light.
