MCP Insights

Cybersecurity Threat Advisory: Critical Microsoft Exchange Server Vulnerabilities

Posted on March 12, 2021 by Mike Beagles

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.

This week there is a new critical alert that requires the mission-critical community’s immediate attention.

Advisory overview

Microsoft released several security updates in response to targeted attacks against vulnerabilities found in Microsoft Exchange Server (versions 2013, 2016, and 2019). Though the attacks appear to be limited, Microsoft is urging the immediate updating of all affected systems to mitigate the vulnerabilities and prevent further abuse within networking environments where Exchange servers are in use. Microsoft attributes the activity to a cyberattack group known as “Hafnium.”

What is the threat?

At the time of this writing, there are four zero-day exploits of which users of Microsoft Exchange Server versions 2013, 2016, or 2019 need to be aware. They are described in detail in the following common vulnerabilities and exposures (CVE) documents: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. These vulnerabilities include a server-side request forgery (SSRF) that would enable a cyberattacker to send arbitrary Hypertext Transfer Protocol (HTTP) requests and authenticate as the Exchange server.

Another is an insecure deserialization vulnerability in Microsoft’s unified messaging service that would enable the attacker to run code as SYSTEM on the Exchange server, and a third is a post-authentication arbitrary write vulnerability that would enable the attacker to write a file to any path on the server. These vulnerabilities previously have been used by Hafnium, which is the only cyberattack group that Microsoft has seen using the exploits.

Why is this noteworthy?

It is believed that Hafnium is a state-sponsored organization that operates out of China. It also is known to conduct operations over leased virtual private servers in the United States, which is where most of its targets and victims are located. It should be noted that the attacks are aimed primarily at businesses that run Microsoft Exchange Server; the attack vector is not aimed at individual consumers, and no other Microsoft products are affected by the vulnerabilities. Microsoft also wanted to make it known that Exchange Online is not affected by the critical vulnerabilities.

It is presumed that Hafnium primarily targets organizations based in the U.S. to steal data across multiple industry sectors. U.S. government agencies also have been notified and informed of the attacks.

What is the exposure?

Though Microsoft believes at this point that Hafnium is the only group that has been exploiting the vulnerabilities, as knowledge of the exploit spreads, the software giant also believes that the number of groups or individuals attempting to leverage the exploit could change. Even though Microsoft acted quickly in releasing patches for the exploits, it is expected that many cyberattackers will try to take advantage of the opportunity to exploit those systems that have not applied the prescribed updates.

What are the recommendations?

MCP recommends the immediate patching of all affected versions of Microsoft Exchange Server (versions 2013, 2016, and 2019) with the latest updates. If you suspect that any of your Exchange servers have been compromised, then we highly recommend that you conduct the appropriate investigation and implement any necessary detection methods to identify any present and future targeted attacks.

Please refer to the article published by Microsoft for a list of the web shell hashes and file names for known host indicators of compromise (IOC), as well as other resources and detection techniques, including:

  • How to check patch levels of Microsoft Exchange Server
  • How to scan Exchange log files for indicators of compromise
  • Where to check for suspicious .zip, .rar, and .7z files that may indicate data exfiltration
  • Microsoft Defender Antivirus detections, Microsoft Defender for Endpoint detections, Azure Sentinel detections, and advanced hunting queries
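The first three checks above, as an added triage script that is not part of the MCP advisory or Microsoft’s article. It assumes it is run in the Exchange Management Shell on an on-premises server, that the operator fills in the patched build numbers for each version from Microsoft’s update page (the values below are placeholders), and that the archive search paths are adjusted to the local layout.

```powershell
# Added example: Exchange patch-level and archive-file triage for defenders.
param(
    # PLACEHOLDER build numbers: replace with the patched builds Microsoft lists
    # for each version. Keys are the major.minor of the installed build:
    # 15.0 = Exchange 2013, 15.1 = Exchange 2016, 15.2 = Exchange 2019.
    [hashtable]$PatchedBuilds = @{
        '15.0' = [version]'15.0.0.0'   # Exchange 2013 - PLACEHOLDER
        '15.1' = [version]'15.1.0.0'   # Exchange 2016 - PLACEHOLDER
        '15.2' = [version]'15.2.0.0'   # Exchange 2019 - PLACEHOLDER
    },
    # Assumed search locations for staged archives; adjust to your environment.
    [string[]]$ArchiveSearchPaths = @("$env:ProgramData", "$env:SystemRoot\Temp"),
    [int]$LookbackDays = 30
)

# 1. Patch level: the file version of ExSetup.exe reflects the installed
#    cumulative update and security update build, unlike AdminDisplayVersion,
#    which only shows the cumulative update.
$installed = [version](Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo.FileVersion
$key       = '{0}.{1}' -f $installed.Major, $installed.Minor
$required  = $PatchedBuilds[$key]

if (-not $required) {
    Write-Warning "Unrecognized Exchange build $installed (major.minor $key)"
} elseif ($installed -lt $required) {
    Write-Warning "Exchange build $installed is below patched build $required - apply the update"
} else {
    Write-Output "Exchange build $installed is at or above patched build $required"
}

# 2. Recently written .zip/.rar/.7z files in the assumed locations, newest first.
#    Unexpected archives here can indicate data being staged for exfiltration.
$since = (Get-Date).AddDays(-$LookbackDays)
Get-ChildItem -Path $ArchiveSearchPaths -Recurse -File -Include *.zip,*.rar,*.7z -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    Select-Object FullName, Length, LastWriteTime |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Treat any archive the script lists as a lead to investigate against Microsoft’s published IOC list, not as confirmation of compromise.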

For more in-depth information about the recommendations, please visit the following links:

Mike Beagles has specialized experience with supporting mission-critical communications agencies by providing technical expertise, strategic IT planning, and architecting both on-prem and shared systems for new and innovative technologies as well as legacy solutions. He currently manages the platform and suite of tools used to deliver MCP network and cybersecurity monitoring to our clientele.
