www.belgium.be Logo of the federal government

Multiple Critical Vulnerabilities for Microsoft Exchange

Reference: 
Advisory #2021-0003
Version: 
1.2 (Updated on 16 March 2021)
Affected software: 
Microsoft Exchange Server 2013, 2016 and 2019
Microsoft Exchange Server 2010 is out of support but is being updated for Defence-in-Depth purpose
Type: 
Zero-day, vulnerabilities chain leading to remote code execution
CVE/CVSS: 
Actively exploited in known attacks

Not related to known attacks, but still dangerous enough to patch

 

Sources

Microsoft’s blog - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

IOCs and more context (Updated by Microsoft on 8 March 2021) - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Frequently Asked Questions (Updated by Microsoft on 8 March 2021) - https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

Extensive Incident Response guide (Updated by Microsoft on 16 March 2021) :  https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/

Risks

Microsoft has detected multiple 0-day exploits being used to attack on-premise versions of Microsoft Exchange Server in limited and targeted attacks.

In the attacks observed, the threat actor used these vulnerabilities to access on-premise Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. All this could be done without any need for authentication.

UPDATE 16/03/2021: It has been determined that malicious actors are installing web shells in vulnerable systems.

Organisations and companies that do not take action can become the victim of ransomware or data exfiltration.

Description

Microsoft has released several security updates for Microsoft Exchange Server to address vulnerabilities that have been used in limited targeted attacks.  

The report mentions 4 of the 7 vulnerabilities patched that are used in these attacks.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 & CVE-2021-27065 are post-authentication arbitrary file write vulnerabilities in Exchange. Authentication is possible by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

The following CVEs are not related to the attacks but should be patched as well: CVE-2021-26412, CVE-2021-26854 and CVE-2021-27078.

UPDATE 16/03/2021: It is important to make a distinction between the "on-premises", "hybrid" and "online" setups of Microsoft Exchange. On-premises software means that the software is installed in the company itself, on the computers and servers of the company. Hybrid means that the software is installed both in the company and online (in the cloud). The Hafnium cyberattack has an impact on these two setups. There is no impact on companies whose Exchange services are only online (in the cloud).

Mitigation

Source: Microsoft Tech Community

These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.

This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.

UPDATE on 6 March 2021https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

On 8 March 2021, Microsoft released an update strategy to temporarily protect vulnerable machines until you are able to update the latest support CU and then apply the applicable SUs.

Recommended Actions

CERT.be recommends prioritizing installing updates (Updated on 8 March 2021) on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated with the highest priority.

After patching, Exchange administrators can run a Health Checker script to determine the status of each Exchange server.

Then remove all web shells.

Overview of all the steps to be followed: Multiple Security Updates Released for Exchange Server - updated March 12, 2021 - Microsoft Security Response Center

Update 16/03/2021 : Microsoft has launched a tool to automate things for customers with little expertise.  One-Click Microsoft Exchange On-Premises Mitigation Tool - March 2021 - Microsoft Security Response Center

Companies and organisations that experience difficulties with these steps are advised to hire an ICT partner or external expert to perform these actions.

 

Check your environment for signs of compromise

  1. Scan Exchange server logs for Indicators of Comprise (IOCs)
  2. Scan hosts for IOCs such as web shell hashes, known paths and filenames, LSASS process memory dumps

For more information on how to check your environment and use the IOCs: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ (Updated by Microsoft on 8 March 2021)

For more information on how to investigate an remediate (Updated by Microsoft on 16 March 2021)Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities – Microsoft Security Response Center

References

Webcast from Microsoft: https://aka.ms/EMEAExchangeOOBMarch2021PM
Slides for this webcast: https://aka.ms/ExOOB

Updated slides on 9 March 2021: https://webcastdiag864.blob.core.windows.net/2021presentationdecks/March%202021%20Exchange%20Server%20Security%20Update%20-%20EN.pdf

Advanced hunting queries