deepwatch is currently tracking and responding to Microsoft’s report of four 0-day exploits being used against on-premises versions of Microsoft Exchange Server in limited and targeted attacks. The threat actors are using the four vulnerabilities in conjunction with one another to access on-premises Exchange servers, which enables access to email accounts and allows the installation of additional malware. Microsoft’s Threat Intelligence Center believes the campaign is attributable to an actor named HAFNIUM.
Affected Versions of On-Premises Exchange Server
- Microsoft Exchange Server 2019
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2010 – Microsoft has included this for Defense in Depth purposes.
What Can You Do?
deepwatch recommends that you immediately update your defense-in-depth technologies and signatures to provide you with the most up-to-date protections. Specific to the four vulnerabilities released by Microsoft, deepwatch recommends the following:
- Identify all Exchange servers on your network, determine whether they are internet-facing with Outlook Web Access (OWA), and apply the latest security updates.
- Update your anti-virus and Endpoint Detection & Response (EDR) to the latest signatures.
- Log PowerShell activity from all Microsoft devices
- Quarantine or block all compression extensions on your Security Email Gateway
- Block untrusted connections to Exchange server port 443 or configure a VPN to separate Exchange Servers from external access.
deepwatch also recommends Microsoft’s best practices for defending Exchange servers, which include enabling Two-Factor Authentication (2FA) at a minimum and Multi-Factor Authentication (MFA) preferably. Additional measures your organization can take:
- Utilize MFA for all web-facing applications.
- Review critical access groups to ensure only the appropriate personnel have access to critical systems and applications.
- Enable data loss prevention mechanisms to monitor and block unauthorized file transfers.
- Identify all internet-facing applications.
What is deepwatch Doing?
- The Managed Detection & Response team is reviewing customers who are currently sending Exchange logs to Splunk.
- deepwatch is performing a 90-day lookback for associated Indicators of Compromise (IOCs) across the customer base to identify potential targets.
- Detection Engineering is updating the emerging threats rules to include relevant IOCs.
- deepwatch’s Vulnerability Management team is actively identifying customers with on-prem Exchange servers.
- deepwatch’s Managed EDR and Firewall teams are identifying and evaluating IOCs to ensure that they are loaded into the customer’s EDR platform.
- CVE-2021-26855 – A server-side request forgery (SSRF) vulnerability that allows an attacker to send arbitrary HTTP requests and authenticate to the Exchange server, which would allow additional execution.
- CVE-2021-26857 – An insecure deserialization vulnerability that allows an attacker to manipulate serialized objects and pass harmful data to the Exchange server. Exploiting this in combination with CVE-2021-26855 would allow attackers to run code as SYSTEM.
- CVE-2021-26858 & CVE-2021-27065 – Post-authentication arbitrary file write vulnerabilities that allow attackers to write or overwrite files at any path on the server.