Microsoft Exchange Critical 0-day exploits
By Jeff Wehrman, Vigilant CISO
A Vigilant Threat Alerts Series
Hot on the heels of the VMware vulnerabilities communicated by Vigilant last week, Microsoft is back in the news regarding multiple vulnerabilities and 0-day exploits for its on-premises versions of Microsoft Exchange Server.
When major vendors announce vulnerabilities and/or security issues pertaining to their software and/or hardware products and services, it can have a significant impact on IT, security, and even business teams in terms of additional risk, remediation work, time and productivity. As you have likely noticed, the rate at which these vendor disclosures are occurring does not appear to be slowing down any time soon.
Microsoft announced in an Advisory the detection of multiple 0-day exploits being used to attack its on-premises versions of Microsoft Exchange Server in “limited and targeted attacks.” The affected versions are Microsoft Exchange Server 2013, 2016 and 2019. They also released out-of-band security updates to address these 4 vulnerabilities in Exchange Server.
In the attacks first observed by Microsoft, the threat actor used these vulnerabilities to 1) access the on-prem Exchange servers, then 2) gain access to email accounts, and 3) install additional malware to establish long-term persistence within victim environments (i.e., continued, ongoing access). Microsoft has now attributed this campaign with high confidence to HAFNIUM.
What Immediate Actions Are We Recommending?
Due to the Critical nature of these vulnerabilities and the threat actor activity that we are seeing “in the wild,” Vigilant strongly recommends that you ensure the security of your data and environment by immediately updating any on-premises Microsoft Exchange Server systems by applying the Microsoft updates. NOTE: Exchange Online (i.e., part of Microsoft 365) is not affected. By taking swift remediation action, you will help protect against these exploits and prevent further abuse across the ecosystem.
If you subscribe to our managed endpoint protection (MEP) service, please make sure that the MEP agent is deployed to your servers and especially any on-premises Microsoft Exchange servers.
What Is Vigilant Doing to Keep Your Organization Secure?
Vigilant is continuously and actively hunting within our client environments for evidence of exposure to any threats – not just ones like this. Due to the nature of these attacks, how they are carried out, and multiple attack vectors, there is varying coverage based on the Vigilant services you subscribe to.
- If you have CyberDNA® – The attacker enters a target company by remotely executing code as a result of these Microsoft Exchange Server (on-premises) software vulnerabilities and would seek to establish network persistence and move further into the company’s environment. CyberDNA® detects this type of traffic from a network standpoint and can detect whether this kind of exploit activity/traffic exists. CyberDNA® and our teams are constantly on the lookout for this kind of malicious activity so we can promptly investigate and notify our clients of additional actions to take to quickly mitigate/remediate the threat.
- If you have MEP – The best mitigation and detections for this are primarily at the network layer; however, this is where defense-in-depth (aka a layered defense approach) comes into play. MEP would catch the follow-on activity (or other remote actions) that an attacker would take to further compromise a host running these impacted Microsoft Exchange products after the initial remote exploitation of the vulnerabilities. Make sure that MEP is deployed to your servers, including your MS Exchange server!
- If you only have MEP Level I – MEP Level I does not have file system inventory, so while MEP Level I can detect and block the follow-on threat actor activity, without MEP Level II we can’t proactively tell you if there are other artifacts from this type of attacker activity. If you would like us to scan and hunt on these systems, please reach out to your Vigilant CRS agent and request to be upgraded to MEP Level II. We can easily upgrade your MEP Level I systems within minutes.
- If you have MEP Level II – As MEP Level II comes with full-on system hunting and file level inventory, our hunt and endpoint teams are actively hunting for this type of activity and tracking emerging threats related to these new vulnerabilities and exploits so we can promptly investigate and notify our clients of additional actions to take in order to quickly mitigate/remediate the threat.
What Are the Exchange-related Vulnerability Details?
1. Risk rating: Critical (9.1/10)
   Description: Remote code execution vulnerability that allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
2. Risk rating: Critical (7.8/10)
   Description: An insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could remotely execute arbitrary code as SYSTEM on the Exchange Server.
3. CVE-2021-26858 - Risk rating: Critical (7.8/10)
   Description: CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary file write vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could remotely write a file to any path on the server.
4. CVE-2021-27065 - Risk rating: Critical (7.8/10)
   Description: See #3.
What Are the Additional Recommended Actions for Our Clients? (Applies to all 4 vulnerabilities above)
If patching is not an immediate option, there are other mitigation options available. However, these should only be viewed and treated as temporary “stop gap” solutions and not a replacement for patching with Microsoft’s updates. Vigilant recommends limiting or blocking external access to internet-facing Exchange Servers via:
- Restricting untrusted connections to port 443, or setting up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
- Blocking external access to on-premises Exchange:
  - Restrict external access to the OWA URL: /owa/.
  - Restrict external access to the Exchange Admin Center (EAC), aka Exchange Control Panel (ECP), URL: /ecp/.
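As an added example (not code from Vigilant or Microsoft), here is a way to verify that the interim restriction above is actually holding: it replays IIS W3C log lines from the Exchange front end against an allow-list of trusted networks and reports every request to /owa/ or /ecp/ that arrived from an untrusted address. The trusted CIDRs, the field layout and the log lines are constructed assumptions; substitute your own networks and the real log files from the Exchange server.

```python
"""Check IIS W3C logs for /owa/ and /ecp/ requests from untrusted networks.

Added example, not Vigilant's or Microsoft's code. TRUSTED_NETWORKS, the
#Fields layout and SAMPLE_LOG are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# Assumption: only these networks (e.g. LAN and VPN pool) may reach OWA/ECP.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The two paths the alert says must not be reachable from outside.
RESTRICTED_PREFIXES = ("/owa/", "/ecp/")

# Constructed sample of IIS W3C extended logging (spaces in fields are
# written as '+' by IIS, so whitespace splitting is safe).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.77 Mozilla/5.0 200
2021-03-03 10:15:07 10.0.0.5 POST /ecp/default.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-03 10:15:09 10.0.0.5 GET /OWA/ - 443 - 198.51.100.23 Mozilla/5.0 403
2021-03-03 10:15:12 10.0.0.5 GET /EWS/Exchange.asmx - 443 - 203.0.113.10 Mozilla/5.0 401
"""


@dataclass
class Hit:
    client_ip: str
    method: str
    path: str
    status: int


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_restricted_path(path: str) -> bool:
    """IIS paths are case-insensitive, so compare in lower case."""
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in RESTRICTED_PREFIXES)


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than mis-map columns
        yield dict(zip(fields, parts))


def find_untrusted_access(lines: Iterable[str]) -> List[Hit]:
    """Return every /owa/ or /ecp/ request whose client is not trusted."""
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        path = rec.get("cs-uri-stem", "")
        if not is_restricted_path(path):
            continue
        ip = rec.get("c-ip", "")
        try:
            trusted = is_trusted(ip)
        except ValueError:
            trusted = False  # unparsable address: treat as untrusted
        if not trusted:
            hits.append(Hit(ip, rec.get("cs-method", ""), path,
                            int(rec.get("sc-status", "0"))))
    return hits


def classify(hits: List[Hit]) -> Dict[str, List[Hit]]:
    """Split hits into 'exposed' (IIS answered 2xx/3xx) and 'blocked' (4xx/5xx)."""
    return {
        "exposed": [h for h in hits if h.status < 400],
        "blocked": [h for h in hits if h.status >= 400],
    }


if __name__ == "__main__":
    report = classify(find_untrusted_access(SAMPLE_LOG.splitlines()))
    for kind, items in report.items():
        for h in items:
            print(f"{kind}: {h.client_ip} {h.method} {h.path} -> {h.status}")
```

A 4xx on a restricted path shows the block is working at the web tier, while a 2xx/3xx from an untrusted address means the restriction is not in place and the server is still exposed. If Exchange sits behind a load balancer or reverse proxy, c-ip holds the proxy's address; log and use the forwarded client address instead, or the check will report nothing. Requests to other paths (EWS in the sample) are deliberately not flagged, because the alert's interim advice covers only /owa/ and /ecp/; this check is a sanity test of that stop-gap, not a substitute for applying Microsoft's updates.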
NOTE: Some of the individual CVSS scores for the vulnerabilities above may not appear to be Critical based on their number alone, but they are being chained together in an attack chain that is rated as Critical as a whole.
As described above, the best mitigation and early detection for these kinds of vulnerabilities is at the network layer. If you are only taking advantage of our managed endpoint protection service (MEP), then you potentially aren’t as protected as you could be and that is also why defense-in-depth is so important. With the right visibility into and across your network as well as your endpoints, it is easier and faster to respond to these kinds of vendor vulnerabilities and detect if/when they are exploited by malicious actors.
If you would like to learn more about CyberDNA® in order to both strengthen your security posture and reduce your security risk, please contact your Vigilant Customer Relationship Specialist (CRS) via firstname.lastname@example.org