Exchange Zero-Days
Vulnerabilities exploited in the wild
1. Summary
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.
The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in the security updates released on March 2. These vulnerabilities can be chained to allow unauthenticated remote code execution on devices running Exchange Server. Subsequent web shell implantation, code execution, and data exfiltration were also observed during the attacks.
The attacks exploiting these vulnerabilities involve bypassing authentication, which means multi-factor authentication will not prevent exploitation. Due to the nature of the vulnerabilities, it is prudent to expect other threat actors—including human-operated ransomware and extortion groups—to attempt to exploit these vulnerabilities as more details become known, potentially at scale.
It is highly recommended to update on-premises systems immediately. Exchange Online is not affected.
Microsoft released patches for the four different Microsoft Exchange Server zero-day vulnerabilities that were being exploited in the wild. These zero-day attacks against on-premises Exchange Server environments began in January 2021 and were conducted by a group affiliated with a nation-state. This activity is not linked to recent attacks affecting SolarWinds.
Organizations that have had these vulnerabilities exploited in their environment prior to installing the security updates should keep in mind that attackers could persist through web shells and other tools. These attack tools must be identified and removed from all affected devices. Additionally, credentials might have been accessed and compromised prior to the installation of security updates.
2. Test if you are vulnerable
Microsoft released scripts to check whether your Exchange instance is vulnerable. The scripts are available in Microsoft’s GitHub repository: https://github.com/microsoft/CSS-Exchange/tree/main/Security
Download them and follow the usage instructions in the repository description.
If you have not applied the patches released on March 2, your server is most likely vulnerable, and the patches should be applied immediately!
3. Apply the patches
Microsoft has released a set of out-of-band security updates for the following versions of Exchange Server:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
They also released patches for older and unsupported versions, such as Exchange Server 2010 SP3 and earlier Cumulative Updates (CUs) of 2013, 2016 and 2019.
Patches and information on how to apply them are available on the following page: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b
Information about 2010 SP3 is available here: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459
Additional information is available on the blog post from Microsoft’s Exchange Team: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/bc-p/2179909
4. References
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/bc-p/2179909