Microsoft has released updates to address four previously unknown, or 'zero-day', vulnerabilities in Exchange Server that it says were being used in limited targeted attacks.
Microsoft is urging customers to apply the updates as soon as possible due to the critical rating of the flaws. The flaws affected Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected.
"We strongly encourage all Exchange Server customers to apply these updates immediately," it said.
Microsoft attributes the attacks to a group it calls Hafnium, which it says is a state-sponsored threat actor that operates from China.
The attackers used the bugs in on-premise Exchange servers to access email accounts of users. The four bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Washington DC-based security firm Volexity said in its analysis that the vulnerability CVE-2021-26855 was being used to steal the full contents of several user mailboxes. The bug didn't require authentication and could be exploited remotely.
"The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail," Volexity analysts noted.
Volexity said the attacks appear to have started as early as January 6, 2021.
Exchange email servers are an attractive target due to the volume of email information they hold about an organization.
Last year, Microsoft warned Exchange server customers to patch a different critical flaw (CVE-2020-0688) that multiple advanced persistent threat actors were quick to exploit. Yet months after Microsoft warned organizations to urgently patch this flaw, tens of thousands of Exchange servers remained unpatched.
Microsoft is concerned it could see the same scenario play out again with this set of Exchange server vulnerabilities.
"Even though we've worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today's patches is the best protection against this attack," said Tom Burt, Microsoft's corporate vice president of Customer Security & Trust.
Hafnium mainly targets US entities in infectious disease research, law firms, higher education institutions, defense contractors, policy thinktanks, and NGOs, according to Microsoft. The group also primarily operates from leased virtual private servers (VPS) in the United States, it added.
Microsoft provided the following summary of each vulnerability for customers to assess:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server, then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server, then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.
After compromising the affected Exchange servers, the attackers deployed web shells on them, allowing for potential data theft and further compromise. Web shells are small scripts that provide a basic interface for remote access to a compromised system. Microsoft warned in February that between August 2020 and January 2021, it had seen twice as many web shell attacks as in the same period the year before.