Exploitation of on-premises Microsoft Exchange Server products using zero-day exploits has been highlighted since around the 3rd of March. When successfully exploited, these vulnerabilities allow an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers. This allows attackers to gain persistent system-level access to the servers, along with mailbox access and credential-level access on the Exchange server.
There are four specific techniques highlighted by Microsoft as being utilised as part of the exploitation of these vulnerabilities:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability. This allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 is an insecure deserialisation vulnerability in the Unified Messaging service. Insecure deserialisation is where untrusted user-controllable data is deserialised by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
How to Determine if you Have Been Compromised
Microsoft has released several scripts on its GitHub page, which can be found here. Run the script Test-ProxyLogon.ps1, which scans for known IoCs and highlights any potential exploitation, giving you a quick indication of whether a compromise may have occurred.
Microsoft has released several out-of-band security updates, which can be found here. It is recommended that these are applied as soon as possible. Microsoft has also released http-vuln-cve2021-26855.nse on its GitHub page; this script works with nmap to determine whether an Exchange server is vulnerable to CVE-2021-26855. Finally, BackendCookieMitigation.ps1 provides mitigation against requests that contain X-AnonResource-Backend and malformed X-BEResource cookies, which are used within SSRF attacks (the download link was not working at the time of writing).
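The cookie condition described above can also be used to review IIS logs after the fact. The following is an added example, not Microsoft's or Secrutiny's code: it assumes the IIS W3C logs record the cs(Cookie) field, and its test for a "malformed" X-BEResource value is an illustrative assumption, since the exact rule is defined in Microsoft's script rather than on this page. The function names and sample log lines are constructed for the example.

```python
import re

# Assumption: the page does not define "malformed"; this illustrative test
# treats an X-BEResource value shaped like "<a>/<b>~<c>" as malformed.
MALFORMED_BERESOURCE = re.compile(r".+/.+~.+")

def parse_cookies(raw):
    """Parse an IIS cs(Cookie) value; IIS writes '+' in place of spaces."""
    cookies = {}
    for part in raw.split(";"):
        name, _, value = part.strip("+ ").partition("=")
        if name:
            cookies[name.lower()] = value
    return cookies

def scan_iis_log(lines):
    """Return (date, time, client IP, URI, reason) for each suspicious request."""
    fields, findings = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # skip truncated or corrupt rows
        row = dict(zip(fields, values))
        cookies = parse_cookies(row.get("cs(Cookie)", "-"))
        reasons = []
        if "x-anonresource-backend" in cookies:
            reasons.append("X-AnonResource-Backend cookie present")
        if MALFORMED_BERESOURCE.fullmatch(cookies.get("x-beresource", "")):
            reasons.append("malformed X-BEResource cookie")
        for reason in reasons:
            findings.append((row.get("date"), row.get("time"), row.get("c-ip"),
                             row.get("cs-uri-stem"), reason))
    return findings

# Constructed sample log (documentation IP ranges, placeholder host names).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2021-03-04 10:00:01 192.0.2.10 GET /owa/ 200 ClientId=ABC123;+lang=en
2021-03-04 10:00:05 198.51.100.7 POST /ecp/ 200 X-BEResource=host.example/path~1
2021-03-04 10:00:09 198.51.100.7 GET /owa/ 200 lang=en;+X-AnonResource-Backend=host.example
2021-03-04 10:00:12 192.0.2.11 GET /owa/ 200 X-BEResource=placeholder
2021-03-04 10:00:15 192.0.2.11 GET /owa/ 200 -
""".splitlines()
```

Calling scan_iis_log(SAMPLE_LOG) returns the two flagged requests from 198.51.100.7; a hit is a lead for investigation alongside the Test-ProxyLogon.ps1 results, not proof of compromise.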
Secrutiny SOC are available for any concerns or if you have any potential Indicators on 0203 7467 007.
Updated 24/03/2021: The latest OSINT related to the recent HAFNIUM cyberattacks indicates that the vulnerabilities highlighted are now being used by multiple actors to deliver ransomware payloads to vulnerable Microsoft Exchange servers. The payload, first spotted in June 2020 and nicknamed ‘Black Kingdom’, has been seen attacking Exchange servers via the ProxyLogon vulnerabilities. For an overview of the new exploits, check out this article; for those interested in a more technical explanation click here.
As with all vulnerabilities such as those used by HAFNIUM, techniques and attacks evolve over time, with subsequent techniques used to bypass the security controls implemented, deliver different payloads and lower the barrier to entry for exploitation. Consequently, we want to reiterate the importance of ensuring you are sufficiently patched against the HAFNIUM vulnerabilities.
Secrutiny is available to advise and discuss any concerns.