
Exchange Server Critical Vulnerabilities

Summary

Microsoft has released details of seven critical vulnerabilities in Exchange Server, four of which were exploited as zero-days by the HAFNIUM APT group before patches were available. Chained together, these vulnerabilities allow a remote, unauthenticated attacker to extract mail data or compromise entire mail systems.


Affected platforms

The following platforms are known to be affected. For each version the first patched build of each cumulative update (CU) or update rollup (RU) is shown; compare a server's build against the entry for its own CU or RU, not against the highest build listed:

  • Microsoft Exchange Server 2019: all builds prior to CU8 15.2.792.10 / CU7 15.2.721.13
  • Microsoft Exchange Server 2016: all builds prior to CU19 15.1.2176.9 / CU18 15.1.2106.13
  • Microsoft Exchange Server 2013: all builds prior to CU23 15.0.1497.12
  • Microsoft Exchange Server 2010: all builds prior to SP3 RU32 14.3.513.0
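Comparing build numbers against this table is easy to get wrong in inventory scripts, because the fixed build for CU7 (15.2.721.13) is numerically lower than an unpatched CU8 build (15.2.792.3). The Python below is an added example, not NHS Digital's or Microsoft's code: it encodes the table above and classifies a build string taken from a server, for instance the file version of ExSetup.exe, which reflects the installed security update (the AdminDisplayVersion returned by Get-ExchangeServer only reflects the CU). Builds from a CU newer than any listed are assumed to include the fixes, which is an assumption to verify against Microsoft's build list.

```python
import re

# First patched builds from the advisory's "Affected platforms" table
# (March 2021 security updates), keyed by product line.
# Each tuple is (major, minor, build, revision): the third component identifies
# the CU (for Exchange 2010, the RU) and the fourth the security update level.
PATCHED_BUILDS = {
    "Exchange Server 2019": [(15, 2, 792, 10), (15, 2, 721, 13)],   # CU8, CU7
    "Exchange Server 2016": [(15, 1, 2176, 9), (15, 1, 2106, 13)],  # CU19, CU18
    "Exchange Server 2013": [(15, 0, 1497, 12)],                    # CU23
    "Exchange Server 2010": [(14, 3, 513, 0)],                      # SP3 RU32
}


def parse_build(text: str) -> tuple:
    """Parse a build string such as '15.2.721.13' into a 4-tuple of ints."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"not an Exchange build number: {text!r}")
    return tuple(int(part) for part in m.groups())


def product_for(build: tuple):
    """Map the major.minor prefix of a build to the product line, or None."""
    for name, fixed in PATCHED_BUILDS.items():
        if fixed[0][:2] == build[:2]:
            return name
    return None


def naive_is_patched(text: str) -> bool:
    """The tempting but wrong check: compare the whole build against the highest
    fixed build. It reports CU7 15.2.721.13, which is patched, as vulnerable."""
    b = parse_build(text)
    return b >= max(PATCHED_BUILDS[product_for(b)])


def assess_build(text: str) -> tuple:
    """Classify a build as 'patched', 'vulnerable', 'newer_cu' or 'unknown', with a reason.

    The comparison is per CU: only the fixed build with the same third component
    is relevant. A CU older than every listed one has no fixed build in this
    table; a CU newer than every listed one was released after these fixes and is
    assumed (not proven) to carry them.
    """
    b = parse_build(text)
    product = product_for(b)
    if product is None:
        return "unknown", f"{text}: not a product line covered by this advisory"
    fixed = PATCHED_BUILDS[product]
    same_cu = [f for f in fixed if f[2] == b[2]]
    if same_cu:
        needed = same_cu[0]
        if b[3] >= needed[3]:
            return "patched", f"{product}: {text} is at or above the fixed build"
        return "vulnerable", f"{product}: {text} needs security update build {'.'.join(map(str, needed))}"
    if b[2] < min(f[2] for f in fixed):
        return "vulnerable", f"{product}: {text} is an older CU/RU than any listed fixed build"
    return "newer_cu", f"{product}: {text} is newer than the listed fixed builds; assumed fixed, verify"


if __name__ == "__main__":
    for sample in ["15.2.721.13", "15.2.792.3", "15.2.659.4", "15.1.2106.13", "14.3.496.0"]:
        print(sample, assess_build(sample)[0], "naive:", naive_is_patched(sample))
```

The per-CU comparison is the whole point: 15.2.721.13 is patched while 15.2.792.3 is not, even though the second number is larger, so a single "minimum safe build" per product cannot express this table.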


Threat details

Introduction

Microsoft has released details of seven critical vulnerabilities affecting its on-premises Exchange Server mail platform. Microsoft states that a remote, unauthenticated attacker could exploit some or all of these vulnerabilities, chained together, to obtain administrative privileges, extract sensitive information, or gain control of an affected system.

Active exploitation

The following vulnerabilities have been confirmed by Microsoft to be under active exploitation by the HAFNIUM advanced persistent threat group:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

HAFNIUM is assessed to be a state-sponsored group operating out of China, focused almost exclusively on US-based defence, engineering, finance, and legal organisations. In all observed attacks, the group deployed bespoke exploits to gain initial access before extracting large amounts of mail and contact data.

Please note that HAFNIUM is not known to target UK-based or healthcare organisations, and at the time of publication NHS Digital are not aware of any attacks in the UK.


Vulnerability details

The seven vulnerabilities appear to stem from several underlying flaws in Exchange Server, although Microsoft has only provided further information on the four actively exploited vulnerabilities:

  • CVE-2021-26855 - A server-side request forgery (SSRF) in Exchange Server that allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange server itself. This is the vulnerability now known as ProxyLogon, and it is the entry point with which the post-authentication vulnerabilities below are chained.
  • CVE-2021-26857 - An insecure deserialisation flaw in the Exchange Server Unified Messaging service when handling user-controlled data, allowing an attacker who already holds administrative privileges (or has obtained them through another vulnerability) to execute arbitrary code as SYSTEM.
  • CVE-2021-26858 - A post-authentication arbitrary file write in Exchange Server, allowing an authenticated attacker to write a file to any path on the server. Authentication can be obtained by exploiting CVE-2021-26855 or by using compromised administrator credentials.
  • CVE-2021-27065 - A second post-authentication arbitrary file write in Exchange Server with the same impact as CVE-2021-26858: an authenticated attacker can write a file to any path on the server, which is how the web shells listed under indicators of compromise are dropped.

Exchange Online not affected

Organisations should be aware that only on-premises Exchange Server installations of the listed versions, whether physically or virtually hosted, are vulnerable. Exchange Online and all associated platforms are not vulnerable. Note that hybrid deployments still include an on-premises Exchange server, which is affected and must be patched.


Threat updates

1 Apr 2021 - Web shells analysed, and cyber security journalist's domain spoofed

The US Cybersecurity and Infrastructure Security Agency (CISA) has released new and updated malware analysis reports for a range of China Chopper web shells observed on compromised Microsoft Exchange servers. Additional file hashes have been added to this article. The reports include YARA rules that can be used to help detect the associated malware.

A cyber security journalist's blog domain has been spoofed and used for C2 communications with compromised Exchange servers. The malicious domain name has been added to the network indicators in this article.

12 Mar 2021 - DEARCRY ransomware

A new ransomware payload, named DEARCRY, has been detected in several ongoing attacks on vulnerable Exchange servers.

The attacks appear to be human-operated, with the attackers deploying bespoke exploits against target systems before dropping DEARCRY as a secondary payload.

11 Mar 2021 - Public PoCs available

Multiple public proof-of-concept (PoC) exploits are now available for these vulnerabilities. At the time of this update, all known PoC exploits appear to be only partially functional; however, it is likely that fully functional versions will begin appearing in the coming days.

4 Mar 2021 - Multiple attacks observed

Security researchers have discovered several attacks targeting CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 dating back to late February this year.

The objective of all observed attacks appears to be the installation of a web shell, in a similar manner to the HAFNIUM attacks detailed by Microsoft, although the attacker infrastructure seen suggests that multiple distinct APT groups are involved.


Remediation advice

Microsoft has released updates and patching guidance for all affected Exchange Server versions. Affected organisations are required to review and apply the relevant updates immediately. Because these vulnerabilities were exploited before patches were available, patching alone does not remove an attacker who has already deployed a web shell: organisations should also check for the indicators of compromise listed below.

Microsoft has also published guidance on actions affected organisations can take to detect and mitigate exploitation of these vulnerabilities, together with supporting articles.


Indicators of compromise

HAFNIUM exploitation

Filenames

  • web.aspx
  • help.aspx
  • document.aspx
  • errorEE.aspx
  • errorEEE.aspx
  • errorEW.aspx
  • errorFF.aspx
  • healthcheck.aspx
  • aspnet_www.aspx
  • aspnet_client.aspx
  • xx.aspx
  • shell.aspx
  • aspnet_iisstart.aspx
  • one.aspx

Filepaths

  • C:\inetpub\wwwroot\aspnet_client\
  • C:\inetpub\wwwroot\aspnet_client\system_web\
  • %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
  • C:\Exchange\FrontEnd\HttpProxy\owa\auth\

SHA256 hashes

  • b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  • 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
  • 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
  • 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
  • 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  • 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
  • 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
  • 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
  • 71ff78f43c60a61566dac1a923557670e5e832c4adfe5efb91cac7d8386b70e0
  • ee883200fb1c58d22e6c642808d651103ae09c1cea270ab0dc4ed7761cb87368
  • c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5
  • 1e0803ffc283dd04279bf3351b92614325e643564ed5b4004985eb0486bf44ee
  • d9c75da893975415663c4f334d2ad292e6001116d829863ab572c311e7edea77
  • c0caa9be0c1d825a8af029cc07207f2e2887fce4637a3d8498692d37a52b4014
  • be17c38d0231ad593662f3b2c664b203e5de9446e858b7374864430e15fbf22d
  • d637b9a4477778a2e32a22027a86d783e1511e999993aad7dca9b7b1b62250b8
  • 31a750f8dbdd5bd608cfec4218ccb5a3842821f7d03d0cff9128ad00a691f4bd
  • bda1b5b349bfc15b20c3c9cbfabd7ae8473cee8d000045f78ca379a629d97a61
  • 138f0a63c9a69b35195c49189837e899433b451f98ff72c515133d396d515659
  • 0c5fd2b5d1bfe5ffca2784541c9ce2ad3d22a9cb64d941a8439ec1b2a411f7f8
  • 36149efb63a0100f4fb042ad179945aab1939bcbf8b337ab08b62083c38642ac
  • 508ac97ea751daebe8a99fa915144036369fc9e831697731bf57c07f32db01e8
  • 695d4a81ce526a136351cd8eeba5c452d0ab79438fe467922a0bd61db87cef93
  • b67a11f17434f5ee501cc1d2acab2da14ae8dfc5a27dc00bbd7652425d5c3d23
  • 2e1eb00575e1a8f6c95a23c87b05e23eb4718557f787aa905bb000e98b31c5f0
  • 4e08ba96ca8fc7f2f8347eef22a972de0d6886a51201ddc604195ba8d0bfb54a

Network indicators

Domain name

  • brian.krebsonsecurity[.]top

IP addresses

  • 103.77.192[.]219
  • 104.140.114[.]110
  • 104.250.191[.]110
  • 108.61.246[.]56
  • 149.28.14[.]163
  • 157.230.221[.]198
  • 167.99.168[.]251
  • 185.250.151[.]72
  • 192.81.208[.]169
  • 203.160.69[.]66
  • 211.56.98[.]146
  • 5.254.43[.]18
  • 80.92.205[.]81
  • 165.232.154[.]116
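Checking a server against the indicators above, as an added example that is not part of the original advisory: the Python below scans the listed directories for the listed filenames and SHA256 hashes, flags any other .aspx page found in those locations for review (a renamed web shell is still a web shell), and searches log lines for the network indicators. The directory it scans in demo_scan and the log lines in SAMPLE_LOG are constructed for the demonstration and use a simplified log format, not real Exchange or IIS logs; only a subset of the hashes is reproduced, so load the full list in use. Python is used for portability; on a server it would be pointed at WEBSHELL_DIRS.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators copied from the advisory. Only a subset of the SHA256 list is
# reproduced here; load the full list in real use.
WEBSHELL_NAMES = {n.lower() for n in (
    "web.aspx", "help.aspx", "document.aspx", "errorEE.aspx", "errorEEE.aspx",
    "errorEW.aspx", "errorFF.aspx", "healthcheck.aspx", "aspnet_www.aspx",
    "aspnet_client.aspx", "xx.aspx", "shell.aspx", "aspnet_iisstart.aspx", "one.aspx",
)}
WEBSHELL_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\inetpub\wwwroot\aspnet_client\system_web",
    r"%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Exchange\FrontEnd\HttpProxy\owa\auth",
]
KNOWN_HASHES = {
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
}
# Network indicators stay defanged as published and are refanged only for matching.
NETWORK_IOCS = [
    "brian.krebsonsecurity[.]top", "103.77.192[.]219", "104.140.114[.]110",
    "157.230.221[.]198", "185.250.151[.]72", "5.254.43[.]18", "165.232.154[.]116",
]
# Boundaries on both sides stop 5.254.43.18 matching inside 15.254.43.180.
IOC_PATTERN = re.compile(
    r"(?<![\w.])(" + "|".join(re.escape(i.replace("[.]", ".")) for i in NETWORK_IOCS) + r")(?![\w.])"
)


def sha256_file(path: Path) -> str:
    """SHA256 of a file's contents (web shells are small, so read whole)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_dirs(roots, known_hashes=KNOWN_HASHES):
    """Return (path, sha256, reasons) for suspicious files directly in each directory.

    Directories are not recursed because the advisory lists the subdirectories of
    interest explicitly. A file is reported for a listed name, a listed hash, or,
    as a weaker signal, for being any other .aspx page in a directory that does
    not normally hold server-side pages.
    """
    findings = []
    for root in roots:
        root = Path(os.path.expandvars(root))
        if not root.is_dir():
            continue
        for p in sorted(root.iterdir()):
            if not p.is_file():
                continue
            digest = sha256_file(p)
            reasons = []
            if p.name.lower() in WEBSHELL_NAMES:
                reasons.append("known webshell filename")
            if digest in known_hashes:
                reasons.append("known webshell hash")
            if not reasons and p.suffix.lower() == ".aspx":
                reasons.append("unexpected .aspx file")
            if reasons:
                findings.append((str(p), digest, reasons))
    return findings


def match_network_iocs(log_lines):
    """Return (line_number, indicator) for each log line mentioning a listed domain or IP."""
    return [(n, m.group(1)) for n, line in enumerate(log_lines, 1)
            for m in IOC_PATTERN.finditer(line)]


# Constructed sample log lines in a simplified format (not real Exchange or IIS logs).
SAMPLE_LOG = [
    "2021-03-03 10:14:02 POST /owa/auth/Current/themes/resources/logon.css 103.77.192.219 200",
    "2021-03-03 10:14:09 GET /aspnet_client/system_web/help.aspx 15.254.43.180 200",
    "2021-03-04 08:02:11 DNS query brian.krebsonsecurity.top from EXCH01",
    "2021-03-04 08:05:40 GET /owa/ 10.20.30.40 200",
]


def demo_scan():
    """Build a constructed directory standing in for aspnet_client and scan it."""
    tmp = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (tmp / "help.aspx").write_text("constructed placeholder, not a real web shell")
    (tmp / "Logon.aspx").write_text("constructed unexpected page")
    (tmp / "readme.txt").write_text("benign")
    (tmp / "aspnet_www.css").write_bytes(b"constructed content")  # caught by hash only
    known = KNOWN_HASHES | {hashlib.sha256(b"constructed content").hexdigest()}
    return scan_dirs([str(tmp)], known_hashes=known)
```

Run demo_scan() and match_network_iocs(SAMPLE_LOG) to see the three file findings and the two log hits; the second log line is deliberately a near miss (15.254.43.180) that a plain substring search for 5.254.43.18 would report. Hash matching only catches unmodified copies of known shells, which is why the filename and unexpected-.aspx checks are kept as independent signals.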



Last edited: 1 April 2021 2:24 pm