Microsoft has released to GitHub the new Microsoft Exchange On-Premises Mitigation Tool and posted a blog with step-by-step instructions on how to use the tool. This is a free, one-click tool designed to help customers who have not yet applied the on-premises Exchange security update to temporarily protect their servers prior to patching; it is an interim mitigation, not a substitute for the update. Microsoft has also issued guidance for responders investigating and remediating these Exchange Server vulnerabilities.
There were also reports of threat actors installing a new ransomware called 'DearCry' after hacking into Microsoft Exchange servers using the disclosed vulnerabilities.
Zscaler has added coverage for the Dearcry ransomware family and the web shells which were found deployed on these compromised servers using Advanced Threat Signatures and Advanced Cloud Sandbox.
[End of Update]
Microsoft has reported multiple exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) has attributed this campaign to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
What is the issue?
The following vulnerabilities were being exploited:
CVE-2021-26855: Server-side request forgery (SSRF) vulnerability in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857: Insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gave the attacker the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858: Post-authentication arbitrary file write vulnerability in Exchange. If the attacker could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065: Post-authentication arbitrary file write vulnerability in Exchange. If the attacker could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.
What products are impacted?
How can you identify if you have been compromised?
Detection guidance and Advanced hunting queries to help customers investigate this activity have been published by Microsoft here.
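As an added example of what that detection guidance looks like in practice (this is not Zscaler or Microsoft code), the script below applies two of the published indicators to Exchange logs: HttpProxy entries with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~<host>/<path> (the CVE-2021-26855 SSRF pattern), and Set-*VirtualDirectory calls in the ECP Server log (the path used for the CVE-2021-27065 file write), then pairs the two in time to surface the SSRF-then-file-write sequence described above. The log layouts are constructed, simplified samples: the real HttpProxy logs carry many more columns and live under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy, and the ECP Server log format is approximated with a timestamp-first CSV line.

```python
"""
Hunting for CVE-2021-26855 (SSRF) and CVE-2021-27065 (post-auth file write)
indicators in Exchange logs. Added example, not code from Zscaler or
Microsoft. Both log layouts below are constructed, simplified samples.
"""
import csv
import re
from datetime import datetime, timedelta

# Constructed HttpProxy sample. Only the columns used here are kept; real logs
# sit under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress
DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress
2021-03-02T10:01:03.120Z,/owa/,CONTOSO\\alice,alice@contoso.example,10.0.0.5
2021-03-02T10:01:09.445Z,/autodiscover/autodiscover.xml,,ServerInfo~localhost/autodiscover/autodiscover.xml,198.51.100.23
2021-03-02T10:02:11.001Z,/ecp/,,ServerInfo~EXCH01/ecp/,198.51.100.23
2021-03-02T10:03:44.882Z,/mapi/emsmdb/,CONTOSO\\bob,bob@contoso.example,10.0.0.9
"""

# Constructed ECP Server sample (approximate format: timestamp first, then
# free-form fields). Real logs sit under ...\V15\Logging\ECP\Server.
SAMPLE_ECP_SERVER_LOG = """\
2021-03-02T09:58:00.000Z,EXCH01,Get-Mailbox,Administrator,OK
2021-03-02T10:02:12.315Z,EXCH01,Set-OabVirtualDirectory,ExternalUrl,OK
2021-03-02T10:05:30.000Z,EXCH01,Get-OwaVirtualDirectory,Administrator,OK
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
SSRF_ANCHOR = re.compile(r"^ServerInfo~[^/]+/")    # Microsoft's "ServerInfo~*/*"
VDIR_SET = re.compile(r"Set-\w+VirtualDirectory")  # Microsoft's "Set-.+VirtualDirectory"


def parse_httpproxy_log(text):
    """Parse an HttpProxy log into dicts, skipping the '#'-prefixed preamble."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(lines))


def find_ssrf_hits(rows):
    """CVE-2021-26855 indicator: a request with no authenticated user whose
    AnchorMailbox is a ServerInfo~<host>/<path> value."""
    return [r for r in rows
            if not r["AuthenticatedUser"] and SSRF_ANCHOR.match(r["AnchorMailbox"] or "")]


def find_virtualdirectory_sets(lines):
    """CVE-2021-27065 indicator: Set-*VirtualDirectory calls in ECP Server logs.
    Legitimate admins run these too, so treat a hit as a lead, not a verdict."""
    return [ln for ln in lines if VDIR_SET.search(ln)]


def suspicious_clients(ssrf_hits):
    """Distinct source IPs behind the SSRF-pattern requests."""
    return sorted({r["ClientIpAddress"] for r in ssrf_hits})


def correlate(ssrf_hits, vdir_lines, window=timedelta(seconds=60)):
    """Pair each Set-*VirtualDirectory line with SSRF hits that precede it
    within `window`: SSRF followed by a virtual-directory write is the chain
    HAFNIUM used to drop web shells."""
    pairs = []
    for ln in vdir_lines:
        t_set = datetime.strptime(ln.split(",")[0], TS_FORMAT)
        for hit in ssrf_hits:
            t_hit = datetime.strptime(hit["DateTime"], TS_FORMAT)
            if timedelta(0) <= t_set - t_hit <= window:
                pairs.append((hit["ClientIpAddress"], hit["DateTime"], ln))
    return pairs


if __name__ == "__main__":
    rows = parse_httpproxy_log(SAMPLE_HTTPPROXY_LOG)
    hits = find_ssrf_hits(rows)
    sets = find_virtualdirectory_sets(SAMPLE_ECP_SERVER_LOG.splitlines())
    print("SSRF-pattern requests:", len(hits), "from", suspicious_clients(hits))
    for ip, when, line in correlate(hits, sets):
        print(f"{ip} SSRF at {when} followed by: {line}")
```

On a real server, point parse_httpproxy_log at every .log file under the HttpProxy directory and find_virtualdirectory_sets at the ECP\Server logs; a hit from find_ssrf_hits alone means an unauthenticated caller reached the backend through the proxy, and a correlated pair is the point at which to start looking for new .aspx files under the IIS and Exchange FrontEnd directories.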
What can you do to protect yourself?
The following signature detections are now in production for Zscaler customers:
Details related to these threat signatures can be found in the Zscaler Threat Library.
The Zscaler Cloud Sandbox will provide proactive coverage against weaponised payloads trying to exploit these vulnerabilities. The Zscaler ThreatLabZ team is also actively monitoring and ensuring coverage for all the latest IOCs associated with these vulnerabilities targeting Microsoft Exchange servers.