On 2 March, Microsoft released critical security updates for four zero-day vulnerabilities discovered in Exchange Servers and reported that the vulnerabilities are being actively exploited by an actor called HAFNIUM, a state-sponsored group operating out of China.
Within one week, at least 30,000 U.S. organisations and hundreds of thousands of organisations worldwide have fallen victim to an automated campaign run by HAFNIUM that provides the attackers with remote control over the affected systems.
In the past week, the patched vulnerabilities have been weaponised by over 10 different APT groups and are being leveraged in ransomware and cryptomining campaigns.
Radware assesses the threat as critical for all industries across the globe, from small to large corporations. Initial reports indicated the involvement of advanced Chinese actors. Chinese APT groups are known for espionage and targeting governments, pharmaceutical/research institutions, research in general and corporate research assets.
Last week, exploits started to circulate and ransomware and cryptomining campaigns started exploiting the vulnerabilities. Consequently, the threat is now generic and global, putting any organisation, independent of industry or location, at risk of falling victim to ransomware and cryptomining abuse.
On December 10, 2020, Orange Tsai, a researcher working for the Taiwanese security consulting organisation DEVCORE, discovered a pre-authentication proxy vulnerability (CVE-2021-26855) in Exchange Servers that allows a remote actor to bypass authentication and receive admin server privileges.
Combined with a post-authentication vulnerability (CVE-2021-27065) that allows arbitrary file writes to the system (discovered by Tsai three weeks later), an actor can execute arbitrary commands remotely through internet-exposed Exchange Servers. Initial access is achieved through uploading a web shell, commonly referred to as a ‘China chopper.’
CVE-2021-26855: Server-side request forgery
The server-side request forgery (SSRF) vulnerability provides a remote actor with admin access by sending a specially crafted web request to a vulnerable Exchange Server. The web request contains an XML SOAP payload directed at the Exchange Web Services (EWS) API endpoint.
The SOAP request bypasses authentication using specially crafted cookies and allows an unauthenticated, remote actor to execute EWS requests encoded in the XML payload and ultimately perform operations on users' mailboxes. This vulnerability, combined with the knowledge of a victim's email address, means the remote actor can exfiltrate all emails from the victim's Exchange mailbox.
CVE-2021-26857: Remote code execution vulnerability
A post-authentication insecure deserialisation vulnerability in the Unified Messaging service of a vulnerable Exchange Server allows commands to be run with SYSTEM account privileges.
The SYSTEM account is used by the operating system and services that run under Windows. By default, the SYSTEM account is granted full control permissions to all files.
A malicious actor can combine this vulnerability with stolen credentials or with the previously mentioned SSRF vulnerability to execute arbitrary commands on a vulnerable Exchange Server in the security context of SYSTEM.
CVE-2021-26858 and CVE-2021-27065
Both of these post-authentication arbitrary file write vulnerabilities allow an authenticated user to write files to any path on a vulnerable Exchange Server.
A malicious actor could leverage the previously mentioned SSRF vulnerability to achieve admin access and exploit this vulnerability to write web shells to virtual directories (VDirs) published to the internet by the server's Internet Information Server (IIS).
IIS is Microsoft's web server, a dependency that is installed with Exchange Server and provides services for Outlook on the web, previously known as Outlook Web Access (OWA), Outlook Anywhere, ActiveSync, Exchange Web Services, Exchange Control Panel (ECP), the Offline Address Book (OAB) and Autodiscover.
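Because the attack chain ends with a web shell written into an IIS-published virtual directory, one of the first checks a defender runs is a sweep of those directories for server-side script files that were created or modified recently. The following Python script is an added example written for this advisory; it is not Radware's or Microsoft's code. It assumes the administrator supplies the list of virtual directory roots to inspect (the sample tree it builds with `owa/auth` and `ecp` subfolders is constructed purely for the demo, and the file names in it are illustrative, not indicators from any incident). The cutoff window and the extension list are assumptions a practitioner would adjust to their environment.

```python
"""Sweep IIS-published directories for recently written server-side script files.

Added example for defenders: lists .aspx/.ashx/.asmx/.asp/.php files under the
given roots whose modification time falls inside the look-back window, so that
unexpected files dropped into an Exchange virtual directory stand out.
"""
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Extensions that IIS hands to a script engine; an assumed, adjustable list.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php"}


def find_recent_script_files(roots, since, extensions=SCRIPT_EXTENSIONS):
    """Return a sorted list of (path, mtime_utc) for script files under `roots`
    modified at or after `since` (a timezone-aware datetime). Roots that do not
    exist are skipped so one missing virtual directory does not abort the sweep."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                # Case-insensitive match: IIS treats LOGON.ASPX like logon.aspx.
                if path.suffix.lower() not in extensions:
                    continue
                mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
                if mtime >= since:
                    hits.append((str(path), mtime))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data: one long-standing page under owa/auth and one
    file written just now under ecp. Both contain only placeholder comments."""
    base = Path(tempfile.mkdtemp(prefix="vdir_demo_"))
    legitimate = base / "owa" / "auth" / "logon.aspx"       # illustrative name
    unexpected = base / "ecp" / "unexpected.ASPX"           # illustrative name
    legitimate.parent.mkdir(parents=True)
    unexpected.parent.mkdir(parents=True)
    legitimate.write_text("<!-- placeholder for an installed page -->")
    unexpected.write_text("<!-- placeholder for a newly written file -->")
    # Backdate the installed page by 400 days so it falls outside a short window.
    old_ts = time.time() - 400 * 86400
    os.utime(legitimate, (old_ts, old_ts))
    return base


def demo(days_back=7):
    """Build the constructed tree and sweep it with a `days_back`-day window."""
    base = build_sample_tree()
    since = datetime.now(timezone.utc) - timedelta(days=days_back)
    return find_recent_script_files([base], since)


if __name__ == "__main__":
    # In production, replace the demo tree with the real virtual directory roots,
    # e.g. the paths IIS publishes for OWA, ECP, EWS, OAB and Autodiscover.
    for path, mtime in demo():
        print(f"{mtime.isoformat()}  {path}")
```

Usage: run it on the Exchange server with the real virtual directory roots and a window that starts before the earliest exploitation date you care about; every file it lists should be reconciled against an installed Exchange build or a change record. Any script file nobody can account for is handled as a suspected web shell, not deleted on the spot.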