At least 30,000 organizations in the United States have suffered a compromise as the result of a threat actor’s campaign to target vulnerabilities affecting Microsoft’s Exchange Server software.
Microsoft’s Security Advisory
On March 2, the Microsoft Threat Intelligence Center warned in a blog post of a campaign to exploit previously unknown vulnerabilities affecting Exchange Server software.
The tech giant is tracking those vulnerabilities as follows:
- CVE-2021-26855: a server-side request forgery (SSRF) bug in Exchange that allows a malicious actor to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857: an insecure deserialization vulnerability in the Unified Messaging service that enables an attacker to run code as SYSTEM on the Exchange server once they’ve obtained admin permissions or exploited another security bug.
- CVE-2021-26858: an arbitrary file write vulnerability in Exchange that could allow someone to write a file to any path on the server after they’ve authenticated themselves by exploiting CVE-2021-26855 or stealing a legitimate set of credentials.
- CVE-2021-27065: a vulnerability that operates similarly to CVE-2021-26858.
Microsoft identified HAFNIUM as the primary threat actor abusing the vulnerabilities described above at the time of its security advisory.
A “highly skilled and sophisticated actor” operating out of China, HAFNIUM is known to have used leased virtual private servers (VPS) in the United States in order to target American law firms, higher education institutions, defense contractors and organizations in other sectors for the purpose of exfiltrating their sensitive data.
The Microsoft Threat Intelligence Center explained in another security bulletin that HAFNIUM begins by exploiting the vulnerabilities listed above or using a stolen set of legitimate account credentials in order to gain initial access. The threat actor then deploys web shells on the compromised server. Those web shells empower the threat actor to dump the LSASS process memory, compress stolen data into .ZIP files and ultimately exfiltrate sensitive information about an affected organization and its users.
Anyone who’s running software that’s affected by the vulnerabilities is urged to implement Microsoft’s security patches, which are available here.
Recommendations for Zix | AppRiver Customers
As a Microsoft partner, Zix | AppRiver received notification directly from Microsoft late Tuesday, March 2, 2021. Zix took immediate action upon being alerted to the attack, and quickly deployed software patches and scanning tools issued by Microsoft, among other remedial measures. Zix also launched an internal investigation and retained a forensic consultant to assist in its investigation, containment, and remediation efforts. Zix’s investigation has not revealed any evidence that the attackers were successful in obtaining unauthorized access to, or acquiring, the content of any customer email accounts in connection with this incident.
We have also had our SIEM monitoring configured to automatically trigger a notification in the event an IOC is detected.
Customers can protect themselves against the threat activity described above by using a script created by the Microsoft Exchange Server team to run a check for HAFNIUM’s IOCs. They can access that script here: https://github.com/microsoft/CSS-Exchange/tree/main/Security.
If you use SIEM, we recommend that you also configure your system to provide notification in the event an IOC for HAFNIUM is detected.
Finally, you can check out Microsoft’s blog post here to quickly inventory and evaluate the general security preparedness of your on-premise Exchange servers.
The U.S. Government’s Response
Microsoft explained in its security advisory that it had also briefed U.S. government agencies about HAFNIUM’s ongoing attack campaign.
In response, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released Emergency Directive 21-02. CISA noted in its alert that “this exploitation [by HAFNIUM] of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.” It subsequently ordered federal agencies running Microsoft Exchange on-premise products to either update their products using Microsoft’s patches or to disconnect their products from their networks until they could implement those fixes.
“This Emergency Directive will help us secure federal networks against the immediate threat while CISA works with its interagency partners to better understand the malicious actor’s techniques and motivations to share with our stakeholders,” said Acting CISA Director Brandon Wales, as quoted in a CISA press release. “The swiftness with which CISA issued this Emergency Directive reflects the seriousness of this vulnerability and the importance of all organizations – in government and the private sector – to take steps to remediate it.”
The Initial Impact
On March 5, KrebsOnSecurity shared that HAFNIUM had succeeded in compromising at least 30,000 organizations in the United, according to multiple sources.
The threat actor also hacked into tens of thousands of organizations in Europe and Asia, reported Reuters that same day.
Steven Adair, president of Volexity, told KrebsOnSecurity that the attack activity began on January 6, 2021 but increased in the weeks that followed.
“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said, as quoted by KrebsOn Security. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
Reuters wrote on March 5 that Microsoft had yet to comment on the number of organizations affected by HAFNIUM’s hacking campaign.
We will continue to monitor this threat as it evolves.