Microsoft Exchange Zero Day Vulnerabilities Statement

Synergy has been monitoring the recent threats relating to high-impact vulnerabilities in Microsoft Exchange environments. Many of our customers leverage Microsoft Exchange so we wanted to provide the most up-to-date information and recommendations around this threat.

 

What happened?
On Tuesday, March 2, 2021, Microsoft released out-of-band security updates to address multiple vulnerabilities in on-premises Microsoft Exchange Server that together enable remote code execution (RCE).

Four of these vulnerabilities have been connected to attacks by a nation-state threat group known as HAFNIUM, dating back to at least January 6, 2021.

HAFNIUM chained several of these vulnerabilities to compromise vulnerable Exchange Servers, access the full contents of targeted mailboxes, and plant web shells for continued access.

The four vulnerabilities exploited in these attacks (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) affect on-premises deployments of Exchange Server 2013, 2016, and 2019.
 
Who is affected?
Organizations running Exchange Server 2013, 2016, or 2019 on-premises, including hybrid deployments that keep an on-premises server, may be at risk. Organizations using only Exchange Online (Office 365) are not affected by these vulnerabilities and need to take no further action.
 

What should we do?

  • Those affected should immediately apply Microsoft's security updates. The updates close the vulnerabilities but do not remove an attacker who exploited them before the patch was applied, so patching must be followed by the indicator-of-compromise checks described under Additional Updates below.
  • Prioritize externally facing Exchange servers first, followed by internally facing Exchange servers.
  • Review existing connections to Exchange and monitor for suspicious activity, in particular unauthenticated requests to the Exchange web services and newly written .aspx files under the Exchange and IIS web roots.
  • Implement IP (firewall) restrictions against third-party VPNs, proxies, and Tor exit nodes.
 
 

Additional Updates (as of 4/15/21)

  • As per an industry article, on April 13, 2021 Microsoft released patches for four (4) additional Exchange Server vulnerabilities and recommends applying them immediately to on-premises Exchange environments:

    • “On April 13, as part of its April 2021 Patch Tuesday release, Microsoft addressed four critical vulnerabilities in Microsoft Exchange Server. The disclosure follows last month’s out-of-band (OOB) security update which addressed four zero-day vulnerabilities in Exchange Server that were exploited in the wild by an advanced persistent threat group known as HAFNIUM. As with last month’s OOB security update, these latest Exchange Server vulnerabilities affect only on-premises versions of Microsoft Exchange Server; Microsoft Exchange Online is not affected by these flaws.”

 

  • According to CISA: Microsoft has released the Exchange On-premises Mitigation Tool (EOMT.ps1), which automates portions of both the detection and the mitigation process; it is an interim mitigation, not a replacement for installing the security updates. Microsoft stated the following along with the release: "[the tool is intended] to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.” CISA recommends users review the EOMT.ps1 blog post for directions on using the tool.

  • CISA encourages users and administrators to review the resources listed under References below for more information.
  • As per an industry article, any on-premises Exchange system that was compromised through the recent Exchange zero-day vulnerabilities may also have had the DEARCRY ransomware manually installed on it by the attacker.

    It is recommended that, if your Exchange servers were exposed while vulnerable, you run the indicator-of-compromise script Microsoft provides (Test-ProxyLogon.ps1 in the CSS-Exchange GitHub repository listed under References) and analyze its output to determine the extent of any compromise. Patching alone does not evict an attacker who already has a web shell or stolen credentials.

Impact

  • CVE-2021-26855
    • A server-side request forgery (SSRF) vulnerability in Exchange that allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange server. This is the entry point of the chain: it supplies the authentication the other three vulnerabilities require.

  • CVE-2021-26857
    • An insecure deserialization vulnerability in the Unified Messaging service.
    • Exploiting this vulnerability gives an attacker the ability to run code as SYSTEM on the Exchange server.
    • It requires administrator permissions or another vulnerability to reach, which is why it was chained with the CVE-2021-26855 SSRF, which provides authentication as the Exchange server.

  • CVE-2021-26858 & CVE-2021-27065
    • These two are post-authentication arbitrary file write vulnerabilities in Exchange.
    • An attacker who can authenticate to the Exchange server, whether through the CVE-2021-26855 SSRF or with compromised administrator credentials, can use either of these vulnerabilities to write a file to any path on the server. Microsoft observed HAFNIUM chain CVE-2021-26855 with these vulnerabilities to write web shells to the Exchange web directories.

Who is the HAFNIUM Threat Group?

  • Microsoft has assessed HAFNIUM to be a state-sponsored threat group operating out of China, based on observed victimology, tactics, and procedures.
  • According to Microsoft, HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
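The script below is an added example and is not code from this statement, from Microsoft, or from the CSS-Exchange repository (Microsoft's supported tool is Test-ProxyLogon.ps1). It turns the Impact section above, and the "monitor for suspicious activity" step under What should we do?, into a concrete hunt: for each of the four CVEs it looks for the log artifact Microsoft published in its HAFNIUM blog. It assumes a default Exchange installation under %ProgramFiles%, a default IIS root at C:\inetpub\wwwroot, and Windows PowerShell 5.1 on the server (Get-EventLog is not available in PowerShell 7). The sample HttpProxy and ECP log lines, host names, and IP addresses at the bottom are constructed for an offline dry run and are not captured traffic.

```powershell
# Added example, not code from the original advisory or from Microsoft's CSS-Exchange
# scripts. Log locations, column names and match patterns follow the indicators Microsoft
# published for the HAFNIUM CVEs; sample log rows at the bottom are constructed.

$ExchangeLogRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\Logging'

function ConvertFrom-ExchangeLog {
    # Exchange CSV logs open with "#Software:", "#Date:" ... comment lines and name their
    # columns on a "#Fields:" line instead of a plain header row, so recover the header
    # explicitly rather than trusting Import-Csv's header detection.
    param([string[]]$Lines)
    $fields = $null
    $rows = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ','; continue }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $line
    }
    if ($fields -and $rows) { $rows | ConvertFrom-Csv -Header $fields }
}

function Find-SsrfRequests {
    # CVE-2021-26855: the forged back-end requests reach HttpProxy with an empty
    # AuthenticatedUser and an AnchorMailbox shaped "ServerInfo~<host>/<path>". Legitimate
    # requests carry a user; a ServerInfo~ anchor that contains a path is the exploit's mark.
    param([object[]]$Rows)
    $Rows | Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and $_.AnchorMailbox -like 'ServerInfo~*/*'
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

function Find-VirtualDirectoryWrites {
    # CVE-2021-27065 / CVE-2021-26858: the web shell is planted by setting a virtual
    # directory's ExternalUrl to script and then resetting the directory, which the ECP
    # server log records as a Set-*VirtualDirectory command. Administrators run these
    # legitimately too, so triage each hit on the path and the ExternalUrl value it set.
    param([string[]]$Lines)
    $Lines | Select-String -Pattern 'Set-\w+VirtualDirectory' | ForEach-Object { $_.Line }
}

function Invoke-ProxyLogonHunt {
    # Runs every check against the live server and returns counts, so a scheduled task can
    # alert on anything non-zero. Missing logs (e.g. no Unified Messaging role) are not errors.
    param([string]$LogRoot = $ExchangeLogRoot)

    $proxyRows = Get-ChildItem -Path (Join-Path $LogRoot 'HttpProxy') -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-ExchangeLog -Lines (Get-Content -Path $_.FullName) }
    $ecpLines = Get-Content -Path (Join-Path $LogRoot 'ECP\Server\*.log') -ErrorAction SilentlyContinue

    # CVE-2021-26858: the OAB generator logs a failed download with a temporary-file error.
    $oabHits = @(Select-String -Path (Join-Path $LogRoot 'OABGeneratorLog\*.log') -SimpleMatch -Pattern 'Download failed and temporary file' -ErrorAction SilentlyContinue)

    # CVE-2021-26857: the deserialization fault surfaces as an InvalidCastException from UM.
    $umHits = @(Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -EntryType Error -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*System.InvalidCastException*' })

    # Dropped web shells: aspnet_client legitimately holds no .aspx files at all.
    $shells = @(Get-ChildItem -Path 'C:\inetpub\wwwroot\aspnet_client' -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue)

    [ordered]@{
        SsrfRequests           = @(Find-SsrfRequests -Rows $proxyRows).Count
        VirtualDirectoryWrites = @(Find-VirtualDirectoryWrites -Lines $ecpLines).Count
        OabDownloadFailures    = $oabHits.Count
        UmInvalidCasts         = $umHits.Count
        AspxInAspnetClient     = $shells.Count
    }
}

# Constructed sample HttpProxy rows (not real traffic): one normal OWA request and one
# exploit-shaped request with no authenticated user and a ServerInfo~ anchor with a path.
$SampleHttpProxyLog = @'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress
2021-03-02T14:02:11.000Z,/owa/,CONTOSO\alice,Sid~S-1-5-21-1-2-3-1104,203.0.113.10
2021-03-02T14:05:42.000Z,/ecp/y.js,,ServerInfo~exch01.contoso.local/autodiscover/autodiscover.xml?a=~1,198.51.100.7
'@ -split "`r?`n"

# Constructed ECP server log line showing the shape of the write (shell body elided).
$SampleEcpLog = @(
    "2021-03-02T14:06:01.000Z,ecp,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://f/<script runat=server>[web shell body]</script>'"
)

# Offline dry run against the constructed samples.
Find-SsrfRequests -Rows (ConvertFrom-ExchangeLog -Lines $SampleHttpProxyLog) | Format-Table -AutoSize
Find-VirtualDirectoryWrites -Lines $SampleEcpLog

# Live hunt, only when run on a server that actually has the Exchange log tree.
if (Test-Path -Path $ExchangeLogRoot) { Invoke-ProxyLogonHunt | Format-Table -AutoSize }
```

On the constructed samples the dry run reports the second HttpProxy row (empty user, ServerInfo~ anchor with a path, source 198.51.100.7) and the single Set-OabVirtualDirectory line. On a real server the ClientIpAddress column of the SSRF hits is the list to feed into the firewall restrictions recommended above, and any non-zero VirtualDirectoryWrites or AspxInAspnetClient count should be treated as a compromise until the file contents have been reviewed, since patching does not remove a web shell that is already in place.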

 

References

For more information about these vulnerabilities and how to defend against their exploitation, see:
 
- Microsoft Advisory: Multiple Security Updates Released for Exchange Server
- Microsoft Blog: HAFNIUM targeting Exchange Servers with 0-day exploits
- Microsoft GitHub Repository: CSS-Exchange
- CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
- CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities

 

Additional Assistance

For additional consultation on this threat, please reach out to your Synergy account manager or call 716-250-3200 to engage with Synergy’s team of technical resources.