Microsoft Releases Out of Band Security Updates to Fix Actively Exploited Microsoft Exchange Server Flaws

Microsoft has released patches to correct four zero-day vulnerabilities in Microsoft Exchange Server that are currently being chained together and exploited by a sophisticated Chinese Advanced Persistent Threat (APT) group in cyberespionage attacks on U.S. targets including defense contractors, law firms, universities, and companies involved in infectious disease research.

The affected Microsoft Exchange servers are typically used by large organizations for email and calendar services. To exploit the flaws, an attacker would need access to an on-premise Microsoft Exchange server via port 443.

The patches cover all supported Microsoft Exchange versions: Exchange Server 2013, 2016, and 2019. Patches have also been made available for Exchange Server 2010. The vulnerabilities do not affect Microsoft's cloud-based service, Exchange Online.

The patches correct the following vulnerabilities:

  • CVE-2021-26855: A server-side request forgery (SSRF) vulnerability that allows an attacker to send HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service that allows arbitrary code to be run as SYSTEM on the Exchange server.
  • CVE-2021-26858: A file write vulnerability that allows an authenticated user to write a file on any path on the server, using compromised credentials or authentication via CVE-2021-26855.
  • CVE-2021-26865: A file write vulnerability that allows an authenticated user to write a file on any path on the server, using compromised credentials or authentication via CVE-2021-26855.

After the flaws are exploited, a web shell is deployed that allows the attackers to execute commands on compromised systems, harvest cached credentials, and exfiltrate data. The attackers export mailboxes and other data stolen from vulnerable Microsoft Exchange servers to a file-sharing service. They can also upload files, such as a backdoor that will ensure persistent access after the vulnerabilities have been patched.

Microsoft tracks the APT group as Hafnium, which is based in China and believed to be backed by the Chinese government. Attacks are conducted using leased virtual private servers in the United States. The intrusions, the number of which has not been disclosed, were identified by Microsoft and Volexity and have been ongoing since mid-January 2021.

Now that the patches have been released, Microsoft expects attacks to accelerate as the attackers try to gain access to as many vulnerable servers as possible before the patches are applied.

Immediate patching is essential. It should be noted that if the flaws have already been exploited, the patches will not prevent further malicious activity or data exfiltration.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news