Kevin Rubin, president and CIO, Stratosphere Networks
Earlier this month, Microsoft announced that malicious actors were leveraging zero-day exploits to infiltrate on-premises versions of Microsoft Exchange Server. If your company utilizes an Exchange server that hackers could potentially breach via these vulnerabilities, here’s everything you should know about the ongoing attacks, what you can do to fix weak points in your server and how to identify indicators of compromise (IOCs).
Who’s responsible for the cyberattacks on Exchange servers and when did they start?
Microsoft attributed the initial attacks to HAFNIUM, a state-sponsored group based in China, according to a blog post published March 2. However, in a more recent post, the supplier noted that criminal groups other than HAFNIUM had begun taking advantage of the server vulnerabilities to launch their own cyberattacks, including onslaughts of ransomware.
The security firm Volexity first identified suspicious activity on some of their clients’ Exchange servers in January 2021. Microsoft credits both Volexity and Dubex for sounding the alarm on the attacks and aiding with the investigation.
What are the Microsoft Exchange Server vulnerabilities hackers are exploiting?
HAFNIUM used the following vulnerabilities to gain access to Exchange servers, according to Microsoft.
CVE-2021-26857, a Unified Messaging service insecure deserialization vulnerability
CVE-2021-27065, a post-authentication arbitrary file write vulnerability
CVE-2021-26858, a post-authentication arbitrary file write vulnerability
These vulnerabilities affect Exchange Server 2013, 2016 and 2019, as specified by the Microsoft Security Response Center. Exchange Server 2010 is also being updated as a defense-in-depth measure. These vulnerabilities do not affect Exchange Online.
How can I fix the vulnerabilities in my Exchange server?
If you can’t immediately apply the security updates to your Exchange server, the supplier advises enacting temporary mitigations as an interim measure. These include disabling the Unified Messaging service, the Exchange Control Panel (ECP) virtual directory (VDir) and the Offline Address Book (OAB) virtual directory, as well as filtering malicious HTTPS requests with an IIS rewrite rule. You can deploy and roll back these mitigations with the ExchangeMitigations.ps1 script.
Please note that Microsoft advises deploying all of these mitigations together, and only as a temporary solution until you can fully patch your server. They are known to affect server functionality. The security updates are the only complete fix that doesn’t impact server performance. Microsoft also notes that the mitigations won’t help if your server has already been breached and are not guaranteed protection against cyberattacks.
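A way to confirm the interim mitigations described above are actually in place, written here as an added example rather than code from the article or from Microsoft’s ExchangeMitigations.ps1. It assumes an elevated PowerShell session on the Exchange server with the WebAdministration module, the standard Exchange service and application pool names, and that the rewrite mitigation shows up as a rule with an AbortRequest action on the Default Web Site (the exact rule name is an assumption, so the check matches on the action type instead). All checks passing says nothing about whether the server was already breached.

```powershell
# Added example (not from the article): report whether each interim
# mitigation appears to be applied. Assumptions: WebAdministration module
# present, standard Exchange service/app pool names, and the rewrite
# mitigation is a rule whose action type is AbortRequest.
Import-Module WebAdministration

function Test-ServiceDisabled {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    # Service not installed on this role: nothing to mitigate here.
    if (-not $svc) { return $true }
    return ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
}

function Test-AppPoolStopped {
    param([string]$Name)
    $state = Get-WebAppPoolState -Name $Name -ErrorAction SilentlyContinue
    if (-not $state) { return $false }
    return ($state.Value -eq 'Stopped')
}

function Test-AbortRewriteRulePresent {
    # Assumption: the mitigation rule aborts matching requests on the Default Web Site.
    $rules = Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' `
                                  -PSPath 'IIS:\Sites\Default Web Site' `
                                  -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        if ($rule.action.type -eq 'AbortRequest') { return $true }
    }
    return $false
}

$checks = [ordered]@{
    'Unified Messaging service (MSExchangeUM) stopped and disabled' = Test-ServiceDisabled 'MSExchangeUM'
    'UM Call Router (MSExchangeUMCR) stopped and disabled'          = Test-ServiceDisabled 'MSExchangeUMCR'
    'ECP application pool (MSExchangeECPAppPool) stopped'           = Test-AppPoolStopped 'MSExchangeECPAppPool'
    'OAB application pool (MSExchangeOABAppPool) stopped'           = Test-AppPoolStopped 'MSExchangeOABAppPool'
    'IIS rewrite rule aborting malicious requests present'          = Test-AbortRewriteRulePresent
}

foreach ($entry in $checks.GetEnumerator()) {
    $status = if ($entry.Value) { 'OK     ' } else { 'MISSING' }
    Write-Output ("[{0}] {1}" -f $status, $entry.Key)
}
```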
How do I know if my Exchange server has been compromised?
A script from the Exchange Server team can identify IOCs in your Exchange log files. Additionally, the supplier advises scanning your Exchange servers for known web shells with the most current version of Microsoft Safety Scanner. If your organization uses Microsoft Defender or Microsoft Defender for Endpoint, ensure you’ve installed the latest security intelligence update.
To help security teams, Microsoft has also created a feed of observed IOCs. The feed is available through GitHub in JSON format and CSV format.