
Microsoft Exchange Server Exploits FAQ: How to Protect Your Business

Author: Kevin Rubin, president and CIO, Stratosphere Networks

Earlier this month, Microsoft announced that malicious actors were leveraging zero-day exploits to infiltrate on-premises versions of Microsoft Exchange Server. If your company utilizes an Exchange server that hackers could potentially breach via these vulnerabilities, here’s everything you should know about the ongoing attacks, what you can do to fix weak points in your server and how to identify indicators of compromise (IOCs).

Who’s responsible for the cyberattacks on Exchange servers and when did they start?

Microsoft attributed the initial attacks to HAFNIUM, a state-sponsored group based in China, according to a blog post published March 2. However, in a more recent post, the supplier noted that criminal groups other than HAFNIUM had begun taking advantage of the server vulnerabilities to launch their own cyberattacks, including onslaughts of ransomware.

The security firm Volexity first identified suspicious activity on some of their clients’ Exchange servers in January 2021. Microsoft credits both Volexity and Dubex for sounding the alarm on the attacks and aiding with the investigation.

What are the Microsoft Exchange Server vulnerabilities hackers are exploiting?

HAFNIUM used the following vulnerabilities to gain access to Exchange servers, according to Microsoft.

  • CVE-2021-26857, a Unified Messaging service insecure deserialization vulnerability
  • CVE-2021-26855, a server-side request forgery (SSRF) vulnerability
  • CVE-2021-27065, a post-authentication arbitrary file write vulnerability
  • CVE-2021-26858, a post-authentication arbitrary file write vulnerability

These vulnerabilities affect Exchange Server versions 2013, 2016 and 2019, as specified by the Microsoft Security Response Center. Exchange Server 2010 is also receiving updates for defense in depth. These vulnerabilities do not affect Exchange Online.

How can I fix the vulnerabilities in my Exchange server?

Microsoft recommends first moving to the most recent Exchange Cumulative Update. The Exchange Server Health Checker script, available on GitHub, will tell you whether you’re up to date (note that it doesn’t support Exchange Server 2010). The next step is installing the relevant security update on your server. Details on how to do so are in the Microsoft Tech Community post “Released: March 2021 Exchange Server Security Updates.”

If you can’t patch your Exchange server with those security updates, the supplier advises enacting temporary mitigations as an interim measure. These include disabling Unified Messaging, the Exchange Control Panel (ECP) virtual directory and the Offline Address Book (OAB) virtual directory, as well as filtering malicious HTTPS requests with an IIS rewrite rule. You can deploy and roll back those mitigations with the ExchangeMitigations.ps1 script.

Microsoft advises deploying all of these mitigations together, and only as a temporary measure until you can fully patch your server, because they are known to affect server functionality. The security updates are the only complete fix that doesn’t impact server performance. Microsoft also notes that these mitigations won’t help if your server has already been breached and are not guaranteed protection against further attacks.

How do I know if my Exchange server has been compromised?

A script from the Exchange Server team can identify IOCs in your Exchange log files. Additionally, the supplier advises scanning your Exchange servers for known web shells with the most current version of Microsoft Safety Scanner. If your organization uses Microsoft Defender or Microsoft Defender for Endpoint, ensure you’ve installed the latest security intelligence update.

To help security teams, Microsoft has also created a feed of observed IOCs. The feed is available through GitHub in JSON format and CSV format.
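The IOC feed mentioned above is published in both JSON and CSV form. The following is an added example (not code from the article or from Microsoft) of how a security team could load either form into one shape and check files from an Exchange server’s web root against it by content hash and by known drop path. The field names (sha256, path, description), the feed contents, the file paths and the file bytes are all constructed for the example; the real feed’s header row decides the field names you should read.

```python
import csv
import hashlib
import io
import json
from typing import Iterable

# Everything below is a constructed sample for this example. The indicator
# field names (sha256, path, description) are an assumption, not the real
# feed's schema: read the header row of the feed you download and adjust.
KNOWN_SHELL_BYTES = b"constructed web shell sample for the example"
KNOWN_SHELL_SHA256 = hashlib.sha256(KNOWN_SHELL_BYTES).hexdigest()
KNOWN_DROP_PATH = r"C:\inetpub\wwwroot\example_dir\constructed.aspx"

SAMPLE_FEED_JSON = json.dumps([
    {"sha256": KNOWN_SHELL_SHA256, "path": "", "description": "constructed web shell hash"},
    {"sha256": "", "path": KNOWN_DROP_PATH, "description": "constructed drop path"},
])
SAMPLE_FEED_CSV = (
    "sha256,path,description\n"
    f"{KNOWN_SHELL_SHA256},,constructed web shell hash\n"
    f",{KNOWN_DROP_PATH},constructed drop path\n"
)

# Constructed (path, contents) pairs standing in for files found under the
# IIS web root of an Exchange server.
SAMPLE_FILES = [
    (r"C:\inetpub\wwwroot\example_dir\renamed.aspx", KNOWN_SHELL_BYTES),     # known bytes, new name
    (r"C:\inetpub\wwwroot\EXAMPLE_DIR\constructed.aspx", b"modified body"),   # known path, new bytes
    (r"C:\inetpub\wwwroot\example_dir\legit.aspx", b'<%@ Page Language="C#" %>'),
]


def normalize_path(path: str) -> str:
    """Windows paths are case-insensitive and may use either separator."""
    return path.strip().replace("\\", "/").lower()


def load_feed(text: str) -> list[dict]:
    """Parse the feed from either its JSON or its CSV form into one record shape."""
    stripped = text.lstrip()
    if stripped.startswith(("[", "{")):
        records = json.loads(stripped)
        if isinstance(records, dict):   # tolerate a single top-level object
            records = [records]
    else:
        records = list(csv.DictReader(io.StringIO(text)))
    indicators = []
    for rec in records:
        indicators.append({
            "sha256": (rec.get("sha256") or "").strip().lower(),
            "path": normalize_path(rec.get("path") or ""),
            "description": (rec.get("description") or "").strip(),
        })
    return indicators


def scan_files(indicators: list[dict], files: Iterable[tuple[str, bytes]]) -> list[dict]:
    """Flag files whose sha256 or normalized path appears in the feed.

    A hash match only catches unmodified copies of a known artifact; the path
    match catches a file dropped where the feed says one was written even if
    its contents differ. Neither replaces a review of recently written files.
    """
    by_hash = {i["sha256"]: i for i in indicators if i["sha256"]}
    by_path = {i["path"]: i for i in indicators if i["path"]}
    matches = []
    for path, contents in files:
        digest = hashlib.sha256(contents).hexdigest()
        if digest in by_hash:
            matches.append({"path": path, "reason": "sha256",
                            "description": by_hash[digest]["description"]})
        elif normalize_path(path) in by_path:
            matches.append({"path": path, "reason": "path",
                            "description": by_path[normalize_path(path)]["description"]})
    return matches


if __name__ == "__main__":
    for m in scan_files(load_feed(SAMPLE_FEED_JSON), SAMPLE_FILES):
        print(f"{m['reason']:6} {m['path']}  ({m['description']})")
```

Path normalization matters here because IIS paths are case-insensitive, so a feed entry and a file listing that differ only in case or separator still refer to the same file. On a real server the `SAMPLE_FILES` list would be replaced by a walk of the web root that reads each file’s bytes.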

If you need assistance scanning for and evaluating all of the currently known IOCs, our security team has already built out the following detections as part of the managed detection and response (MDR) services included in our Security Operations Center as a Service (SOCaaS) offering.

  • Forensic artifacts found in HAFNIUM intrusions exploiting CVE-2021-27065
  • Forensic artifacts found in HAFNIUM intrusions exploiting CVE-2021-26858
  • Forensic artifacts showing clean-up activity found in HAFNIUM intrusions
  • Forensic artifacts found in HAFNIUM intrusions
  • HAFNIUM SecChecker web shell
  • Web shell injection
  • Simple ASPX web shell that allows an attacker to write further files to disk
  • SPORTSBALL web shell
  • PowerCat hacktool
  • PowerShell one-liner from Nishang’s repository
  • Suspicious log entries indicating requests as described in reports on HAFNIUM activity
  • Variation on the reGeorg tunnel
  • Web shells and ASPX files dropped by CVE-2021-27065 (for all threat actors)
  • Windows Error Report (WER) indicating an exploitation attempt of the Exchange server as described in CVE-2021-26857, after the application of the corresponding patches
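The “suspicious log entries” detection in the list above is the kind of check the Exchange team’s log-scanning script performs on the HttpProxy logs. The following is an added example (not code from the article, from Stratosphere Networks or from Microsoft) of that triage in Python: it parses HttpProxy-style CSV log lines, flags rows whose AnchorMailbox or BackEndCookie field has the shape Microsoft’s HAFNIUM guidance associated with CVE-2021-26855, and counts hits per client address. The two wildcard patterns are reproduced from memory of that guidance and should be verified against the current script before use; the log lines, column subset and addresses are constructed for the example.

```python
import csv
import re
from collections import Counter

# Detection patterns for CVE-2021-26855 as given in Microsoft's HAFNIUM
# guidance, reproduced from memory for this example. The original wildcard
# forms are AnchorMailbox -like 'ServerInfo~*/*' and
# BackEndCookie -like 'Server~*/*~*'; verify them against the current script.
ANCHOR_MAILBOX_PATTERN = re.compile(r"^ServerInfo~.*/.*", re.IGNORECASE)
BACKEND_COOKIE_PATTERN = re.compile(r"^Server~.*/.*~.*", re.IGNORECASE)

# Constructed HttpProxy-style log. Real logs carry more columns; only the
# ones this check needs are included. Addresses are documentation ranges.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Fields: DateTime,ClientIpAddress,UrlStem,AnchorMailbox,BackEndCookie,HttpStatus
2021-03-03T10:00:01.000Z,10.0.0.5,/owa/,Sid~S-1-5-21-1111-2222-3333-1001,Server~exch01.corp.example~1941,200
2021-03-03T10:00:07.000Z,203.0.113.9,/owa/auth/x.js,ServerInfo~localhost/constructed/backend/path,,200
2021-03-03T10:00:09.000Z,203.0.113.9,/ecp/y.js,,Server~localhost/constructed~1941,200
2021-03-03T10:00:12.000Z,10.0.0.7,/mapi/emsmdb/,Sid~S-1-5-21-1111-2222-3333-1002,Server~exch01.corp.example~1941,200
"""


def parse_httpproxy_log(text: str) -> list[dict]:
    """Turn log text into row dicts keyed by column name.

    Column names are taken from a '#Fields:' comment line if present,
    otherwise from the first non-comment row; other '#' lines are skipped.
    """
    header = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        values = next(csv.reader([line]))
        if header is None:
            header = values
            continue
        rows.append(dict(zip(header, values)))
    return rows


def find_suspicious(rows: list[dict]) -> list[dict]:
    """Return the rows whose routing fields match the published patterns,
    each annotated with the reason(s) it matched."""
    hits = []
    for row in rows:
        reasons = []
        if ANCHOR_MAILBOX_PATTERN.match(row.get("AnchorMailbox", "")):
            reasons.append("AnchorMailbox matches ServerInfo~*/*")
        if BACKEND_COOKIE_PATTERN.match(row.get("BackEndCookie", "")):
            reasons.append("BackEndCookie matches Server~*/*~*")
        if reasons:
            hits.append({**row, "reasons": reasons})
    return hits


def summarize_by_client(hits: list[dict]) -> Counter:
    """Count matching requests per client address to prioritize triage."""
    return Counter(h.get("ClientIpAddress", "?") for h in hits)


if __name__ == "__main__":
    hits = find_suspicious(parse_httpproxy_log(SAMPLE_HTTPPROXY_LOG))
    for h in hits:
        print(h["DateTime"], h["ClientIpAddress"], h["UrlStem"], "; ".join(h["reasons"]))
    print(summarize_by_client(hits))
```

A hit in this log is a reason to pull the matching server’s full HttpProxy, ECP and OABGenerator logs and the files written under the web root around the timestamps involved, not a confirmed compromise by itself; the per-client summary simply shows which source addresses deserve that deeper look first.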
