Security Experts:

Microsoft: Multiple Exchange Server Zero-Days Under Attack by Chinese Hacking Group

Microsoft Exchange Vulnerabilities

Microsoft late Tuesday raised the alarm after discovering Chinese cyber-espionage operators chaining multiple zero-day exploits to siphon e-mail data from corporate Microsoft Exchange servers.

Redmond's warning includes the release of emergency out-of-band patches for four distinct zero-day vulnerabilities that formed part of the threat actor's arsenal.

Microsoft pinned the blame on a sophisticated Chinese APT operator called HAFNIUM that operates from leased VPS (virtual private servers) in the United States.

HAFNIUM primarily targets entities in the U.S. across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

The company said its analysts assess with high confidence that HAFNIUM is state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

Supply Chain Security Summit

In all, Microsoft said the attacker chained four zero-days into a malware cocktail targeting its Exchange Server (Outlook Web App) product. The vulnerabilities exposed Microsoft's customers to remote code excecution attacks, without requiring authentication.

"In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments," Microsoft said.

"We strongly urge customers to update on-premises systems immediately," the company urged.

Here are the raw details on the vulnerabilities being exploited in the wild.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Enterprise defenders can find additional techincal details in this blog post from the Microsoft Server team.

Microsoft said the attacks included three steps. First, the group gained access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise as someone who should have access. Second, the attackers created a web shell to control the compromised server remotely. That remote access was then used – run from the U.S.-based private servers – to steal data from an organization’s network.

In campaigns unrelated to this new batch of zero-day vulnerabilities, Microsoft said it found HAFNIUM interacting with victim Office 365 tenants. "While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments," the company explained.  

The attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users, Microsoft added.

Cybersecurity firm Volexity, which was credited by Microsoft for reporting different parts of the attack chain, has published a blog post with technical details and a video demonstrating exploitation in action, along with known attacker IP addresses connected to the attacks. Volexity said it detected anomalous activity from two of its customers’ Microsoft Exchange servers in January 2021, which led to discovery of the attacks.

The U.S. Cybersecurity and Infrastructure Security (CISA) also issued an alert with additional information and mitigation guidance. 

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends. Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.