Over the past few months, more than 30,000 businesses across the United States have been attacked by hackers using four 0-day vulnerabilities in Microsoft Exchange Server to gain access to victims’ email accounts and install malware and backdoors, giving the criminals full access to the affected servers. Here’s what you need to know about the attacks.
When did the Server hack attacks begin?
Cybercriminals began targeting Microsoft Exchange servers on January 5, 2021. The criminals gained access to organizations’ servers through previously unknown vulnerabilities, either by disguising themselves as someone who should be granted access or by using stolen passwords.
The hackers also used web shells to control U.S.-based private servers through remote access and steal information from organizations’ networks. On March 2, Microsoft released security updates for 2010 through 2013 Exchange Server versions.
Microsoft identified Hafnium, a state-sponsored group, as the primary suspect behind the attacks. The group targets organizations in the United States across different industries, including higher education institutions, NGOs, researchers, and law firms.
Although the group operates from China, it uses virtual private servers in the U.S. to hide its true location. The group uses legitimate open-source frameworks to exploit vulnerabilities and, once it gains access to an organization’s network, exfiltrates information to file-sharing websites.
What security patches are available?
The critical vulnerabilities, commonly known as ProxyLogon, affect on-premises Exchange Server 2013, 2016, and 2019. Exchange Online is not affected. Microsoft is urging customers to install the security updates for the following vulnerabilities to protect against further Server hack attacks:
- CVE-2021-26855: A server-side request forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service, which deserializes untrusted, user-controllable data. Attackers who exploit this vulnerability can run code on the Exchange server as SYSTEM. However, exploiting it requires another vulnerability or stolen credentials.
- CVE-2021-26858: A post-authentication arbitrary file write vulnerability. If cybercriminals can authenticate with the Exchange server, they can use this vulnerability to write files to arbitrary paths on the server. They can authenticate by compromising legitimate credentials or by exploiting the SSRF vulnerability above.
- CVE-2021-27065: Also a post-authentication arbitrary file write vulnerability that attackers can use to write files to any path on the server.
When chained together, these vulnerabilities can lead to malware deployment, backdoors, remote code execution (RCE), and information theft.
How to check your servers and their vulnerability status
Microsoft has urged customers to apply the security fixes above, but installing them does not remove an attacker who has already compromised or backdoored a server. You can use Microsoft’s guidelines to hunt for this activity using Azure Sentinel, Microsoft 365 Defender, Exchange server logs, and Microsoft Defender for Endpoint.
1. Check Exchange Server patch levels
Check the security updates available for your specific Exchange version and install them immediately to protect against future Server hack attacks. Microsoft releases security updates frequently, usually on the second Tuesday of each month.
For example, the remote code execution (RCE) vulnerabilities CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483 affect Microsoft Exchange Server but have not been linked to any attacks.
2. Scan Exchange log files
Microsoft has also published scripts you can use to check Exchange log files for indicators of compromise (IOCs), with later revisions addressing the scripts’ memory and performance issues. The company has also released additional security updates that you can apply temporarily to unsupported Cumulative Updates (CUs).
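As an added example (not from the original article and not Microsoft’s own scripts), the following Python applies the HttpProxy log indicator for CVE-2021-26855 that Microsoft’s public guidance describes, an AnchorMailbox value matching ServerInfo~*/*, to constructed sample log lines; the column names and sample values are assumptions for illustration.

```python
"""Flag the CVE-2021-26855 SSRF indicator in Exchange HttpProxy log lines.

Rule (assumed from Microsoft's public HAFNIUM guidance): an AnchorMailbox value
that starts with "ServerInfo~" and contains "/" (ServerInfo~*/*) is suspicious.
"""
import csv
from collections import Counter

# Constructed sample log, not a real capture. HttpProxy logs are CSV with a
# "#Fields:" comment line naming the columns; only a subset is used here.
SAMPLE_HTTPPROXY_LOG = """\
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AnchorMailbox,HttpStatus
2021-03-03T10:15:01.000Z,req-1,198.51.100.7,mail.example.test,/owa/auth/x.js,ServerInfo~localhost/autodiscover/autodiscover.xml,200
2021-03-03T10:15:02.000Z,req-2,203.0.113.9,mail.example.test,/owa/,user@example.test,200
2021-03-03T10:15:03.000Z,req-3,198.51.100.7,mail.example.test,/ecp/y.js,ServerInfo~localhost/ecp/DDI/DDIService.svc,200
2021-03-03T10:15:04.000Z,req-4,203.0.113.9,mail.example.test,/owa/,ServerInfo~no-slash-here,200
"""


def parse_httpproxy_log(text):
    """Yield each data row as a dict keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and other comment headers
        if fields is None:
            raise ValueError("data row encountered before #Fields header")
        values = next(csv.reader([line]))  # csv handles quoted fields
        yield dict(zip(fields, values))


def is_ssrf_indicator(anchor_mailbox):
    """True when the AnchorMailbox value matches ServerInfo~*/*."""
    return anchor_mailbox.startswith("ServerInfo~") and "/" in anchor_mailbox


def find_ssrf_indicators(text):
    """Return the rows that match the indicator, for analyst triage."""
    return [row for row in parse_httpproxy_log(text)
            if is_ssrf_indicator(row.get("AnchorMailbox", ""))]


def count_by_client(text):
    """Count matching requests per source IP to prioritize investigation."""
    return dict(Counter(row["ClientIpAddress"] for row in find_ssrf_indicators(text)))
```

On the constructed sample, find_ssrf_indicators returns req-1 and req-3 only; req-4 shows why the "/" part of the pattern matters.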
3. Use Microsoft Exchange on-premises mitigation tool
Microsoft has released a tool to help businesses reduce the risk to their servers. It makes it easier for organizations to mitigate the highest risks to on-premises Exchange servers before patching.
Microsoft Defender Antivirus now also applies the on-premises Exchange Server mitigation automatically to further reduce risk. Microsoft is also offering on-premises Exchange Server customers a 3-month trial of Microsoft Defender for Endpoint.
4. Use AccountGuard Program
Early this year, Microsoft granted AccountGuard customers in 31 countries access to additional identity management protections at no additional cost. AccountGuard is a program that protects the accounts of Microsoft customers who are at higher risk of Server hack attacks because of their involvement in politics.
Other public figures, such as journalists and those fighting the Coronavirus, can also use the program. Microsoft is still investigating this issue, and we will continue to update this article as more information is released.