Microsoft Exchange Hacking Campaign Targets U.S. Organizations – Updated On 4.14.2021
Posted on: March 25, 2021
On April 13, 2021, Microsoft released a software update to mitigate significant vulnerabilities that affect on-premises Exchange Servers 2013, 2016, and 2019. An attacker could use these vulnerabilities to gain access and maintain persistence on the target host. These vulnerabilities are different from the ones disclosed and fixed in March 2021 – the security updates released in March 2021 will not remediate against these vulnerabilities.
Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information that is stored in Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for adversary activity.
Though CISA is unaware of active exploitation of these vulnerabilities, once an update has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit.
Applying the update released on April 13, 2021 to Exchange servers is currently the only mitigation for these vulnerabilities (aside from removing affected servers from the network). CISA requires that agencies immediately apply the Microsoft April 2021 update to all affected Exchange Servers.
As per CISA Guidance here are the Required Actions as per Supplemental Direction v2
- Deploy Microsoft Updates. Before 12:01 am Friday, April 16, 2021, Eastern Daylight Time, agencies with on-premises Microsoft Exchange servers must deploy Microsoft updates from Tuesday, April 13, 2021, to all affected Microsoft Exchange servers. Microsoft Exchange Servers that cannot be updated within the deadline above must be immediately removed from agency networks.
- Apply/Maintain Controls. Ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected endpoints are updated before connecting to agency networks.
- Report Completion. For agencies managing on-premises Microsoft Exchange servers, department-level Chief Information Officers (CIOs) or equivalents shall submit a report to CISA using the provided template to CyberDirectives@cisa.dhs.gov by Noon Eastern Daylight Time on Friday, April 16, 2021.
- Report Indications of Compromise. Immediately report any identified cyber incidents and related indications of compromise detected while conducting update activities through https://us-cert.cisa.gov/report.
Microsoft’s April 2021 Security Update mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019. An attacker could exploit these vulnerabilities to gain access and maintain persistence on the target host. CISA strongly urges organizations to apply Microsoft’s April 2021 Security Update to mitigate against these newly disclosed vulnerabilities. Note: the Microsoft security updates released in March 2021 do not remediate against these vulnerabilities.
In response to these the newly disclosed vulnerabilities, CISA has issued Supplemental Direction Version 2 to Emergency Directive (ED) 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities. ED 20-02 Supplemental Direction V2 requires federal departments and agencies to apply Microsoft’s April 2021 Security Update to mitigate against these significant vulnerabilities affecting on-premises Exchange Server 2016 and 2019.
Although CISA Emergency Directives only apply to Federal Civilian Executive Branch agencies, CISA strongly encourages state and local governments, critical infrastructure entities, and other private sector organizations to review ED 21-02 Supplemental Direction V2 and apply the security updates immediately. Review the following resources for additional information:
- Microsoft April 2021 Security Update Summary
- CISA ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities Supplemental Direction V2
- CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
- CISA web page: Remediating Microsoft Exchange Vulnerabilities
On March 2, 2021, Microsoft released a series of security updates meant to patch newly discovered zero-day vulnerabilities in Microsoft Exchange Server. Microsoft Exchange is used by millions of organizations to manage their email and calendar systems, giving this vulnerability the potential to cause catastrophic damage to affected groups if exploited. An estimated 30,000 US organizations have already been compromised through this vulnerability, which can allow attackers to remotely execute malicious code to gain full control of the targeted systems. Microsoft is attributing these attacks to cyber espionage organization, HAFNIUM, based in mainland China.
As per DHS/CISA guidance, they are tracking a serious issue with Microsoft Exchange. We cannot emphasize enough that exploitation is widespread and indiscriminate and we are advising all system owners to complete the following actions.
Please complete the checklist and provide feedback to your leadership on the actions you have taken and any challenges completing the recommended steps.
- Patch ALL instances of Microsoft Exchange that you are hosting. Check out Microsoft’s April 2021 Security Update here.
- If you can’t patch then follow the recommendations Microsoft issued — Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 – Microsoft Security Response Center.
- Download and run ps1 as an administrator
- .\EOMT.ps1 -RunFullScan
- Check for indicators of compromise by running the following script. This script is also very effective.
- If you haven’t been compromised we strongly recommend enhancing monitoring of network connections to your Exchange environment.
- If you have, follow this guidance to better understand what to do next.
SEDC MSS (AlienVault) includes NIDS detection signatures for both Hanfium CVE-2021-26855 and CVE-2021-26857. Two other CVEs for Hafnium, CVE-2021-26858, and CVE-2021-27065, have no NIDS detection signatures currently but AlienVault Open Threat Exchange (OTX) has threat intelligent feeds (“pulses”) available for them to enrich associated events that arise attendant to a Hafnium exploitation attempt.
For the actively detected CVEs, CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server, which permits remotes access and compromise by a remote threat actor.
The following NIDS signatures detect CVE-2021-26855 and are escalated in a Hafnium AV alarm via directive #46875 “AV Attacks, Microsoft Exchange – Attempted ECP Privilege Escalation (CVE-2021-26855)”:
2847423: “ETPRO EXPLOIT Microsoft Exchange – Attempted ECP Privilege Escalation (CVE-2021-26855)”
4002538: “AV EXPLOIT Microsoft Exchange Vulnerability Scan Detected (CVE-2021-26855)”
CVE-2021-26857 is a local host vulnerability that provides privilege escalation to an attacker to run code as SYSTEM on the Exchange server. This then permits further remote code executions.
The following NIDS signatures detect CVE-2021-26857 and are escalated in a Hanium AV alarm via directive #46877 (“AV Attacks, Microsoft Exchange – Possible RCE Inbound (CVE-2021-26857):
2847418 “ETPRO EXPLOIT Microsoft Exchange – Possible RCE Inbound (CVE-2021-26857)”
2847419 “ETPRO EXPLOIT Microsoft Exchange – Possible RCE with WebShell Inbound M1 (CVE-2021-26857)”
2847420 “ETPRO EXPLOIT Microsoft Exchange – Possible RCE with WebShell Inbound M2 (CVE-2021-26857)”
VMware Carbon Black – Please ensure you are on sensor version 3.6 or above.
The Threat Analysis Unit (TAU) has updated the Advanced Threats and AMSI Threat Intelligence watchlists, for detections related to the post-exploitation activity. TAU is also testing and refining additional detections as well as potential prevention rules. As these become available this post will be updated with additional information. The detections that are provided in the watchlist and any preventions that could be released will be dependent on the latest agent versions of the CBC products (3.6 or greater). Bottom Line Up Front: These 0-day vulnerabilities only exist on on-premise Exchange servers. If you are not running an on-premise exchange (O365 for example) you are not impacted by these vulnerabilities.
As always, you should prioritize installing the recommended patches in your Exchange environment as these vulnerabilities enable unauthenticated remote code execution and file-writes. TAU also recommends implementing egress network ACLs for all externally facing web services in your environment.
In order to take full advantage of the most up-to-date threat intelligence detection and prevention rules, VMware Carbon Black Endpoint Standard customers must be running 3.6 or greater CBC sensor versions. Customers running 3.6 sensor versions are protected out of the box without any need to configure rules relating to the post-compromise credential theft techniques disclosed. The latest versions of the CBC sensors will also detect and block suspect PowerShell usage typically associated with post-compromise behaviors.