
Microsoft fixes four zero-day flaws in Exchange Server exploited by China's ‘Hafnium’ spies to steal victims' data

Patch ASAP: Holes used to raid top-tier targets and stash info in Kim Dotcom's old cloud file locker

Microsoft says Beijing-backed hackers are exploiting four zero-day vulnerabilities in Exchange Server to steal data from US-based defense contractors, law firms, and infectious disease researchers.

The Windows giant today issued patches for Exchange to close up the bugs, and recommended their immediate application by all. On-prem and hosted Exchange, from version 2013 to 2019, are vulnerable and need fixing up.

Microsoft’s corporate veep for customer security and trust Tom Burt named the miscreants “Hafnium,” said they operate in China though use US-based servers, and classified the cyber-spy team as “a highly skilled and sophisticated actor” that's nation-state sponsored.

Burt said the snoops conduct a three-step attack:

  1. Gain access to an Exchange Server either using stolen passwords or by using zero-day vulnerabilities, and disguise themselves as a legitimate user.
  2. Control the compromised Exchange Server remotely using a web shell.
  3. Use the resulting remote access, from servers located in America, to exfiltrate internal data.

The Chinese spies have in their arsenal four zero-day bugs that can be chained to ultimately break into vulnerable Exchange installations; they are, according to Microsoft:

CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858: A post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065: A post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

We note that Microsoft recommends "prioritizing installing updates on Exchange Servers that are externally facing."


Security consultancy Volexity, which Microsoft credits with having helped it uncover two of the bugs, has posted its account of the incidents that led it to alert the tech goliath.

Volexity said it noticed unusual activity on clients’ Exchange Servers in January 2021 and upon investigation spotted “a large amount of data being sent to IP addresses it believed were not tied to legitimate users.

“A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results. The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). Volexity observed the attacker focused on getting a list of e-mails from a targeted mailbox and downloading them.”
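The signal Volexity describes, POST requests landing on static OWA resources that only ever get fetched with GET, is easy to hunt for in IIS W3C logs. The following is an added example, not code from the article, Volexity or Microsoft; the log lines are constructed, and the list of static extensions and the inclusion of the /ecp/ path alongside /owa/ are assumptions.

```python
import os
import re

# Constructed sample IIS W3C log lines (not from the article or Volexity's report).
# Field order follows the default IIS layout named in the #Fields header.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-01-05 10:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2021-01-05 10:12:05 10.0.0.5 GET /owa/auth/themes/resources/favicon.ico - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2021-01-05 10:13:40 10.0.0.5 POST /owa/auth/themes/resources/logon.css - 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 843
2021-01-05 10:13:41 10.0.0.5 POST /ecp/themes/resources/loading.gif - 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 512
2021-01-05 10:14:02 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.9 Mozilla/5.0 - 302 0 0 40
"""

# Extensions of static resources (images, JavaScript, CSS, fonts) that OWA serves
# but never legitimately accepts a POST to. Assumed list; extend for your build.
STATIC_EXT = {".js", ".css", ".png", ".gif", ".jpg", ".ico", ".svg", ".woff", ".woff2", ".ttf", ".eot"}

# Exchange web front-end paths to scope the check; /ecp/ is included on the
# assumption that its static assets are served the same way as OWA's.
EXCHANGE_PREFIXES = ("/owa/", "/ecp/")

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<s_ip>\S+) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<query>\S+) (?P<port>\S+) (?P<user>\S+) (?P<c_ip>\S+) (?P<ua>\S+) "
    r"(?P<ref>\S+) (?P<status>\S+)"
)

def parse_iis(text):
    """Yield one dict per data line, skipping blank lines and #-directives."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_posts(text):
    """Return (timestamp, client_ip, uri, status) for POSTs to static OWA/ECP files."""
    hits = []
    for rec in parse_iis(text):
        uri = rec["uri"].lower()
        if (rec["method"] == "POST"
                and uri.startswith(EXCHANGE_PREFIXES)
                and os.path.splitext(uri)[1] in STATIC_EXT):
            hits.append((f'{rec["date"]} {rec["time"]}', rec["c_ip"], rec["uri"], rec["status"]))
    return hits
```

Running `suspicious_posts(SAMPLE_LOG)` on the constructed data returns the two POSTs from 198.51.100.23 and ignores the normal GETs and the legitimate login POST to auth.owa; the same function can be pointed at a real log file's contents. A 200 status on such a POST, rather than a 405, is the detail worth escalating.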

Redmond also thanked Orange Tsai from the DEVCORE research team, Dubex, and its own Microsoft Threat Intelligence Center for discovering and reporting the holes. Microsoft named cloud file locker Mega.nz, a service founded by Kim Dotcom, as one of Hafnium’s preferred destinations for exfiltrated data.

While the zero-day attacks don’t work against cloudy Exchange, users of Microsoft’s cloud messaging services need to be careful because the IT giant says it has seen Hafnium “interacting with victim Office 365 tenants.”

“While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments,” Microsoft stated.

Patch ASAP but log in as an Admin. Tweak port 443 and cross your fingers if you can’t patch

Microsoft has linked to and provided installation instructions for the patches here. Unsurprisingly, Microsoft recommends rapid patching, but if that’s going to be a problem in your environment, the super-corp's security experts offer some relief.

An advisory states: “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access.”

However, the memo also warns: “This mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”


There’s a little more relief to be had from the fact that Microsoft’s patches replace the February 9 security update for Exchange Server 2019, so if you’re a little behind, that wasn’t the worst update to have delayed.

But if you patch, do so carefully because the software titan warns that if you’re not logged in as an administrator, some files will not be correctly installed, and you won’t be notified of the problem. You’ll know you’ve done it wrong if Outlook on the web and the Exchange Control Panel stop working. But they don’t always stop.

So good luck with that one.

This page also offers details on how to detect if your environment has been compromised by Hafnium.

Microsoft says it has notified the US government of the attacks. Which means the Biden administration now has the attributed-to-Russia SolarWinds backdoor fiasco as well as the attributed-to-China Hafnium horror on its plate. SolarWinds is thought to have been compromised for up to three years. But Microsoft hasn’t said how long Hafnium has been active. ®
