Microsoft Exchange 0-day attacks

DESCRIPTION

A new set of zero-day vulnerabilities have been identified for Microsoft Exchange customers.

The vulnerability has been present for over 10 years and is just now being identified as of 3/3/2021. One attack group has been identified to date (HAFNIUM) and is generally associated with target nation state sponsored attacks. There may be others identified in the days and weeks to come. At this time, Office 365 email is not impacted by these vulnerabilities.

The vulnerabilities identified allow for the bypass of authentication at the Exchange application and allows remote code execution on the Exchange systems to steal email and potentially install webshells for persistent remote access to the system.

IDENTIFY INDICATORS OF COMPROMISE (IOC)

  1. All unpatched Exchange 2010 or higher systems are vulnerable to the exploit up to the provided 3/3/2021 patch. This does not mean you were impacted.

  2. Indicators of compromise (IOC) have been published that are associated with the HAFNIUM attackers. Discovery scripts and IOCs are provided here.

  3. As there is the possibility that there may be non-HAFNIUM related attackers, a thorough check of the Exchange system is recommended to identify unknown/unusual files on the system.

CONTAINMENT (REQUIRED)

  1. Initially disable INBOUND HTTP/HTTPS access to your Exchange server, you can still allow inbound SMTP.
  2. Disable all OUTBOUND traffic, except SMTP for email transfer, this will stop any reverse web-shell access now and in the future.

REMEDIATION

After all threat actor-controlled accounts and identified persistence mechanisms have been identified and removed:

  1. (Required) Patch the Exchange application.
  2. (Required) Reset all credentials used by or stored in the Exchange System, including domain, local, and service accounts. Such credentials may be compromised.
  3. If IOCs related to the HAFNIUM group or other suspicious items are identified, it is recommended to rebuild the Exchange System. Keep a copy of the Exchange system image in case forensic analysis is desired. HALOCK recommends performing a forensic analysis if IOCs are present.
  4. Consider deploying the patched Exchange system behind a Web Application Firewall (WAF). It is likely that a WAF would have protected against the identified web attacks as they are common attack methods that are not unique to the vulnerabilities identified.

If you would like to speak with HALOCK concerning this zero-day vulnerability, need assistance with analysis, or would like to further protect you web applications, please reach out to your HALOCK account manager or chat with us online at HALOCK to schedule a call with one of our security experts.

Consult with HALOCK concerning this zero-day vulnerability.

Contact Us


Cyber Data Breach News

HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.

References


  1. https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
  2. https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
  3. https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
  4. https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
  5. https://github.com/microsoft/CSS-Exchange/tree/main/Security
  6. https://us-cert.cisa.gov/ncas/current-activity/2021/03/03/cisa-issues-emergency-directive-and-alert-microsoft-exchange
  7. https://cyber.dhs.gov/ed/21-02/