Everything you need to know about the (new) Microsoft Exchange Server hack


Although not on the same scale as the Microsoft Exchange Server hack in 2021, security issues affecting Exchange Server have resurfaced.

During the March 2024 monthly patch cycle, Microsoft fixed critical issues in software such as Hyper-V and Exchange Server. These fixes follow the release of the 2024 H1 Cumulative Update for Exchange Server in February.

Cumulative Update 2024 H1 enables Extended Protection (EP) by default. EP is a Windows feature that protects servers against man-in-the-middle (MITM) attacks. The automatic inclusion of EP was first announced in 2023.
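Because EP only helps where it is actually enforced on the IIS virtual directories that Exchange exposes, an administrator will want a quick way to verify the setting after the cumulative update. The script below is an added example, not Microsoft's own Extended Protection management script and not code from the article; it reads the IIS `extendedProtection` element (the `tokenChecking` attribute, whose values are `None`, `Allow` and `Require`) for a list of virtual directories. The list of directories and the site names are assumptions (a representative subset of a standard deployment) and should be adjusted to the server in question.

```powershell
# Added example (not Microsoft's script): report the IIS Extended Protection
# (channel-binding) setting for Exchange virtual directories on this server.
# Run in an elevated PowerShell session on the Exchange server itself.
Import-Module WebAdministration

# Assumed: front-end vdirs live under "Default Web Site", back-end ones under
# "Exchange Back End". Adjust this list to match the deployment being checked.
$vdirs = @(
    'IIS:\Sites\Default Web Site\owa',
    'IIS:\Sites\Default Web Site\ecp',
    'IIS:\Sites\Default Web Site\EWS',
    'IIS:\Sites\Default Web Site\mapi',
    'IIS:\Sites\Default Web Site\Autodiscover',
    'IIS:\Sites\Exchange Back End\owa',
    'IIS:\Sites\Exchange Back End\ecp'
)

# IIS configuration path of the Extended Protection element under Windows auth.
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

$results = foreach ($path in $vdirs) {
    if (-not (Test-Path $path)) {
        [pscustomobject]@{ Path = $path; TokenChecking = 'n/a'; Status = 'NOT FOUND' }
        continue
    }
    $ep   = Get-WebConfiguration -PSPath $path -Filter $filter
    $mode = [string]$ep.tokenChecking   # None | Allow | Require (empty if unset)
    $status = switch ($mode) {
        'Require' { 'OK'    }   # channel binding enforced: relayed NTLM auth is rejected here
        'Allow'   { 'ALLOW' }   # binding checked only when the client supplies one
        default   { 'OFF'   }   # 'None' or unset: NTLM relay is not mitigated on this vdir
    }
    [pscustomobject]@{ Path = $path; TokenChecking = $mode; Status = $status }
}

$results | Format-Table -AutoSize

# 'Require' is the strong setting; Microsoft's EP documentation states the
# expected value per virtual directory, so compare the table against it
# rather than treating every 'ALLOW' as a defect.
if ($results.Status -contains 'OFF') {
    Write-Warning 'At least one virtual directory has Extended Protection off; EP does not protect that path.'
}
```

The check is read-only: it changes nothing in IIS, so it can be run repeatedly (for example from a scheduled job) to detect drift after cumulative updates or manual reconfiguration.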

The security update may help resolve CVE-2024-21410, a privilege escalation vulnerability in Exchange Server that enables NTLM relay attacks. This vulnerability is actively exploited.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials leak vulnerability,” Microsoft explains. “The leaked credentials may then be relayed against the Exchange server to gain privileges as a victim client and to perform operations on the Exchange server on behalf of the victim.”

CVE-2024-21410 was revealed in Microsoft’s February 2024 patch update.

And here is the article published on the subject in 2021: Microsoft Exchange: Everything you need to know about the current attack campaign

What happened?

On March 2, Microsoft released patches to address four serious vulnerabilities in Microsoft Exchange Server software. The company then claimed that the bugs were actively exploited in “limited and targeted attacks”.

Microsoft Exchange Server is an email, calendar, and collaboration solution. Its users range from large accounts to small and medium-sized businesses around the world.

Although the patches have been released, the extent of the compromises depends on the speed of patch adoption – and the estimated number of victims continues to rise.

What are the vulnerabilities and why are they important?

These critical vulnerabilities impact Exchange 2013, Exchange Server 2016, and Exchange Server 2019 servers. However, Exchange Online is not affected.

  • CVE-2021-26855: CVSS 9.1: an SSRF (Server-Side Request Forgery) vulnerability that allows unauthenticated attackers to send HTTP requests. The server must be able to accept untrusted connections on port 443 for the bug to be exploited.
  • CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging service, which allows arbitrary code to be run with SYSTEM privileges. However, this vulnerability must be chained with another one, or stolen credentials must be used.
  • CVE-2021-26858: CVSS 7.8: a vulnerability that allows files to be written to the system, notably used to install a web shell on compromised servers.
  • CVE-2021-27065: CVSS 7.8: a vulnerability that allows files to be written to the system, notably used to install a web shell on compromised servers.

If used in conjunction, all of these vulnerabilities can lead to remote code execution, server compromise, installation of backdoors, data theft, and potentially further deployment of malware.

Microsoft says attackers gain access to an Exchange server either by exploiting these bugs or by using stolen credentials, and can then create a web shell to compromise the system and execute commands remotely. “These vulnerabilities are used as part of an attack chain,” Microsoft explains. “The initial attack requires the ability to establish an untrusted connection to port 443 of the Exchange server. It is possible to protect against this by limiting untrusted connections or by setting up a VPN to separate the Exchange server from any external access. Using this measure will only protect against the initial part of the attack; other parts of the chain can be triggered if an attacker already has access or manages to convince an administrator to execute a malicious file.”

Who is responsible for the attacks?

Microsoft says attacks using these flaws have been attributed to the Hafnium group.

Hafnium is an advanced persistent threat (APT) group linked to the Chinese state, which the company describes as a “highly skilled and sophisticated actor.”

Although Hafnium operates from China, the group uses a network of virtual private servers (VPS) located in the United States to try to conceal its true location. Entities previously targeted by the group include think tanks, non-profit organizations, defense companies and researchers.

Just Hafnium?

When zero-day vulnerabilities are exposed in popular software and emergency security patches are released, the ramifications can be massive. Patching can be delayed by many factors: the company may not be aware of the patches, may not know that it is using the affected software, or may not be able to update due to compatibility issues.

According to Volexity, attacks using these zero-day flaws could have started as early as January 6, 2021.

According to Mandiant, the attacks on U.S. targets include local government agencies, a university, an engineering company and retailers. The cybersecurity company believes the vulnerabilities could be used for ransomware deployment and data theft.

Multiple victims

Sources told cybersecurity expert Brian Krebs that about 30,000 organizations have been hacked so far in the United States. Bloomberg estimates that figure is closer to 60,000, as of March 8.

The European Banking Authority is one of the latest victims to come forward. The US Cybersecurity and Infrastructure Security Agency (CISA) notes that the agency is “aware that malicious actors are using open source tools to search for vulnerable Microsoft Exchange servers.”

In a March 5 update, Microsoft notes that the company “continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple threat actors, well beyond Hafnium.”

The Biden administration is expected to form a task force to explore reported links between the Microsoft Exchange attacks and China, according to CNN.

How can I check my servers and their vulnerability? What must I do now?

Microsoft has asked administrators and customers to apply security patches immediately. However, just because the patches are being applied now doesn’t mean the servers weren’t already compromised before. Alternative options are also available if immediate patching is not possible.

The Redmond giant also published a script on GitHub, which IT administrators can use and which includes indicators of compromise (IOCs) linked to the four vulnerabilities. IOCs are listed separately here.

On March 3, CISA issued an emergency directive that directed federal agencies to immediately scan any servers running Microsoft Exchange and apply the patches provided by the company. If suspicious indicators are detected, going back to September 1, 2020, CISA requires agencies to disconnect affected devices from the internet to limit the risk of further damage.

Microsoft continues to investigate and we will update as additional information becomes available.

Source: ZDNet.com
