
Threat Update - Mass Exploitation of On-Prem Exchange Servers

Snir Ben Shimol
2 min read
Last updated January 17, 2023

On March 2nd, Microsoft released an urgent software update to patch 4 critical vulnerabilities in Exchange Server 2010, 2013, 2016, and 2019.

Our IR and Forensics teams are actively helping organizations patch, investigate, and remediate. We’ve seen threat actors using these flaws to obtain remote access to Exchange servers and then attempt to exfiltrate sensitive information, including entire mailboxes.

Please be aware that Exchange servers are highly privileged members of Active Directory, so attackers who gain remote access to one will likely use that foothold to pivot to other critical systems, such as Domain Controllers.

Microsoft has reported that HAFNIUM, a state-sponsored APT operating from China, has been exploiting these vulnerabilities. According to Microsoft, Exchange Online is not vulnerable.

If you need ANY help, please contact your Varonis account team or reach out via our incident response page and we’ll do everything we can to ensure you’re safe, even if you aren’t a current customer.

Vulnerability overview

There are four CVEs being exploited in the attack:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that lets an unauthenticated attacker send arbitrary HTTP requests which the server proxies on their behalf, effectively authenticating as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service; exploiting it lets the attacker run code as SYSTEM on the server (it requires administrator rights or a prior vulnerability such as the SSRF above).
  • CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file write vulnerabilities, used (after authenticating via the SSRF or with stolen admin credentials) to write files such as web shells to any directory on the server.

Threat groups chain these vulnerabilities together in a single attack chain. See the analysis by Volexity, who observed the exploitation in the wild.

Example attack flow

  1. Target vulnerable Exchange servers that expose HTTPS (TCP 443) to the internet.
  2. Exploit the SSRF vulnerability (CVE-2021-26855) to obtain access and authenticate as the Exchange server.
  3. Gain SYSTEM by exploiting CVE-2021-26857, execute malicious code, and dump credentials and hashes (e.g., using ProcDump against LSASS).
  4. Use the Exchange server's Active Directory permissions to access the DC directly, elevate privileges, and/or establish persistence.
  5. Extract mailbox contents and other sensitive files.
  6. Install a web shell for continued access, then exfiltrate the collected data, often by uploading it to common file-sharing websites.

The Microsoft team released PowerShell scripts to help you search for exploitation artifacts, such as unexpected .aspx files (web shells) and the SSRF pattern in the HttpProxy logs. Researcher Kevin Beaumont also released a quick-and-dirty nmap script to find potentially vulnerable servers in your environment.
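As an added example (this is not Varonis code and not Microsoft's own detection script), the PowerShell below hunts for the artifacts described above on a single Exchange 2013/2016/2019 server. The indicators follow Microsoft's published guidance for these four CVEs; the install root, the 30-day look-back window, and the web-shell drop directories checked are assumptions, and Exchange 2010 (which does not use the V15 paths) is not covered. Run it from an elevated PowerShell prompt on the Exchange server.

```powershell
# Added example: hunt for ProxyLogon artifacts on one Exchange 2013/2016/2019 server.
# Not Varonis code and not Microsoft's Test-ProxyLogon script; indicators follow
# Microsoft's published guidance. Install root and look-back window are assumptions.

$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'   # assumed default install path
$Since        = (Get-Date).AddDays(-30)                                        # assumed look-back window

# 1. CVE-2021-26855 (SSRF). The HttpProxy logs are CSV with leading '#' metadata
#    lines, which Import-Csv skips. A request with an empty AuthenticatedUser whose
#    AnchorMailbox looks like "ServerInfo~<host>/<path>" was proxied on behalf of an
#    unauthenticated client, which is the SSRF pattern.
function Find-SsrfRequests {
    Get-ChildItem -Path (Join-Path $ExchangeRoot 'Logging\HttpProxy') -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object { Import-Csv -Path $_.FullName -ErrorAction SilentlyContinue } |
        Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
        Select-Object DateTime, ClientIpAddress, AnchorMailbox, UrlStem
}

# 2. CVE-2021-26857 (Unified Messaging deserialization). Exploitation leaves Error
#    events from the UM provider in the Application log whose message mentions
#    System.InvalidCastException.
function Find-UmDeserializationEvents {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MSExchange Unified Messaging'
        Level        = 2            # 2 = Error
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*System.InvalidCastException*' } |
        Select-Object TimeCreated, Id, Message
}

# 3. CVE-2021-26858 / CVE-2021-27065 (arbitrary file write). Abusing the virtual
#    directory cmdlets to plant a file shows up as Set-*VirtualDirectory calls in the
#    ECP server logs; the OAB generator log records the failed download that goes
#    with a file written through the OAB path.
function Find-FileWriteTraces {
    Select-String -Path (Join-Path $ExchangeRoot 'Logging\ECP\Server\*.log') -Pattern 'Set-.+VirtualDirectory' -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber, Line
    Select-String -Path (Join-Path $ExchangeRoot 'Logging\OABGeneratorLog\*.log') -Pattern 'Download failed and temporary file' -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber, Line
}

# 4. Web shells. Look for .aspx files created or modified inside the window in the
#    directories where dropped shells were commonly found (assumed list; extend it).
function Find-NewAspxFiles {
    $dropDirs = @(
        (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client'),
        (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
        (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth')
    )
    Get-ChildItem -Path $dropDirs -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

# Collect everything and print a per-indicator summary followed by the hits.
$findings = [ordered]@{
    SsrfRequests            = @(Find-SsrfRequests)
    UmDeserializationEvents = @(Find-UmDeserializationEvents)
    FileWriteTraces         = @(Find-FileWriteTraces)
    NewAspxFiles            = @(Find-NewAspxFiles)
}
foreach ($name in $findings.Keys) {
    '{0}: {1} hit(s)' -f $name, $findings[$name].Count
    $findings[$name] | Format-Table -AutoSize
}
```

A hit in any category on an internet-facing server should be treated as a probable compromise and handed to incident response rather than just patched over; an empty result is not proof of a clean server, because attackers can clear logs and timestomp files. Legitimate .aspx files (for example the OWA logon pages) live in the checked directories too, so compare anything the time filter surfaces against a known-good server, ideally by hash, before deleting it.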

How to protect yourself

  • Ensure all your Exchange servers across all domains are fully patched. This means applying the latest Cumulative Update and the latest Security Update from Microsoft; the security update only installs on a supported CU. Patching closes the vulnerabilities but does not remove web shells or other persistence already on the server, so any server that was exposed before it was patched should also be checked for compromise.
  • Check your Varonis DatAlert dashboard for:
    • Abnormal activity by Exchange-related service accounts.
    • Malicious external connections via Web and DNS (requires proxy & DNS telemetry via Edge)
    • Atypical data access and device authentication activity originating from external-facing mail servers
    • Atypical external upload activities, especially sensitive data (requires classification)

Varonis threat models identify these and other hallmarks of sophisticated threat actors.

If you notice any suspicious activity in your environment, please reach out to us.

Stay safe, stay alert.

