External Threat Management Analyst

Microsoft Exchange Server Remote Code Execution Vulnerability: RiskIQ’s Response

Key Analytical Findings

  • On March 2, 2021, Microsoft alerted users of their on-premise Exchange Server 2010, 2013, 2016, and 2019 of four previously unknown Zero-Day vulnerabilities.
  • On March 3, 2021, CISA issued Emergency Directive 21-02 in response to the disclosed Zero-Day vulnerabilities. 
  • Microsoft has attributed recent attacks utilizing these Zero-Day attacks to HAFNIUM, a Chinese Advanced Persistent Threat (APT) Team.
  • Microsoft has released patches to remediate these vulnerabilities. 

Detailed Threat Analysis

On March 2, 2021, Microsoft announced that four previously unknown zero-day vulnerabilities were exploited to attack on-premises versions of the Microsoft Exchange Servers. Microsoft has reported that attackers exploited these vulnerabilities to gain access to Exchange servers, gain access to email accounts, and deploy malware (typically web shells) for long-term persistent access to victim organizations. Microsoft credited a security company called Volexity for first observing these exploits on January 6, 2021. These vulnerabilities do not affect Microsoft Office 365 or Azure Cloud deployments of Exchange email servers.

Microsoft has reported they have attributed these attacks to a threat actor group it calls HAFNIUM and assessed it is a People’s Republic of China sponsored campaign. Additional details of HAFNIUM targeting and attack techniques are included in Microsoft’s security blog. Meanwhile, FireEye’s analysis indicates this attack has ties activity it tracks across three unknown attack clusters and provides additional analysis and indicators in their blog.

The four exchange vulnerabilities include:

CVE-2021-26855:  This is the vulnerability attackers utilize during their initial attack, which requires making an untrusted connection to the Exchange Server over TLS/SSL (Port 443). This allows the attacker to exploit a server-side request forgery (SSRF) vulnerability in exchange, allowing the attacker to send arbitrary web requests and authenticate as the Exchange server.

CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065: These are post-authentication arbitrary file write vulnerabilities in Exchange. If an attacker could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on that server. The attacker would first have to exploit the CVE-2021-26855 SSRF vulnerability, or they could compromise a legitimate admin’s credentials through Phishing or other means.

On March 3, 2021, The Department of Homeland Security CISA released Emergency Directive 21-02 concerning these vulnerabilities with specific instructions for government agencies. 

Mitigation Strategies

The exploit has quickly grown from attempts on a few targets to a fully automated, massively orchestrated attack. Upwards of 30,000 organizations may have already been affected. It is imperative that organizations first protect themselves, then assess whether compromise has occurred. The following measures help inform that strategy:

1. Immediately patch Exchange Servers - Those recommended patches are contained within Microsoft KB5000871. The patch is the most immediate and complete control to prevent compromise if it already hasn’t occurred. Information on the Microsoft patches can be found on the following Microsoft Exchange Team Article: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

2. Restrict Access -  The initial attack vector targets client access services provided by the Outlook Web Access webpage (the OWA virtual directory) as part of Exchange’s IIS implementation. Exchange handles access to the webpage by two connection classifications - trusted (internal) and untrusted (external). Internet traffic to the OWA page can be configured for trusted only, or the OWA external URL can be unpublished; both configurations remove all internet-based access to OWA. Either approach forces users to access OWA from an internal network or a VPN service. Removing OWA would not affect other mailbox access methodologies such as the Outlook client or Activesync.

3. Analyze Compromise - Microsoft’s patches will not identify or mitigate any existing compromise of an Exchange Server. Customers need to conduct forensic analysis against their systems to understand the impact on the server and their organization. Critical to that analysis is understanding whether any web shells have been installed as backdoors into the system. There are three resources published by Microsoft that will help accomplish this:

    1. The Microsoft Safety Scanner - Recently updated to look specifically for noted IOCs related to the Exchange compromise: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
    2. Defending Exchange Servers Under Attack - Logging techniques and files to analyze for compromise: https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/
    3. Scan Exchange log files for indicators of compromise - Specific files and logging techniques to detect compromise in Exchange servers. https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log

Exchange Server Security Patches

Microsoft has made the below patches available to protect Exchange servers against the zero-day attacks (but not existing compromise). Install the patches immediately to all on-prem Exchange servers.

Digital Footprint Customer Response

RiskIQ has provided a few methodologies to understand how customers are affected by the Exchange exploits. A customer can either find the data via a dashboard, query against it via asset filtering, or download the data as JSON via the API. All three options are provided herein.

Workspace Query

Obtain a list of all Exchange Servers that are not on the proper cumulative update or roll-up version:

Web Component Name & Version !in ("Outlook Web App 14.3.513", "Outlook Web App 15.1.2106", "Outlook Web App 15.1.2176", "Outlook Web App 15.2.721", "Outlook Web App 15.2.792", "Outlook Web App 15.0.1497", "Microsoft Exchange 14.3.513", "Microsoft Exchange 15.1.2106", "Microsoft Exchange 15.1.2176", "Microsoft Exchange 15.2.721", "Microsoft Exchange 15.2.792", "Microsoft Exchange 15.0.1497") | Web Component Name & Version ^= "Microsoft Exchange" or Web Component Name & Version ^= "Outlook Web App" | Status in ("Approved Inventory")

List all Exchange Servers that are on the proper cumulative update or roll-up version, and require the security hotfix is installed:

Web Component Name & Version in ("Outlook Web App 14.3.513", "Outlook Web App 15.1.2106", "Outlook Web App 15.1.2176", "Outlook Web App 15.2.721", "Outlook Web App 15.2.792", "Outlook Web App 15.0.1497", "Microsoft Exchange 14.3.513", "Microsoft Exchange 15.1.2106", "Microsoft Exchange 15.1.2176", "Microsoft Exchange 15.2.721", "Microsoft Exchange 15.2.792", "Microsoft Exchange 15.0.1497") | Status in ("Approved Inventory", "Candidate")

A PowerShell command can then be used to validate the specific patch version:

Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion

The AdminDisplayVersion should return versions equal to that of the following, or the server is unpatched:

Exchange 2013 Versions 15.00.1497.012 

Exchange 2016 CU18 15.01.2106.013 

Exchange 2016 CU19 15.01.2176.009 

Exchange 2019 CU7  15.02.0721.013 

Exchange 2019 CU8  15.02.0792.010

Threat Intelligence Dashboard

Each customer workspace is provided with a threat intelligence dashboard that includes a listing of all Exchange Servers detected in an attack surface. That dashboard can be viewed here:

https://app.riskiq.net/a/main/index#/dashboards/379/RiskIQ%20Attack%20Intelligence%20Dashboard

API Download

RiskIQ’s customer success team provides a Postman Collection, that provides an easy way to quickly pull the matching Exchange systems in a JSON payload. The collection also allows sample script generation to better facilitate the ingestion of information in existing systems and workflows.

Analyst Assessment

Following on the heels of significant state-sponsored cyber espionage leveraging vulnerabilities with SolarWinds, this latest attack focuses on vulnerabilities associated with common web-facing servers and applications still found in a large number of private and public sector entities. Both attacks continue to highlight the importance of maintaining visibility into an organization’s full attack surface and reducing that footprint to minimize overall exposure and associated risk.

Complete reduction of risk of compromise of external digital assets is not realistic. Still, the continuous discovery and monitoring of that attack surface will accelerate triage and response when quick reaction times matter, as seen here with Chinese exploitation of MS Exchange servers as well as the Russian-sponsored SolarWinds attacks. 

Reference URLs

  1. https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b
  2. https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers
  3. https://cyber.dhs.gov/ed/21-02/
  4. https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
  5. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor