Over the last week, security vulnerabilities have been discovered in Microsoft Exchange. Initially, talk was of targeted attacks –Then the Microsoft Threat Intelligence Center (MSTIC) quickly discovered that the Chinese Advanced Persistent Threat Group, Hafnium, were behind them. However, it has since become clear that several threat actors were aware of the vulnerabilities before the security patch was released and so far, more than 10 Advanced Persistent Threat Groups have been identified, which have been able to compromise systems in a variety of ways.
Microsoft Exchange versions 2013, 2016 and 2019 with publicly accessible Outlook Web App (OWA) are affected. It’s important to note that the cloud version, Microsoft Exchange Online, which can be procured within the scope of Office 365 and Microsoft 365, is not affected.
According to Microsoft, attacks were first noted by the IT security firm Volexity on 28 February 2021—long before Microsoft released patches. From this point, the Cyber Response Centers at various security solution vendors detected large scale scans of Microsoft Exchange servers, using, among others, the online scanning providers Shodan and Cenys.
An attack can only be launched when the Exchange server allows an external connection through port 443. Once this has been established, attackers exploit CVE-2021-26855 and authenticate themselves on the Exchange server.
After authentication, a combination of CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 embeds malware into the system via remote access. As soon as remote access (aka reverse shell) has been established, in the majority of cases, a web shell is then installed to keep the door open for attackers, who can then install other tools and steal data.
This reverse shell can be used not only to steal internal corporate data, but tools such as Procdump can also be leveraged to read process runtime data and , therefore, login data among other things can be extracted. Internal data includes offline address books and, in some situations, even entire mailboxes We assume that successful Microsoft Exchange authentication means that the Microsoft Active Directory can also be accessed
It is recommended to immediately block all access to the Exchange server at the perimeter firewall in order to analyse the system and to prevent the loss of anymore data.
We are now aware of a range of the Advanced Persistent Threat Group’s attack scenarios that can be checked for in just a few steps.
Use the Exchange Server Health Checker script available on the GitHub developer platform to analyse your Exchange server. If anything suspicious is detected, more in-depth forensic analyses may be necessary, which is why we recommend backing up the Exchange server before starting the search. Additionally, the domain controller event and firewall logs should be backed up in case subsequent forensic analysis is required. Please note: if anything is detected that suggests the server has been compromised, reporting obligations may apply as the attackers theoretically had access to mailboxes. It should be possible to see more detailed information about the data leak in correlation with the firewall log.
If an attack is detected, there are three ways to purge the system. The most secure way for customers, who would like to continue using their local environments, is the reinstall the Microsoft Exchange server and attack the existing mailboxes and address books to the new system. The second possibility is to recover the Microsoft Exchange server from a backup and to attach the mailboxes to the recovered system. The third method is to install the security updates on the affected Microsoft Exchange server and then check the system for indicators of compromise (IOCs). In this scenario, the use of modern endpoint security products or next generation firewall systems is recommended. A list of up-to-date IOCs can be found in the following Microsoft blog:
However, according to what we know right now, we can not be completely certain that only the named malware hashes, command and control servers or MITRE ATT&CK techniques are a threat. This means that the third method mentioned above cannot guarantee the secure operation of the Microsoft Exchange server in the future. Since the 11/03/2021, Microsoft has confirmed reports of encryption attacks using DearCry Ransomware, which is based on the ProxyLogon vulnerability (CVE-2021-26855) discussed here.
This incident should serve as an opportunity to closely review your IT architecture. Even hosted applications should not be directly connected to the internet, but always protected with an appropriate security gateway with SSL decryption switched on. The use of Software as a Service such as Exchange Online provides a much higher level of protection as these systems are centrally monitored and protected by the vendor—in this case, Microsoft.
Our Bechtle Microsoft and Security Competence Centres are available to offer support in everything from the installation of a new Exchange server, the installation of urgently recommended patches, forensics and IT security consultation to planning and configuring a highly-modern, secure and cloud-based working environment. Get in touch with your Bechtle account manager or email@example.com. We are by your side as your reliable partner even in this turbulent times.
The Federal Office for Information Security (BSI) has declared a red threat level and assumes that tens of thousands of systems in Germany have already been infected. Current BSI guidelines can be at its website here (German).