If you are still running an on-premises Microsoft Exchange environment, the server attacks disclosed late last week mean you may have immediate steps to take to protect your data.
Below is a quick synopsis from our partners at Quest Technology Management that should help you uncover whether these zero-day attacks are affecting your company.
If you want to discuss the below mitigation suggestions or need help implementing them, please contact Opkalla and we can set up a call to discuss (at no cost).
How the Microsoft Exchange Server Attack Works:
- Threat actors gain access to an on-premises Microsoft Exchange server, either with stolen passwords or by using the zero-days to make their requests look like they come from the Exchange server itself or from a user who should have access. (Exchange Online is not affected by these vulnerabilities; on-premises servers, including hybrid deployments, are.)
- The hackers then drop a web shell so they can control the compromised server remotely.
- They use that remote access to steal data from the target's network, either immediately or at a later date.
- The zero-days are present in Microsoft Exchange Server 2013, 2016, and 2019.
The Four Vulnerabilities Are:
- CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed the attackers to send arbitrary HTTP requests and authenticate as the Exchange server. No credentials are needed to exploit it, which is why it is the entry point for the chain.
- CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is when untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. It requires administrator permission, or another vulnerability, to exploit.
- CVE-2021-26858, a post-authentication arbitrary file write vulnerability. Once Hafnium could authenticate with the Exchange server, it could use this vulnerability to write a file to any path on the server, which is how the web shells were planted. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.
- CVE-2021-27065, a second post-authentication arbitrary file write vulnerability with the same effect: once authenticated, Hafnium could write a file to any path on the server. Again, authentication could come from exploiting the CVE-2021-26855 SSRF vulnerability or from compromising a legitimate admin's credentials.
Immediate Steps You Can Take (Prior to Patch):
- Run a vulnerability scan for the known attack vector (the four CVEs above) against every Exchange server.
- Block, log, and alert on the publicly known attacker infrastructure (IP addresses: 165.232.154[.]116, 157.230.221[.]198, 161.35.45[.]41, 45.77.252[.]175).
- Update your network IDS and confirm it is running the latest signature set.
- Enable geo-blocking. Some data exfiltration has been traced to US domestic IPs, but most of the attacker infrastructure is still foreign.
- Explicitly block or filter outbound internet communication from your Exchange server, allowing only the ports it genuinely requires; a web shell is far less useful if it cannot reach back out.
- Deploy next-generation AV to all Exchange servers, web servers, and domain controllers and, most importantly, enable blocking mode and script control.
- Save off your firewall logs; ensure they are being sent to a SIEM or syslog server, and that allowed connections are logged, not only denies, so that exfiltration can be traced.
- Change the Exchange server's local OS passwords and the passwords of every domain admin or other privileged domain account.
- Issue a company-wide password change and enforce complex passwords.
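The block/log/alert, egress-filtering, and log-retention steps above all come down to checking your logs for the same few indicators. Below is an added example, not code from the advisory or from Quest/Opkalla, of that triage run over constructed firewall and IIS log lines: it refangs the four published IP addresses, flags any traffic to or from them, flags allowed connections from the Exchange server out to the internet (which the list says should be blocked), and collects the .aspx paths the indicator addresses posted to as candidate web shell locations. The Exchange server address 10.0.5.20, the firewall log format, and every log line are assumptions made for the example.

```python
"""Hunt for the Exchange-attack indicators listed above in firewall and IIS logs.

Added example, not code from the advisory or from Quest/Opkalla. The four IP
addresses are the ones quoted above; the log lines, the Exchange server address
10.0.5.20 and the firewall log format are constructed assumptions.
"""
import ipaddress
import re

# Indicator IPs exactly as published above (defanged with "[.]"); refang before matching.
IOC_IPS_DEFANGED = ["165.232.154[.]116", "157.230.221[.]198",
                    "161.35.45[.]41", "45.77.252[.]175"]

EXCHANGE_SERVER_IP = "10.0.5.20"  # assumption: internal address of the Exchange server

# Treat RFC 1918 and loopback as internal; anything else is "the internet" for the egress check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(ip):
    """'165.232.154[.]116' -> '165.232.154.116' so the IOC can be compared with log data."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def scan_firewall(lines):
    """Firewall/syslog lines of the (assumed) form '... src=IP dst=IP dport=N action=ALLOW|DENY'.

    Returns (tag, line) pairs: 'ioc_ip' for traffic to or from a published IOC address,
    'exchange_egress' for an ALLOWED connection from the Exchange server to an external
    address, which the step list above says should be blocked.
    """
    findings = []
    for line in lines:
        f = dict(KV_RE.findall(line))
        if not all(k in f for k in ("src", "dst", "action")):
            continue  # not a connection record
        if f["src"] in IOC_IPS or f["dst"] in IOC_IPS:
            findings.append(("ioc_ip", line))
        elif (f["src"] == EXCHANGE_SERVER_IP and f["action"].upper() == "ALLOW"
              and is_external(f["dst"])):
            findings.append(("exchange_egress", line))
    return findings


def parse_iis(lines):
    """Yield IIS W3C extended-log records as dicts, using the #Fields directive for column names."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))


def scan_iis(lines):
    """Return (tag, record) pairs for IIS requests whose client IP is a published IOC."""
    return [("ioc_ip", rec) for rec in parse_iis(lines) if rec.get("c-ip") in IOC_IPS]


def suspected_webshells(lines):
    """Distinct .aspx paths the IOC addresses POSTed to: candidate web shell files to inspect."""
    return {rec["cs-uri-stem"] for _, rec in scan_iis(lines)
            if rec.get("cs-method") == "POST"
            and rec.get("cs-uri-stem", "").lower().endswith(".aspx")}


# Constructed sample data (not real logs). 203.0.113.10 stands in for the Exchange server's
# public address; /example/shell.aspx is a hypothetical path, not a known web shell name.
FIREWALL_LOG = [
    "Mar 05 02:14:07 fw1 kernel: src=165.232.154.116 dst=203.0.113.10 dport=443 action=ALLOW",
    "Mar 05 02:14:09 fw1 kernel: src=198.51.100.7 dst=203.0.113.10 dport=443 action=ALLOW",
    "Mar 05 02:16:30 fw1 kernel: src=10.0.5.20 dst=45.77.252.175 dport=443 action=ALLOW",
    "Mar 05 02:17:01 fw1 kernel: src=10.0.5.20 dst=10.0.1.5 dport=389 action=ALLOW",
    "Mar 05 02:18:44 fw1 kernel: src=10.0.5.20 dst=192.0.2.55 dport=8080 action=ALLOW",
    "Mar 05 02:19:00 fw1 kernel: src=10.0.5.20 dst=192.0.2.55 dport=8080 action=DENY",
]
IIS_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status",
    "2021-03-05 02:14:07 10.0.5.20 POST /owa/auth/logon.aspx - 443 198.51.100.7 Mozilla/5.0 200",
    "2021-03-05 02:15:12 10.0.5.20 POST /example/shell.aspx - 443 165.232.154.116 python-requests/2.25 200",
    "2021-03-05 02:15:40 10.0.5.20 GET /owa/ - 443 157.230.221.198 Mozilla/5.0 200",
]

if __name__ == "__main__":
    for tag, line in scan_firewall(FIREWALL_LOG):
        print(f"[{tag}] {line}")
    for tag, rec in scan_iis(IIS_LOG):
        print(f"[{tag}] {rec['c-ip']} {rec['cs-method']} {rec['cs-uri-stem']}")
    print("inspect:", sorted(suspected_webshells(IIS_LOG)))
```

On the sample data this reports the two IOC hits in the firewall log, one allowed outbound connection from the Exchange server to an external address, two IIS requests from IOC addresses, and a single .aspx path to pull off the server for inspection. Point it at real exports by replacing the two lists; the IIS parser keys off the `#Fields:` header, so column order does not matter, and the egress check only fires on ALLOW records, which is why logging allows as well as denies matters.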
Patch
Implement or schedule an emergency CCB/change control to apply the patches for these zero-day vulnerabilities; the steps above reduce exposure, but only the patch closes the holes.
We’re here to help. If you want to discuss these mitigation suggestions or need help implementing them, please contact Opkalla and we can set up a call to discuss (at no cost).