March 10, 2021

March 2021 Microsoft Exchange Server Hack - How to Remediate & Get Help

For those still running a Microsoft Exchange environment, the server hack incident that occurred late last week means you may have immediate steps to take to protect your data.

Below is a quick synopsis from our partners at Quest Technology Management that should help you uncover whether these zero-day attacks are affecting your company.

If you want to discuss the below mitigation suggestions or need help implementing them, please contact Opkalla and we can set up a call to discuss (at no cost).

How the Microsoft Exchange Server Attack Works:

  • Threat actors gain access to a Microsoft Hosted Exchange server either with stolen passwords or by using the zero-days to impersonate personnel who should have access.
  • Hackers create a web shell to control the compromised server remotely.
  • They then use that remote access to steal data from a target’s network (actively or at a later date).
  • The zero-days are present in Microsoft Exchange Server 2013, 2016, and 2019.

The Four Vulnerabilities Are:

  • CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed the attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is when untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, it could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Immediate Steps You Can Take (Prior to Patch):

  • Run a vulnerability scan for the known attack vector.
  • Block, log and alert on the publicly known indicator IP addresses: 165.232.154[.]116, 157.230.221[.]198, 161.35.45[.]41, 45.77.252[.]175.
  • Confirm that your network IDS has been updated with the latest signatures.
  • Enable geo-blocking; although some data exfiltration has been traced to US domestic IPs, most of it still goes to foreign addresses.
  • Explicitly block or filter outbound internet communication from your Exchange server, permitting only the ports you have approved.
  • Deploy next-generation AV to all Exchange servers, web servers and domain controllers, and most importantly enable blocking mode / script control.
  • Save off your firewall logs and ensure they are being sent to a SIEM or syslog server, with logging configured to record allowed connections, not only denied ones.
  • Change the Exchange server's local OS password and the passwords of domain admin and any other privileged domain accounts.
  • Issue a company-wide password change and enforce complex passwords.
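The two log-related steps above (alert on the published indicator IPs, and make sure the firewall logs allowed connections, not just denies) can be checked quickly against an exported firewall log. The script below is an added example, not tooling from Quest or Opkalla: it parses constructed sample log lines in an assumed one-line-per-connection format, flags any line whose source or destination is one of the four indicator IPs from this advisory, and separates allowed outbound hits (an internal host actually reached an indicator) from blocked inbound ones. The log format, field names and internal addresses are assumptions; adapt the regular expression to your firewall's export format.

```python
"""Flag firewall log lines that involve the indicator IPs from the advisory.

Added illustration, not vendor tooling. Log line format is an assumption:
<timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port> proto=<proto>
"""
import ipaddress
import re
from collections import Counter

# Indicator IPs from the advisory, with the defanging brackets removed.
INDICATOR_IPS = frozenset({
    "165.232.154.116",
    "157.230.221.198",
    "161.35.45.41",
    "45.77.252.175",
})

# Constructed sample log lines; 10.20.0.15 is an assumed internal Exchange host.
SAMPLE_LOG = """\
2021-03-08T02:14:07Z ALLOW src=10.20.0.15 dst=165.232.154.116 dport=443 proto=tcp
2021-03-08T02:14:09Z ALLOW src=10.20.0.15 dst=52.96.0.10 dport=443 proto=tcp
2021-03-08T02:15:31Z DENY src=157.230.221.198 dst=10.20.0.15 dport=443 proto=tcp
2021-03-08T02:16:02Z ALLOW src=10.20.0.15 dst=45.77.252.175 dport=80 proto=tcp
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        # Reject records whose address fields are not valid IPs.
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def find_indicator_hits(log_text, indicators=INDICATOR_IPS):
    """Return parsed records whose src or dst is an indicator IP.

    Each hit is tagged 'outbound' (internal host -> indicator) or
    'inbound' (indicator -> internal host).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] in indicators:
            rec["direction"] = "outbound"
            hits.append(rec)
        elif rec["src"] in indicators:
            rec["direction"] = "inbound"
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits by (action, direction) so allowed outbound traffic stands out."""
    return Counter((h["action"], h["direction"]) for h in hits)


def hosts_that_reached_indicators(hits):
    """Internal hosts with an ALLOWED outbound connection to an indicator IP.

    These are the hosts to isolate and investigate first.
    """
    return sorted({h["src"] for h in hits
                   if h["action"] == "ALLOW" and h["direction"] == "outbound"})


if __name__ == "__main__":
    found = find_indicator_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['action']:5} {h['direction']:8} {h['src']} -> {h['dst']}:{h['dport']}")
    print("summary:", dict(summarize(found)))
    print("hosts to investigate:", hosts_that_reached_indicators(found))
```

An allowed outbound connection from an Exchange server to one of these addresses is the result that matters; a denied inbound probe only shows that the block is working. If the log contains no ALLOW lines at all, check the firewall's logging policy before concluding there were no hits, since many devices log denies by default and allows only when configured to.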

Patch

Implement or schedule an emergency CCB/change-control action to patch the zero-day vulnerabilities.

We’re here to help. If you want to discuss these mitigation suggestions or need help implementing them, please contact Opkalla and we can set up a call to discuss (at no cost).
