Recently, Pondurance was notified of the zero-day exploits affecting numerous on-premises Microsoft Exchange servers. If you have on-premises Exchange servers, there is a very good chance exploits have been attempted against you. This is especially true if you have not patched recently. Below is what we know so far and recommendations to patch. If you think you’ve been breached, please reach out to us at 888-385-1720.
Microsoft shared that they have detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Servers. In these attacks, the threat actor exploited vulnerabilities in CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. They used these to access on-premises Exchange servers giving them access to email accounts and the ability to install additional malware to facilitate long-term access to the victim’s environment.
Microsoft updated their Safety Scanner with signatures to find malicious payloads associated with this incident. The scanner can be found here and would need to be run on publicly exposed on-premises Exchange Servers. For more information on how to use the scanner including screenshots, please view this article from Bleeping Computer.
Microsoft also addressed the vulnerabilities in their Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server stating that the following versions are affected:
“The versions affected are:
Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019
Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes.”
Microsoft revealed that they identified the threat actor as state-sponsored Hafnium. “Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.”
The Exchange Server team created a script to run a check for Hafnium IOCs available on GitHub. While it is relatively easy to detect IOCs, it is more difficult to confirm their success. The more monitoring that you have in place (i.e. EDR, logs, network, etc.), the easier the confirmation process will be.
We recommend reviewing your Exchange server patches and making sure that you’re patching against the vulnerabilities listed in the Microsoft article. It is important to be prepared to patch as soon as significant vulnerabilities are announced.
We also recommend putting a plan in place for the next zero-day exploit, as we believe this will not be the last. A managed detection and response service can help prepare you as well as actively protect your business and customers. Learn more about managed detection and response in our eBook: 5 Things to Consider When Choosing an MDR Provider