Four (4) zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by Hafnium, a group that Microsoft assesses with high confidence to be state-sponsored and operating out of China, and that has historically targeted US entities with the goal of exfiltrating data. The four Exchange vulnerabilities, as described by Microsoft, are:
- CVE-2021-26855 – A server-side request forgery (SSRF) vulnerability that lets an unauthenticated attacker send arbitrary HTTP requests to the Exchange server over port 443 and authenticate as the Exchange server itself. This is the entry point of the attack chain.
- CVE-2021-26857 – An insecure deserialization vulnerability in the Exchange Unified Messaging service that allows an attacker to run code as SYSTEM on the Exchange server. Exploiting it requires administrator permission or another vulnerability.
- CVE-2021-26858 – A post-authentication arbitrary file write. An attacker who can authenticate to the server, whether by exploiting CVE-2021-26855 or with compromised administrator credentials, can write a file to any path on the server.
- CVE-2021-27065 – A second post-authentication arbitrary file write with the same preconditions and impact as CVE-2021-26858.
If left unpatched, these vulnerabilities can be chained: the SSRF gives the attacker an authenticated session, and the file-write bugs then drop a web shell into an Exchange web directory, yielding remote code execution (RCE). From there the server can be hijacked, mailbox data stolen through the back door, and additional malware deployed later. Published estimates at the time ranged from 30,000 to 60,000 compromised organizations, with one count putting the number of affected servers at roughly 18,000 worldwide. Microsoft Security Intelligence has also identified a ransomware family called DearCry being deployed on Exchange servers that had already been compromised through these vulnerabilities.
Six (6) Steps to address the Zero-Day Exploits on Exchange Servers: Any organization running on-premises Exchange server(s) should address this serious security issue using the following steps:
- Bring Exchange to a Supported CU – The March 2021 Security Updates install only on a currently supported Cumulative Update (CU) or, for Exchange 2010, Rollup Update (RU), so Microsoft recommends getting to a supported CU/RU first. Which update you need depends on whether you run Exchange Server 2010, 2013, 2016, or 2019; note that Exchange 2010 is not affected by the full chain and receives only a defense-in-depth update for CVE-2021-26857. For details, see the Microsoft Tech Community announcement and the article "Exchange Security Update for Older Cumulative Updates of Exchange Server" (Microsoft later published updates for some older CUs to make patching possible without a full CU upgrade).
- Scan your Servers for Signs of Compromise – Microsoft's Test-ProxyLogon.ps1 script (published in the CSS-Exchange GitHub repository) reads the Exchange HttpProxy, OABGenerator and ECP logs and the Application event log for the indicators of exploitation Microsoft has published for each CVE. Run it on every Exchange server, not just Internet-facing ones. If it reports hits, notify all stakeholders immediately, preserve the logs and any files it flags before cleaning up, and treat the server as an incident rather than a maintenance task.
- Apply the Security Update, and Mitigate Until You Can – Installing the Security Update is the only way to close these vulnerabilities. If you cannot patch immediately, run Microsoft's Exchange On-premises Mitigation Tool (EOMT.ps1) as an interim measure: it adds an IIS URL Rewrite rule that blocks the CVE-2021-26855 SSRF entry point, then downloads and runs the Microsoft Safety Scanner to find and remove known web shells. EOMT does not patch anything, and it does not replace step 2: the Safety Scanner looks for known malicious files, while Test-ProxyLogon.ps1 looks for evidence of exploitation in the logs, so a clean EOMT run does not mean the server was never compromised. Do not use the earlier ExchangeMitigations.ps1 script; Microsoft recommends EOMT in its place.
- Reset Credentials – Reset all Exchange and Active Directory administrator and service account passwords. If step 2 found evidence of compromise, assume that any credential the server or its administrators used may have been captured: Exchange runs as SYSTEM and holds extensive permissions in Active Directory, so a confirmed compromise should be handled as a potential domain compromise under your AD incident response playbook, not just a server rebuild.
- Scan the Exchange Server – Run the Microsoft Safety Scanner (MSERT). EOMT downloads and runs it automatically in step 3, but it is an on-demand scanner whose signatures expire ten days after download, so re-download it for every run and run it again after patching. It is not a substitute for antivirus software on the server.
- Deploy and Update an EDR Tool – The first five steps close the known vulnerabilities, but they do not guarantee that an attacker who was already inside has been evicted: web shells, scheduled tasks or new accounts created before patching will survive the update. An EDR (endpoint detection and response) tool such as Barracuda or Avast, deployed on the Exchange servers themselves as well as on user workstations, acts as an insurance policy of sorts by detecting that persistence and follow-on activity.
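The log review in step 2 is the part of this procedure that can be shown offline. The script below is an added example written for this article; it is not the article's own code and it is not Microsoft's Test-ProxyLogon.ps1, which is more thorough and should be used on real servers. It re-implements the four log indicators Microsoft published for these CVEs as functions that return objects rather than printed text, so the results can be piped to Export-Csv or a ticketing system. It assumes the default Exchange install location under %ProgramFiles%\Microsoft\Exchange Server\V15 (override with -LogPath otherwise). The HttpProxy sample at the end is constructed, not a real capture, and contains only the columns the check reads; real HttpProxy logs have many more columns but are still read with Import-Csv.

```powershell
# Added example: re-implementation of Microsoft's published ProxyLogon log indicators.
# Not part of the original article and not Test-ProxyLogon.ps1. Paths assume a default install.
$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'

function Find-Cve202126855 {
    # CVE-2021-26855 (SSRF): HttpProxy rows with no authenticated user whose AnchorMailbox
    # matches ServerInfo~*/*, i.e. a request that was routed on behalf of a server, not a user.
    param([string]$LogPath = (Join-Path $ExchangeRoot 'Logging\HttpProxy'))
    Get-ChildItem -Path $LogPath -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        ForEach-Object { Import-Csv -Path $_.FullName -ErrorAction SilentlyContinue } |
        Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
        Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

function Find-Cve202126857 {
    # CVE-2021-26857 (UM deserialization): Application log errors from the Unified Messaging
    # service whose message contains System.InvalidCastException.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange Unified Messaging'; Level = 2 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*System.InvalidCastException*' } |
        Select-Object TimeCreated, Id, Message
}

function Find-Cve202126858 {
    # CVE-2021-26858 (arbitrary file write): OABGenerator "Download failed and temporary file"
    # entries that point anywhere other than the legitimate ClientAccess\OAB\Temp directory.
    param([string]$LogPath = (Join-Path $ExchangeRoot 'Logging\OABGeneratorLog'))
    $legit = Join-Path $ExchangeRoot 'ClientAccess\OAB\Temp'
    Select-String -Path (Join-Path $LogPath '*.log') -Pattern 'Download failed and temporary file' -ErrorAction SilentlyContinue |
        Where-Object { $_.Line -notlike "*$legit*" } |
        Select-Object Path, LineNumber, Line
}

function Find-Cve202127065 {
    # CVE-2021-27065 (arbitrary file write via ECP): Set-*VirtualDirectory calls in the ECP
    # server logs. Legitimate administration also lands here, so every hit needs a human look.
    param([string]$LogPath = (Join-Path $ExchangeRoot 'Logging\ECP\Server'))
    Select-String -Path (Join-Path $LogPath '*.log') -Pattern 'Set-.+VirtualDirectory' -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber, Line
}

# Offline demonstration against a constructed (not real) HttpProxy log with only the columns
# the 26855 check reads. Row 1 is a normal authenticated OWA request, row 2 is an
# unauthenticated ServerInfo~ anchor of the shape the indicator targets, row 3 is a benign
# unauthenticated health probe. Only row 2 should be reported.
$sample = New-Item -ItemType Directory -Path (Join-Path $env:TEMP 'httpproxy-sample') -Force
@'
DateTime,AuthenticatedUser,AnchorMailbox,ClientIpAddress,UrlStem
2021-03-03T10:15:02.123Z,CONTOSO\alice,Smtp~alice@contoso.example,10.0.0.5,/owa/
2021-03-03T10:15:09.456Z,,ServerInfo~a]@mail.contoso.example:444/ecp/,198.51.100.23,/ecp/y.js
2021-03-03T10:15:11.789Z,,,10.0.0.9,/owa/healthcheck.htm
'@ | Set-Content -Path (Join-Path $sample 'HttpProxy_2021030310-1.LOG') -Encoding ASCII

$hits = Find-Cve202126855 -LogPath $sample.FullName
"$(@($hits).Count) suspicious HttpProxy row(s) in sample (expected 1)"
$hits | Format-Table -AutoSize

# On a real server, call the four functions without -LogPath and export everything for the IR team:
# Find-Cve202126855, Find-Cve202126857, Find-Cve202126858, Find-Cve202127065 | Export-Csv proxylogon-triage.csv -NoTypeInformation
```

Run it in an elevated Exchange Management Shell on each server; the event-log check needs local administrator rights. Treat the 26855 check as the highest-signal one, because the SSRF is the unauthenticated entry point that the rest of the chain depends on, and a hit there dates the intrusion to the timestamp of the first matching row, which is the anchor point for the rest of the investigation.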