Exchange Servers with 0-day exploitation

Blogs > MITS Advisory > Exchange Servers with 0-day exploitation

Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of the Microsoft Exchange Servers. According to Microsoft reports, observations of attacks leveraging critical vulnerabilities on the Exchange Servers are increasing very rapidly. Hackers are exploiting these vulnerabilities to steal critical data including users information and install ransomware. 

Microsoft has issued emergency out-of-band patches to address the security flaws. It is critical that organisations take appropriate action to quickly detect and effectively respond to these exploit attempts.

What’s the Impact?

Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. After successful exploitation activities, attackers can gain access to email accounts and install additional malware/ scanning tools to remain persistent on the network.

Who is doing this and how?

Advanced Persistent Threat (APT) group, HAFNIUM used four zero-day vulnerabilities that require the exposed Exchange server to be able to receive untrusted connections on port 443.

The vulnerability, CVE-2021-26855, named ProxyLogon, allowed the attackers to establish an authenticated connection with the Exchange server and steal the content of mailboxes stored on it. This specific vulnerability does not require any user interaction, prior privileges, or previously acquired credentials, but only an Exchange server that is willing to accept untrusted connections on port 443.

Since then, at least 10 other APTs have followed suit in targeting servers around the world. These vulnerabilities, also called Common Vulnerabilities and Exposures (CVE) are:

• CVE-2021-26855 - allows an unauthenticated attacker to send arbitrary HTTP requests.

• CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065  - allow for remote code execution.

What should you do?

1. Update impacted on-premises Exchange Servers immediately. This includes the installation of the latest Cumulative Update and the Security patch

2. Check whether any unknown tasks and services exist on the Exchange Server and disable them, then run a complete anti-malware scan with the updated signature.

3. Reset all Exchange Server accounts and ensure that a strong password policy is in place.

4. Validate and remove unknown .aspx, .bat, and unknown executable files from the following paths and restore the files from an uninfected backup file:

   • C:\Exchange\FrontEnd\HttpProxy\owa\auth\

   • C:\inetpub\wwwroot\aspnet_client\

   • C:\inetpub\wwwroot\aspnet_client\system_web\

5. Strongly consider using Multi-Factor Authentication (MFA) and enable it for Exchange account logins.

6. Remove unwanted applications from the Exchange server. 

7. Upgrade the operating systems to the latest version and patch all critical vulnerabilities.

In the long run, instil comprehensive 24/7 security monitoring, threat detection and response capabilities.

Below are some of the results after MITS ran the Security scripts on hacked Exchange Servers.