On March 2, 2021, Microsoft released emergency (out-of-band) patches for four zero-day vulnerabilities in on-premises Exchange Server that threat actors were actively exploiting to read e-mail data from compromised servers.

Microsoft Threat Intelligence Center (MSTIC) has attributed this campaign with high confidence to HAFNIUM, a state-sponsored threat actor assessed to operate out of China that runs its operations from leased virtual private servers in the United States. The attacker chained the four zero-days to gain access through the Exchange Server Outlook Web App (OWA) component and then installed additional malware to facilitate long-term access to victim environments. Together, these flaws exposed customers to remote code execution without any authentication.

The four vulnerabilities addressed by the Microsoft patches:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. On its own it requires administrator permission, so in practice it is chained with another vulnerability.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. Once HAFNIUM could authenticate to the Exchange server, either by exploiting the CVE-2021-26855 SSRF vulnerability or by using the compromised credentials of a legitimate admin, they could use this vulnerability to write a file to any path on the server.
  • CVE-2021-27065 is a second post-authentication arbitrary file write vulnerability in Exchange, exploitable under the same conditions as CVE-2021-26858: once authenticated, the attacker can write a file to any path on the server.

The following versions of Microsoft Exchange Server are affected:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

World Wide Technology is sharing this information with our customers by not only advising them on how to implement the patches, but also helping them understand their current patch levels to ensure all prerequisites have been met. We encourage all customers with on-premises Exchange servers to apply the recommended patches.

For further information please contact our team at:  MicrosoftCloudPracticeLeadership@wwt.com

Additional technical details:

The Exchange Server vulnerabilities that are being actively exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in the March 2, 2021 Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server. Microsoft is strongly urging customers to update on-premises systems immediately. Exchange Online is not affected.

HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security ( https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ )

Other security updates:

Security updates are available for the following specific versions of Exchange:

Note: These fixes can be installed only on servers running the specific versions listed previously, which are the versions Microsoft considers up to date. If your servers are running an older Exchange Server cumulative update (CU) or rollup update (RU), you will need to install a currently supported CU/RU before the security updates will install.

You can check the update level of your on-premises Exchange servers by running the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you whether you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).

How to detect indicators of compromise:

After all on-premises Exchange systems have been protected, you can scan Exchange log files for indicators of compromise (IOCs).

  • CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs. These logs are located in the following directory:  %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy. 

Exploitation can be identified by searching for log entries where the AuthenticatedUser field is empty and the AnchorMailbox field matches the pattern ServerInfo~*/*

The following PowerShell command can be used to find these log entries:

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object {  $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox

If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken.

These logs are located in the %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging directory.

  • CVE-2021-26858 exploitation can be detected via the Exchange log files: C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog

Legitimate OAB downloads write only to the %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory.

In case of exploitation, the log shows files being written to other directories (UNC or other local paths).

The following command can be used to search for potential exploitation:

findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

  • CVE-2021-26857 exploitation can be detected via the Windows Application event logs

Exploitation of this deserialization bug will create Application events with the following properties:

  • Source: MSExchange Unified Messaging
  • EntryType: Error
  • Event Message Contains: System.InvalidCastException

The following PowerShell command can be used to query the Application Event Log for these log entries:

Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }

  • CVE-2021-27065 exploitation can be detected via the following Exchange log files:

C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server

Properties set through the Set-<AppName>VirtualDirectory cmdlets should never contain script.

InternalUrl and ExternalUrl should only be valid Uris.

The following PowerShell command can be used to search for potential exploitation:

Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
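As an added example that is not part of this advisory or of Microsoft's tooling, the following Python script applies the four checks above to copies of the logs (for instance, logs collected from a server during triage) instead of running them live on the server as the PowerShell and findstr one-liners do. Every log line and event record embedded in it is a constructed sample shaped like the Exchange logs named above, not a real capture; the layout of the OABGeneratorLog and ECP lines beyond the quoted phrase and cmdlet names, and the shape of the event records as Get-EventLog-style dictionaries, are assumptions.

```python
# Added example (not from the advisory or Microsoft): the page's checks are
# PowerShell/findstr one-liners run on the server; this applies the same
# rules offline to copies of the logs. All samples below are CONSTRUCTED.
import csv
import fnmatch
import re
from urllib.parse import urlsplit

def parse_exchange_csv(text):
    # HttpProxy logs start with '#' lines (#Software ... #Fields) and then a
    # CSV header row; Import-Csv skips '#' lines, so this parser does too.
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(rows))

def ssrf_hits(httpproxy_log):
    # CVE-2021-26855: empty AuthenticatedUser and AnchorMailbox like
    # ServerInfo~*/* (PowerShell -like is case-insensitive, hence lower()).
    return [(r["DateTime"], r["AnchorMailbox"])
            for r in parse_exchange_csv(httpproxy_log)
            if r.get("AuthenticatedUser", "") == ""
            and fnmatch.fnmatchcase(r.get("AnchorMailbox", "").lower(),
                                    "serverinfo~*/*")]

OAB_TEMP = "\\clientaccess\\oab\\temp\\"  # the only legitimate download target

def oab_hits(oab_log):
    # CVE-2021-26858: each 'Download failed and temporary file' line, paired
    # with True when the path is outside ClientAccess\OAB\Temp (UNC or other
    # local path). Line layout beyond the quoted phrase is an assumption.
    return [(ln, OAB_TEMP not in ln.lower())
            for ln in oab_log.splitlines()
            if "Download failed and temporary file" in ln]

def um_deserialization_hits(events):
    # CVE-2021-26857: Application errors from MSExchange Unified Messaging
    # mentioning System.InvalidCastException. Events are dicts with the
    # Source/EntryType/Message fields Get-EventLog exposes (e.g. Export-Csv).
    return [e for e in events
            if e.get("Source") == "MSExchange Unified Messaging"
            and e.get("EntryType") == "Error"
            and "System.InvalidCastException" in e.get("Message", "")]

SET_VDIR = re.compile(r"Set-\w+VirtualDirectory", re.IGNORECASE)
URL_ARG = re.compile(r"-(InternalUrl|ExternalUrl)\s+'([^']*)'", re.IGNORECASE)

def bad_uri(value):
    # InternalUrl/ExternalUrl must be plain http(s) URIs; a script marker or
    # a value without scheme and host means the property carried a payload.
    if re.search(r"<script|<%|runat=", value, re.IGNORECASE):
        return True
    try:
        parts = urlsplit(value)
    except ValueError:
        return True
    return parts.scheme not in ("http", "https") or not parts.netloc

def ecp_hits(ecp_log):
    # CVE-2021-27065: each Set-*VirtualDirectory call, paired with True when
    # any URL argument fails bad_uri(); legitimate admin edits stay unflagged.
    return [(ln, any(bad_uri(v) for _, v in URL_ARG.findall(ln)))
            for ln in ecp_log.splitlines() if SET_VDIR.search(ln)]

# --- constructed samples in the shape of the logs named in the advisory ---
HTTPPROXY_SAMPLE = """\
#Software: Microsoft Exchange Server
#Fields: DateTime,RequestId,AuthenticatedUser,AnchorMailbox,UrlStem
DateTime,RequestId,AuthenticatedUser,AnchorMailbox,UrlStem
2021-03-03T01:02:03.111Z,1111-aaaa,CONTOSO\\jdoe,Sid~S-1-5-21-1-1001,/owa/
2021-03-03T01:02:04.222Z,2222-bbbb,,ServerInfo~exch01.contoso.test/autodiscover/autodiscover.xml,/ecp/y.js
2021-03-03T01:02:05.333Z,3333-cccc,,,/autodiscover/autodiscover.xml
"""
OAB_SAMPLE = """\
Download failed and temporary file C:\\Program Files\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\Temp\\oab.tmp
Download failed and temporary file \\\\10.0.0.5\\share\\oab.aspx
"""
EVENTS_SAMPLE = [
    {"Source": "MSExchange Unified Messaging", "EntryType": "Error",
     "Message": "Unhandled exception: System.InvalidCastException: ..."},
    {"Source": "MSExchange Unified Messaging", "EntryType": "Warning",
     "Message": "UM worker process restarted"},
]
ECP_SAMPLE = """\
Set-OwaVirtualDirectory -Identity 'exch01\\owa (Default Web Site)' -ExternalUrl 'https://mail.contoso.test/owa'
Set-OabVirtualDirectory -Identity 'exch01\\OAB (Default Web Site)' -ExternalUrl 'http://f/<script language="JScript" runat="server">'
"""

def triage():
    return {"ssrf": ssrf_hits(HTTPPROXY_SAMPLE),
            "oab": [ln for ln, outside in oab_hits(OAB_SAMPLE) if outside],
            "um": um_deserialization_hits(EVENTS_SAMPLE),
            "ecp": [ln for ln, bad in ecp_hits(ECP_SAMPLE) if bad]}

if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {len(hits)} hit(s)", *hits, sep="\n    ")
```

To use it on real evidence, read the collected HttpProxy, OABGeneratorLog and ECP\Server files into the corresponding strings and export the Application log with Get-EventLog piped to Export-Csv; the ECP check deliberately lists every Set-*VirtualDirectory call, flagged or not, because a legitimate admin change and an attacker's write look alike until the URL values are inspected.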

If you have questions about how to implement these patches or your current patch levels, contact us today. 
