UPDATED: On 2 March, Microsoft announced that ProxyLogon — a series of zero-day vulnerabilities — had been identified in the Exchange Server application.
Microsoft was reportedly made aware of the vulnerabilities in early January, while attacks exploiting them appear to have begun by 6 January. However, patches were only released by Microsoft on 2 March. Microsoft Exchange Online is unaffected.
What is behind the global wave of Microsoft Exchange attacks?
Initially, the vulnerabilities were being exploited in limited, targeted attacks towards entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs. The original attacks were associated with a sophisticated nation state threat group known as Hafnium.
However, since Microsoft’s announcement, numerous other less sophisticated threat actors have tried to capitalise on this flaw within Exchange environments by automatically scanning the internet for vulnerable Exchange servers and running the exploit, resulting in a global influx of cyber-attacks of various types. The exploit is primarily designed to install a backdoor in vulnerable Exchange servers which can be used later by threat actors.
The associated CVEs documented for these vulnerabilities are:
- CVE-2021-26855
- CVE-2021-26857
- CVE-2021-26858
- CVE-2021-27065
The vulnerabilities impact:
- On-premise Exchange Server 2013
- On-premise Exchange Server 2016
- On-premise Exchange Server 2019
If exploited together, these vulnerabilities allow a threat actor to remotely compromise an Exchange server, which can lead to various consequences, including the theft of mailboxes and credentials, the installation of backdoors, and potentially the deployment of malware.
Since these exploits are typically automated, the threat actors would need to manually investigate each exploited target and determine whether progressing with the attack was worthwhile.
It is unclear how many organisations have been compromised so far, although current estimates place this figure at 200,000. In this systemic wave of attacks, organisations from all sectors have faced exploitation, including banks, credit unions, telecommunication providers, public utilities, and police, fire, and rescue units.
Who are the Hafnium group?
Hafnium, a Chinese state-sponsored threat group, is understood to be behind the initial attacks. Their main focus has been cyber espionage, primarily targeting entities in the United States in the following sectors: infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs.
While Hafnium is based in China, the group attempts to disguise its activities by connecting to organisations from leased servers in countries such as the United States.
Are organisations being targeted by Hafnium, or another group?
While the Microsoft vulnerability is thought to have originally been exploited by the Hafnium Group, many of the organisations affected by the Exchange exploits do not fit Hafnium’s target profile.
As such, it is more likely that the activity affecting the majority of organisations’ Exchange servers is the result of less sophisticated, opportunistic threat actors, most likely cybercriminal groups who have managed to get their hands on the zero day exploit.
What can affected organisations expect?
Because of the widespread knowledge of this vulnerability across users of on-premise Microsoft Exchange servers, multiple criminal groups have been trying to develop tools and attacks to exploit this flaw. Typically, attacks around this vulnerability are carried out in three stages:
- First, the threat actors gain access to an Exchange server either with stolen credentials or by using the previously undiscovered vulnerabilities to disguise themselves as someone who should have access.
- Second, they create a web shell (basically, a backdoor) to control the compromised server remotely.
- Third, they may look to carry out further activities, such as deploying additional malware or capturing data. The first two steps are typically automated, while the third step is only carried out if the target is deemed attractive to the threat actor, following manual investigation.
What organisations need to do now
In addition to installing the patches, which should be done as a first priority, organisations can further protect themselves by placing their Exchange server behind a VPN, and by restricting untrusted connections to the Exchange server port.
These measures will prevent a threat actor from gaining initial access. However, if they already have access, the remaining vulnerabilities could still be exploited.
As such, installing the patches remains the only solution to achieve comprehensive protection. Organisations are also advised to follow Microsoft's recommended steps in their blog post here, to determine if they have been compromised.
Microsoft has also provided various tools available on its GitHub page.
Following these steps should be sufficient. S-RM’s Cyber Response team does not believe a full forensic investigation will be required, unless there has been evidence found that this CVE has been exploited, by following the guidance from Microsoft or following the script on GitHub above.
Get in touch with the S-RM Cyber Incident Response Team to discuss this threat, and your wider cyber advisory, testing, and response requirements.
