Very High
Multiple Microsoft Exchange zero-day vulnerabilities - ProxyLogon Exploit Chain
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Very High
(2 users assessed)Very High
(2 users assessed)Unknown
Unknown
Unknown
Multiple Microsoft Exchange zero-day vulnerabilities - ProxyLogon Exploit Chain
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Microsoft disclosed four actively exploited zero-day vulnerabilities being used to attack on-premises versions of Microsoft Exchange Server. The vulnerabilities identified are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which affect Microsoft Exchange Server. Exchange Online is not affected.
In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Microsoft released details on an active state-sponsored threat campaign (attributed to HAFNIUM) that is exploiting on-prem Exchange Server installations. Microsoft’s observation was that these were limited, targeted attacks, but as of March 3, 2021, ongoing mass exploitation has been confirmed by multiple sources. More in the Rapid7 analysis tab.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportTechnical Analysis
The Microsoft Exchange team has released Cumulative Updates (CUs) for Exchange Server 2016 and Exchange Server 2019
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-june-2021-quarterly-exchange-updates/ba-p/2459826
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportGeneral Information
Vendors
- Microsoft
Products
- Microsoft Exchange Server 2016 Cumulative Update 19,
- Microsoft Exchange Server 2019 Cumulative Update 8,
- Microsoft Exchange Server 2019,
- Microsoft Exchange Server 2013 Cumulative Update 22,
- Microsoft Exchange Server 2019 Cumulative Update 2,
- Microsoft Exchange Server 2016 Cumulative Update 13,
- Microsoft Exchange Server 2013 Cumulative Update 23,
- Microsoft Exchange Server 2019 Cumulative Update 3,
- Microsoft Exchange Server 2016 Cumulative Update 14,
- Microsoft Exchange Server 2019 Cumulative Update 4,
- Microsoft Exchange Server 2016 Cumulative Update 15,
- Microsoft Exchange Server 2019 Cumulative Update 5,
- Microsoft Exchange Server 2019 Cumulative Update 6,
- Microsoft Exchange Server 2016 Cumulative Update 16,
- Microsoft Exchange Server 2016 Cumulative Update 17,
- Microsoft Exchange Server 2019 Cumulative Update 7,
- Microsoft Exchange Server 2016 Cumulative Update 18,
- Microsoft Exchange Server 2013 Cumulative Update 21,
- Microsoft Exchange Server 2016 Cumulative Update 12,
- Microsoft Exchange Server 2016 Cumulative Update 8,
- Microsoft Exchange Server 2019 Cumulative Update 1,
- Microsoft Exchange Server 2016 Cumulative Update 9,
- Microsoft Exchange Server 2016 Cumulative Update 10,
- Microsoft Exchange Server 2016 Cumulative Update 11
Metasploit Modules
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Vendor Advisory (https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/)
- Government or Industry Alert (https://us-cert.cisa.gov/ncas/alerts/aa21-209a)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Additional Info
Technical Analysis
On March 2, 2021, the Microsoft Threat Intelligence Center (MSTIC) released details on an active state-sponsored threat campaign leveraging four zero-day vulnerabilities to attack on-premises instances of Microsoft Exchange Server. In the attacks Microsoft observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
The zero-day vulnerabilities disclosed on March 2, 2021 are:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Microsoft has released out-of-band patches for all four vulnerabilities as of March 2, 2021.
Microsoft Exchange customers should apply the latest updates on an emergency basis and take steps to harden their Exchange instances. We strongly recommend that organizations monitor closely for suspicious activity and indicators of compromise (IOCs) stemming from this campaign. Rapid7 has a comprehensive list of IOCs available here.
For further information on the HAFNIUM-attributed threat campaign and related IOCs, see Microsoft’s blog here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Affected products
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Security updates are available for the following specific versions of Exchange:
- Exchange Server 2010 (for Service Pack 3 – this is a Defense in Depth update)
- Exchange Server 2013 (CU 23)
- Exchange Server 2016 (CU 19, CU 18)
- Exchange Server 2019 (CU 8, CU 7)
Exchange Online is not affected.
Technical analysis and guidance
Microsoft said on March 2 that the attacks they observed were “limited and targeted.” Rapid7 detection and response teams, however, have been detecting indiscriminate exploitation of Exchange servers since February 27, 2021, including but not limited to the attacker behaviors below:
- Attacker Tool – China Chopper Webshell Executing Commands
- Attacker Technique – ProcDump Used Against LSASS
More information on attacker behaviors and a timeline of widespread Exchange exploitation is available here.
We strongly recommend that organizations both apply all updates for on-premises Exchange Server installations on an emergency basis and examine their environments for signs of compromise.
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Some evidence that reverse-proxy and/or decoupled CAS/HUB <—> DAG architecture might provide enough passive protection to interfere with the attack chain. Going to be difficult to assess until more details are provided on how these CVEs work.
@chavez243ca Thanks! That’s fair, although I suspect with the widespread interest the community will probably continue to push out details at a solid pace.