This week it was reported that tens of thousands of organizations around the world were compromised using several Microsoft Exchange 0-days. Since then, attackers have continued to target the compromised organizations in what some now consider a more devastating attack than 2020’s SolarWinds incident.
In the days since the disclosure, attackers have left numerous remote-access backdoors scattered across credit unions, town governments, and small businesses, Reuters reports. The US is not the only country affected: tens of thousands of Asian and European organizations have also been hit, and continue to be hit, despite Microsoft’s rapid emergency patches.
The specific vulnerabilities – CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 – are believed to have been exploited first by a newly identified threat actor called Hafnium, assessed to be a Chinese state-sponsored group, though China officially denies any involvement. Whilst Microsoft initially described the activity as “limited, targeted attacks”, exploitation is now far broader and is expected to widen further – so much so that the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies, under Emergency Directive 21-02, to immediately apply patches to any on-premises Exchange systems, or to disconnect vulnerable servers from the network if patching is not possible, to prevent further exploitation of these CVEs. The latter will leave many organizations without access to a pivotal communication tool.
Screenshot of HAFNIUM’s profile within the Blueliv Threat Context module.
Below is a breakdown of the individual CVEs from Microsoft:
- CVE-2021-26855: CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability that lets an unauthenticated attacker send crafted HTTP requests to the Exchange server and authenticate to back-end services as the server itself. The server only needs to accept untrusted connections on port 443 for the bug to be triggered, which makes it the entry point of the whole chain.
- CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging service that allows arbitrary code to run as SYSTEM. Exploiting it requires administrator rights, so it must be chained with another vulnerability such as CVE-2021-26855 or used with stolen credentials.
- CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability that lets an attacker write a file to any path on the server. Authentication can be obtained through the CVE-2021-26855 SSRF or with compromised administrator credentials.
- CVE-2021-27065: CVSS 7.8: a second post-authentication arbitrary file write vulnerability with the same prerequisites; in observed attacks these file writes were used to drop web shells onto the server.
Details of CVE-2021-26855 within Blueliv’s Threat Context.
Used as part of a wider attack chain, these vulnerabilities can lead to “Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment”.
At the time of writing, officials are striving to notify the many victims of this attack and advise them on next steps. What is known is that all affected organizations run on-premises Exchange servers whose web interfaces (Outlook Web Access) are reachable from the internet, as opposed to the cloud-hosted Exchange Online, which is not affected. Although this limits the fallout for organizations that have moved to the cloud, US officials remain concerned that, if not dealt with soon, these vulnerabilities could have “far-reaching consequences”, as other actor groups are expected to leverage them in the coming days.
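As an added example (not from the original post or Blueliv's own tooling), the following Python script applies the hunting rule Microsoft published for CVE-2021-26855 to Exchange HttpProxy logs: a request with an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/* means the front end proxied an unauthenticated request to a back-end endpoint with the server's own identity, which is exactly what the SSRF does. The log sample is constructed, with a reduced column set, a hypothetical host (mail.contoso.local) and RFC 5737 test addresses; on a real server the logs live under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy.

```python
import csv
import fnmatch
from typing import Dict, Iterable, List

# Constructed sample in the layout of an Exchange HttpProxy log, with a reduced
# set of columns, a hypothetical host (mail.contoso.local) and RFC 5737 test
# addresses. Exchange prefixes these CSV files with '#' comment lines (which
# PowerShell's Import-Csv skips silently) followed by a normal header row.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.2176.002
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T01:12:01.000Z,10.0.0.5,/owa/,CONTOSO\\alice,Smtp~alice@contoso.local,200
2021-03-03T01:13:44.000Z,10.0.0.5,/ecp/,CONTOSO\\admin,ServerInfo~mail.contoso.local/ecp/,200
2021-03-03T01:15:09.000Z,203.0.113.7,/ecp/y.js,,ServerInfo~mail.contoso.local/autodiscover/autodiscover.xml,200
2021-03-03T01:15:10.000Z,203.0.113.7,/owa/auth/x.js,,ServerInfo~mail.contoso.local/ecp/DDI/DDIService.svc/SetObject,200
2021-03-03T01:16:30.000Z,10.0.0.9,/mapi/emsmdb/,CONTOSO\\bob,Sid~S-1-5-21-1111-2222-3333-1105,200
"""

# Microsoft's published indicator for CVE-2021-26855 exploitation.
ANCHOR_PATTERN = "ServerInfo~*/*"


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse an HttpProxy log, dropping the leading '#' comment lines so that
    the first remaining line is the CSV header row."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return list(csv.DictReader(rows))


def is_cve_2021_26855_hit(row: Dict[str, str]) -> bool:
    """True when the front end proxied an unauthenticated request anchored on
    'ServerInfo~<host>/<backend path>', i.e. the SSRF reached a back-end
    endpoint with the Exchange server's own identity."""
    unauthenticated = (row.get("AuthenticatedUser") or "").strip() == ""
    anchor = row.get("AnchorMailbox") or ""
    return unauthenticated and fnmatch.fnmatchcase(anchor, ANCHOR_PATTERN)


def hunt_cve_2021_26855(text: str) -> List[Dict[str, str]]:
    """Return the log rows matching the indicator, in log order."""
    return [row for row in parse_httpproxy_log(text) if is_cve_2021_26855_hit(row)]


def sources_by_hit_count(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate hits per client IP so the source of the probing stands out."""
    counts: Dict[str, int] = {}
    for row in hits:
        ip = row.get("ClientIpAddress", "?")
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = hunt_cve_2021_26855(SAMPLE_HTTPPROXY_LOG)
    for row in hits:
        print(row["DateTime"], row["ClientIpAddress"], row["UrlStem"], row["AnchorMailbox"])
    print("hits per source:", sources_by_hit_count(hits))
```

Run it against the HttpProxy directory of every front-end server, not just one, and treat hits as leads rather than proof: cross-check the ECP server logs for Set-VirtualDirectory commands and the OAB temp path for files dropped through CVE-2021-26858/27065, and note that Microsoft's Test-ProxyLogon.ps1 script in its CSS-Exchange GitHub repository performs these checks for all four CVEs at once.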
ESET researchers have additionally observed the espionage threat actors Calypso, Tick, LuckyMouse, APT41, Mikroceen, Websiic, and Tonto Team leveraging CVE-2021-26855 to target governments, law firms, private companies, and medical facilities. The targets observed so far are mainly located in the United States, although attackers have also targeted some entities in Europe, Asia, and the Middle East. Researchers have also observed a cryptojacking campaign deploying DLTMiner.
Threat Actor profile of Threat Group-3390, a.k.a. LuckyMouse, taken from Blueliv’s Threat Context.
Activity in the Cybercriminal Underground
Blueliv researchers have noticed a lot of interest regarding these vulnerabilities in top-tier underground forums.
On the English-speaking forum RaidForums, a user under the moniker “Mannix” shared a modified version of the Acunetix Web Vulnerability Scanner, capable of scanning for Microsoft Exchange servers vulnerable to CVE-2021-26855.
Multiple Russian-speaking threat actors also showed interest in CVE-2021-26855 on the Exploit forum, sharing GitHub proofs of concept (POCs) and discussing how to exploit the vulnerability. The threat actor “2fed” posted an offer to urgently buy working exploits for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, offering to pay at least 15K USD.
What should CSOs do in response to these attacks?
Many high-profile organizations have already been affected by this attack, with many more expected to follow. Organizations running Microsoft Exchange should follow the advice of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency: immediately apply Microsoft’s patches or, where that is not possible, completely cut off access to the affected servers until they can be patched, and then hunt for signs of prior compromise, since patching does not remove a web shell that was dropped before the fix.
Looking forward, following this and the SolarWinds hack, it is clear that the C-suite should be doing all it can to protect its organization from an inevitable incident at the hands of a vulnerability in a third-party solution. Only by proactively working towards better security hygiene at every level of the organization can CSOs begin to create real defenses against whatever security threat may come their way.
To give themselves the best possible chance, CSOs would be wise to invest in full threat solutions, such as Blueliv’s Threat Compass, which are built to monitor, detect, prevent, and ultimately remediate security incidents, even after an attack has succeeded. Utilizing deep contextual threat intelligence gathered by Blueliv’s Threat Context, organizations can benefit from third-party assessments that offer invaluable insights and actionable data on the risks and vulnerabilities lurking outside their environment. Users also benefit from unique, dynamic vulnerability scores separate from those published by NIST, and real-time monitoring of actors, ensuring patches are adequately prioritized.