Secplicity - Security Simplified

Powered by WatchGuard Technologies

Exchange Server Vulnerabilities Actively Exploited in the Wild

March 8, 2021 By Ryan Estes

(Updated 03/10/2021 to include defensive tips)

As the cybersecurity community continues to reel from the sweeping effects of the SolarWinds attack, the Microsoft Threat Intelligence Center (MSTIC) has released information about another widespread campaign targeting Exchange servers. A state-sponsored threat actor operating out of China, which Microsoft is calling HAFNIUM, has been exploiting 0-day vulnerabilities in on-premise Exchange Server software. MSTIC has identified four known vulnerabilities since the incident occurred, all of which affect on-premise Exchange servers only. Cloud-hosted Exchange (Exchange Online) is not affected by these vulnerabilities.

The attack begins by exploiting a server-side request forgery (SSRF) vulnerability that allows the full contents of a user’s mailbox to be stolen; the attacker only needs to know which server is running Exchange and which account to steal from (CVE-2021-26855). The attacker then chains this with a second exploit that allows remote code execution on the targeted Exchange server (CVE-2021-27065). A third vulnerability, also part of the chain, allows attackers to write a file to any path on the server (CVE-2021-26858). The fourth vulnerability allows attackers to run code as SYSTEM by exploiting an insecure deserialization flaw in the Unified Messaging service (CVE-2021-26857).

In addition to the four primary Indicators of Compromise (IoCs), Microsoft has released PowerShell scripts and various tools on its GitHub to help identify these IoCs on your Exchange servers. Volexity, which spotted these attacks occurring in the wild, also released an in-depth write-up covering various IoCs, proofs-of-concept, and demonstrations to assist with this detection effort. Microsoft has published a similar write-up as well.

Microsoft has released a patch for all four vulnerabilities, as well as some others, and urges everyone with on-premise Exchange servers to patch their systems immediately. Information about the security updates can be found here. Although HAFNIUM is attributed as the first known entity to exploit these vulnerabilities, Microsoft continues to see increased attacks on unpatched systems by actors beyond HAFNIUM.

Threat Response Measures

  1. Identify and patch vulnerable Exchange Server systems with the Microsoft-issued security updates.
  2. Utilize alternative mitigations provided by Microsoft where you cannot immediately deploy patches.
  3. Use Microsoft’s PowerShell script to search for indicators of compromise on your Exchange server.
  4. Enable WatchGuard security services for additional protections.

WatchGuard Protections

Panda AD360

Panda AD360 has detections for the PowerShell payloads and many of the webshells involved in this attack.

IPS

The Firebox’s Intrusion Prevention Service (IPS) has signatures that detect and block the first stage in the attack’s exploit chain.

Gateway AntiVirus

Gateway AntiVirus has multiple signatures to detect and block the webshells used in the attack.

APT Blocker

APT Blocker successfully detects the malicious PowerShell backdoors used in this attack.

Firebox Access Portal and VPN

The first attack stage for this threat requires an Exchange server exposed to the internet. You can mitigate this stage of the attack by protecting the Exchange server behind the Firebox’s Access Portal on supported appliances.

For complete details about WatchGuard’s response to this issue, see this knowledge base article.

Filed Under: Editorial Articles, Featured Tagged With: Infosec news, Microsoft, Software vulnerabilities, Updates and patches

Comments

  1. Klaus Richter says

    March 9, 2021 at 11:12 am

    Will WatchGuard introduce IPS signatures to prevent the vulnerabilities in WatchGuard firewalls?
  2. Zuv says

    March 9, 2021 at 11:14 am

    Any suggested settings from WatchGuard to help with this?
    Reverse-proxy? Block the /ecp folder with SNAT rules?

    Our company patched the day of the patch’s release, but we were hit days before (on the 27th).
    We deleted the installed webshell and plan a rebuild this weekend.

    But any pointers on settings that might have prevented this attack on the firewall side would be very helpful.
