Four vulnerabilities have been identified in Microsoft Exchange that open organisations up to malicious attacks. Here are the key details you need to know.
What are the vulnerabilities and how are they being exploited?
Four critical vulnerabilities have been identified to impact on-premise Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online has not been affected.
- CVE-2021-26855: CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability leading to crafted HTTP requests being sent by unauthenticated attackers. Servers need to be able to accept untrusted connections over port 443 for the bug to be triggered
- CVE-2021-26857: CVSS 7.8: an insecure deserialisation vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM. This vulnerability needs to be combined with another or stolen credentials must be used
- CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths
- CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths
Microsoft has stated these vulnerabilities can be used as part of an attack chain that allows attackers to gain access to Exchange and, ultimately, an organisation's email. From there, attackers are able to use malicious code to gain remote administrative access, which can then be used to steal data from the organisation's network.
When did this happen?
- 5th January - it's believed that a principal security researcher from security testing firm DEVCORE reported two of the four vulnerabilities to Microsoft for the first time
- 27th January and 2nd February - two further firms (Dubex and Volexity) state they informed Microsoft of attacks related to the vulnerabilities on these dates (respectively)
- 2nd March - Microsoft patched four flaws in Exchange servers 2013 - 2019, as well as issuing a patch for Exchange 2010 (which is technically no longer supported)
- 2nd March onwards - organisations globally begin to investigate the vulnerabilities and patch their Exchange servers, leading to reports of over 30,000 potential hacks
(For a more detailed timeline, visit KrebsOnSecurity.)
What are the risks for organisations using the Exchange servers that are impacted?
Microsoft has acknowledged that the vulnerabilities have been exploited by China-based group, Hafnium, in addition to 'multiple' other actors. With wide-scale media coverage of the vulnerabilities, organisations will find themselves in a 'race' to patch their servers before one of these actors targets them.
The aim of these groups is to gain access to sensitive / privileged data and exfiltrate this. Depending on the organisation being targeted, this can range from citizens' personal information, including financial details, to corporate data such as intellectual property.
No conclusive information has been provided about the impacts of data stolen through this specific hack yet - but we can confidently predict what might happen. Once they've stolen data, typically hackers will either sell it to a third party (such as another criminal group, a nation state or even competitors), ransom it back to the organisation it has been taken from, or share it online without selling it. The first course of action is the most common, and who data is sold to will depend on the type of data that has been exfiltrated. In particular, personal data that has been stolen can be used by criminals to fraudulently impersonate individuals, usually for financial gain.
As detailed below, the first step to mitigating this risk is patching your affected Exchange server. However, if your organisation has already been successfully attacked, patching the servers won't curb the actions of criminals already inside your network.
What can you do about this hack to keep your data safe?
If you are running any of the affected Exchange servers, you will need to immediately patch them. Microsoft has issued guidance to affected organisations here.
To determine whether you have been compromised through the vulnerabilities, Microsoft recommends two steps:
- Check patch levels of Exchange server
- Scan Exchange log files for indicators of compromise using a script that Microsoft has created (the script is available here)
If you uncover evidence of compromise, your next step will be to conduct forensic analysis and to triage the incidents. The US Cybersecurity & Infrastructure Security Agency has provided detailed guidance on next steps here.
Why has this been such big news?
There are two main reasons the Exchange vulnerabilities and the subsequent hacks have been such big news.
The first is the volume of organisations that could be affected and why they're being targeted. Microsoft has stated that Hafnium 'primarily targets entities in the United States', stealing information from organisations such as 'infectious disease research, law firms, higher education institutions, defence contractors, policy think tanks and NGOs'.
Initial reports put the number of affected organisations at 30,000 but the latest figures from Bloomberg doubled this to 60,000. There's also no clear common link between the organisations being targeted at this stage, which implies the cybercriminals are exfiltrating a wide range of data to see what they end up with (as opposed to conducting highly targeted attacks on one or more linked organisations to one ultimate goal).
The second is the time taken between the vulnerabilities being reported to the patches being issued. Of course, it's prudent not to advertise zero-day vulnerabilities before remediations are available, as you're only effectively advertising targets to cybercriminals. However, questions are already being asked about why it took Microsoft two months after the first reports to issue the updates.