Microsoft Exchange zero-day vulnerability: What do you need to know?

What is Microsoft Exchange Server?

Microsoft Exchange Server is a popular business email and calendar system used by hundreds of thousands of companies, governments, educational establishments, and financial institutions. It’s licensed as both a service and an on-premises solution, with the latter being more in-demand.

However, Microsoft Exchange Servers has long become a target of various state-sponsored hacker groups. Attackers are persistent in placing backdoors and launching malware attacks on the Exchange Server system, putting millions of accounts at stake.

Which vulnerabilities can affect Microsoft Exchange?

Each Microsoft Exchange vulnerability that hackers can exploit within the Exchange Server can vary in its nature and gravity and target different elements of the system. Some of the most common types of vulnerabilities that target Microsoft Exchange Server are:

• Privilege escalation, which can lead to an attacker gaining control over the Exchange Server.
• Remote code execution (RCE), which can hand the Exchange Server’s remote control over to hackers.
• Denial of service (DoS), which can overwhelm the Exchange Server and make it unavailable.
• Information disclosure, through which malicious actors can access sensitive user data without permission.

Critical Exchange zero-day vulnerabilities explained

According to reports, Microsoft became aware of four critical Exchange vulnerabilities in early January of 2021. On March 2, emergency patches for the exploits were released. Patches were available for the 2010, 2013, 2016, and 2019 versions of Exchange, meaning that the vulnerability goes back for more than ten years.

Unfortunately, by the time the emergency fixes came out, the attacks had already begun. In fact, according to some researchers, the bugs were already being exploited before Microsoft caught wind of the issues. Here are the vulnerabilities:

• CVE-2021-26855 was a server-side request forgery that enabled an attacker to bypass authentication. It led the attacker to access the content of multiple user mailboxes.
• CVE-2021-26857 was an insecure deserialization vulnerability in the Exchange Unified Messaging Service that led to privilege escalation to the SYSTEM level.
• CVE-2021-26858 and CVE-2021-27065 were both post-authentication file write vulnerabilities. Combined with the CVE-2021-26855 authentication vulnerability, this MIcrosoft Exchange exploit enabled the hacker to write a file to any path on the server allowing them to achieve remote code execution (RCE).

So in a chain attack, these vulnerabilities could enable RCE, server hijacking, data theft, backdoor creation, and malware installation.

How hackers used to exploit these Microsoft Exchange vulnerabilities

Once malicious actors find their way into the systems, they tend to hold onto it tightly. That’s what happened with Microsoft Exchange zero-day vulnerabilities: Even after successful patches in 2021, hackers continued to abuse the Exchange Server.

Hafnium

According to Microsoft, a Chinese-backed hacker organization called Hafnium accessed various organizations’ email accounts.

The attacks worked by exploiting the previously mentioned cybersecurity vulnerabilities to gain access to Exchange. Then they created web shells to control the compromised servers remotely. Now they can use remote access to create backdoors, install malware, and steal data from organizations. Attackers also used malware to access email data.

After the patch was released in 2021, Hafnium responded by ramping up its hacking efforts. By March 5, the estimated number of affected organizations was more than 30,000 in the US alone and hundreds of thousands globally. It includes police, hospitals, energy, transportation, airports, and prison institutions. Over 20% of victims are government and military organizations.

By March 11, 2021, attacks were doubling every hour, with the US, Germany, and the UK being the most popular targets.

DearCry

On March 12, 2021, Microsoft reported a new kind of attack exploiting the vulnerabilities. Hackers were using the compromised servers to distribute a type of ransomware, DearCry. The ransomware used to infect the target and demand a ransom payment of $16,000.

What are the new Microsoft Exchange zero-day vulnerabilities?

The current Microsoft Exchange vulnerabilities are much less critical than they were just a couple of years back. In fact, no major events shook the Microsoft Exchange Server since the onslaught of attacks in 2021. However, security vulnerabilities occur occasionally, even if they are more quickly fixed and less significant.

• ZDI-23-1578 is a flaw in remote code execution (RCE). It results in the ChainedSerializationBinder class failing to validate user-supplied data and allowing hackers to decentralize malicious data. Whenever an attacker exploits this Microsoft Exchange vulnerability, they can gain the highest level of privilege on Windows because they can run any of their malicious codes at the SYSTEM level.
• ZDI-23-1579 is a fault caused by improper URI validation before accessing the resources, which can lead to attackers accessing sensitive data from Exchange servers. This fault is found in the DownloadDataFromUri method and is a server-side request forgery (SSRF) issue.
• ZDI-23-1580 is also a server-side request forgery (SSRF) vulnerability. It derives from defective URI validation and enables hackers to gain unauthorized access to sensitive resources. This flaw is found in the DownloadDataFromOfficeMarketPlace method.
• The ZDI-23-1581 bug is similar to the previous two and concerns improper URI validation, which can result in hackers gaining sensitive information without authorization. This fault is found in the CreateAttachmentFromUri method.

How can you secure your Exchange Server from these vulnerabilities?

You can mitigate dangers lurking behind zero-day vulnerabilities by following these steps:

• Regularly update software to make sure you always have the latest security patches.
• Check Exchange Server logs for suspicious activity.
• Use multi-factor authentication (MFA), which will prompt you to verify your identity by performing multiple security checks. Apart from a password, it may ask you for a piece of biometric data or a one-time passcode.
• Restrict interaction with Exchange apps to reduce your exposure to unpatched vulnerabilities.

For overall cybersecurity, consider using a VPN that encrypts your online traffic and spoofs your IP address from prying eyes online. You should also consider using additional security tools, such as Threat Protection, which blocks suspicious URLs and malicious attachments from downloading onto your device.