What is Microsoft Exchange Server?
Microsoft Exchange Server is a popular business email and calendar system used by hundreds of thousands of companies, governments, educational establishments, and financial institutions. It is licensed both as a hosted service and as an on-premises product, with the latter being in greater demand. Initially, Microsoft identified more than 400,000 on-premises servers at risk.
Critical zero-day vulnerabilities
According to reports, Microsoft became aware of four critical vulnerabilities in early January. On March 2nd, emergency patches for the flaws were released. Patches were made available for the 2010, 2013, 2016, and 2019 versions of Exchange, meaning that the vulnerable code goes back more than ten years.
Unfortunately, by the time emergency fixes came out, the attacks had already begun. In fact, according to some researchers, the bugs were already being exploited before Microsoft caught wind of the issues. Here are the vulnerabilities:
- CVE-2021-26855 is a server-side request forgery that enables an attacker to bypass authentication. It lets the attacker access the content of multiple user mailboxes.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Exchange Unified Messaging Service, leading to privilege escalation to the SYSTEM level.
- CVE-2021-26858 and CVE-2021-27065 are both post-authentication arbitrary file write vulnerabilities. Combined with the CVE-2021-26855 authentication bypass, this chain enables the attacker to write a file to any path on the server, allowing them to achieve remote code execution (RCE).
Chained together, these vulnerabilities can enable RCE, server hijacking, data theft, backdoor creation, and malware installation.
Onslaught of attacks
According to Microsoft, a Chinese-backed hacker organization called Hafnium accessed various organizations’ email accounts.
The attacks worked by exploiting the vulnerabilities described above to gain access to Exchange. The attackers then planted web shells to control the compromised servers remotely. With that remote access, they could create backdoors, install malware, and steal data from organizations. Attackers also used malware to access email data.
After the patch was released, Hafnium responded by ramping up its hacking efforts. By March 5th, the estimated number of affected organizations was more than 30,000 in the US alone and hundreds of thousands globally. Victims included police forces, hospitals, energy and transportation companies, airports, and prisons. Over 20% of victims were government and military organizations.
By March 11th, attacks were doubling every hour, with the US, Germany, and the UK being the most popular targets.
On March 12th, Microsoft reported a new kind of attack exploiting the vulnerabilities: hackers were now using the compromised servers to distribute a strain of ransomware called DearCry.
The ransomware encrypts the target's files and demands a ransom payment of $16,000.
Where are we now?
As mentioned, Microsoft released an emergency patch in early March. Unfortunately, by then, tens of thousands of organizations had already been attacked. On March 12th, Microsoft reported that 82,000 unpatched Exchange servers were still exposed.
The patch is not a silver bullet, though. Even if all organizations install the security update, some may already have backdoors residing in their servers.
There is another problem. Now that attackers know what Microsoft patched, reverse engineering the fixes is not out of the question. Last week, at least two proof-of-concept (PoC) exploits were published online.
Publicly available PoCs mean that even more criminals can take advantage of the vulnerabilities: less technically advanced attackers can join in, while more sophisticated groups can simply move faster.
What to do next?
First, if your organization uses Exchange, update it immediately if you have not already. Microsoft has also released its Exchange On-premises Mitigation Tool (EOMT), which helps smaller organizations secure themselves against the threat.
Assume that your organization has been compromised. Even if you applied the patches as soon as they came out, that does not mean your servers were not already compromised beforehand.
Stay alert. Unfortunately, this may just be the beginning. Update all your systems, and ensure your staff members know how to use the cybersecurity tools you have available.