Exchange, Hafnium and You. How to Respond

As everyone has likely heard by now, Microsoft released emergency security updates on March 2, 2021 for Microsoft Exchange. These updates addressed four zero-day vulnerabilities that were being exploited as part of an attack campaign that has been attributed to Hafnium, a nation state backed Advanced Persistent Threat (APT) actor.

What Happened

By leveraging the below vulnerabilities, the threat actors are able to execute an attack referred to as ProxyLogon that allows for pre-authentication remote code execution (RCE) on any Exchange Server 2013, 2016, or 2019, and all it takes is for port 443 to be open:

• CVE-2021-26855 – Server-side request forgery (SSRF) that allowed arbitrary HTTP request to authenticate
• CVE-2021-26857 – insecure deserialization vulnerability that allows attackers to run code as SYSTEM
• CVE-2021-26858 – post-authentication arbitrary file write, allows attackers to write files to any path on the server
• CVE-2021-27065 – post-authentication arbitrary file write, allows attackers to write files to any path once authenticated leveraging CVE-2021-26855 or valid admin credentials

What you end up with is an attacker’s ability to not only exfiltrate data, such as emails, but also to setup persistence in the environment and begin making lateral movements to further compromise the environment.

How Can You Respond

Most security incidents require you to respond with a set of common actions. This typically boils down to (in simplest terms) identification, remediation, mitigation, and resumption of normal activities. There can be any number of sub-divisions or recategorization of these actions, but these are the basics. The first part of this global incident response has already been done for you. The threat has been identified, now is the time to act.

Patching

This is one of those rare ‘all-hands-on deck’ situations. No matter how you achieve it, your first step should be applying the security updates from Microsoft to deal with these vulnerabilities since it’s the  easiest step and it helps prevent you from being compromised by these vulnerabilities if you haven’t already been attacked. If, for whatever reason, the updates cannot be applied to exposed systems there are alternative mitigations available from Microsoft.

Luckily for our partners that use RMM or N‑central^® and have Patch Management enabled it should be easy for you to approve, rollout, and verify the updates are installed. If you must apply patches manually for whatever reason, follow Microsoft’s guidance.

Patches are Applied, What Next?

Applying the updates alone is not enough, this is only a mitigation step that helps protect a system from being attacked via these vulnerabilities. You still need to determine if a system has been compromised by this attack. For this, you will need to know what the Indicators of Compromise (IoC) are for this attack. The Microsoft Intelligence Center (MSTIC) has provided those here if you want to manually search for IoCs or automate your own solution.

To save you some trouble, we have prepared a 24×7 Check for RMM and a Service Monitor for N‑central that can be used to check for one of the primary indicators related to the initial compromise of a system using vulnerability CVE-2021-26855. While this can help get your efforts jump started you will still have to perform additional evaluation of your Exchange Servers to validate they haven’t been compromised.

You can download the scripts here:

CVE-2021-26855 IOC for N-Central

CVE-2021-26855 IOC for RMM

Microsoft has also updated its Microsoft Security Scanner (MSERT) with new signatures to identify web shells associated with ProxyLogon. Given how simple it is to use, it would be a good idea to run this as well on any suspect systems.

Indicators of Compromise Were Found. Now What?

Because this attack allows the threat actors to gain a persistent foothold in an environment, a safe assumption to operate under is that attackers have done so if you find any IoCs. Isolate the affected Exchange Server and follow the guidance provided by Microsoft here.

It may be necessary and a good idea to bring in an outside incident response team to assist at this point as evicting an attacker who already has access can prove difficult for those without the skillset needed to deal with APT groups.

 

Lewis Pope is Head RMM Nerd for N‑able.