Global Cybersecurity Crisis: 60,000 Organizations Hacked Due to Microsoft Exchange Vulnerability
According to Bloomberg, more than 60 thousand organizations worldwide have been hacked due to exploitation of vulnerabilities in Microsoft Exchange (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).
Microsoft discovered a hacker group known as Hafnium that carried out attacks using zero-day vulnerabilities in Microsoft Exchange servers.
To carry out the attack, the cybercriminals needed access to the local Microsoft Exchange server through port 443. If access was obtained, the attackers exploited the following vulnerabilities to gain remote access:
- CVE-2021-26855 is a Server Side Request Forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as an Exchange server.
- CVE-2021-26857 – Insecure Deserialization Vulnerability in the Unified Messaging Service. Insecure deserialization occurs when untrusted user-controlled data is deserialized by a program. Exploitation of this vulnerability gave the HAFNIUM hacker group the ability to run code as SYSTEM on an Exchange server. This requires administrator permission or other vulnerability.
- CVE-2021-26858 – Vulnerability for writing arbitrary files after authentication in Exchange. If the HAFNIUM hacker group can authenticate to the Exchange server, it can exploit this vulnerability to write a file to any path on the server. Hackers could have authenticated using the SSRF CVE-2021-26855 vulnerability or by compromising administrator credentials.
- CVE-2021-27065 – Vulnerability for writing arbitrary files after authentication in Exchange. If the HAFNIUM group can authenticate to the Exchange server, they can exploit this vulnerability to write a file to any path on the server. They could authenticate using the SSRF CVE-2021-26855 vulnerability or by compromising the legitimate administrator’s credentials.
After gaining access to a vulnerable Microsoft Exchange server, Hafnium installs a web shell that allows them to steal data, upload files, and execute almost any command on the compromised system.
Because of the severity of the attacks, Microsoft recommends that administrators “install security updates immediately” to protect Exchange servers from these attacks.
Administrators can find more information about supported updates and how to install hotfixes in the Microsoft Exchange Team article.
US officials said that measures to assess and remediate the consequences are being taken at all levels of the US government.
“Although the Hafnium group is based in China, they operate primarily from rented virtual private servers (VPS) in the United States”, — Microsoft said in a blog post.
Microsoft has also released a PowerShell script that administrators can use to check for vulnerabilities in Microsoft Exchange, called ProxyLogon.
The commands must be run manually to check for Indicators of Compromise (IOC) in the Exchange HttpProxy logs, Exchange log files, and Windows application event logs.
The PowerShell script is available in the Microsoft Exchange Support Engineer GitHub repository called Test-ProxyLogon.ps1.
The US Cyber and Infrastructure Security Agency (CISA) strongly recommends that all organizations use this script to check for a vulnerability in the servers they are using.
Let me remind you that only recently I talked about another crisis: Cybersecurity experts compiled lists of companies affected by the SolarWinds hack.