Microsoft has published details and out of cycle patches for several 0-day Exchange exploits under active attack.
Microsoft Security Response Center advises:
Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect against these exploits and to prevent future abuse across the ecosystem.
The exploits have been linked to the activities of a Chinese based nation-state sponsored group known as Hafnium who have primarily been observed targeting US based organisations. However, now the exploit details are public, all organisations with on-premises exchange servers need to urgently apply the patches to protect their networks. (Exchange Online and Office365 environments are not affected)
Four 0-day vulnerabilities being used by Hafnium have been patched by Microsoft:
CVE-2021-26855: Server Side Request Forgery allowing an attacker to authenticate as the Exchange server
CVE-2021-26857: Insecure deserialisation allowing an attacker to execute code as SYSTEM on the server
CVE-2021-26858 and CVE-2021-27065 are both Post authentication vulnerabilities allowing arbitrary files to be written to the server
By exploiting these vulnerabilities against the Exchange server’s port 443 where it is published to the Internet (as many are) the attackers are able to then install a Web Shell which allows them to establish persistent access, steal data and perform other malicious actions.
The Exchange Server team at Microsoft has published a blog post about this attack which includes a script for checking the patch level of all Exchange servers to assess their vulnerability.
To check for Indicators of Compromise on your Exchange servers, a series of PowerShell commands have been published by Microsoft in this blog post from the Threat Intelligence Center.
