Multiple news sources, security researchers and security agencies have reported on a new attack against tens, if not hundreds, of thousands of Internet-accessible Exchange servers configured for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Outlook Web App (OWA) access. These attacks are being carried out by the Chinese state-sponsored hacking group known as Hafnium.
The exploit chains four zero-day vulnerabilities in Microsoft Exchange software: three in Exchange itself and one in Unified Messaging Services.
The four zero-day Microsoft CVEs are as follows:
- CVE-2021-26855 – allows an attacker to send specific HTTP requests and authenticate to the Exchange Server
- CVE-2021-26857 – insecure deserialization in Unified Messaging allows remote code execution on the Exchange server
- CVE-2021-26858 – post authentication arbitrary file write vulnerability in Exchange
- CVE-2021-27065 – post authentication arbitrary file write vulnerability in Exchange
The result is a persistent web shell that allows attackers to steal data and perform other malicious actions.
Things to consider:
- Track the hosts that the vulnerability scanner identifies as Exchange servers
- Report, from inventory, the hosts that have any of the four vulnerabilities required for this exploit
- Report on access from subnets classified as Internet to Exchange servers via TCP 443
- Optional: report on access from ALL subnets to Exchange servers via TCP 443
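The four reports above, worked as an added Python example (not RedSeal's code or product output). It assumes a hypothetical inventory where the vulnerability scanner tags host roles and CVE findings, a subnet classification table, and a list of observed access paths; all hosts, addresses and findings are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# The four CVEs the page lists for the Hafnium Exchange exploit chain.
HAFNIUM_CVES = {"CVE-2021-26855", "CVE-2021-26857",
                "CVE-2021-26858", "CVE-2021-27065"}

@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    roles: frozenset   # roles tagged by the vulnerability scanner
    cves: frozenset    # CVE ids the scanner reported on this host

# Constructed sample inventory (hypothetical hosts, RFC 1918 / RFC 5737 addresses).
HOSTS = [
    Host("exch01", "10.1.0.10", frozenset({"exchange"}),
         frozenset({"CVE-2021-26855", "CVE-2021-27065"})),   # unpatched
    Host("exch02", "10.1.0.11", frozenset({"exchange"}), frozenset()),  # patched
    Host("web01", "10.2.0.5", frozenset({"iis"}), frozenset()),         # not Exchange
]
# Constructed subnet classification and observed access paths (src ip, dst ip, dst port).
SUBNET_CLASS = {"203.0.113.0/24": "Internet", "10.0.0.0/8": "Internal"}
ACCESS = [("203.0.113.7", "10.1.0.10", 443),   # Internet -> exch01 OWA
          ("10.9.9.9", "10.1.0.11", 443),      # internal -> exch02 OWA
          ("203.0.113.7", "10.1.0.11", 25)]    # Internet -> exch02 SMTP only

def subnet_class(src_ip, classes=SUBNET_CLASS):
    """Classify a source address by the first configured subnet that contains it."""
    addr = ipaddress.ip_address(src_ip)
    for net, label in classes.items():
        if addr in ipaddress.ip_network(net):
            return label
    return "Unknown"

def exchange_hosts(hosts=HOSTS):
    """Report 1: hosts the scanner identified as Exchange servers."""
    return sorted(h.name for h in hosts if "exchange" in h.roles)

def vulnerable_hosts(hosts=HOSTS):
    """Report 2: any host carrying one or more of the four CVEs, with the CVEs found."""
    return {h.name: sorted(h.cves & HAFNIUM_CVES) for h in hosts if h.cves & HAFNIUM_CVES}

def exposed_exchange_hosts(hosts=HOSTS, access=ACCESS, internet_only=True):
    """Reports 3 and 4: Exchange hosts reachable on TCP 443, from Internet subnets
    only (default) or from all subnets (the optional report)."""
    by_ip = {h.ip: h for h in hosts if "exchange" in h.roles}
    return sorted({by_ip[dst].name for src, dst, port in access
                   if port == 443 and dst in by_ip
                   and (not internet_only or subnet_class(src) == "Internet")})

def priority_hosts():
    """Exchange hosts that are both vulnerable and Internet-reachable on 443: patch first."""
    return sorted(set(vulnerable_hosts()) & set(exposed_exchange_hosts()))
```

Running the four report functions against the sample data separates exposure from vulnerability: exch02 is reachable but patched, exch01 is both and lands in `priority_hosts()`.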
For additional details, contact your RedSeal sales representatives or email [email protected]
Author Bill Burge is senior network security engineer at RedSeal. You can read more RedSeal blogs here.