As attacks against the four Exchange vulnerabilities disclosed last week continue, the scope of the exploit attempts has expanded, and CISA and security experts are encouraging defenders not just to apply the fixes but to search their networks for signs of previous compromise.
When Microsoft initially disclosed the attacks targeting the Exchange flaws, it said that one specific group, which it called Hafnium, was behind the activity. The attacks began as far back as January and Microsoft said they had hit a small number of organizations. But soon after the disclosures last week, researchers quickly found that many other organizations had been compromised too, with many of the victims in industries or sectors that aren’t typically targets for APT groups. In the days that followed, it became clear that once the details of the flaws became public, Hafnium was not the only group exploiting the Exchange flaws and thousands of organizations had been compromised. The vulnerabilities are quite dangerous and exploiting them is not especially difficult, particularly the SSRF flaw (CVE-2021-26855) that attackers are using for initial access to Exchange servers.
Over the weekend, the Cybersecurity and Infrastructure Security Agency issued an updated advisory warning that the attack activity is ongoing and widespread and urging enterprises to address the flaws in their environments right away. That includes not just applying patches, but also looking for indications that any server has been compromised. Microsoft has released a tool that will test Exchange servers for those indicators automatically.
“CISA is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the Test-ProxyLogon.ps1 script—as soon as possible—to help determine whether their systems are compromised,” CISA said in its advisory.
“CISA is aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers. This particular type of attack is scriptable, allowing attackers to easily exploit vulnerabilities through automated mechanisms.”
The vulnerabilities affect a subset of Exchange servers deployed on premises, and do not affect cloud-based deployments such as Office 365. Although on-premises Exchange is less popular than it was even just a few years ago thanks to the migration to the cloud, there are still thousands of Exchange servers online, and attackers are taking advantage of the fact that many enterprises cannot just take their Exchange servers offline on a moment’s notice to patch. Email is at the heart of how many organizations operate, and downtime for those servers usually is planned well in advance. With details of the vulnerabilities having been public for more than a week now, many different kinds of adversaries have had the chance to study them and develop the tools needed to exploit them. Having multiple types of adversaries exploiting the vulnerabilities adds to the urgency to patch, but it doesn’t make that process any easier.
For organizations that have not had the chance to install the patches, Microsoft has published an extensive set of mitigations that can alleviate the effects of the vulnerabilities, but they are not permanent solutions. Some of the mitigations will take various Exchange services offline, however, and they should not be considered replacements for patching.
“These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack. We strongly recommend investigating your Exchange deployments using the hunting recommendations here to ensure that they have not been compromised. We recommend initiating an investigation in parallel with or after applying one of the following mitigation strategies,” Microsoft’s advisory says.
The mitigations include implementing IIS URL Rewrite rules that block the HTTPS requests used to exploit the SSRF flaw, disabling the Unified Messaging (UM) service, and disabling the Exchange Control Panel (ECP).
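The following web.config fragment illustrates the request-blocking rewrite rules behind the first mitigation; it is an added example, not text from the article or a copy of Microsoft's own script. The two cookie patterns are reproduced from Microsoft's published mitigation guidance as an assumption, since the article does not list them, and the rule names are my own.

```xml
<!-- Fragment of web.config for the IIS "Default Web Site" on an on-premises
     Exchange server. Requires the IIS URL Rewrite module. Each rule aborts any
     inbound request whose Cookie header matches one of the two patterns
     (patterns assumed from Microsoft's published mitigation; not from the article). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1: abort any request carrying an X-AnonResource-Backend cookie -->
        <rule name="X-AnonResource-Backend Abort - inbound" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_COOKIE}" pattern="(.*)X-AnonResource-Backend(.*)" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
        <!-- Rule 2: abort any request whose X-BEResource cookie has the
             host/path~version shape used to reach backend endpoints -->
        <rule name="X-BEResource Abort - inbound" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_COOKIE}" pattern="(.*)X-BEResource=(.+)/(.+)~(.+)" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

As the advisory quoted above notes, these rules only reduce exposure to new exploitation attempts; they do not remediate a server that is already compromised and are no substitute for installing the patches.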