A Chinese attack group that is known to target organizations in several industries in the U.S. has been using four separate zero-day vulnerabilities in Microsoft Exchange to gain access to target servers and then steal the contents of users’ inboxes. Microsoft released out-of-band updates for the flaws on Tuesday and is urging customers to apply the patches as quickly as possible.
The most dangerous of the vulnerabilities is a server-side request forgery (SSRF) bug that researchers at Volexity caught being exploited against two of its customers in January. That bug does not require any authentication, and the attackers, whom Microsoft refers to as Hafnium, were using it to gain access to the Exchange server and then exfiltrate data from users’ inboxes.
“Through its analysis of system memory, Volexity determined the attacker was exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker was using the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and what account from which they want to extract e-mail,” Volexity researchers said in a post.
Once the attackers had exploited this bug for initial access, they would install a webshell on the compromised Exchange server to enable persistence. Hafnium was also using three other previously unknown flaws in Exchange for further operations on servers. Two of the bugs are arbitrary file-write vulnerabilities that enabled the attackers to write any file to any path on the server; both of those flaws require authentication. The third flaw allowed the attackers to run code as SYSTEM on the server. Taken together, the four zero-days represent a powerful set of tools for accessing and taking control of enterprise mail servers.
Hafnium is a newly identified attack group, and Microsoft researchers said the group typically goes after organizations in verticals such as defense, infectious disease research, law, education, and think tanks. The group runs its operations through leased virtual private servers in the U.S., but is based in China, Microsoft said. Though Hafnium is the only group known to have exploited these bugs, that likely won’t be the case for long now that some details are public.
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack,” Tom Burt, corporate vice president of customer security and trust at Microsoft, said.
The Volexity researchers said the amount of initial information needed to exploit the SSRF vulnerability is quite low.
“In order to exploit this vulnerability, the attacker must also identify the fully qualified domain name (FQDN) of the internal Exchange server(s). Using a series of requests, Volexity determined that this information could be extracted by an attacker with only initial knowledge of the external IP address or domain name of a publicly accessible Exchange server. After this information is obtained, the attacker can generate and send a specially crafted HTTP POST request to the Exchange server with an XML SOAP payload to the Exchange Web Services (EWS) API endpoint,” the researchers said.
“This SOAP request, using specially crafted cookies, bypasses authentication and ultimately executes the underlying request specified in the XML, allowing an attacker to perform any operation on the users’ mailbox.”
Microsoft's Burt emphasized that the newly disclosed flaws were not connected to the SolarWinds intrusion, which also targeted Microsoft's internal network.