Microsoft has released emergency out-of-band security updates for all supported Microsoft Exchange versions to fix four zero-day vulnerabilities that are actively being exploited in targeted attacks. These four zero-day vulnerabilities are chained together to gain access to Microsoft Exchange servers, steal email, and deploy additional malware and backdoors for increased access to the network.
If you use on-prem Microsoft Exchange Servers, assume you’ve been hit or very soon will be targeted. We recommend you patch immediately, externally validate the patch has been deployed successfully, and hunt for the presence of these webshells and other indicators of compromise.
On your Exchange servers, examine these filesystem paths:
- C:\inetpub\wwwroot\aspnet_client\system_web\ (if system_web exists)
If you see unfamiliar .aspx files with random names whose contents look like log output and include an ExternalUrl line indicating the use of “JScript” code, there is a strong possibility your system is compromised.
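The hunting step above can be scripted. The following is an added example written for this page, not a tool from BW Cyber Services or Microsoft: it walks the advisory's directory for .aspx files, reports any whose name is not on an allowlist you build from a known-good install, and flags the strong indicator the advisory describes (an ExternalUrl line referencing JScript). The regular expression, the allowlist mechanism and the sample files in the usage are assumptions and constructed test data; the default root path is the one the advisory names. Run it on the Exchange server or, more conveniently, against a copy of the inetpub tree mounted on an analysis host, and record the SHA-256 of anything it flags before touching the file.

```python
"""Hunt for suspicious .aspx files in the Exchange aspnet_client tree (added example)."""
import hashlib
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path
from typing import Iterable, List, Optional

# Directory the advisory says to examine (adjust when scanning a copied/mounted tree).
DEFAULT_ROOTS = [r"C:\inetpub\wwwroot\aspnet_client\system_web"]

# Assumed pattern for the advisory's indicator: an "ExternalUrl" line whose value
# references JScript. Case-insensitive because the attacker controls the casing.
EXTERNAL_URL_JSCRIPT = re.compile(r"ExternalUrl\s*:.*JScript", re.IGNORECASE)
STRONG_REASON = "ExternalUrl line referencing JScript"


@dataclass
class Finding:
    path: str
    sha256: str
    reasons: List[str] = field(default_factory=list)

    @property
    def is_strong(self) -> bool:
        # Content indicator present: treat as probable compromise, not just "review".
        return STRONG_REASON in self.reasons


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_aspx(path: Path, allowlist: Iterable[str] = ()) -> Optional[Finding]:
    """Return a Finding when the file is unfamiliar or carries the content indicator."""
    known = {name.lower() for name in allowlist}
    reasons: List[str] = []
    if path.name.lower() not in known:
        reasons.append("unfamiliar filename (not on allowlist)")
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError as exc:
        reasons.append(f"unreadable: {exc}")
        text = ""
    if EXTERNAL_URL_JSCRIPT.search(text):
        reasons.append(STRONG_REASON)
    if not reasons:
        return None
    return Finding(str(path), sha256_of(path), reasons)


def hunt(roots: Iterable[str], allowlist: Iterable[str] = ()) -> List[Finding]:
    """Scan every .aspx file beneath each root; roots that do not exist are skipped."""
    findings: List[Finding] = []
    for root in roots:
        base = Path(root)
        if not base.is_dir():
            continue
        for aspx in sorted(base.rglob("*.aspx")):
            finding = inspect_aspx(aspx, allowlist)
            if finding is not None:
                findings.append(finding)
    return findings


def main(argv: List[str]) -> int:
    roots = argv[1:] or DEFAULT_ROOTS
    findings = hunt(roots)
    for finding in findings:
        level = "STRONG" if finding.is_strong else "REVIEW"
        print(f"[{level}] {finding.path} sha256={finding.sha256}")
        for reason in finding.reasons:
            print(f"         - {reason}")
    # Non-zero exit when a strong indicator is found, so the script can gate automation.
    return 2 if any(f.is_strong for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A REVIEW result only means the file is not on your allowlist; compare it against a clean Exchange install of the same version before deleting anything. A STRONG result should trigger your incident response process, since the advisory treats that content pattern as a likely webshell.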
For the attack to work, remote attackers would need to reach an on-premises Microsoft Exchange server on port 443. If that access is available, the threat actors would then use the following vulnerabilities to gain remote access:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
This is yet another reason BW Cyber Services ALWAYS recommends you determine the operational need to have Outlook Web Access (OWA) turned on and accessible (default is port 443 referenced above). If not needed, disable this at your firewall. Further, ensure critical patches are installed as soon as possible when released by a vendor.
How BW Cyber Services Can Help
In response to the concerns outlined above, BW Cyber Services can help develop cyber programs designed to ensure systems such as email which process your organization’s information remain secure. Go here to learn more about our services. If you have any questions or would like more information, please contact BW Cyber Services at firstname.lastname@example.org.