Perch bulletin: Critical zero-day Microsoft Exchange vulnerability observed in the wild
Microsoft released a critical patch today that addresses multiple 0-day vulnerabilities for Microsoft Exchange.
If you’re hosting an Exchange server, we recommend applying patches immediately for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Background
During an investigation of suspicious activity, Volexity discovered that an adversary, identified as HAFNIUM, used a 0-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855) to steal contents from several users’ mailboxes.
Exploitation only requires an attacker to know where an Exchange server is running and an email address to extract. This is an unauthenticated vulnerability that doesn’t require any special information about your infrastructure.
It was also determined that HAFNIUM was able to chain the SSRF vulnerability with a remote code execution (RCE) vulnerability to write ASPX web shells to disk and then used the web shells to steal credentials and copies of the Active Directory database, as well as add new users.
This vulnerability only affects on-premises Exchange servers.
According to our latest intelligence, HAFNIUM is a new Chinese state-sponsored threat actor that has been primarily targeting US-based targets across a wide range of industries.
Our SOC has also been working with the ConnectWise Incident Response team to hunt through our platforms and identify any customers who may have been compromised by this attack, and we’ve already discovered at least one of the web shells mentioned by Microsoft.
Signatures
The PerchLabs team has deployed two signatures for all customers based on the data released by Microsoft and Volexity:
alert http any any -> $HOME_NET any (msg:"[Perch Security] Microsoft Exchange Authentication Bypass (CVE-2021-26855)"; http.method; content:“POST”; http.uri; pcre:"/\/owa\/auth\/Current\/themes\/resources\/[a-zA-Z0-9_-]+\.(css|gif|eot|ttf)/U”; tag:session,5,packets; reference:url, www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; classtype:web-application-attack; sid:900269; rev:1; metadata: created_at 2021_03_02, updated_at 2021_03_02, cve CVE_2021_26855;)
alert http any any -> $HOME_NET any (msg:"[Perch Security] Microsoft Exchange Remote Code Execution (CVE-2021-26855)"; http.method; content:“POST”; http.uri; pcre:"/\/ecp\/(default\.flt|main.css|[a-z]\.js)/U”; tag:session,5,packets; reference:url, www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; classtype:web-application-attack; sid:900270; rev:1; metadata: created_at 2021_03_02, updated_at 2021_03_02, cve CVE_2021_26855;)
References
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com
Next: CVE spotlight: CVE-2021-21972 (VMware vCenter Server RCE)
Share this on:
Subscribe to our blog