March 2021 Microsoft Exchange Server Hack - How to Remediate & Get Help
For those running a Microsoft Exchange environment still, the server hack incident that occurred late last week means you may have immediate steps to take to protect your data.
Below is a quick synopsis from our partners at Quest Technology Management that should help you uncover whether these Zero Day Attacks are affecting your company.
If you want to discuss the below mitigation suggestions or need help implementing them, please contact Opkalla and we can set up a call to discuss (at no cost).
How the Microsoft Exchange Server attack works:
Threat Actors gain access to a Microsoft Hosted Exchange server either with stolen passwords or by using the zero-days to disguise the hackers as personnel who should have access.
Hackers create a web shell to control the compromised server remotely.
They then use that remote access to steal data from a target’s network (actively or at a later date).
The zero-days are present in Microsoft Exchange Server 2013, 2016, and 2019.
The four vulnerabilities are:
CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed the attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is when untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Immediate steps you can take (prior to patch):
Vulnerability Scan for known vector
Block/Log/Alert Publicly known vector (IP Addresses: 165.232.154[.]116, 157.230.221[.]198, 161.35.45[.]41, 45.77.252[.]175
Update and conform Network IDS has been updated to the latest updates.
Enable GEO Blocking (even though it has been observed that some data exfiltration has been tracked to US Domestic IPs); most are still foreign.
Explicitly Block/Filter Outbound Internet communication from your exchange server to the internet (only on allowed ports)
Deploy NextGen AV to all exchange servers/web servers/Domain Controllers and most importantly enable Blocking mode/Script Control.
Save off your firewall logs; ensure that they are logging to an SIEM/Syslog (and logs are configured appropriately for allows)
Change passwords to Exchange OS (Local) password, change Domain admin/or any domain privileged account)
Issue a companywide password change (enforce complex passwords)
Patch
Implement/Schedule for Emergency CCB/Change Control to Patch for zero-day vulnerabilities.
We’re here to help. If you want to discuss these mitigation suggestions or need help implementing them, please contact Opkalla and we can set up a call to discuss (at no cost).