On March 3, 2021, Microsoft announced it had detected multiple exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. The exploits utilized a zero-day attack against four separate vulnerabilities in Exchange Server, which were disclosed on March 2.
Exploiting these four vulnerabilities together allows threat actors to take control of an on-premises Exchange server and access email accounts or install malware, which could be used for other, long-term attack activities. Microsoft has since released emergency patches for the vulnerabilities.
Microsoft Threat Intelligence Center (MSTIC) observed attacks carried out by Hafnium, a group assessed to be state-sponsored and operating out of China, primarily targeting US-based organizations running on-premises Exchange servers. This assessment is based on observed victimology, tactics, and procedures. Exchange Online is not affected.
What you should know
This is the first time MSTIC is discussing Hafnium’s activity. Hafnium are a highly sophisticated and highly skilled threat actor. In the past, they targeted entities in the United States to exfiltrate information from several industries, including higher education institutions, law firms, infectious disease researchers, defense contractors, policy think tanks, and NGOs.
According to their blog post, this is the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society; other activity they disclosed has targeted healthcare organizations fighting Covid-19, political campaigns, and others involved in the 2020 elections, and high-profile attendees of major policymaking conferences.
While Microsoft currently believes these vulnerabilities were exploited primarily by Hafnium, the public disclosure of the vulnerabilities means other threat actors will also begin targeting them. Coalition is sharing this information with you to highlight the critical nature of these vulnerabilities and the importance of patching all affected systems immediately.
These patches will help protect against these exploits, and maintaining up-to-date software is an absolute must to help reduce the risk of future attacks.
Why this matters and how to spot it
Email servers contain a wealth of valuable information regarding your company’s structure and operations and may even contain highly sensitive information. While email is not a secure communications medium and should never be used to transmit sensitive information like healthcare or financial data, it is not unusual for internal emails to contain such data.
Moreover, these four software vulnerabilities allow an attacker to install software on an Exchange server, which could be used to achieve any number of malicious objectives. Although email servers are usually placed in a demilitarized zone (DMZ) network, they can be used as a conduit to access internal networks. An attacker might also install malware to bypass email security like encryption: messages are encrypted when they leave the email server, so malware on the server would be able to observe and possibly steal that data before it is protected.
Checking the version of Exchange is the first step to identify how this impacts you. All recent versions of Exchange Server are vulnerable, including the 2013, 2016, and 2019 (latest) versions. Exchange 2010 is partially affected — only one of the four vulnerabilities is present, but Microsoft has still issued a patch to address it. You can look for more details of the specific vulnerabilities by reviewing the vulnerability disclosures and patch detail pages:
- Exchange Server 2010
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
What you should do
Based on our threat intelligence scanning, we detected multiple customers who have an on-premises Microsoft Exchange Server that could be vulnerable to this recently-discovered set of flaws. They have been notified and given details on how to address the issue. Coalition’s threat intelligence also confirms attackers are actively seeking out and targeting vulnerable organizations, so applying patches is a critically time-sensitive priority.
Microsoft has also released tools to search for Indicators of Compromise (IOCs). If your organization is running an on-premises Exchange Server, we strongly recommend using those tools or other security scanning tools to detect compromised servers.
Actions you need to take:
Patches are available and need to be installed immediately if you are running an affected version of Exchange. Links to patches are available from Microsoft. If you are not responsible for your organization's IT, please share this notice with the appropriate personnel responsible for administering Exchange. If the patches have already been applied, no further action is necessary! Below are the specific actions we recommend:
- Apply all current patches to the Exchange server to stop the vulnerability: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
- Disable PowerShell within the environment
- Perform tenant-wide password resets. Reset the krbtgt password TWICE (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password)
- Rebuild the compromised Exchange server, if possible
- Filter egress traffic: restrict the services that hosts in the internal networks can access to prevent malware data exfiltration to a C2.
  - Begin with a DENY ALL outbound policy, packet filter, or firewall rule. This creates a "nothing leaves the network without explicit permission" security baseline.
  - Next, add rules to allow authorized access to the external services identified in the egress traffic enforcement policy.
  - Add granular, restrictive rules to allow administrators access to network and security systems outside the firewall.
  - Lastly, add rules to allow servers the org operates from the trusted network to communicate with Internet-hosted servers.
- Restrict Internet access to authorized sources: the default egress traffic policy for trusted networks is to allow any source address in outbound packets. List the IP subnet numbers or individual IP addresses of hosts that are authorized (trusted) to make use of externally hosted services.
- Block IP spoofing. Only allow source addresses from the IP network numbers assigned to internal networks to pass through the firewall (trusted, DMZ, guest). This includes primary and secondary network numbers, and subnets that are routed to the Internet through the firewall (including addresses reserved for VPN clients).
- Only allow traffic from address space the org actually uses. Apply appropriate subnet masks to internal networks, i.e., masks that are sufficiently long to identify only that fragment of the IP network number that is being used.
- Block traffic from any RFC 6761 or RFC 4913 private addresses from being forwarded over the Internet access circuit.
- Block outbound traffic from VLAN workgroups or entire network segments that have no business establishing client connections to Internet servers.
- Block broadcast traffic. Most Internet-facing firewalls operate in routed mode where broadcasts will not pass across LAN segments. Understand the implications of using transparent (layer 2) firewalls in Internet firewall deployments.
- Block all outbound traffic from internal servers that have no business establishing client connections to destinations outside the trusted networks. An example might be an intranet server that relies entirely on internally provided services (DNS, mail, time, etc.) and by design uses no applications that require Internet access.
- Block outbound traffic with destinations that are listed on DROP (Don’t Route Or Peer) or BGP filter lists. Spamhaus, for example, maintains lists of networks that have been hijacked by spammers, phishers, botnet C&C’s and other malicious traffickers. Data centers, universities, and large end user networks especially benefit from this kind of filtering when their ISPs do not implement them.
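The egress rules above, applied in order to a handful of outbound flows, as an added example that is not part of the original advisory. Every network, host, port and list entry is a constructed placeholder, and the function names are hypothetical; the point is the evaluation order (anti-spoofing, isolated segments and filter-list destinations before any allow rule, then default deny).

```python
import ipaddress

net = ipaddress.ip_network
# Constructed sample policy: every network, host and port here is a placeholder.
INTERNAL_NETS = [net("10.10.0.0/24"), net("10.10.20.0/24")]  # trusted LAN, DMZ
NO_INTERNET = [net("10.10.0.64/28")]  # intranet-only servers, never Internet clients
DROP_LIST = [net("203.0.113.0/24")]   # stand-in for a DROP / BGP filter list entry
# Explicit allows: (source network, destination network, protocol, destination port)
ALLOW = [
    (net("10.10.20.25/32"), net("0.0.0.0/0"), "tcp", 25),        # DMZ mail server, SMTP out
    (net("10.10.0.0/26"), net("0.0.0.0/0"), "tcp", 443),         # workstations, HTTPS out
    (net("10.10.0.10/32"), net("198.51.100.53/32"), "udp", 53),  # resolver to upstream DNS
]

def evaluate(src, dst, proto, dport):
    """Return (verdict, reason) for one outbound flow seen at the firewall."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(s in n for n in INTERNAL_NETS):
        return "DENY", "source-not-assigned"        # anti-spoofing check
    if any(s in n for n in NO_INTERNET):
        return "DENY", "segment-has-no-internet"
    if any(d in n for n in DROP_LIST):
        return "DENY", "destination-on-drop-list"   # evaluated before any allow rule
    for a_src, a_dst, a_proto, a_port in ALLOW:
        if s in a_src and d in a_dst and proto == a_proto and dport == a_port:
            return "ALLOW", "explicit-rule"
    return "DENY", "default-deny"                   # nothing leaves without permission

# Constructed flow records: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.20", "198.51.100.7", "tcp", 443),   # workstation browsing
    ("192.168.1.5", "198.51.100.7", "tcp", 443),  # source outside assigned space
    ("10.10.0.70", "198.51.100.7", "tcp", 443),   # intranet-only server calling out
    ("10.10.0.20", "203.0.113.9", "tcp", 443),    # allowed port, listed destination
    ("10.10.0.20", "198.51.100.7", "tcp", 4444),  # no rule for this port
    ("10.10.20.25", "198.51.100.9", "tcp", 25),   # mail server delivering mail
]

def audit(flows):
    """Pair each flow with its verdict and the rule that decided it."""
    return [(flow, *evaluate(*flow)) for flow in flows]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {reason:26} {flow}")
```

The fourth sample flow matches the workstation HTTPS allow rule, so it is denied only because the filter-list check runs first.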
Technical information regarding this vulnerability and affected versions:
- On-premises versions of Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
- Exchange Server 2010 is vulnerable to one of the four exploits and should be patched as soon as possible.
- Hybrid with Exchange Online is impacted if your on-premises component is running one of the affected versions.
- Exchange Online is not affected.
If you have questions or concerns regarding your Exchange infrastructure, contact us. If you are a Coalition customer and believe this vulnerability has been exploited in your organization, please call Coalition claims toll-free at +1 833.866.1337.