Threat Analysis Unit

TAU Threat Advisory: Microsoft Exchange Servers Targeted with Four Zero-day Exploits

The following advisory from the VMware Threat Analysis Unit (TAU) provides guidance, best practices and capabilities to identify risk and to prevent, detect and respond to this emerging threat.

Summary

On March 2, 2021, Microsoft disclosed four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) affecting on-premises Microsoft Exchange Server; Exchange Online is not affected.

These four vulnerabilities are chained together to gain access to an Exchange server and use it as an entry point to exfiltrate data and persist. The only precondition is network access to TCP port 443 on an on-premises Exchange server. CVE-2021-26855, a server-side request forgery, lets an unauthenticated attacker send requests that the server treats as coming from Exchange itself; the remaining three vulnerabilities then provide code execution and arbitrary file writes on the server, which the actor uses to drop a web shell and take remote control. Servers that are not reachable on port 443 from untrusted networks are harder to attack but not immune, since the chain works from any network position that can reach that port.

If you run Microsoft Exchange Server 2013, 2016 or 2019 on premises, apply the security updates provided by Microsoft immediately, prioritizing externally facing Exchange servers. Note that the updates only prevent further exploitation; they do not remove a web shell or other persistence already placed on a server, so patching must be paired with the checks in the detection section below.

Threat Actor Attribution

Microsoft attributed the attacks to Hafnium, a state-sponsored threat actor assessed to operate from China. Hafnium has previously been reported attacking other internet-facing servers and typically exfiltrates data to file-sharing sites. After gaining access to a vulnerable server, Hafnium installs a web shell that lets it steal data, upload files and execute almost any command. Through that web shell it then dumps the memory of the LSASS process (lsass.exe) to harvest cached credentials, exports mailboxes and other stolen data from the server, and uploads them to file-sharing services from which it can later retrieve them.

Detections and Recommended Response Actions

The Microsoft Exchange Server team has published a script that checks Exchange logs for Hafnium indicators of compromise (IOCs); it has since been revised to address performance and memory concerns on busy servers. That script is available here.
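For readers who want to see what such an IOC check does rather than run a script blind, the following is an added example (not VMware's advisory code and not Microsoft's script) that performs two of the same triage checks offline: it parses Exchange HttpProxy CSV logs for the CVE-2021-26855 indicator Microsoft published (an AnchorMailbox of the form "ServerInfo~host/path", which no legitimate client sends), and it lists recently written .aspx files under the web directories where Hafnium dropped web shells. The log excerpt, file names and paths are constructed for the example; on a real server point it at the HttpProxy logging directory and the web roots noted in the comments.

```python
"""Offline triage of Exchange HttpProxy logs and web roots for Hafnium IOCs.

Added example, not the advisory's or Microsoft's own code. Checks:
  1. CVE-2021-26855: HttpProxy log rows whose AnchorMailbox looks like
     "ServerInfo~<host>/<path>" (indicator from Microsoft's guidance).
  2. Recently modified .aspx files in candidate web-shell directories.
"""
import csv
import os
import tempfile
import time
from pathlib import Path

# Constructed sample of an Exchange HttpProxy log. Real files live under
# <Exchange install>\Logging\HttpProxy\ and have the same shape: a few
# '#'-prefixed metadata lines, then a CSV header row, then one row per request.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
DateTime,RequestId,ClientIpAddress,UrlStem,AnchorMailbox,HttpStatus,UserAgent
2021-03-03T01:02:03.000Z,aaaa,10.0.0.5,/owa/,alice@corp.example,200,Mozilla/5.0
2021-03-03T01:02:04.000Z,bbbb,203.0.113.7,/ecp/y.js,ServerInfo~localhost/autodiscover/autodiscover.xml,200,python-requests/2.25
2021-03-03T01:02:05.000Z,cccc,10.0.0.9,/mapi/emsmdb/,Sid~S-1-5-21-1-2-3-1001,200,Outlook
"""


def parse_httpproxy_log(text):
    """Parse an HttpProxy log. '#' lines are metadata (PowerShell's Import-Csv
    skips them the same way); the first remaining line is the column header."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return list(csv.DictReader(rows))


def is_ssrf_anchor(anchor):
    """CVE-2021-26855 indicator: AnchorMailbox of the form 'ServerInfo~host/path'.
    Legitimate requests are anchored on a mailbox (SMTP address, SID or GUID),
    never on a server name followed by a URL path."""
    return anchor.startswith("ServerInfo~") and "/" in anchor


def find_26855_hits(log_text):
    """Return the log rows that carry the SSRF indicator."""
    return [r for r in parse_httpproxy_log(log_text)
            if is_ssrf_anchor(r.get("AnchorMailbox", ""))]


def find_recent_aspx(roots, since):
    """Return .aspx files under `roots` modified at or after `since` (epoch secs).
    On a real server use the directories Microsoft listed for this campaign, e.g.
    C:\\inetpub\\wwwroot\\aspnet_client and <Exchange>\\FrontEnd\\HttpProxy\\owa\\auth
    and \\ecp\\auth. Exchange updates also write there, so review hits by hand
    (content, owner, creation time) instead of deleting on sight."""
    hits = [p for root in roots for p in Path(root).rglob("*.aspx")
            if p.stat().st_mtime >= since]
    return sorted(hits)


def demo_webshell_scan():
    """Build a throw-away tree standing in for a web root: one long-standing
    page and one .aspx dropped recently. Returns the file names flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        auth = Path(tmp) / "owa" / "auth"
        auth.mkdir(parents=True)
        old = auth / "logon.aspx"                      # constructed: legitimate, two weeks old
        old.write_text("<%-- long-standing logon page --%>")
        stamp = time.time() - 14 * 86400
        os.utime(old, (stamp, stamp))
        new = auth / "help.aspx"                       # constructed: dropped just now
        new.write_text('<script language="JScript" runat="server">/* placeholder */</script>')
        cutoff = time.time() - 7 * 86400               # "written in the last week"
        return [p.name for p in find_recent_aspx([tmp], cutoff)]


if __name__ == "__main__":
    for row in find_26855_hits(SAMPLE_HTTPPROXY_LOG):
        print("CVE-2021-26855 indicator:", row["DateTime"], row["ClientIpAddress"],
              row["UrlStem"], row["AnchorMailbox"])
    print("recently written .aspx:", demo_webshell_scan())
```

The AnchorMailbox check is the same condition Microsoft's published one-liner applies with Import-Csv and a `-like 'ServerInfo~*/*'` filter; a hit means the server has been probed or exploited, not merely that it is unpatched, so it should trigger incident response rather than only patching. The .aspx scan is deliberately a time-window filter rather than a hash list: web shells from this campaign were renamed and re-encoded freely, so a list of known files misses variants, while a short list of recently changed files in directories that rarely change is small enough to review by hand.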

Microsoft Senior Threat Intelligence Analyst Kevin Beaumont has created a Nmap script that can be used to scan a network for potentially vulnerable Microsoft Exchange servers.

To use the script, download it from his GitHub page, store it in /usr/share/nmap/scripts (or another directory on Nmap's script search path) and run nmap --script http-vuln-exchange against the hosts to check; if Nmap cannot find the script by name, run nmap --script-updatedb once to refresh its script database. The script works from the Exchange build version the server reports, so it identifies servers that have not been updated; it does not tell you whether a server has already been exploited.

[Screenshot: Nmap script output showing a potentially vulnerable Microsoft Exchange server.]

Once you have determined which Exchange servers need updating, confirm that each one runs a currently supported Cumulative Update (CU) or, for older releases, Update Rollup (RU): the security updates are built for supported update levels only, so a server on an older CU must first be brought up to a supported CU before the security update will install.

Administrators can find more information on the supported updates and how to install the patches in an article from the Microsoft Exchange Team published today.

VMware Carbon Black Cloud Endpoint And Workload Protection Best Practices

Patch
Prioritize installing the recommended patches in your Microsoft Exchange environment, as these vulnerabilities enable unauthenticated remote code execution and arbitrary file writes. If you are using VMware Carbon Black Workload, you can quickly identify which assets carry these exploitable CVEs from within vCenter or the VMware Carbon Black Cloud console, where risk is prioritized by how exploitable each CVE is.


Network
TAU also recommends implementing egress network ACLs for all externally facing web services in your environment. Restrict an Exchange server's outbound connections to the destinations it legitimately needs (mail flow, updates, hybrid endpoints) so that the uploads to file-sharing sites and reverse-shell callbacks that follow a successful compromise are blocked and logged rather than silently allowed.

Windows Operating Systems
VMware Carbon Black Cloud customers running 3.6 sensor versions are protected out of the box, without configuring any rules, against the post-compromise credential theft techniques disclosed (such as the LSASS memory dump described above). The latest sensor versions also detect and block suspicious PowerShell usage typically associated with post-compromise behavior, using AMSI-based detection.

VMware Carbon Black Cloud customers using NGAV and EDR detection analytics will generically identify and alert on behaviors associated with web shell activity, reverse shells and unusual command interpreter behavior.


VMware TAU also recommends that customers enable the following Anti-Malware engine settings in the VMware Carbon Black Cloud console to ensure the best possible protection:

  • Delay executes for cloud scan
  • Submit unknown binaries for analysis

To take full advantage of the most up-to-date threat intelligence detection and prevention rules, customers must be running VMware Carbon Black Cloud sensor version 3.6 or later with NGAV enabled.