Microsoft announced the release of a critical security update on Tuesday, March 2nd to address four zero-day vulnerabilities that allowed hackers to steal email communications from companies using their Exchange Server products.
Microsoft stated the flaws were being actively exploited in a sophisticated attack chain deployed by the Chinese cyber espionage group HAFNIUM. While Microsoft traditionally releases security updates on the second Tuesday of the month, commonly known as “Patch Tuesday”, the severity of the vulnerabilities called for an additional update ahead of that schedule. Microsoft is urging all customers to install the emergency patches as soon as possible and released a special alert on Tuesday from Tom Burt, Corporate Vice-President, Customer Security and Trust.
“Even though we’ve worked quickly to deploy an update for the HAFNIUM exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack.”
The security updates are available on the Microsoft Security Response Center and address the four security issues with Microsoft Exchange Server 2013, 2016 and 2019 outlined below.
- CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed the attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when a program deserializes untrusted, user-controllable data. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. Exploiting it requires administrator permission or another vulnerability.
- CVE-2021-26858, a post-authentication arbitrary file write vulnerability. If HAFNIUM could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065, a post-authentication arbitrary file write vulnerability. If HAFNIUM could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Microsoft did confirm that its Exchange Online service, most commonly used for business email hosting, was not impacted by the attacks, and specifically stated that the exploits had no connection to the SolarWinds-related attacks.
For more information we encourage you to visit the full update from Microsoft at https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/.
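Since the post's main call to action is to install the update promptly, the following is an added example (written for this article, not code from the post or from Microsoft) of a PowerShell check that reports whether an on-premises Exchange server already carries the update. It assumes it is run in the Exchange Management Shell on the server, where ExSetup.exe is on the PATH, and it reads the file version of ExSetup.exe rather than Get-ExchangeServer's AdminDisplayVersion, because security updates change the former but leave the latter at the cumulative-update level. The build numbers in the table are placeholders: the article gives none, so they must be filled in from the MSRC post linked above.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumptions: runs in the Exchange Management Shell on the server; the
# $PatchedBuilds table is filled in from the MSRC post linked in the article.
# Every build value below is a PLACEHOLDER, not a real patched build.

# Security updates bump the file version of ExSetup.exe but leave
# Get-ExchangeServer's AdminDisplayVersion at the CU level, so the file
# version is the value that must be compared.
function Get-ExchangeInstalledBuild {
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    # ProductVersion looks like "15.01.2176.009"; [version] normalises it.
    [version]$exsetup.FileVersionInfo.ProductVersion
}

# One entry per supported cumulative update (major.minor.build identifies
# the CU; the revision is the first build that contains the fix). Each CU
# has its own patched build, so a single threshold per product line would
# wrongly report a newer but unpatched CU as patched.
$PatchedBuilds = @(
    [version]'15.0.0.0'   # Exchange 2013 CU23 patched build - PLACEHOLDER
    [version]'15.1.0.0'   # Exchange 2016 CU18 patched build - PLACEHOLDER
    [version]'15.1.0.1'   # Exchange 2016 CU19 patched build - PLACEHOLDER
    [version]'15.2.0.0'   # Exchange 2019 CU7 patched build  - PLACEHOLDER
    [version]'15.2.0.1'   # Exchange 2019 CU8 patched build  - PLACEHOLDER
)

function Test-ExchangeMarch2021Patch {
    param([Parameter(Mandatory)][version]$InstalledBuild)

    # Find the table entry for the installed CU, then compare revisions.
    $cu = $PatchedBuilds | Where-Object {
        $_.Major -eq $InstalledBuild.Major -and
        $_.Minor -eq $InstalledBuild.Minor -and
        $_.Build -eq $InstalledBuild.Build
    } | Select-Object -First 1

    if (-not $cu) {
        # Either the CU is out of support (no fix available) or the table
        # is incomplete; both deserve a human look rather than a silent pass.
        $status = 'UnknownCU'
    } elseif ($InstalledBuild.Revision -ge $cu.Revision) {
        $status = 'Patched'
    } else {
        $status = 'NeedsUpdate'
    }

    [pscustomobject]@{
        Server         = $env:COMPUTERNAME
        InstalledBuild = $InstalledBuild
        PatchedBuild   = $cu
        Status         = $status
    }
}

Test-ExchangeMarch2021Patch -InstalledBuild (Get-ExchangeInstalledBuild)
```

A server on a cumulative update that is absent from the table reports UnknownCU instead of Patched, which is deliberate: an out-of-support CU has no fix to install and must be upgraded to a supported CU before the security update can be applied.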
How Can Schneider Downs Help?
If you have any questions, we are here to help! In addition to our services and software solutions, our team offers a diverse library of complimentary cybersecurity resources including case studies, whitepapers and security awareness materials. You can explore the library at www.schneiderdowns.com/cybersecurity/resources.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
If you suspect or are experiencing a network incident, our Incident Response Team is available 24x7x365 at 1-800-993-8937.
Want more cybersecurity content? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, for the latest insight and news in the cybersecurity world.