Preface
The news propagated earlier this week that the Chinese hackers were actively targeting Microsoft Exchange servers, the cybersecurity community warned that the zero-day vulnerabilities they were exploiting might have allowed them to hit countless organizations around the world. Now it’s becoming evident that Microsoft Exchange Server software have led a compromise of around 30,000 United States Organizations including government and commercial. Almost all verticals including Fire & Police departments, hospitals, educational institutions, banks, credit units and non-profits, none of them were badly affected.
Microsoft had rolled-out a patch to fix four zero-day exploits in Exchange Server a few days ago, but that hasn’t stopped a hacking group from taking advantage of the situation. According to Microsoft, the vulnerabilities in Exchange Server are being targeted by a previously unknown Chinese hacking group known as “Hafnium.”
According to Microsoft, the vulnerabilities allowed hackers to gain access to email accounts, and also gave them the ability to install malware that might let them back into those servers at a later time.
According to the sources, the attack has been ongoing since January 6th, but ramped up in late February. Microsoft released its patches on March 2nd and that clearly indicates that the attackers had almost two months to carry out their operations.
Both the White House National Security Advisor, Jake Sullivan, and former director of the Cybersecurity and Infrastructure Security Agency Chris Krebs have tweeted about the severity of the incident.
This large-scale attack for the state-run organizations should remind us to the SolarWinds attacks that compromised US federal government agencies and companies last year.
A Microsoft spokesperson confirmed that the company is working closely with the Cybersecurity and Infrastructure Security Agency(CISA) other government agencies, and security companies, to ensure best possible guidance and mitigation for our customers.
Details on Vulnerabilities and it’s Importance
The critical vulnerabilities impact on premise Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. However, Exchange Online is not affected. Below are the few CVEs:
- CVE-2021-26855: CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability leading to crafted HTTP requests being sent by unauthenticated attackers. Servers need to be able to accept untrusted connections over port 443 for the bug to be triggered.
- CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM. However, this vulnerability needs to be combined with another or stolen credentials must be used.
- CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths.
- CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths.
If used in an attack chain, all of these vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment. In summary, Microsoft says that attackers secure access to an Exchange Server either through these bugs or stolen credentials and they can then create a web shell to hijack the system and execute commands remotely.
But unlike the SolarWinds incident, the researcher points out, the Exchange-hacking campaign could be caught early, at least way before its widespread use. The early detection may give victims a chance to both patch their systems and remove the hackers before they can take advantage of their foothold inside organizations.
Way Forward
As the proverb says, it’s easier to stop the attack than to repair the damage after the attack. However, keeping an organization safe from cyber-attacks is a complex undertaking that requires the involvement of everyone connected to it. Even third-party companies that are connected with your organizations should comply with security practices to stop cyber-attacks.
In fact, every industry should take on an active approach instead of a passive one, when it comes to cyber security. Organizations should switch from a reactive plan of action to embracing the hackers’ point of view for testing the strength of the IT infrastructure. Conducting Vulnerability Assessment (VAPT) periodically to identify the vulnerabilities in your organization’s IT security framework can go a long way in preventing cyber-attacks. If your business is gradually moving towards digital transformation, Web Application Audit and Mobile Application Audits can yield lot of proactive measures before we face any data breaches.
In fact, it is better to prevent the destruction before it happens. And in order to do so, everyone connected with the organization would have to work together in bringing an effective plan. Consequently, it will help in creating a cyber-hygienic environment and reduce the risks that are surrounding us.
And incase you are not able to build the proactive incident response plan for your organization, any managed security services provider (MSSP) can assist you to implement and monitor the same on behalf of you.
