THE THREAT
In response to the ongoing exploitation of recently disclosed Microsoft Exchange server zero-day vulnerabilities, Microsoft has released new mitigations for organizations that are currently unable to apply the required security patches. Importantly, Microsoft has also released the Microsoft Support Emergency Response Tool (MSERT). The MSERT tool can be used to detect and remediate known threats abusing these vulnerabilities.
Organizations are strongly recommended to ensure that security patches or mitigations are deployed to prevent exploitation. The MSERT tool should be used to help identify potentially malicious actions that may have occurred prior to patch or mitigation deployment.
What we’re doing about it
- eSentire teams have deployed detection content across our services in response to these attacks
- esENDPOINT identifies suspicious Exchange processes and post-exploitation activity associated with known attacks
- eSentire's BlueSteel engine identifies malicious PowerShell activity associated with this threat
- esLOG identifies exploitation of CVE-2021-26857 and CVE-2021-27065
- esNETWORK identifies exploitation of CVE-2021-26857 and CVE-2021-26855
- In parallel to detection activity mentioned above, we are actively reviewing customer environments for Indicators of Compromise (IoCs)
- MVS has local plugins available to identify all related vulnerabilities
- MVS customers seeking assistance with their review or scans, please contact your MVS consultant or the eSentire Security Operations Center (SOC)
- eSentire security teams continue to track this topic and additional detection measures are currently under review
What you should do about it
- All affected versions of Microsoft Exchange should be prioritized for immediate patching
- Specific guidance on updating these systems can be found here
- If security patches cannot be deployed, organizations should enforce the mitigation steps provided by Microsoft until patching becomes possible
- Mitigation actions will impact some Exchange functions
- Organizations are strongly encouraged to use the MSERT tool to identify and remediate malicious actions
- This action is recommended even if organizations have already run the Microsoft PowerShell script for identifying known Indicators of Compromise (IoCs)
- esENDPOINT customers are advised to deploy endpoint agents to on-premise Exchange servers for ongoing monitoring
Additional information
Confirmed vulnerable on-premises Microsoft Exchange Servers:
- Microsoft Exchange Server 2010
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Exploited Vulnerabilities:
- CVE-2021-26855 (CVSS Score: 9.1/10) – Is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange, which allows a threat actor to send an arbitrary HTTP request and authenticate as the Exchange server.
- CVE-2021-26857 (CVSS Score: 7.8/10) – Is an insecure deserialization vulnerability in the Unified Messaging service and requires administrator privileges or the use of another vulnerability to exploit. This vulnerability gave HAFNIUM the controls to run code as SYSTEM on an exchange server.
- CVE-2021-26858 / CVE-2021-27065 (CVSS Score: 7.8/10) – Are post-authentication arbitrary file write vulnerabilities in Microsoft Exchange and require either compromising an admin’s credentials or the use of CVE-2021-26855.
Microsoft has provided mitigations to defend against attacks exploiting all of the previously stated vulnerabilities. It should be noted that applying the mitigation actions will result in functionality degradation in Exchange servers. The functionality impact of each mitigation action is outline in detail in the official release. Microsoft has released a free Nmap script to scan for CVE-2021-26855.
References:
[1] https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar
[2] https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
[3] https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
