Microsoft has issued out-of-band updates for zero-day vulnerabilities in on-premises Exchange Servers that are being actively exploited by at least one APT (advanced persistent threat) group, dubbed Hafnium. It is suspected that Hafnium has seized control of hundreds of thousands of MS Exchange Servers worldwide and has hacked at least 30,000 U.S. organizations.
The updates cover MS Exchange Server 2013, 2016 and 2019; Microsoft Exchange Server 2010 is also being updated, as a defense-in-depth measure. Note that Microsoft 365 (a/k/a Exchange Online) and Azure cloud deployments have reportedly not been impacted. The vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Microsoft advises that all affected systems be patched immediately. Two practical caveats: the security updates only install on a supported cumulative update level, so servers on older CUs must be brought current first, and patching closes the entry point but does not remove web shells or other persistence already planted, so any server that was exposed before patching should also be checked against the indicators of compromise referenced below.
The goals of the APT actors appear to be:
- the exfiltration of data from targeted networks via email accounts
- the installation of malware to gain persistent access to, and control of, a victim’s environment.
Resources:
- MSRC (Microsoft Security Response Center) mitigation guidance.
- Script developed by the MS Exchange Server team to check for HAFNIUM IOCs (indicators of compromise)
- MSRC Technical Details
- MS security updates for Exchange Server 2013, 2016 and 2019 (KB5000871, released per cumulative update level) and for Exchange Server 2010 Service Pack 3 (KB5000978)
- DHS Emergency Directive 21-02 to federal government agencies
- FireEye blog post (03/04/21), Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
- Krebs on Security (03/05/21), At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software.
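As an added example (not text from this advisory and not Microsoft's own script), the Python below reproduces offline two of the IOC checks given in the MSRC mitigation guidance, run over constructed log excerpts: the CVE-2021-26855 check on HttpProxy logs (empty `AuthenticatedUser` together with an `AnchorMailbox` of the form `ServerInfo~host/path`) and the CVE-2021-27065 check on ECP Server logs (a `Set-...VirtualDirectory` call). The column names and the `ServerInfo~` pattern are those used in the MSRC one-liners; the sample log lines, hostnames, IPs and function names are assumptions made for illustration.

```python
"""Offline triage for two of the HAFNIUM IOCs from the MSRC guidance.

Added example, not part of the advisory or of Microsoft's IOC script. It
mirrors the logic of the PowerShell one-liners Microsoft published:

  * CVE-2021-26855 (SSRF, initial access): HttpProxy rows whose
    AuthenticatedUser is empty and whose AnchorMailbox looks like
    'ServerInfo~<host>/<path>'.
  * CVE-2021-27065 (post-auth file write): ECP Server log lines recording
    a 'Set-...VirtualDirectory' cmdlet, the call used to plant a web shell.

All log lines below are CONSTRUCTED for this example.  The guidance's third
check (Unified Messaging crashes in the Application event log, CVE-2021-26857)
needs the live Windows event log and is not reproduced here.
"""
import csv
import io
import re
from typing import Dict, List

# AnchorMailbox values forged through the SSRF name a backend host and a path.
ANCHOR_RE = re.compile(r"^ServerInfo~[^/]+/")
# Any Set-*VirtualDirectory call in the ECP server log is worth a look.
ECP_RE = re.compile(r"Set-.+VirtualDirectory", re.IGNORECASE)

# Constructed HttpProxy CSV excerpt: two forged requests, two normal ones.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent,HttpStatus
2021-03-02T04:11:09.512Z,1a2b,203.0.113.10,mail.example.test,/owa/auth/x.js,,ServerInfo~mail.example.test/ecp/DDI/DDIService.svc/SetObject,python-requests/2.25.1,200
2021-03-02T04:12:30.001Z,3c4d,198.51.100.7,mail.example.test,/owa/,CORP\\alice,Sid~S-1-5-21-1111-2222-3333-1001,Mozilla/5.0,200
2021-03-02T04:13:44.777Z,5e6f,203.0.113.10,mail.example.test,/ecp/y.js,,ServerInfo~localhost/ecp/proxyLogon.ecp,python-requests/2.25.1,200
2021-03-02T04:14:00.000Z,7a8b,198.51.100.9,mail.example.test,/mapi/emsmdb,CORP\\bob,ServerInfo~mail.example.test,Outlook/16.0,200
"""

# Constructed ECP Server log excerpt: one Set-*VirtualDirectory call among reads.
SAMPLE_ECP_SERVER_LOG = """\
2021-03-02T04:13:49.100Z,mail.example.test,ECP,S:CMD=Get-OabVirtualDirectory
2021-03-02T04:13:50.250Z,mail.example.test,ECP,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://f/'
2021-03-02T04:13:52.000Z,mail.example.test,ECP,S:CMD=Get-Mailbox.Identity='alice'
"""


def flag_ssrf_rows(httpproxy_csv: str) -> List[Dict[str, str]]:
    """CVE-2021-26855 check: unauthenticated requests with a forged AnchorMailbox."""
    hits = []
    for row in csv.DictReader(io.StringIO(httpproxy_csv)):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = row.get("AnchorMailbox") or ""
        if user == "" and ANCHOR_RE.match(anchor):
            hits.append(row)
    return hits


def flag_ecp_lines(ecp_log: str) -> List[str]:
    """CVE-2021-27065 check: Set-*VirtualDirectory calls in the ECP server log."""
    return [line for line in ecp_log.splitlines() if ECP_RE.search(line)]


def triage(httpproxy_csv: str, ecp_log: str) -> Dict[str, object]:
    """Run both checks; empty lists mean these IOCs were not found in the input."""
    ssrf = flag_ssrf_rows(httpproxy_csv)
    return {
        "cve_2021_26855_rows": ssrf,
        "cve_2021_26855_source_ips": sorted({r["ClientIpAddress"] for r in ssrf}),
        "cve_2021_27065_lines": flag_ecp_lines(ecp_log),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HTTPPROXY_LOG, SAMPLE_ECP_SERVER_LOG)
    for row in result["cve_2021_26855_rows"]:
        print(f"[26855] {row['DateTime']} {row['ClientIpAddress']} -> {row['AnchorMailbox']}")
    for line in result["cve_2021_27065_lines"]:
        print(f"[27065] {line}")
```

On a real server the inputs would be the files under `%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy` and `...\Logging\ECP\Server`, the same locations the MSRC guidance points at. A hit on the SSRF check shows an exploitation attempt reached the server, not necessarily that it succeeded; conversely, a clean result is not proof of safety, since these logs rotate and a successful intruder can delete them, which is why Microsoft's script and the FireEye guidance above also look for dropped web shells and the other two CVEs.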