It has recently been revealed that several zero-day flaws in Microsoft Exchange Server email software are being exploited by a previously undetected Chinese hacking group labelled Hafnium. The attackers are not only stealing email contents but also leaving behind “back doors”, or covert channels that enable remote access to a core network. Reports indicate that between 30,000 and 60,000 organisations worldwide have been infiltrated, including approximately 7,000 in Australia.
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate primarily responsible for securing military communications, has issued a “high alert”, urging organisations to patch their Exchange email servers as soon as possible, as Australian organisations are being specifically targeted by the attackers.
The attack leverages previously undiscovered vulnerabilities in Exchange Server Outlook Web Access.

The ACSC website summarises the severity and potential consequences of the vulnerability and subsequent exploitation.
“Microsoft has identified that if successfully exploited, these CVEs together would allow an unauthenticated attacker to write files and execute code with elevated privileges on the underlying Microsoft Windows operating system. Microsoft has observed instances where the attacker has uploaded web shells to maintain persistent access to compromise Exchange servers.”
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) advises organisations using Exchange to urgently patch the following Common Vulnerabilities and Exposures (CVEs):
- CVE-2021-26855 – server-side request forgery (SSRF) vulnerability in Exchange.
- CVE-2021-26857 – insecure deserialization vulnerability in the Unified Messaging service.
- CVE-2021-26858 – post-authentication arbitrary file write vulnerability in Exchange.
- CVE-2021-27065 – post-authentication arbitrary file write vulnerability in Exchange.
Microsoft has released security patches for the following versions of Microsoft Exchange:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
The ACSC also advises that Microsoft has taken the unusual step of releasing a patch for the out-of-support Exchange Server 2010 (Service Pack 3).
The ACSC is monitoring the situation and is able to provide assistance and advice as required. If your organisation has been affected, please contact us for assistance.
Author: David Steele, Agilient Consultant