Industry Happenings | March 25, 2021

Microsoft Exchange Hacking Campaign Targets U.S. Organizations – Updated On 11.9.2021

On November 9, 2021, Microsoft released a software update to mitigate significant vulnerabilities that affect on-premises Exchange Servers 2013, 2016, and 2019. An attacker could use these vulnerabilities to gain access and maintain persistence on the target host. These vulnerabilities are different from the ones disclosed and fixed in March 2021 – the security updates released in March 2021 will not remediate against these vulnerabilities.

Applying the update released on November 9, 2021 to Exchange servers is currently the only mitigation for these vulnerabilities. Microsoft has released security updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These updates are available for the following specific builds of Exchange Server:

IMPORTANT: If you install the security updates manually, you must run the .msp from an elevated command prompt (see Known Issues in the update KB article).

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU21 and CU22
  • Exchange Server 2019 CU10 and CU11

The November 2021 security updates for Exchange Server address vulnerabilities reported by security partners and found through Microsoft’s internal processes. We are aware of limited targeted attacks in the wild using one of these vulnerabilities, CVE-2021-42321, a post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

More details about specific CVEs can be found in Security Update Guide (filter on Exchange Server under Product Family).

Inventory your Exchange Servers / determine which updates are needed.

Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest cumulative update.

Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU to get directions for your environment.

What if you encounter errors during or after installation of Exchange Server updates?

If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.

Known issues with update.

After installing the November SUs on on-premises Exchange servers in a hybrid configuration, the OWA redirection URL for hybrid users may be incorrectly encoded, causing the redirect to fail with the “Something went wrong” error. This issue is still being investigated. As a workaround, go to https://outlook.office.com/owa/ directly.

How to check whether the exploit was attempted on our servers. We installed the November 2021 SU on our Exchange 2016/2019 servers; is there anything we can check to see whether exploitation was attempted before the fix for CVE-2021-42321 was in place?

Run the following (updated) PowerShell query on your Exchange server to check the Application event log for error events from the MSExchange Common provider whose message mentions BinaryFormatter.Deserialize:

Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MSExchange Common'; Level=2 } | Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' }

If events are found, please work with your Security Response team to analyze the server further.
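The one-liner above checks a single server. The following script is an added example (not from the original post or from Microsoft) that runs the same event-log check across every Exchange server in the organization, keeps unreachable servers from being mistaken for clean ones, and writes the matches to a CSV for the Security Response team. It assumes it is run from the Exchange Management Shell with an account that can read the Application log on each server remotely; the 90-day window and output file name are assumed defaults.

```powershell
# Added example: sweep all Exchange servers for the MSExchange Common error
# events that reference BinaryFormatter.Deserialize (see the post's one-liner).
param(
    [datetime]$Since = (Get-Date).AddDays(-90),            # assumed look-back window
    [string]$OutFile = ".\exchange-deserialize-events.csv"  # assumed output path
)

# Server list comes from the Exchange Management Shell (assumption).
$servers = Get-ExchangeServer

$filter = @{
    LogName      = 'Application'
    ProviderName = 'MSExchange Common'
    Level        = 2          # Error
    StartTime    = $Since
}

$hits = foreach ($srv in $servers) {
    try {
        Get-WinEvent -ComputerName $srv.Name -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Server      = $srv.Name
                    TimeCreated = $_.TimeCreated
                    EventId     = $_.Id
                    # first line of the message is enough for triage
                    Summary     = ($_.Message -split "`r?`n")[0]
                }
            }
    } catch {
        # Get-WinEvent errors both when nothing matches and when the remote log
        # cannot be read; only the latter should be reported as a problem.
        if ($_.Exception.Message -notlike '*No events were found*') {
            Write-Warning "$($srv.Name): could not query Application log: $($_.Exception.Message)"
        }
    }
}

if ($hits) {
    $hits | Sort-Object Server, TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation
    $hits | Group-Object Server | ForEach-Object {
        $earliest = ($_.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
        Write-Host ("{0}: {1} matching event(s), earliest {2}" -f $_.Name, $_.Count, $earliest)
    }
    Write-Host "Details written to $OutFile; review these servers with your Security Response team."
} else {
    Write-Host "No matching events on $($servers.Count) server(s) since $Since."
}
```

Servers that raise a warning were not checked and should be queried again rather than treated as clean.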

Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013 Here.

November 2021 Exchange Server Security Update Here.


On March 2, 2021, Microsoft released a series of security updates meant to patch newly discovered zero-day vulnerabilities in Microsoft Exchange Server. Microsoft Exchange is used by millions of organizations to manage their email and calendar systems, giving these vulnerabilities the potential to cause catastrophic damage to affected groups if exploited. An estimated 30,000 US organizations have already been compromised through these vulnerabilities, which can allow attackers to remotely execute malicious code and gain full control of the targeted systems. Microsoft is attributing these attacks to HAFNIUM, a cyber espionage group based in mainland China.

Required Actions
DHS/CISA is tracking a serious issue with Microsoft Exchange, and their guidance is the basis for the actions below. We cannot emphasize enough that exploitation is widespread and indiscriminate, and we are advising all system owners to complete the following actions.

Please complete the checklist and provide feedback to your leadership on the actions you have taken and any challenges completing the recommended steps.

AlienVault
SEDC MSS (AlienVault) includes NIDS detection signatures for two of the Hafnium CVEs, CVE-2021-26855 and CVE-2021-26857. The two other Hafnium CVEs, CVE-2021-26858 and CVE-2021-27065, currently have no NIDS detection signatures, but AlienVault Open Threat Exchange (OTX) has threat intelligence feeds (“pulses”) available for them to enrich events associated with a Hafnium exploitation attempt.

Of the actively detected CVEs, CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server, which permits remote access and compromise by a remote threat actor.

The following NIDS signatures detect CVE-2021-26855 and are escalated in a Hafnium AV alarm via directive #46875 “AV Attacks, Microsoft Exchange – Attempted ECP Privilege Escalation (CVE-2021-26855)”:

  • 2847423: “ETPRO EXPLOIT Microsoft Exchange – Attempted ECP Privilege Escalation (CVE-2021-26855)”
  • 4002538: “AV EXPLOIT Microsoft Exchange Vulnerability Scan Detected (CVE-2021-26855)”

CVE-2021-26857 is a local host vulnerability that gives an attacker privilege escalation to run code as SYSTEM on the Exchange server, which in turn permits further remote code execution.

The following NIDS signatures detect CVE-2021-26857 and are escalated in a Hafnium AV alarm via directive #46877 “AV Attacks, Microsoft Exchange – Possible RCE Inbound (CVE-2021-26857)”:

  • 2847418: “ETPRO EXPLOIT Microsoft Exchange – Possible RCE Inbound (CVE-2021-26857)”
  • 2847419: “ETPRO EXPLOIT Microsoft Exchange – Possible RCE with WebShell Inbound M1 (CVE-2021-26857)”
  • 2847420: “ETPRO EXPLOIT Microsoft Exchange – Possible RCE with WebShell Inbound M2 (CVE-2021-26857)”

VMware Carbon Black – Please ensure you are on sensor version 3.6 or above.

The Threat Analysis Unit (TAU) has updated the Advanced Threats and AMSI Threat Intelligence watchlists with detections for the post-exploitation activity. TAU is also testing and refining additional detections as well as potential prevention rules; as these become available, this post will be updated. The detections provided in the watchlists, and any preventions that may be released, depend on the latest agent versions of the CBC products (3.6 or greater).

Bottom Line Up Front: these 0-day vulnerabilities only exist on on-premises Exchange servers. If you are not running on-premises Exchange (for example, you use O365), you are not impacted by these vulnerabilities.

As always, you should prioritize installing the recommended patches in your Exchange environment as these vulnerabilities enable unauthenticated remote code execution and file-writes. TAU also recommends implementing egress network ACLs for all externally facing web services in your environment.

In order to take full advantage of the most up-to-date threat intelligence detection and prevention rules, VMware Carbon Black Endpoint Standard customers must be running 3.6 or greater CBC sensor versions. Customers running 3.6 sensor versions are protected out of the box without any need to configure rules relating to the post-compromise credential theft techniques disclosed. The latest versions of the CBC sensors will also detect and block suspect PowerShell usage typically associated with post-compromise behaviors.

References
https://cyber.dhs.gov/ed/21-02/
https://us-cert.cisa.gov/ncas/alerts/aa21-062a
https://us-cert.cisa.gov/ncas/current-activity/2021/03/02/microsoft-releases-out-band-security-updates-exchange-server
https://otx.alienvault.com/pulse/603eb1abdd4812819c64e197/
https://community.carbonblack.com/t5/Threat-Research-Docs/Microsoft-Exchange-0-Days-CVE-2021-26855-CVE-2021-26857-CVE-2021/ta-p/101318
