As many as 30,000 businesses and government agencies across the US have been targeted by an aggressive hacking campaign that exploits vulnerabilities in versions of Microsoft Exchange Server, with some experts claiming that “hundreds of thousands” of Exchange Servers have been exploited worldwide. Microsoft is attributing these exploits to a cyber espionage organization known as HAFNIUM, operating out of mainland China.
Microsoft Exchange Server is used by millions of organizations for email and calendar, as well as a collaboration solution. This exploit vector targets Microsoft Exchange Servers able to receive untrusted connections from an external source. Among its capabilities is a Remote Code Execution (RCE) attack that allows attackers to install backdoors into the network for later use. Once installed, these backdoors can remain active even after the original exploit is patched.
On March 2nd, Microsoft released several patches for the on-premises versions of Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. These patches were in response to several in-the-wild exploits targeting the CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 vulnerabilities. The hosted Exchange Online service is unaffected.
Since the release of these patches, HAFNIUM has accelerated their exploitation of these vulnerabilities, probably looking to compromise as many organizations as possible before companies can apply the Microsoft patches.
FortiGuard Labs received notification of these vulnerabilities as part of our membership in MAPP (Microsoft Active Protections Program). We posted a Threat Signal report with details about this exploit on March 3rd. We also released four FortiGuard IPS patches on March 3-4 to protect Fortinet customers from these exploits. Default FortiEDR and FortiXDR deployments will detect and block post-exploitation activity, including dumping LSASS memory and running the Nishang and PowerCat tools described in the Microsoft blog. We also posted a FortiGuard Outbreak Alert on March 9th. Other updates are below:
According to Microsoft, HAFNIUM is a state-sponsored cyber-espionage group that primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Their primary objective is to gain access to valuable networks for the purpose of exfiltrating data to file sharing sites like MEGA. However, recent reports have shown that this is now a global campaign being leveraged by other threat actors, who have reverse engineered the out-of-band patch to cause further damage.
In this operation, four vulnerabilities, each carrying the Microsoft title "Microsoft Exchange Server Remote Code Execution Vulnerability", were chained together to enable the threat actors to exploit on-premises Exchange servers.
These are the details:
This remote code execution vulnerability, CVE-2021-26855, exists in Microsoft Exchange Server. It is a server-side request forgery (SSRF) flaw that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. This vulnerability is the entry point of the attack chain; for it to succeed, the Exchange server must accept untrusted connections on port 443.
This vulnerability, CVE-2021-26857, is an insecure deserialization flaw in the Microsoft Exchange Server Unified Messaging service. Exploiting it allows a malicious adversary to run code with elevated privileges (SYSTEM) on the Exchange server. For this vulnerability to be leveraged, certain preconditions must be met, such as existing administrator permissions or chaining with another vulnerability.
In this Microsoft Exchange Server remote code execution vulnerability, an attacker can perform a post-authentication arbitrary file write. Once authenticated to the server, an actor can write a file to any location on the server. This vulnerability can be chained with compromised Exchange administrator credentials or with the unauthorized authentication obtained by exploiting CVE-2021-26855 (SSRF).
This remote code execution vulnerability likewise allows a malicious adversary to perform a post-authentication arbitrary file write on a vulnerable Microsoft Exchange Server. Once authenticated, an actor can write a file to any location on the server. This vulnerability can be chained with compromised Exchange administrator credentials or by exploiting CVE-2021-26855 (SSRF) to authenticate.
If you believe that your organization is vulnerable to this exploit, we recommend the following actions:
Out-of-band patches were made available from Microsoft for download on March 2nd, 2021. They address the CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 vulnerabilities. It is recommended that all available patches for affected Microsoft Exchange servers be applied immediately.
Microsoft has also issued alternative mitigations for organizations unable to immediately patch or update their affected Microsoft Exchange Servers.
There is a possibility that Microsoft Exchange Server 2010 may also be vulnerable. This version is NOT protected by the four vulnerability patches issued by Microsoft listed above. Microsoft has provided defense-in-depth guidance for organizations running Exchange 2010.
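Patching closes the vulnerabilities but does not tell you whether the SSRF entry point (CVE-2021-26855) was already used against a server. The script below is an added example, not Fortinet's or Microsoft's code: it parses Exchange front-end HttpProxy logs and flags unauthenticated requests whose AnchorMailbox value matches the `ServerInfo~*/*` pattern, the heuristic from Microsoft's published hunting guidance for this CVE. The log column names are the real ones, but every log row, host name and IP address in the sample is constructed for this example, and the path to the live logs is an assumption you should adjust to your installation.

```python
import csv
import fnmatch
from collections import Counter
from typing import Dict, List

# Constructed sample of an Exchange HttpProxy log. The "#Fields:" header line uses the
# real column names; every data row below it is invented for this example. Row a3 is an
# unauthenticated request whose AnchorMailbox carries a ServerInfo~ back-end reference,
# which Microsoft's hunting guidance uses as the CVE-2021-26855 indicator.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-05T10:01:02.123Z,a1,10.0.0.5,/owa/,CORP\\alice,alice@corp.example,200
2021-03-05T10:02:15.456Z,a2,10.0.0.6,/ecp/,CORP\\bob,bob@corp.example,200
2021-03-05T10:03:44.789Z,a3,203.0.113.7,/ecp/default.flt,,ServerInfo~exch01.corp.example/autodiscover/autodiscover.xml,200
2021-03-05T10:04:01.000Z,a4,10.0.0.7,/autodiscover/autodiscover.xml,CORP\\carol,carol@corp.example,200
"""

# AnchorMailbox pattern from Microsoft's hunting guidance for CVE-2021-26855.
SSRF_ANCHOR_PATTERN = "ServerInfo~*/*"

# Assumed default log location on an Exchange 2016/2019 server (adjust per install).
DEFAULT_LOG_DIR = r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy"


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse HttpProxy log text: '#Fields:' names the columns, other '#' lines are metadata."""
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def is_ssrf_indicator(row: Dict[str, str]) -> bool:
    """True for an unauthenticated proxied request that names a back-end server in AnchorMailbox."""
    unauthenticated = row.get("AuthenticatedUser", "") == ""
    anchor = row.get("AnchorMailbox", "")
    return unauthenticated and fnmatch.fnmatchcase(anchor, SSRF_ANCHOR_PATTERN)


def find_ssrf_indicators(text: str) -> List[Dict[str, str]]:
    """Return every log row that matches the CVE-2021-26855 heuristic."""
    return [row for row in parse_httpproxy_log(text) if is_ssrf_indicator(row)]


def summarize_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count suspicious rows per source IP so a responder can see where to look first."""
    return dict(Counter(row.get("ClientIpAddress", "?") for row in hits))


if __name__ == "__main__":
    # Stand-alone demo over the constructed sample. On a real server you would read
    # every *.log file under DEFAULT_LOG_DIR and concatenate their contents instead.
    hits = find_ssrf_indicators(SAMPLE_HTTPPROXY_LOG)
    for row in hits:
        print(row["DateTime"], row["ClientIpAddress"], row["UrlStem"], row["AnchorMailbox"])
    print("suspicious requests per client:", summarize_by_client(hits))
```

A hit here is an indicator, not proof of compromise: it should trigger a review of the Exchange server for newly written files in web-accessible directories and of the other logs Microsoft's guidance lists, and the absence of hits does not clear a server whose logs have already rotated.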
The FortiGuard Labs team was immediately contacted by Microsoft concerning these vulnerabilities through our membership in their MAPP process (Microsoft Active Protections Program), a program we have participated in since 2005.
The following IPS signatures were released on March 3-4, 2021 to detect and stop exploits targeting the four vulnerabilities used in this campaign. All Fortinet customers with an active subscription and current updates are already protected.
The following IPS signatures protect against the publicly disclosed proofs of concept:
MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution Update: 3/15
MS.Exchange.Server.CVE-2021-27065.Remote.Code.Execution Update: 3/17
Default FortiEDR and FortiXDR deployments will detect and block post-exploitation activity, including dumping LSASS memory and running the Nishang and PowerCat tools described in the Microsoft blog.
The latest version of FortiEDR (5.0) will detect exploitation attempts of the China Chopper malware. Update: 3/26
The latest version of FortiClient can detect and patch the vulnerabilities identified in this report.
Three signatures have been added to the FortiWeb security service to prevent attackers from performing remote code execution on Microsoft Exchange Servers (CVE-2021-26855, CVE-2021-27065, and CVE-2021-26858).
FortiGuard Labs has the following AV coverage in place for publicly known samples:
To ensure organizations are fully protected against these threats, we highly recommend they apply all available patches as soon as possible.
FortiGuard Labs will continue to monitor this issue and provide additional updates should new information or proof-of-concept code related to this event become available.
According to Microsoft, the initial exploit requires the ability to make an untrusted connection to Exchange server port 443. In addition to restricting untrusted connections, Fortinet customers can use FortiVPN to separate the Exchange server from external access. However, this mitigation strategy is only effective against the initial portion of the attack, the SSRF (CVE-2021-26855). Other portions of the chain can still be triggered if attackers already have access or if they can convince an administrator to run a malicious file. Even if this mitigation is used, it is still recommended that organizations prioritize installing all available Exchange Server patches immediately.
Because of how easily this exploit enables disruption, and the potential for damage to daily operations, it is essential that organizations keep all AV and IPS signatures up to date. It is critical that organizations establish a regular security assessment and patching routine. This ensures that all known vendor vulnerabilities are consistently addressed to prevent attackers from establishing a foothold within the network.
Update: 3/25: Samples mentioned by US-CERT in the latest malware analysis report are not publicly available at this time. For reference, a comprehensive list of all known China Chopper malware protections can be found here. FortiGuard Labs will update this blog and Threat Signal should they become available.