NTG recently learned of multiple urgent security patches for Microsoft Exchange that are needed to prevent issues currently being exploited by a Chinese state sponsored hacker group. Microsoft has assessed HAFNIUM to be responsible for the “0-day” exploits, basing their beliefs on victimology tactics and procedure. According to Microsoft’s website “HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.” The vulnerability allows hackers to steal email files from US-based servers, exploiting four vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019. The security weakness was first discovered by security firm Volexity, documenting attacks as early as January 6, 2021. Microsoft states that HAFNIUM malware tools operate primarily from leased virtual private servers (VPS) in the United States. Acting quickly Microsoft made a security patch available to deter their efforts. Microsoft released a series of patches to address multiple execution (RCE) vulnerabilities in Microsoft Exchange for on-premises and hybrid models, while cloud-based servers are not affected. To mitigate the threat Microsoft is also releasing a patch for Microsoft Exchange 2010, while Microsoft Defender has also been updated to detect HAFNIUM malware tools. CVE-2021-26855 • A server-side request forgery (SSRF) vulnerability in Exchange which allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. CVE-2021-26857 • An insecure deserialization vulnerability in the Unified Messaging service. • Exploiting this vulnerability can provide an attacker with the ability to run code as SYSTEM on the Exchange server. • This vulnerability requires administrator permission or another vulnerability to exploit. Microsoft observed HAFNIUM chain CVE-2021-26855 with this one to authenticate with elevated privileges. CVE-2021-26858 & CVE-2021-27065 • These two are post-authentication arbitrary file write vulnerabilities in Exchange. • If an attacker can authenticate with the Exchange server then they can use one of these vulnerabilities to write a file to any path on the server. Microsoft observed HAFNIUM chain CVE-2021-26855 with this one to authenticate with elevated privileges. If you need help updating your security infrastructure or implementing security patches in your existing Microsoft product line NTG can help you with cyber security solutions. We have trained professionals who keep up with trends and best practice for maintaining ecosystems through proactive prevention.
