- March 11, 2021
Recently, Microsoft Threat Intelligence Center released warnings to customers about a series of vulnerability exploitation currently occurring in the wild. If you run a small or midsize business in the United States and you use Microsoft Exchange Servers within your computing infrastructure, then a swift implementation of security patches are overdue – failure to adhere to this warning will most likely put your data at risk of being exploited by Hafnium, a Chinese state-sponsored hacker group.
Hafnium is a state-sponsored advanced persistent threat (APT), which Microsoft has also classified as a highly-skilled and sophisticated actor. By exploiting said vulnerabilities, threat actors were able to access private email accounts and install malicious payload on the Microsoft Exchange server.
This targeted exploitation occurred following the discovery of four zero-day vulnerabilities January 2021. When these zero-day vulnerabilities are exploited, they can provide hackers with all sorts of ways to break-in including Remote Code Execution (RCE), backdoors, server hijacking, data theft, malware deployment, etc.
The four zero-day vulnerabilities that were discovered by Microsoft’s security experts included:
- [CVE-2021-26855: CVSS 9.1] Server-side request forgery (SSRF) vulnerability – leads to crafted HTTP requests sent by unauthenticated attackers.
- [CVE-2021-26857: CVSS 7.8] Insecure deserialization vulnerability in the Microsoft Exchange Unified Messaging Service – allows the deployment of arbitrary code under SYSTEM.
- [CVE-2021-26858: CVSS 7.8 & CVE-2021-27065: CVSS 7.8] Post-authentication arbitrary file write vulnerability – used to write paths within a file.
What Does This Mean for Small and Midsize Businesses?
According to security researchers, small and midsize businesses (SMBs) are often the most targeted groups, as it relates to business losses associated with cyberattacks. Unfortunately, most SMBs are less prepared to defend their critical infrastructures, than larger companies. So, what does the Microsoft Exchange Server vulnerabilities mean for SMBs? Should they be worried? The short answer is: YES!
Therefore, it is imperative that SMBs consult with competent security experts to ascertain the likelihood, probability, and potential impact of the exploited Microsoft Exchange Server vulnerability might pose on their security posture.
Viable Next Steps for SMBs
Microsoft has released security fixes and patches that would shield the servers from being penetrated by hackers. Microsoft has also recommended that all IT administrators and customers use Microsoft Exchange Server to deploy these patches. However, applying this patch does not at all guarantee that your server is fully protected. Hence, some other steps also need to be taken.
Since these attacks surfaced, a number of law enforcement authorities have taken notice and have issued alerts to counter these zero-day attacks – the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert that demanded all federal agencies across the United States to analyze their servers, especially the ones using Microsoft Exchange.
Additionally, Microsoft published a script on GitHub, which allows organizations to verify the security status of your Exchange Servers – this is done by analyzing the indicators of compromise (IOCs) that are linked to the four zero-day vulnerabilities. Therefore, IT administrators at SMBs are advised to monitor all published IOCs to ensure that their infrastructure security posture is resilient to withstand any potential security incidents.
In addition to all the steps highlighted above, Microsoft has also released a number of out-of-band emergency patches for their older versions of Exchange, which were not previously being supported – these versions include Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. However, Microsoft has also said that the emergency patches issued would only be able to patch the four zero-day vulnerabilities listed above, and in no way does that imply that older Exchange Server products are automatically secure.
Therefore, if you run a small or midsize business in the United States and use Microsoft Exchange Servers, a security patch is highly recommended so as to maintain the security resilience of your critical infrastructures. All in all, security experts aligned with business goals and objectives must consistently run a system-wide check to ascertain the health of daily operational systems, including email servers and cloud storage systems.