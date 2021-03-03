



Microsoft has released security updates for Exchange Server to protect users from vulnerabilities in on-premises versions of the software, with the China-based state-sponsored actor Hafnium being the primary group behind the exploits. The vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 affect Microsoft Exchange Server 2013, 2016 and 2019, and are part of an attack chain that begins with the ability to make an untrusted connection to the Exchange server on port 443. At this time, Exchange Online is not affected.

According to a blog post by Tom Burt, Microsoft's vice president for customer security and trust, the group behind the exploits has been named Hafnium by the Microsoft Threat Intelligence Center (MSTIC); it has previously targeted U.S. entities. In the past, Hafnium has gathered information from infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-governmental organizations. Although it is based in China, it conducts its operations primarily from virtual private servers leased in the United States.

In the case of the Exchange Server exploits, the attack chain begins with the actor gaining access to an Exchange server, either with stolen passwords or by using the vulnerabilities to disguise itself as someone who should have access. Next, the actor creates a web shell to control the compromised server remotely. It then uses that access, run through the U.S.-based private servers, to steal data.

While the initial step can be blocked by restricting untrusted connections or by placing the Exchange server behind a VPN to separate it from external access, the rest of the chain can still occur if an actor already has access, or if they can persuade an administrator to run a malicious program. For users who want to check whether they have been compromised, Microsoft has recommended scanning the Exchange log files for signs of a breach.

To identify signs of CVE-2021-26855 exploitation, look for log entries with an empty AuthenticatedUser and an AnchorMailbox containing the pattern ServerInfo~*/*. Meanwhile, exploitation of CVE-2021-26858 can be found in the Exchange log file C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog. Evidence of CVE-2021-26857 exploitation will be found in the Windows Application event log, in events with the following properties, according to Microsoft:

Source: MSExchange Unified Messaging
EntryType: Error
Event message contains: System.InvalidCastException
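As an added example that is not part of the article or of Microsoft's own tooling, the following script triages an exported Exchange HttpProxy log for the CVE-2021-26855 indicator described above (empty AuthenticatedUser plus an AnchorMailbox matching ServerInfo~*/*). The sample log is constructed, and the exact column set is an assumption; the parser takes column names from the log's own #Fields header, so it tolerates a different layout.

```python
"""Triage an Exchange HttpProxy log export for the CVE-2021-26855 indicator:
an empty AuthenticatedUser together with an AnchorMailbox matching ServerInfo~*/*.
Added example, not Microsoft's code; the field layout below is an assumption."""
import csv
import fnmatch
import io

# Constructed sample in the comment-header-plus-CSV layout Exchange logs use:
# lines starting with '#', a '#Fields:' line naming the columns, then data rows.
# Only a handful of columns are shown; real logs carry many more.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-02T10:15:01.000Z,203.0.113.5,/autodiscover/autodiscover.xml,,ServerInfo~mail.example.test/autodiscover/autodiscover.xml
2021-03-02T10:15:07.000Z,198.51.100.10,/owa/,alice@example.test,alice@example.test
2021-03-02T10:16:30.000Z,203.0.113.5,/ecp/,,ServerInfo~localhost/ecp/DDI/DDIService.svc
2021-03-02T10:17:00.000Z,192.0.2.77,/mapi/emsmdb/,bob@example.test,ServerInfo~mail.example.test/mapi/emsmdb/
"""

# Glob pattern quoted by Microsoft for this CVE; '*' matches any run of characters.
INDICATOR = "ServerInfo~*/*"


def parse_httpproxy_log(text):
    """Yield one dict per data row, keyed by the column names from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip():
            continue  # other header comments and blank lines carry no data
        elif fields:
            row = next(csv.reader(io.StringIO(line)))
            yield dict(zip(fields, row))


def find_suspicious_requests(text):
    """Return rows with no authenticated user whose AnchorMailbox matches the indicator."""
    hits = []
    for row in parse_httpproxy_log(text):
        if row.get("AuthenticatedUser", "").strip():
            continue  # an authenticated request does not match this indicator
        if fnmatch.fnmatchcase(row.get("AnchorMailbox", ""), INDICATOR):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"], hit["AnchorMailbox"])
```

Only two of the four constructed rows are reported: the authenticated request from bob, whose AnchorMailbox also matches the pattern, is correctly left out, so the empty AuthenticatedUser is essential to the check.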

As for the last vulnerability, CVE-2021-27065, evidence of its exploitation can be found in the Exchange log file C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server, with Microsoft noting that Set-VirtualDirectory properties should never contain a script, and that InternalUrl and ExternalUrl should only ever be valid URIs. Microsoft added that the Exchange Server exploits are unrelated to the SolarWinds attacks at the end of last year, and that it has so far seen no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft's own products and services.
