Reference:
Advisory #2021-0003
Version:
1.2 (Updated on 16 March 2021)
Affected software:
Microsoft Exchange Server 2010 (out of support, but being updated for Defence-in-Depth purposes)
Microsoft Exchange Server 2013, 2016 and 2019
Type:
Zero-day, vulnerabilities chain leading to remote code execution
CVE/CVSS:
Microsoft’s blog - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
IOCs and more context (Updated by Microsoft on 8 March 2021) - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Frequently Asked Questions (Updated by Microsoft on 8 March 2021) - https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
Extensive Incident Response guide (Updated by Microsoft on 16 March 2021) - https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.
In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments. All of this could be done without any need for authentication.
UPDATE 16/03/2021: It has been determined that malicious actors are installing web shells on vulnerable systems.
Organisations and companies that do not take action can become the victim of ransomware or data exfiltration.
Microsoft has released several security updates for Microsoft Exchange Server to address vulnerabilities that have been used in limited targeted attacks.
Microsoft's report identifies 4 of the 7 patched vulnerabilities as having been used in these attacks.
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 & CVE-2021-27065 are post-authentication arbitrary file write vulnerabilities in Exchange. Authentication is possible by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
The following CVEs are not related to the attacks but should be patched as well: CVE-2021-26412, CVE-2021-26854 and CVE-2021-27078.
CERT.be recommends prioritizing the installation of updates (Updated on 8 March 2021) on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated with the highest priority.
After patching, Exchange administrators can run the Health Checker script to determine the status of each Exchange server.
Then remove all web shells found on the servers.
Overview of all the steps to be followed: Multiple Security Updates Released for Exchange Server - updated March 12, 2021 - Microsoft Security Response Center
Update 16/03/2021: Microsoft has launched a tool that automates the mitigation for customers with little expertise. One-Click Microsoft Exchange On-Premises Mitigation Tool - March 2021 - Microsoft Security Response Center
Companies and organisations that experience difficulties with these steps are advised to hire an ICT partner or external expert to perform these actions.
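The "remove all web shells" step presupposes finding them first. The following Python triage scan is an added example, not code from the advisory or from Microsoft's tooling: it walks a web root and flags ASP.NET files that were written recently or contain content typical of web shells. The file extensions, the 7-day window, the sample paths under owa/auth and ecp, and the indicator patterns are assumptions chosen for this example.

```python
# Added example (not from the advisory): extensions, time window, sample paths
# and indicator patterns below are assumptions, not values from the advisory.
import os
import re
import tempfile
import time
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}
# Heuristic content indicators (assumed): JScript page, eval of request input,
# the "unsafe" eval flag, or server-side code that spawns a shell process.
INDICATORS = {
    "jscript_page": re.compile(rb'Language\s*=\s*"JScript"', re.I),
    "eval_of_request": re.compile(rb'eval\s*\(\s*Request', re.I),
    "unsafe_eval": re.compile(rb'"unsafe"', re.I),
    "process_spawn": re.compile(rb'ProcessStartInfo|cmd\.exe|powershell', re.I),
}
def scan_tree(root, since_epoch):
    """One finding per web file newer than since_epoch or matching an indicator."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue  # only ASP.NET-executable files are of interest
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hits = sorted(k for k, pat in INDICATORS.items() if pat.search(data))
            recent = os.path.getmtime(path) >= since_epoch
            if recent or hits:  # record which criterion fired for the analyst
                findings.append({"path": os.path.relpath(path, root),
                                 "recent": recent, "indicators": hits})
    return findings

def demo():
    """Scan a constructed sample web root with a 7-day window."""
    root = tempfile.mkdtemp()
    month_ago = time.time() - 30 * 86400  # benign page last written a month ago
    samples = {  # constructed files: (content, mtime or None for "now")
        "owa/auth/logon.aspx": (b'<%@ Page Language="C#" %><html>Sign in</html>', month_ago),
        "owa/auth/sample-shell.aspx": (b'<%@ Page Language="JScript" %>\n<!-- constructed, '
                                       b'non-functional: eval(Request.Item, "unsafe") -->', None),
        "ecp/readme.txt": (b"not a web page", None),
    }
    for rel, (content, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return scan_tree(root, time.time() - 7 * 86400)
```

Pass scan_tree the Exchange web root and a timestamp just before the first suspected exposure; review every flagged file by hand, since both criteria are heuristics and a clean scan does not prove the absence of a web shell.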
For more information on how to check your environment and use the IOCs: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ (Updated by Microsoft on 8 March 2021)
For more information on how to investigate and remediate (Updated by Microsoft on 16 March 2021): Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities – Microsoft Security Response Center
Webcast from Microsoft: https://aka.ms/EMEAExchangeOOBMarch2021PM
Slides for this webcast: https://aka.ms/ExOOB
Updated slides on 9 March 2021: https://webcastdiag864.blob.core.windows.net/2021presentationdecks/March%202021%20Exchange%20Server%20Security%20Update%20-%20EN.pdf