Chinese cyberespionage group hacks US organizations with Exchange zero-day flaws

Microsoft has released emergency patches for four previously unknown vulnerabilities in Exchange Server that a cyberespionage group was exploiting to break into organizations. The flaws allow the extraction of mailbox contents and the installation of backdoors on vulnerable servers.

Microsoft attributes the attacks to a Chinese APT group dubbed Hafnium that has a history of exploiting vulnerabilities in internet-facing servers and targeting Office 365 users. The group has targeted entities in the US including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Authentication bypass

The attacks were initially spotted in January by researchers from security firm Volexity after observing unusual connections and data transfers to suspicious IP addresses from the Exchange servers of some of its customers. A subsequent investigation revealed suspicious POST requests to legitimate resources on the Exchange servers, leading the researchers to suspect they had been backdoored.

It turned out, however, that those particular servers had not been backdoored and the attackers were leveraging a zero-day server-side request forgery (SSRF) vulnerability—now tracked as CVE-2021-26855—to bypass authentication and extract the contents of user mailboxes available on the servers.

“The attacker was using the vulnerability to steal the full contents of several user mailboxes,” the Volexity researchers said in a report. “This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract email.”

This vulnerability has limitations depending on how the Exchange server was configured. If all the Exchange functionality is running on a single server, attackers need the user’s domain security identifier (SID) to access their mailbox. While this value is not considered secret, it’s hard to obtain it without access to the organization’s internal environment, the researchers said.

However, this Exchange configuration is not very common, as organizations typically split the Exchange functionality across multiple servers for load balancing, availability and other reasons. In such a multi-server setup where the servers are configured in a Database Availability Group (DAG), the attacker doesn’t need the user’s domain SID to access their mailbox.

Remote code execution

Further monitoring led the researchers to discover additional attacks at other organizations where the hackers combined this SSRF flaw with another unknown vulnerability that allows for remote code execution. This vulnerability, now tracked as CVE-2021-27065, was being used to write ASPX Web shells on the servers. This gave attackers a foothold from which they conduct further attacks such as credential dumbing, adding rogue user accounts, stealing Active Directory databases and moving laterally. The researchers observed both new and known webshells being used including SIMPLESEESHARP, SPORTSBALL, China Chopper and ASPXSPY, as well as typical system administration tools like Sysinternals PsExec and ProcDump, the WinRAR command utility and commands to drop the process memory of lsass.exe.

“While the attackers appear to have initially flown largely under the radar by simply stealing emails, they recently pivoted to launching exploits to gain a foothold,” the researchers said. “From Volexity’s perspective, this exploitation appears to involve multiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and further backdooring systems.”

Microsoft describes CVE-2021-27065 as an arbitrary file write vulnerability and has identified an additional one used as part of the attack chain that it tracks as CVE-2021-26858. These two arbitrary file write flaws require authentication, but attackers can achieve that by exploiting the SSRF issue or by using stolen credentials.

Additionally, the company identified an insecure deserialization vulnerability in the Unified Messaging service (CVE-2021-26857) that can be exploited to achieve remote code execution with SYSTEM privileges on a vulnerable server. This vulnerability requires administrator permissions to exploit.

Mitigating the Microsoft Exchange Server zero-day flaws

Microsoft advises organizations to deploy the newly released Exchange Server updates as soon as possible. Both Microsoft and Volexity have released indicators of compromise that can be used to detect if such attacks have occurred in an organization.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” Tom Burt, Microsoft’s corporate vice president for Customer Security & Trust, said in a blog post. “Promptly applying today’s patches is the best protection against this attack.”