On March 2, 2021 Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server.
Over the next few days, over 30,000 organisations in the US were attacked as hackers used several Exchange vulnerabilities to gain access to email accounts and install web shell malware, giving the cyber criminals ongoing administrative access to the victims' servers.
On the same day, Microsoft announced they suspected the attacks were carried out by a previously unidentified Chinese hacking group they dubbed Hafnium. According to the Microsoft Threat Intelligence Center (MSTIC), Hafnium is suspected to be state-sponsored and operating out of China, primarily targeting organisations in the United States across multiple industry segments and operating primarily via leased virtual private servers (VPSs) in the U.S.
Microsoft has released updates addressing Exchange Server versions 2010, 2013, 2016, and 2019. The software vulnerabilities involved include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065—together, these are commonly referred to as ProxyLogon.
According to Gartner analyst Peter Firstbrook, what the hackers are really looking for is a rich attack environment, and targeting on-premises software in organisations that don’t pay much attention to legacy software updates is fertile ground.
“A lot of customers have already moved to online Exchange, at least the more savvy customers have. That leaves behind the late adopters and less mature organisations that just keep carrying on with the old platforms. This is the richest attack environment,” Firstbrook said.
“These people are busy running their businesses and are not paying attention. They have IT generalists running Exchange instead of specialised admins. That is why Microsoft is trying to get everyone to pay attention to this hack, because this community tends not to pay attention to these things on a day-to-day basis.”
The hackers' endgame is not the on-premises servers they put web shells in, but setting themselves up for future attacks of higher value targets those servers may be connected to, said Firstbrook.
“Even if these organisations are not the primary target, they can be a conduit to other organisations they are connected to," he said. "For example, if I can hack into your Exchange server and your customer is the Defence department, then I can impersonate you and send phishing messages to the Defence department.
"Since it all looks legit and coming from the right server, it can be very tough to identify this as a threat. The hackers are setting themselves up with a rich attack infrastructure to go after other higher-value targets. The people who got infected may not be the ultimate target."
Here's how the hack has played out so far.
Exchange Server hack timeline
January 3, 2021: Cyber espionage operations against Microsoft Exchange Server begin using the Server-Side Request Forgery (SSRF) vulnerability CVE-2021-26855, according to cyber security firm Volexity.
January 5: Researcher Cheng-da Tsai ("Orange Tsai") and security firm Devcore disclose related vulnerabilities to Microsoft. The timing results in some speculation about whether the exploit leaked from Devcore or Microsoft, BankInfoSecurity later reported.
February 26-27: Earlier targeted exploits turn global as Hafnium hackers accelerate the back-dooring of vulnerable servers.
March 2: Microsoft releases an emergency security update to plug the four flaws in Exchange Server ver. 2013-2019 to counter the Hafnium attack.
March 2: Microsoft Threat Intelligence Center (MSTIC) announces Chinese Hacker Group Hafnium was responsible for the attack targeting on-premises Exchange Software.
March 3: The Cybersecurity and Infrastructure Security Agency (CISA) issues Emergency Directive 21-02 for all federal agencies to disconnect from Microsoft Exchange on-premises servers and begin incident response procedures.
March 5: Microsoft recommends customers investigate Exchange deployments to ensure they are not compromised.
March 6: The Wall Street Journal reports the Exchange Server hack may have infected up to 250,000 organisations.
March 7: Hackers attack Exchange servers at European Banking Authority. "Access to personal data through emails held on [those] servers may have been obtained by the attacker…. As a precautionary measure, the EBA has decided to take its email systems offline," the EBA announced.
March 5-8: Microsoft sees increased attacks by malicious actors beyond Hafnium, also targeting the vulnerabilities the Chinese group exploited.
March 8: The CISA issues an alert recommending five steps organisations can take to address Exchange vulnerabilities immediately. The process starts with creating a forensic image of the system.
March 10: ESET Research finds 10 Advanced Persistent Threat (APT) cyber crime groups are exploiting the Exchange flaws for various purposes. This includes groups known as LuckyMouse, Calypso, TontoTeam, and DLTMiner.
March 10: According to Reuters, up to 60,000 Exchange Servers in Germany are exposed to Exchange Server vulnerabilities.
March 13: CISA adds seven Malware Analyst Reports (MARs) to identify webshells associated with Exchange vulnerabilities.
March 11-15: According to Check Point Software's observations, the number of attempted Exchange attacks increased 10X, from 700 to 7,200 in these four days.
March 15: Microsoft releases a "one-click" On-Premises Mitigation Tool to assist customers who do not have dedicated IT security to apply updates to Exchange Server.
March 18: Microsoft announces their Defender Antivirus and System Center Endpoint Protection now automatically mitigates CVE-2021-26855 on any vulnerable server.
March 22: Researchers from F-Secure report thousands of cyber attacks continue daily due to unpatched Exchange vulnerabilities. They state that only half of Exchange Servers visible on the internet have applied required patches.
March 31: CISA releases supplemental direction on Emergency Directive for Exchange Server Vulnerabilities.
April 13: The Department of Justice announced that the FBI was granted a search and seizure warrant by a Texas court that allows the agency to copy and remove web shells from hundreds of on-premises Microsoft Exchange servers owned by private organisations.
April 22: Cybereason researcher Lior Rochberger releases an extensive report showing how the Promotei cryptocurrency botnet has exploited the Exchange vulnerabilities to install crypto mining software for Monero coins.
Looking forward: The case for auto-updates, API security
According to Gartner's Firstbrook, in the case of Exchange in particular, the very people who use on-premises servers to do business as usual and don’t want to deal with managing updates are the very ones who need to take advantage of auto updates.
“The issue is patchable, but a lot of people Microsoft is trying to contact are not paying attention. All these people should be in online Exchange but are not. If you can’t patch an on-premises server, you should move to the cloud.” he said. ‘But for a small mom-and-pop shop, that costs a lot of money and may not be practical for them.”
Looking to the future, the emerging use of Application Programming Interfaces (APIs) as a way to interconnect web infrastructure platforms, apps, and systems is a new area of security vulnerability and risk exposure that organisations simply are not paying attention to, Firstbrook argued. (CVE-2021-26855 involves a SSRF request aimed specifically at the Exchange Web Services API endpoint.)
“The initial Exchange attack was on an API. So was the SolarWinds attack. Most organisations are not paying attention to these APIs,” Firstbrook said.
“Every major SaaS app has robust APIs, and there is a whole reseller community that uses APIs to integrate platforms. So instead of attacking Salesforce, they go after a small vendor doing the API. Both the Exchange and SolarWinds cases were API flaws or improper management of credentials.”
Firstbrook believes the shift away from traditional software development to a more containerised and service-oriented approach will increase criminals' focus on APIs.
“We will probably see more attacks on APIs in the coming years. No organisation has someone in charge of API security, and there is not a big API security marketplace. That will be a future area of investment—to invest in people, tools, and processes to better understand and protect those corporate APIs,” he said.
“That is a rich attack vector we really haven’t been paying attention to.”