In this article:
What is the Microsoft Exchange compromise?
On March 2, Microsoft released patches to address four severe vulnerabilities in Microsoft Exchange Server software. Media reports indicate that up to 100K servers might have been affected. Most zero-day attacks are quickly patched and remediated given Microsoft's emergency patches. We believe this is why we have seen little scan/detection data in the field from a signals perspective.
While the risk has largely been mitigated at this moment, we will continue to see a small number of orgs that did not apply the known patches, and we will continue to monitor for new instances. At this time, our scans indicate that the current number of impacted systems is in the hundreds. The move to cloud-based Office 365 also seems to have reduced the scale of this attack, which only impacts on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 installations. Here are more details on the four Microsoft CVEs:
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
What actions has SecurityScorecard taken?
- Our Threat Intelligence and Information Security teams scanned for evidence of the breach, and SecurityScorecard has identified hundreds of services affected by these vulnerabilities.
- An Atlas questionnaire has been added to address these CVEs for our customers to use internally and with tracked companies.
- We will identify breaches related to the MS Exchange attack and CVEs that impact our customers and the scorecards of companies they follow, for both paid and freemium customers.
- SecurityScorecard has added the CVEs into the platform.
How do we access the CVE information?
- Log into your SecurityScorecard account
- Select a Portfolio
- Use the Critical Vulnerabilities filter to access the Microsoft Exchange Server (CVE-2021-26855)
Who can I contact for more information?
Please contact your customer success manager or support@securityscorecard.io for any additional information.