CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.
On 2 March 2021, Microsoft reported four critical vulnerabilities affecting Microsoft’s Exchange server – a software used by organisations worldwide to manage their email, scheduling and collaboration.
It was assessed that hackers had exploited these vulnerabilities to target organisations using the software as early as January 2021. This may have allowed the hackers to access email accounts, acquire data, and deploy malware onto target machines to maintain persistence, and further compromise victims’ networks.
This incident is not linked to the SolarWinds breach reported in December 2020, which exposed thousands of organisations to a tainted version of SolarWinds’ Orion network management platform. Nonetheless, it underscores how malicious threat actors, by targeting and exploiting widely used software, can compromise multiple organisations simultaneously, in one fell swoop.
EXPLOITATION OF MICROSOFT EXCHANGE SERVER VULNERABILITIES
On 2 March 2021, Microsoft released patches for four zero-day vulnerabilities affecting on-premises versions of Microsoft’s Exchange Server (2013, 2016, and 2019). The vulnerabilities do not directly affect the Exchange Online service or individual email accounts.
- CVE-2021-26855: A Server-Side Request Forgery (SSRF) vulnerability which allowed the hackers to trick the Exchange Server into running commands that it should never have been permitted to run, such as authenticating as the Exchange Server itself;
- CVE-2021-26857: This vulnerability allowed the hackers to run any code under the “SYSTEM” account (i.e. the Local System account) on the Exchange Server; however, it required administrator-level permission or another vulnerability in order to be exploited;
- CVE-2021-26858 and CVE-2021-27065: Upon successful authentication with the Exchange Server by exploiting CVE-2021-26855 or compromising a legitimate server administrator’s credentials, the hackers could use these vulnerabilities to access or modify parts of the server.
Several of these vulnerabilities were reported to Microsoft by security researchers in January 2021. It was later uncovered that hackers had actively exploited these vulnerabilities in-the-wild even before the disclosure. Microsoft’s public announcement and release of the necessary patches was followed by another wave of malicious activity targeting as-yet unpatched Exchange servers.
According to security blog Krebs on Security, “at least 30,000 U.S. organisations”, and “hundreds of thousands” of organisations worldwide were affected. These included small businesses, local governments, and large corporations that utilised Microsoft’s Exchange Server software. The hackers would have been able to access the email accounts of victims, and to install additional malware to facilitate long-term access to victim environments. Although many organisations have since installed the necessary patches, these patches only plug the initial vulnerabilities; they do not eliminate any follow-on backdoors that hackers may have installed on victims’ systems.
The initial wave of intrusions has been linked to a “highly skilled” and “sophisticated” threat actor. In addition, cybercrime gangs have piled on to leverage these vulnerabilities to launch ransomware attacks. In late March 2021, IT company Acer reportedly received a US$50 million ransom demand, after cybercriminals allegedly leveraged Exchange vulnerabilities to infect its systems with ransomware.
WHAT CAN WE LEARN FROM THIS INCIDENT?
This incident underscores the asymmetrical nature of cybersecurity – in which defenders have to protect all the systems, all the time, whereas attackers only have to find a single point of compromise to accomplish their objectives. This is further exacerbated by attackers scaling up their attacks through “supply chain attacks” – in which attackers can compromise trusted and widely used software to gain access to thousands of networks at once.
This incident also features multiple zero-day vulnerabilities, which are notoriously difficult to detect and protect against as they are able to evade most antivirus systems. Such threats highlight the importance of adopting a “defence in depth” approach to cybersecurity, in which organisations employ a series of layered defensive measures to protect their data and assets. Having multiple layers of security controls increases the likelihood that hackers can be swiftly detected and repelled, even after they have successfully breached a network.
Organisations that use Exchange servers are advised to immediately patch to the latest supported version released in March. To safeguard against potential backdoors which hackers may have installed, system administrators are also advised to monitor Exchange log files and Windows Application event logs for any signs of malicious activity.
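As an added illustration of the log monitoring recommended above (example code written for this bulletin, not CSA’s or Microsoft’s own tooling), the following checks two constructed samples: Exchange HttpProxy log rows for the CVE-2021-26855 pattern and Windows Application event records for the CVE-2021-26857 pattern, both as Microsoft described them in its 2 March 2021 blog. The log rows, event records, hostnames and IP addresses are all invented; real HttpProxy logs carry many more columns than shown.

```python
import csv
import io

# Constructed HttpProxy log excerpt (CSV with a header row, as Exchange writes them).
# Only the columns used below are included; values are invented for illustration.
SAMPLE_HTTPPROXY_LOG = """DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T10:15:01.123Z,req-1,198.51.100.10,/ecp/default.flt,,ServerInfo~a]@EXCH01.corp.example:444/autodiscover/autodiscover.xml?#
2021-03-03T10:16:44.456Z,req-2,203.0.113.7,/owa/auth/logon.aspx,,
2021-03-03T10:17:12.789Z,req-3,192.0.2.25,/mapi/emsmdb/,CORP\\jdoe,jdoe@corp.example
"""

# Constructed Windows Application event records (field names mirror PowerShell's
# Get-EventLog output); only the second record is an invented benign entry.
SAMPLE_APP_EVENTS = [
    {"TimeCreated": "2021-03-03T10:15:05Z", "Source": "MSExchange Unified Messaging",
     "EntryType": "Error",
     "Message": "Exception: System.InvalidCastException: Unable to cast object of type ..."},
    {"TimeCreated": "2021-03-03T10:20:00Z", "Source": "MSExchange ADAccess",
     "EntryType": "Warning", "Message": "Topology discovery took longer than expected."},
]


def find_ssrf_indicators(log_text: str) -> list:
    """Return HttpProxy rows matching the CVE-2021-26855 indicator Microsoft published:
    an unauthenticated request whose AnchorMailbox starts with 'ServerInfo~' and
    contains a '/' (a legitimate anchor is a mailbox address, not a server path)."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        anchor = row.get("AnchorMailbox", "") or ""
        if (row.get("AuthenticatedUser", "") == "" and anchor.startswith("ServerInfo~")
                and "/" in anchor):
            hits.append({"DateTime": row["DateTime"],
                         "ClientIpAddress": row["ClientIpAddress"],
                         "AnchorMailbox": anchor})
    return hits


def find_um_deserialization_errors(events: list) -> list:
    """Return Application log errors from the Unified Messaging service that mention
    System.InvalidCastException, the CVE-2021-26857 indicator Microsoft published."""
    return [e for e in events
            if e["Source"] == "MSExchange Unified Messaging"
            and e["EntryType"] == "Error"
            and "System.InvalidCastException" in e["Message"]]


if __name__ == "__main__":
    for hit in find_ssrf_indicators(SAMPLE_HTTPPROXY_LOG):
        print("Possible CVE-2021-26855 exploitation:", hit)
    for ev in find_um_deserialization_errors(SAMPLE_APP_EVENTS):
        print("Possible CVE-2021-26857 exploitation:", ev["TimeCreated"])
```

A match is a prompt to investigate further, not proof of compromise on its own; on a live server, point the CSV reader at the files in Exchange’s HttpProxy logging folder instead of the embedded sample.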
For further details and mitigation techniques, please refer to SingCERT’s online advisory on Microsoft Exchange Product Vulnerabilities.
Sources: Microsoft Security Blog, Krebs on Security, ESET, ZDNet, Bleeping Computer