RedSeal Cyber Threat Series
Multiple news sources, security researchers and security agencies have reported on a new attack against tens, if not hundreds, of thousands of Internet-accessible Exchange servers configured for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Outlook Web App (OWA) access. These attacks are being carried out by the Chinese nation-state-sponsored hacking group known as Hafnium.
The exploit chains four zero-day vulnerabilities in Microsoft Exchange software: three in Exchange itself and one in Unified Messaging Services.
The four Zero Day Microsoft CVEs are as follows:
• CVE-2021-26855 – allows an attacker to send specific HTTP requests and authenticate to the Exchange Server
• CVE-2021-26857 – insecure deserialization in Unified Messaging allows remote code execution on the Exchange server
• CVE-2021-26858 – post authentication arbitrary file write vulnerability in Exchange
• CVE-2021-27065 – post authentication arbitrary file write vulnerability in Exchange
The result is a persistent web shell that allows attackers to steal data and perform other malicious actions.
RedSeal customers should:
1) Track the Hosts that the vulnerability scanner identifies as Exchange servers (this example was done with Rapid7 data).
2) Report (to inventory) the hosts that have any of the four vulnerabilities required for this exploit.
3) Report on the access from subnets designated as Internet to Exchange servers via TCP 443.
4) (optional) Report on the access from ALL subnets to Exchange servers via TCP 443.
All of these actions will be performed using the RedSeal Java UI.
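The four steps above amount to one join: the scanner's Exchange hosts, their reported CVEs, and the access results on TCP 443. The following is an added example of that join in Python, not RedSeal's own code; the scanner and access records are constructed sample data in an assumed export shape, not real Rapid7 or RedSeal output.

```python
"""Prioritise Exchange hosts for the Hafnium zero-days from scanner and access data."""

# The four CVEs the advisory lists; a host needs any one of them to be of interest.
HAFNIUM_CVES = {"CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"}

# Step 1 input: constructed scanner records (assumed shape, not real Rapid7 data).
SCAN_RECORDS = [
    {"host": "10.0.1.10", "role": "Microsoft Exchange Server", "cves": ["CVE-2021-26855", "CVE-2021-27065"]},
    {"host": "10.0.1.11", "role": "Microsoft Exchange Server", "cves": []},
    {"host": "10.0.2.20", "role": "Microsoft Exchange Server", "cves": ["CVE-2021-26857"]},
    {"host": "10.0.3.30", "role": "Windows File Server", "cves": ["CVE-2021-26855"]},
]

# Steps 3/4 input: constructed access results as (source subnet, destination host, protocol, port).
ACCESS_RESULTS = [
    ("Internet", "10.0.1.10", "tcp", 443),
    ("Internet", "10.0.1.11", "tcp", 443),
    ("10.0.9.0/24", "10.0.2.20", "tcp", 443),
    ("Internet", "10.0.2.20", "tcp", 25),   # SMTP, not OWA: must not count
]

def exchange_hosts(records):
    """Step 1: hosts the scanner identifies as Exchange servers."""
    return {r["host"] for r in records if "exchange" in r["role"].lower()}

def vulnerable_exchange_hosts(records):
    """Step 2: Exchange hosts carrying any of the four CVEs, mapped to the matching CVEs."""
    hosts = exchange_hosts(records)
    return {r["host"]: sorted(HAFNIUM_CVES & set(r["cves"]))
            for r in records if r["host"] in hosts and HAFNIUM_CVES & set(r["cves"])}

def owa_reachable(access, hosts, sources=None):
    """Step 3 (sources={'Internet'}) or step 4 (sources=None, i.e. all subnets):
    which of `hosts` are reachable on TCP 443, mapped to the source subnets that reach them."""
    out = {}
    for src, dst, proto, port in access:
        if dst in hosts and proto == "tcp" and port == 443 and (sources is None or src in sources):
            out.setdefault(dst, set()).add(src)
    return out

def prioritise(records, access):
    """Join the views: vulnerable Exchange hosts the Internet can reach on 443 are listed first."""
    vuln = vulnerable_exchange_hosts(records)
    from_internet = owa_reachable(access, set(vuln), {"Internet"})
    from_any = owa_reachable(access, set(vuln))
    return [{"host": h, "cves": vuln[h], "internet_exposed": h in from_internet,
             "reachable_from": sorted(from_any.get(h, ()))}
            for h in sorted(vuln, key=lambda h: (h not in from_internet, h))]

if __name__ == "__main__":
    for row in prioritise(SCAN_RECORDS, ACCESS_RESULTS):
        print(row)
```

A patched Exchange host that is still Internet-reachable on 443 (10.0.1.11 here) is deliberately left out of the priority list: it is an OWA exposure, not a Hafnium finding.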
For additional details, contact your RedSeal sales representatives or email firstname.lastname@example.org