Microsoft has released emergency patches for Exchange

Microsoft has released emergency patches for four 0-day vulnerabilities found in the code of the Exchange mail server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

The company warned that Chinese hackers from the Hafnium group are already exploiting these problems. For starting the attack, hackers only need to gain access to the local Microsoft Exchange server on port 443.

  • CVE-2021-26855 – SSRF vulnerability that allowed sending arbitrary HTTP requests and bypassing authentication.
  • CVE-2021-26857 – Unified Messaging deserialization issue. Using this bug gave a hacker the ability to run code with SYSTEM privileges on the Exchange server. For the exploit to work properly, administrator rights or another vulnerability were required.
  • CVE-2021-26858 – An arbitrary file write vulnerability (after authentication with Exchange).
  • CVE-2021-27065 is another random file write vulnerability (also after authenticating with Exchange).

Previously, this hack group attacked various American organizations, including infectious disease researchers, law firms, higher education institutions, defence contractors, political think tanks and NGOs.

The newest Hafnium attacks were recorded as early as 2021, and they exploited all four zero-day vulnerabilities in Exchange.

The hackers used these bugs as links in an exploit chain that involved bypassing authentication, gaining administrator privileges, and then installing an ASPX web shell on compromised servers.Microsoft representatives said.

Having secured themselves on the Exchange server, the criminals stole the contents of mailboxes and address books, transferring this information to their remote server (most often file hosting services such as Mega were used for this purpose).

The first attacks on their clients’ servers were discovered by Volexity specialists, who have already prepared their own report on this malicious campaign. Microsoft also reports that it received a warning about the attacks from Danish firm Dubex experts.

Along with the listed above vulnerabilities in Exchange, the developers have fixed three other errors (CVE-2021-27078, CVE-2021-26854 and CVE-2021-26412) discovered during the incident investigation.

Microsoft engineers recommend that administrators install patches as soon as possible, or at least secure port 443 from possible attacks.

Let me remind you that I talked about the fact that Microsoft left open one of the internal servers of the search engine Bing.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *