HAFNIUM Targeting Exchange Servers with Zero-Day Exploits

Exploitation of on-premises Microsoft Exchange Server products using zero-day exploits has been reported since around the 3rd of March. When successfully exploited, these allow an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, giving the attacker persistent system-level access to the server, access to mailboxes, and access to credentials held on the Exchange server.

Vulnerabilities

Microsoft has highlighted four specific vulnerabilities as being used in the exploitation of these servers:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability. It allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialisation vulnerability in the Unified Messaging service. Insecure deserialisation is where untrusted user-controllable data is deserialised by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

How to Determine if you Have Been Compromised

Microsoft has released several scripts on its GitHub page, which can be found here. Run the Test-ProxyLogon.ps1 script, which scans for known IoCs and highlights any potential exploitation, giving you a quick indication of whether a compromise may have occurred.

Admin