By Tim Boivin
The breadth and depth of the multiple zero-day vulnerabilities being used to attack Microsoft Exchange servers around the world continues to swell with each passing day – already impacting anywhere from 20,000 to 30,000 organizations in the U.S. alone.
Adversaries can exploit these vulnerabilities to compromise networks and steal information, encrypt data for ransom, or launch other destructive attacks.
Organizations using Total Access Control (TAC) are not affected.
That is because the Server-Side Request Forgery (SSRF) cited in CVE-2021-26855 requires anonymous access to Exchange, something TAC does not allow.
The victims of the Hafnium Exchange hack run the gamut of vertical industries, including city and county governments, healthcare providers, banks and financial institutions, retailers, a university, an engineering firm, a telecom, and residential electricity providers, according to news reports. In Europe, the European Banking Authority took its email systems offline as a precautionary measure before restoring them.
As of March 5th, Huntress Labs was reporting that at least 800 Exchange servers around the world remained unpatched and “without the hotfix for an up-to-date CU version number.”
The anonymous SOAP request presented to the Exchange Server uses specially crafted cookies and bypasses authentication to execute the underlying request specified in the XML, allowing an attacker to then perform any operation on the user’s mailbox.
However, TAC requires all users to authenticate first to gain access to any server for which it is controlling access requests. In addition, TAC requires user authentication for access requests to the Exchange Web Service (EWS) API endpoint as well.
Thus, the anonymous, arbitrary HTTP requests used in this attack would be stopped at TAC, since the attacker cannot authenticate to either the Exchange server or the EWS endpoint.
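As an added example (not part of the original post and not TAC product code), the following Python script turns the point above into a hunting check: it parses IIS W3C logs from the Exchange front end and flags anonymous requests to ECP or EWS that were answered with a 2xx, because a gateway that insists on authentication should leave no such entries. The log lines and client addresses are constructed for illustration.

```python
"""Hunt IIS W3C logs for anonymous 2xx requests to Exchange ECP/EWS endpoints."""
from collections import Counter

# Front-end paths that should only ever answer authenticated callers. Anonymous
# 401s there are the normal auth challenge; anonymous 2xx responses are not.
WATCHED_PREFIXES = ("/ecp/", "/ews/")

# Constructed sample log in IIS W3C format (not from a real server);
# client addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-03 10:01:09 10.0.0.5 POST /ews/exchange.asmx - 443 CONTOSO\jdoe 198.51.100.7 Mozilla/5.0 200
2021-03-03 10:02:41 10.0.0.5 POST /ecp/ - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-03 10:02:45 10.0.0.5 POST /ews/exchange.asmx - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-03 10:03:00 10.0.0.5 POST /ews/exchange.asmx - 443 - 198.51.100.8 Mozilla/5.0 401
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_anonymous_hits(text):
    """Return entries for anonymous (cs-username '-') 2xx requests to ECP/EWS."""
    hits = []
    for entry in parse_w3c(text):
        stem = entry["cs-uri-stem"].lower()
        anonymous = entry["cs-username"] == "-"
        succeeded = entry["sc-status"].startswith("2")
        if anonymous and succeeded and stem.startswith(WATCHED_PREFIXES):
            hits.append(entry)
    return hits


def hits_by_client(text):
    """Count flagged requests per client IP, for triage."""
    return Counter(h["c-ip"] for h in find_anonymous_hits(text))
```

On the sample, only the two requests from 203.0.113.9 are flagged; the authenticated EWS call and the anonymous 401 challenge are left alone.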
As with any security technology, organizations must not allow improperly secured alternate pathways to resources. These can take the form of direct access to resources from the local network, or other avenues like RDP or VPN connectivity that could bypass the strong protections offered by Total Access Control.
Because of the widespread and indiscriminate exploitation of these vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) recommends that all Exchange Server system owners complete the following steps:
- If you have the capability, follow the guidance in CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities to create a forensic image of your system.
- Check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities.
- Immediately update all instances of on-premises Microsoft Exchange that you are hosting.
- If you are unable to immediately apply updates, follow Microsoft’s alternative mitigations in the interim.
  Note: these mitigations are not an adequate long-term replacement for applying updates; organizations should apply updates as soon as possible.
- If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity.
  Note: Responding to IOCs is essential to evict an adversary from your network and therefore needs to occur in conjunction with measures to secure the Microsoft Exchange environment.
Senior leadership should ask their IT teams:
- What steps they have taken to address these potential vulnerabilities.
- Whether the organization has the technical capability to follow the guidance cited above.
- If it doesn’t have that capability, whether third-party IT security support has been requested.
CISA also says that leaders should request frequent updates from in-house or third-party IT personnel on the progress that is being made in implementing the guidance outlined above until it is completed.
Please don’t hesitate to contact us at firstname.lastname@example.org to learn how TAC can protect your attack surface from the kinds of zero-day vulnerabilities that led to the Hafnium Exchange attacks.