News

Exchange Server Zero-Days Get Out-of-Band Security Patches

• By Kurt Mackie
• 03/03/2021

Microsoft has issued out-of-band security patches to address zero-day flaws affecting Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.

Organizations running those products are advised to patch immediately, as hackers are exploiting these flaws in active attacks.

Microsoft also released security updates for Exchange Server 2010 Service Pack 3, but it's described as a "defense in depth update" for that product, which fell out of support last year.

Update 3/5: For organizations not able to quickly update Exchange Servers with the out-of-band security patches, Microsoft has published these mitigation steps to take.

The Exchange Online service isn't a target of these attacks. The emergency security patches are just getting released for Exchange Server products installed on customers' premises.

Security Patches
An announcement by the Microsoft Security Response Center (MSRC) listed the Knowledge Base articles for the four out-of-band security patches as follows:

• CVE-2021-26855
• CVE-2021-26857
• CVE-2021-26858
• CVE-2021-27065

"We recommend prioritizing installing updates on Exchange Servers that are externally facing," the MSRC indicated. "All affected Exchange Servers should ultimately be updated," it added.

The initial attack uses Exchange Server's port 443, so some mitigation is enabled by restricting untrusted connections on that port or by using "a VPN to separate the Exchange Sever from external access."

The attackers are thought to be members of the "Hafnium" group, acting on behalf of China. They are aiming to gain access to information from industry sectors, "including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs," according to Tom Burt, Microsoft's corporate vice president of customer security and trust, in a Microsoft announcement.

Microsoft doesn't think that this attack is connected with the SolarWinds Orion software hack, Burt added. He credited researchers at Dubex and Volexity for discovering the Hafnium activity.

A more detailed description of the Hafnium attack methods on Exchange Server can be found in this announcement by Microsoft's security team members. It describes the vulnerabilities that are getting addressed. Hafnium is disguising the attacks, in part, by leveraging virtual private servers located in the United States, the security teams explained.

Attacks Discovered in January
Volexity, which posted a Tuesday announcement about the attacks, indicated that its Network Security Monitoring service had detected the Exchange Server zero-day attacks as early as "January 2021." Its investigators first thought that a backdoor had been installed to access Exchange Server e-mail data, but a subsequent "investigation revealed that the servers were not backdoored and uncovered a zero-day exploit being used in the wild."

Volexity described the exploit as a "zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855)," which was being used to steal mailbox content. The exploit can be remotely run and "does not require authentication of any kind."

"The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail," Volexity explained. The identity of the server's fully qualified domain name is needed, and then the attacker can send the server a series of requests to gain information. That information is used to send another server request, which will bypass authentication.