Mitigate Microsoft Exchange Server Vulnerabilities

On March 2, 2021, Microsoft announced a series of zero-day exploits targeted towards on-premises Exchange servers, compromising organization email accounts and resulting in remote code execution. The exploits were believed by Microsoft to be facilitated by a state-sponsored China-based group, known as HAFNIUM.

CVE IDs have been assigned to the discovered vulnerabilities as follows:

The affected systems include Microsoft Exchange Server 2013, 2016, and 2019.

The vulnerabilities allow attackers to authenticate as the Exchange server via arbitrary HTTP requests, using a server-side request forgery (SSRF) vulnerability; abuse insecure deserialization in the Unified Messaging service to run code as SYSTEM on an Exchange server (requires administrator access to exploit); and write files to the system arbitrarily after authentication via one of the other vulnerabilities.

Upon exploitation of these vulnerabilities, HAFNIUM deployed webshells on compromised systems to maintain access and full remote code execution, a list of which are found along with other IOCs on Microsoft’s official threat disclosure page for the incident.

US CISA has also released a page disclosing observed behavior, IOCs, and tactics regarding the incident, including those disclosed on Microsoft’s, Volexity’s, and other announcements.

Recommended actions for organizational systems that may be affected are threat hunting, using the provided IOCs, and if present, deploying remediation protocols such as isolating infected hosts from the network, removing all traces of persistence and exploitation, and patching the servers (reimaging if necessary). Microsoft’s Security Response Center released an update with the necessary patches, as well as instructions for remediation and recovery.

Get In Touch 

Call us at (833) 292-1609 or email us at sales@tevora.com 

About the Author

Matt Mosley is the Director of Incident Response at Tevora.