Microsoft has released emergency patches for four zero-day vulnerabilities in on-premises Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).
The company warned that the Chinese hacker group Hafnium is already exploiting these flaws. To start an attack, the attackers only need to be able to reach an on-premises Microsoft Exchange server over port 443 (HTTPS); the first bug in the chain requires no credentials.
- CVE-2021-26855 – a server-side request forgery (SSRF) vulnerability that let an unauthenticated attacker send arbitrary HTTP requests to the server and bypass authentication. This is the entry point of the chain.
- CVE-2021-26857 – an insecure deserialization bug in the Unified Messaging service. Exploiting it let an attacker run code as SYSTEM on the Exchange server; on its own it required administrator rights or another vulnerability to reach.
- CVE-2021-26858 – an arbitrary file write vulnerability (exploitable only after authenticating to Exchange).
- CVE-2021-27065 – another arbitrary file write vulnerability (also post-authentication). In practice the authentication for both file-write bugs can be supplied by the SSRF above, which is what makes the chain work from the outside.
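The SSRF step leaves a recognisable trace in the Exchange HttpProxy logs: Microsoft's advisory for CVE-2021-26855 points to requests whose AnchorMailbox looks like `ServerInfo~*/*` or whose BackEndCookie looks like `Server~*/*~*`. The scanner below is an added example, not code from the original article or from Microsoft; it runs offline over a constructed, simplified log excerpt (real HttpProxy logs carry many more columns) and flags rows that match either indicator.

```python
"""Flag CVE-2021-26855 (ProxyLogon SSRF) indicators in Exchange HttpProxy logs.

Added example; the log excerpt is constructed for illustration and uses a
reduced column set. The two wildcard patterns are the indicators Microsoft
published for this CVE.
"""
from __future__ import annotations

import csv
import fnmatch
import io
from typing import Iterable

ANCHOR_PATTERN = "ServerInfo~*/*"   # suspicious AnchorMailbox
COOKIE_PATTERN = "Server~*/*~*"     # suspicious BackEndCookie

# Constructed sample: one benign OWA request from an internal client, then two
# requests from an external address carrying the SSRF indicators.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,ClientIpAddress,UrlHost,UrlStem,AnchorMailbox,BackEndCookie
2021-03-03T01:15:02.123Z,10.0.0.25,mail.example.com,/owa/,user@example.com,
2021-03-03T01:16:10.456Z,203.0.113.7,mail.example.com,/owa/auth/x.js,ServerInfo~a]@mail.example.com:444/autodiscover/autodiscover.xml?#,
2021-03-03T01:16:11.789Z,203.0.113.7,mail.example.com,/ecp/y.js,,Server~mail.example.com/ecp/default.flt~1941962752~2021-03-03T01:16:11
"""


def parse_httpproxy_log(text: str) -> list[dict]:
    """Parse an HttpProxy log.

    Lines starting with '#' are metadata and are skipped; the first remaining
    line is taken as the CSV header (assumption for this simplified layout).
    """
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def find_ssrf_hits(rows: Iterable[dict]) -> list[dict]:
    """Return the rows whose AnchorMailbox or BackEndCookie matches an indicator."""
    hits: list[dict] = []
    for row in rows:
        anchor = row.get("AnchorMailbox") or ""
        cookie = row.get("BackEndCookie") or ""
        indicator = None
        if fnmatch.fnmatchcase(anchor, ANCHOR_PATTERN):
            indicator = "AnchorMailbox"
        elif fnmatch.fnmatchcase(cookie, COOKIE_PATTERN):
            indicator = "BackEndCookie"
        if indicator:
            hits.append({
                "DateTime": row.get("DateTime", ""),
                "ClientIpAddress": row.get("ClientIpAddress", ""),
                "UrlStem": row.get("UrlStem", ""),
                "indicator": indicator,
                "value": anchor if indicator == "AnchorMailbox" else cookie,
            })
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse a log file's contents and return the suspicious rows."""
    return find_ssrf_hits(parse_httpproxy_log(text))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['DateTime']} {hit['ClientIpAddress']} {hit['UrlStem']} "
              f"[{hit['indicator']}] {hit['value']}")
```

On a real server you would feed it every `*.log` under `Logging\HttpProxy` in the Exchange install directory; a match is worth treating as a confirmed exploitation attempt, and the source IP and timestamp give you the pivot for the rest of the investigation.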
This group has previously attacked a range of American organizations, including infectious disease researchers, law firms, higher education institutions, defence contractors, political think tanks and NGOs.
The latest Hafnium attacks were observed as early as January 2021 and chained all four Exchange zero-days.
Once they had a foothold on the Exchange server, the attackers stole the contents of mailboxes and address books and exfiltrated them to a remote server (most often a file-sharing service such as MEGA).
The first attacks, against its own clients' servers, were discovered by Volexity, which has already published a report on the campaign. Microsoft also says it was alerted to the attacks by the Danish firm Dubex.
Along with the Exchange vulnerabilities listed above, Microsoft fixed three other bugs (CVE-2021-27078, CVE-2021-26854 and CVE-2021-26412) found during the incident investigation.
Microsoft recommends that administrators install the patches as soon as possible or, failing that, restrict untrusted connections to port 443 (for example by placing Exchange behind a VPN). Note that restricting port 443 only blocks the initial SSRF step: an attacker who already has network access or valid credentials can still trigger the post-authentication bugs, so patching is the only real fix.
Let me remind you that I previously wrote about Microsoft leaving one of the internal servers of the Bing search engine exposed.