Some of you may know of HAFNIUM from a chemistry class in school. In this context, however, HAFNIUM is a group of state-sponsored hackers targeting On-Premises Exchange Servers using a series of zero-day vulnerabilities. As many as 30,000 organizations have been compromised in this email server hack, and the estimated number has kept growing every day since the issue became known. National agencies like the White House National Security Council and the Cybersecurity and Infrastructure Security Agency are following the issue closely, calling the exploit “an active threat”.
So how did this happen?
There are 4 key points of entry that have been exploited to target On-Premises Exchange Servers.
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when a program deserializes untrusted, user-controllable data. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. Exploiting it requires administrator permission or another vulnerability.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Image Source: Any IP Ltd
Are the Servers Safe Now?
Once the hackers infiltrated, they were able to deploy web shells on the compromised servers, which allowed them to steal data and perform additional malicious attacks. HAFNIUM was able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users. Two helpful articles from Microsoft are Defending Exchange Servers Under Attack and Web Shell Attacks Continue to Rise.
Read the whole security blog here. It describes in detail what I mentioned above and more.
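One concrete check a defender can run for the CVE-2021-26855 SSRF entry point is to look for the request patterns Microsoft published in its HAFNIUM guidance in the Exchange HttpProxy logs. The script below is an added example written for this post, not code from the original post or from Microsoft; it assumes the HttpProxy logs are CSV files with a header row containing AnchorMailbox and BackEndCookie columns (the columns Microsoft's hunting command keys on), and the sample log rows are constructed for the demo.

```python
import csv
import io
from typing import Dict, Iterable, List

# Constructed sample in the shape of an Exchange HttpProxy CSV log. The column
# names are an assumption based on Microsoft's published hunting command; every
# row value below is made up (placeholder hosts, documentation IP ranges).
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AnchorMailbox,BackEndCookie
2021-03-03T09:00:00.000Z,1,203.0.113.10,mail.example.test,/owa/,user1@example.test,Server~mail.example.test~1234
2021-03-03T09:01:00.000Z,2,198.51.100.7,mail.example.test,/ecp/,ServerInfo~placeholder-host/placeholder-path,
2021-03-03T09:02:00.000Z,3,203.0.113.11,mail.example.test,/owa/,,Server~placeholder-host/ecp/~abc
"""

ANCHOR_PREFIX = "ServerInfo~"  # Microsoft pattern: AnchorMailbox -like 'ServerInfo~*/*'
COOKIE_PREFIX = "Server~"      # Microsoft pattern: BackEndCookie -like 'Server~*/*~*'


def is_suspicious(row: Dict[str, str]) -> bool:
    """Return True if a log row matches either published SSRF indicator pattern."""
    anchor = row.get("AnchorMailbox") or ""
    cookie = row.get("BackEndCookie") or ""
    # 'ServerInfo~*/*': prefix followed by a '/' somewhere in the remainder.
    anchor_hit = anchor.startswith(ANCHOR_PREFIX) and "/" in anchor[len(ANCHOR_PREFIX):]
    # 'Server~*/*~*': prefix, then a '/' that is later followed by a '~'.
    cookie_hit = False
    if cookie.startswith(COOKIE_PREFIX):
        rest = cookie[len(COOKIE_PREFIX):]
        slash = rest.find("/")
        cookie_hit = slash != -1 and "~" in rest[slash + 1:]
    return anchor_hit or cookie_hit


def find_suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Parse one HttpProxy log (CSV text with header) and return matching rows."""
    return [row for row in csv.DictReader(io.StringIO(log_text)) if is_suspicious(row)]


def scan_log_files(paths: Iterable[str]) -> List[Dict[str, str]]:
    """Scan several on-disk log files; the caller supplies the paths to its logs."""
    hits: List[Dict[str, str]] = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits.extend(find_suspicious_requests(fh.read()))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_HTTPPROXY_LOG):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"],
              hit["AnchorMailbox"] or hit["BackEndCookie"])
```

A hit is a lead for triage, not proof of compromise on its own; the full Microsoft guidance pairs this log review with checks for dropped web shells and other post-exploitation artifacts.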
You know who was safe from these attacks? Everyone in the cloud. The attacks specifically targeted On-Premises Exchange Servers, so if you had made the move, you would have been protected. Finchloom specializes in migration to the cloud. Even if your business was not compromised by these attacks, many businesses now see another benefit of moving to the cloud… this may be your sign to migrate. Contact Finchloom today for a free consultation on how you can move your on-premises servers to the cloud.