
Another earthquake in cybersecurity: an in-depth look at the Microsoft Exchange ProxyLogon zero-day flaws

Pierluigi Paganini, Contributor
Mar 10, 2021 Updated: 28 September 2021 6 min read
 “Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”

Four zero-day vulnerabilities exploited by Chinese hackers

  • The first zero-day, tracked as CVE-2021-26855, is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange that could be exploited by an attacker to authenticate as the Exchange server by sending arbitrary HTTP requests.
  • The second vulnerability, tracked as CVE-2021-26857, is an insecure deserialization issue in the Unified Messaging service. Exploiting it lets an attacker run code as SYSTEM on the Exchange server, but it requires administrative permission or another vulnerability (in the observed attacks, the SSRF above) to get there.
  • The third vulnerability, tracked as CVE-2021-26858, is a post-authentication arbitrary file write vulnerability in Exchange.
  • The last vulnerability, tracked as CVE-2021-27065, is another post-authentication arbitrary file write vulnerability in Exchange.
“Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.” continues Microsoft.

Microsoft’s response to the incident

“Interim mitigations if unable to patch Exchange Server 2013, 2016, and 2019: Implement an IIS Re-Write Rule and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir Services.” reads the post published by Microsoft.
Microsoft also shared the locations where the web shells dropped after exploitation were found, which defenders should inspect:
  • %IIS installation path%\aspnet_client\*
  • %IIS installation path%\aspnet_client\system_web\*
  • %Exchange Server installation path%\FrontEnd\HttpProxy\owa\auth\*
  • Configured temporary ASP.NET files path
  • %Exchange Server Installation%\FrontEnd\HttpProxy\ecp\auth\*
Microsoft also released a PowerShell script called Test-ProxyLogon.ps1 that can be used to search for indicators of compromise (IOC) related to these attacks in Exchange and OWA log files.
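The following PowerShell is an added example, not Microsoft's Test-ProxyLogon.ps1 and not code from the article. It shows the two checks a defender would run by hand: the documented CVE-2021-26855 indicator in the Exchange HttpProxy logs (an entry whose AuthenticatedUser is empty while AnchorMailbox matches ServerInfo~*/*), and a sweep of the web shell drop locations listed above for recently created .aspx files. The log lines are constructed sample data with only the columns the check needs (real HttpProxy logs carry many more), and the example assumes the CSV header is the first non-comment line of the file.

```powershell
# Added example (not Microsoft's Test-ProxyLogon.ps1): hunt for the two
# documented ProxyLogon indicators with plain PowerShell.

# Constructed sample of an HttpProxy log. Real logs have many more columns;
# only the fields this check needs are kept. Row 1 is the SSRF pattern
# (anonymous request whose AnchorMailbox was rewritten to ServerInfo~host/path),
# rows 2 and 3 are benign.
$SampleHttpProxyLog = @'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-02T10:15:01.123Z,a1,203.0.113.10,/ecp/y.js,,ServerInfo~exch01.contoso.local/autodiscover/autodiscover.xml?a=b,200
2021-03-02T10:15:02.456Z,a2,198.51.100.7,/owa/auth/logon.aspx,,,200
2021-03-02T10:16:30.789Z,a3,10.0.0.25,/ecp/default.aspx,CONTOSO\jdoe,Sid~S-1-5-21-1111-2222-3333-1105,200
'@

function Find-ProxyLogonSsrf {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # Exchange writes a few '#'-prefixed comment lines at the top of its logs;
    # drop them so ConvertFrom-Csv treats the next line as the header.
    $csv = $LogLines | Where-Object { $_ -and $_ -notmatch '^#' }
    $csv | ConvertFrom-Csv |
        Where-Object {
            [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
            $_.AnchorMailbox -like 'ServerInfo~*/*'
        } |
        Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

function Find-SuspiciousWebShellFiles {
    param(
        [string]$IisRoot = "$env:SystemDrive\inetpub\wwwroot",
        # ExchangeInstallPath is set by Exchange setup; fall back to the default V15 path.
        [string]$ExchangeRoot = $(if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath }
                                  else { "$env:ProgramFiles\Microsoft\Exchange Server\V15" }),
        # Arbitrary review window; widen it to cover the whole exposure period.
        [datetime]$Since = (Get-Date).AddDays(-60)
    )
    # The drop locations Microsoft listed (the ASP.NET temp path is omitted
    # because it is per-configuration).
    $paths = @(
        (Join-Path $IisRoot 'aspnet_client')
        (Join-Path $IisRoot 'aspnet_client\system_web')
        (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth')
        (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth')
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # owa\auth legitimately holds .aspx pages, so the time filter matters;
        # every hit still needs a manual look (or a hash comparison against a
        # clean install) before calling it a web shell.
        Get-ChildItem -Path $p -Recurse -File -Filter *.aspx -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
            Select-Object FullName, CreationTime, LastWriteTime, Length
    }
}

# Run against the constructed sample: only the first row should be reported.
Find-ProxyLogonSsrf -LogLines ($SampleHttpProxyLog -split "`r?`n") | Format-Table -AutoSize

# On a real server, feed every HttpProxy log (they sit in protocol subfolders):
# Get-ChildItem -Recurse "$env:ExchangeInstallPath\Logging\HttpProxy" -Filter *.log |
#     ForEach-Object { Find-ProxyLogonSsrf -LogLines (Get-Content $_.FullName) }
# Find-SuspiciousWebShellFiles | Format-Table -AutoSize
```

A clean result from these two checks is not proof of a clean server: the SSRF log check only covers CVE-2021-26855, and an attacker who cleaned up the web shell leaves other traces (ECP server logs, OABGenerator logs, event log entries from the Unified Messaging crash). Treat it as the quick first pass before running the full Microsoft script.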
Installing the Exchange Server security updates
  1. Download the update but do not run it immediately.
  2. Temporarily disable file-level antivirus software.
  3. Select Start, and type CMD.
  4. In the results, right-click Command Prompt, and then select Run as administrator.
  5. If the User Account Control dialog box appears, choose Yes, and then select Continue.
  6. Type the full path of the .msp file, and then press Enter.
  7. After the installation is finished, re-enable the antivirus software, and then restart the computer. (You might be prompted by the installer to restart.)
Step 4 is not optional: installing the update from a non-elevated prompt is a known failure mode in which the installer completes but OWA and ECP stop working afterwards.
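The same procedure from an elevated PowerShell session, as an added example that is not part of Microsoft's instructions. It refuses to run unless the session is elevated (the mistake that leaves OWA and ECP broken), applies the .msp through msiexec, and reads back the installed build the way Microsoft documents it, from the version stamped on ExSetup.exe. The .msp path is a placeholder; substitute the package you downloaded. Disabling and re-enabling antivirus is vendor-specific and is left to the operator.

```powershell
# Added example (not from Microsoft's KB): apply an Exchange Security Update
# .msp from an elevated PowerShell session and verify the result.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Install-ExchangeSecurityUpdate {
    param([Parameter(Mandatory)][string]$MspPath)

    # A non-elevated install appears to succeed but leaves OWA and ECP broken,
    # so stop here rather than half-install.
    if (-not (Test-IsElevated)) {
        throw 'Start PowerShell with "Run as administrator" before installing the update.'
    }
    if (-not (Test-Path -LiteralPath $MspPath -PathType Leaf)) {
        throw "Update package not found: $MspPath"
    }

    # Equivalent of typing the .msp path at an elevated prompt: msiexec applies
    # the patch. /norestart keeps the reboot under our control; the update
    # still requires one to take effect.
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList @('/p', "`"$MspPath`"", '/qb', '/norestart') `
        -Wait -PassThru

    # 0 = success, 3010 = success, restart required
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with $($proc.ExitCode); check the MSI log in $env:TEMP."
    }
    return $proc.ExitCode
}

function Get-ExchangeBuild {
    # Microsoft's documented way to read the installed build; returns nothing
    # on a machine without Exchange.
    $exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
    if ($exsetup) { $exsetup.FileVersionInfo.ProductVersion }
}

# Usage (placeholder path, hypothetical file name):
# $code = Install-ExchangeSecurityUpdate -MspPath 'C:\Updates\Exchange2016-KB5000871-x64-en.msp'
# Get-ExchangeBuild
# if ($code -eq 3010) { Restart-Computer }
```

Compare the build returned by Get-ExchangeBuild before and after the install against the build numbers in the Microsoft release notes; an unchanged build after a "successful" run means the patch did not apply.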

Who were the victims of ProxyLogon attacks?

“The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”