Another earthquake in cybersecurity: an in-depth look at the Microsoft Exchange ProxyLogon zero-day flaws

On March 3, Microsoft released emergency out-of-band security updates that address four zero-day issues in all supported Microsoft Exchange versions that were being actively exploited in the wild.

The company decided to address the issues quickly because it was aware of at least one state-sponsored hacker group exploiting them in attacks. Microsoft revealed that a China-linked threat actor group, known as Hafnium, has chained these vulnerabilities to target on-premises Exchange servers, access email accounts and install backdoors to maintain access to victim environments.

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.” reads the advisory published by Microsoft.

“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”

Unsurprisingly, Chinese authorities denied any involvement in the recent attacks.

Four zero-day vulnerabilities exploited by Chinese hackers

Let’s take a closer look at the vulnerabilities addressed by the tech company.

  • The first zero-day, tracked as CVE-2021-26855, is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange that could be exploited by an attacker to authenticate as the Exchange server by sending arbitrary HTTP requests.
  • The second vulnerability, tracked as CVE-2021-26857, is an insecure deserialization issue that resides in the Unified Messaging service. The flaw could be exploited by an attacker with administrative permission to run code as SYSTEM on the Exchange server.
  • The third vulnerability, tracked as CVE-2021-26858, is a post-authentication arbitrary file write vulnerability in Exchange.
  • The last vulnerability, tracked as CVE-2021-27065, is another post-authentication arbitrary file write vulnerability in Exchange.

The Hafnium cyberespionage group exploited the flaws in targeted attacks against US organizations. The China-linked group focused on cyber espionage campaigns aimed at US-based organizations in multiple industries; in some cases the threat actors also interacted with victim Office 365 tenants.

“Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”


Hafnium has previously hacked internet-facing servers by exploiting vulnerabilities and used legitimate open-source frameworks like Covenant for command and control. Once the attackers gained access to a victim network, they typically exfiltrated data to file-sharing services like MEGA.

Microsoft’s response to the incident

Tom Burt, Microsoft Corporate Vice President, explained that once the Hafnium hackers gained access to a vulnerable Microsoft Exchange server, they would use that remote access to steal data from an organization’s network.

“First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network,” wrote Burt.

Fearing a massive exploitation of these flaws in the wild, Microsoft shared Indicators of Compromise (IoCs) for these attacks and immediately updated the signatures for its Microsoft Defender to detect web shells that were deployed by the threat actors on the compromised servers.

Microsoft also updated the Microsoft Support Emergency Response Tool (MSERT) to detect the web shells employed in the attacks against the Exchange servers and remove them. The MSERT tool is a self-contained executable file that scans a computer for malware and reports its findings; it is also able to remove detected malware. Microsoft also provided alternative mitigation techniques for customers that are not able to apply the security updates released by the company.

“Interim mitigations if unable to patch Exchange Server 2013, 2016, and 2019: Implement an IIS Re-Write Rule and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir Services,” reads the post published by Microsoft.

Microsoft points out that administrators could use MSERT to make a full scan of the install or perform a ‘Customized scan’ of the following paths where malicious files from the threat actor have been observed:

  • %IIS installation path%\aspnet_client\*
  • %IIS installation path%\aspnet_client\system_web\*
  • %Exchange Server installation path%\FrontEnd\HttpProxy\owa\auth\*
  • Configured temporary ASP.NET files path
  • %Exchange Server Installation%\FrontEnd\HttpProxy\ecp\auth\*

“These remediation steps are effective against known attack patterns but are not guaranteed as complete mitigation for all possible exploitation of these vulnerabilities. Microsoft Defender will continue to monitor and provide the latest security updates,” concludes Microsoft.

These scans remove the malicious code rather than quarantining it, but, as reported by Bleeping Computer, administrators who would like to scan for web shells associated with these attacks without removing them can use a new PowerShell script released by CERT Latvia.
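The two approaches just described, a removal scan of the paths Microsoft listed and a non-destructive scan that only reports, can be combined into a read-only inventory an administrator reviews before deleting anything. The script below is an added example written for this article; it is not MSERT, Microsoft's scripts or the CERT-LV script. It assumes IIS lives under C:\inetpub\wwwroot, that the ExchangeInstallPath environment variable points at the Exchange installation (it does on a default install), and that the "configured temporary ASP.NET files path" is the default Temporary ASP.NET Files directory under the .NET Framework folders; adjust the parameters if your server differs.

```powershell
# Added example (not Microsoft's or CERT-LV's code): inventory recently written
# ASP.NET script files under the paths named in Microsoft's guidance, hash them,
# and write a CSV for review. Nothing is deleted or quarantined.
param(
    [string]$IisRoot      = 'C:\inetpub\wwwroot',          # assumed default IIS site root
    [string]$ExchangeRoot = $env:ExchangeInstallPath,      # set by the Exchange installer
    [int]$LookBackDays    = 60,                            # attacks were reported from January
    [string]$ReportCsv    = "$env:TEMP\webshell-candidates.csv"
)

$cutoff = (Get-Date).AddDays(-$LookBackDays)

# Scan locations from Microsoft's guidance. The Exchange paths are only added when
# the install path is known; the ASP.NET temp paths are the assumed defaults.
$scanPaths = [System.Collections.Generic.List[string]]::new()
$scanPaths.Add((Join-Path $IisRoot 'aspnet_client'))
$scanPaths.Add((Join-Path $IisRoot 'aspnet_client\system_web'))
if ($ExchangeRoot) {
    $scanPaths.Add((Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'))
    $scanPaths.Add((Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'))
} else {
    Write-Warning 'ExchangeInstallPath is not set; pass -ExchangeRoot to scan the FrontEnd paths.'
}
$scanPaths.Add("$env:windir\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files")
$scanPaths.Add("$env:windir\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files")

# The web shells in these attacks were ASP.NET pages, so only server-side script
# types are listed; every other file is ignored.
$scriptExtensions = '.aspx', '.ashx', '.asmx'

$findings = @(foreach ($dir in $scanPaths) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            $scriptExtensions -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $cutoff
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
                Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
})

# aspnet_client\system_web sits inside aspnet_client, so the recursive walk can
# report a file twice; collapse duplicates by path before reporting.
$findings = @($findings | Sort-Object Path -Unique)

$findings | Export-Csv -LiteralPath $ReportCsv -NoTypeInformation
$findings | Format-Table Path, LastWriteTime, SizeBytes, Sha256 -AutoSize
Write-Host "$($findings.Count) candidate file(s) listed in $ReportCsv (no files were modified)."
```

Run it from an elevated Exchange Management Shell or PowerShell console so the Exchange FrontEnd directories are readable. The SHA256 column lets a responder compare each candidate against the indicators Microsoft published without altering the file, and the creation and owner columns separate files dropped by the IIS worker process from files laid down by the Exchange installer.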

Technical details about the scripts are available on the CERT-LV project’s GitHub repository.

Researchers at the Microsoft Exchange Server team also released an open-source script that could be used by administrators to check if their installs are affected by the ProxyLogon flaws.

“Formerly known as Test-Hafnium, this script automates all four of the commands found in the Hafnium blog post,” states Microsoft. “It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster.”

This script automates the tests for the four zero-day vulnerabilities in Microsoft Exchange Server, but doesn’t remove any malicious code that could have been installed on the compromised installs.

Microsoft also released a PowerShell script called Test-ProxyLogon.ps1 that can be used to search for indicators of compromise (IOC) related to these attacks in Exchange and OWA log files.

On March 9, due to the severity of the vulnerabilities and the risks for its customers, Microsoft released security updates for Microsoft Exchange servers running unsupported Cumulative Update versions that are affected by the above vulnerabilities, collectively tracked as ProxyLogon. Microsoft aims to temporarily protect the servers of its customers until they can install the latest updates for the Exchange servers.

“To help customers more quickly protect their environments in light of the March 2021 Exchange Server security updates, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older (and unsupported) Cumulative Updates (CUs),” states the Microsoft Exchange team.

“This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update.”

Exchange Server security updates scheme

How to install the March 2021 Microsoft Exchange Server security updates

To install the updates, follow this step-by-step procedure:

  1. Download the update but do not run it immediately.
  2. Temporarily disable file-level antivirus software.
  3. Select Start, and type CMD.
  4. In the results, right-click Command Prompt, and then select Run as administrator.
  5. If the User Account Control dialog box appears, choose Yes, and then select Continue.
  6. Type the full path of the .msp file, and then press Enter.
  7. After the installation is finished, re-enable the antivirus software, and then restart the computer. (You might be prompted by the installer to restart.)
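Steps 3 to 6 exist to make sure the .msp runs from an elevated session; the script below, an added example rather than Microsoft's own installer guidance, enforces that before launching the update and then interprets the Windows Installer result. It assumes the update has already been downloaded to the path given in -MspPath (the file name shown is a placeholder), that file-level antivirus is disabled and re-enabled by the administrator as in steps 2 and 7, and it hands the .msp to msiexec explicitly with /update instead of relying on the .msp file association.

```powershell
# Added example (not Microsoft's code): run a downloaded Exchange SU from an
# elevated PowerShell session and report the installer outcome.
param(
    [Parameter(Mandatory = $true)]
    [string]$MspPath   # placeholder, e.g. 'C:\Updates\Exchange2016-KBnnnnnnn-x64-en.msp'
)

# Steps 4 and 5: refuse to continue unless the session is elevated. Running the
# SU without elevation is the failure mode those steps are there to prevent.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This session is not elevated. Open the console with "Run as administrator" and rerun.'
}

# Step 6 asks for the full path of the .msp, so resolve whatever was passed in.
if (-not (Test-Path -LiteralPath $MspPath)) {
    throw "Update file not found: $MspPath"
}
$MspPath = (Resolve-Path -LiteralPath $MspPath).Path

# Step 6: hand the patch to Windows Installer and wait for it to finish.
$proc = Start-Process -FilePath 'msiexec.exe' `
                      -ArgumentList @('/update', "`"$MspPath`"") `
                      -Wait -PassThru

# 0 and 3010 are the standard Windows Installer success codes; 3010 means the
# installer wants a restart, which step 7 requires in any case.
switch ($proc.ExitCode) {
    0       { Write-Host 'Update installed. Re-enable antivirus, then restart the server (step 7).' }
    3010    { Write-Host 'Update installed; a restart is required (exit code 3010). Re-enable antivirus, then restart.' }
    default { Write-Warning "msiexec exited with code $($proc.ExitCode); review the installer log before retrying." }
}
```

Rerunning the SU after a failed attempt is safe, because Windows Installer refuses to apply a patch that is already present; the exit code tells you which of the two cases you are in.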

Who were the victims of ProxyLogon attacks?

At least tens of thousands of Microsoft customers, including businesses and government agencies, may have been hacked by threat actors exploiting the ProxyLogon vulnerabilities. According to the experts at security firm Volexity, the attacks began in January and intensified in recent weeks.

Volexity experts were investigating the compromise of Microsoft Exchange servers belonging to one of its customers and discovered that the intruders had exploited the CVE-2021-26855 flaw to access the content of user mailboxes.

“The attacker was using the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment,” reads the analysis published by Volexity.

“The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”

Volexity experts observed an escalation of the attacks in late February, when attackers started chaining multiple vulnerabilities and targeting a larger number of victims.

Microsoft confirmed the attacks against the Exchange servers, which aimed at stealing emails and installing malware to gain persistence in the target networks.

Cybersecurity expert Brian Krebs speculates that at least 30,000 Microsoft customers were impacted by the hacking campaign.

“At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity,” reported Krebs. “The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.”

Another notorious victim of the ProxyLogon attacks is the European Banking Authority, which recently announced the compromise of its email system.

The EU financial regulator disclosed the incident and took its email systems offline as a precautionary measure in response to the attack. The agency has launched an investigation into the incident, notified the relevant authorities, and is currently working with a team of forensic experts.

According to the EBA, personal data contained in emails held on the compromised email systems may have been obtained by the attacker.

Multiple security firms and international CERTs are still investigating the ProxyLogon attacks. While waiting for additional information, administrators are urged to install the security updates released by Microsoft as soon as possible to protect their servers.
