Alert Logic® is actively researching multiple exploits targeted at on-premises versions of Microsoft Exchange Server, which can allow for authentication bypass, remote code execution, and email account access. When chained together, these exploits have been used to harvest email content and deploy malware.
Microsoft has released a patch for the affected versions, which include Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 (Exchange Online is not affected). It is recommended to immediately install the appropriate updates, to back up any data stored on those servers, and to change passwords for all affected accounts to protect against these attacks. For more information, refer to Recommendations for Mitigation.
According to Microsoft, the vulnerabilities recently being exploited are:
- CVE-2021-26855: A server-side request forgery (SSRF) in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server
- CVE-2021-26857: An insecure deserialization vulnerability (where untrusted user-controllable data is deserialized by a program) in the Unified Messaging service; this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server
- CVE-2021-26858/CVE-2021-27065: A post-authentication arbitrary file write vulnerability in Exchange; if HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server
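The last item above describes a post-authentication write to an arbitrary path, and the footprint such a write leaves when the goal is code execution through the web server is a new or altered server-side script under a web-served directory. The following is an added example (not Alert Logic's or Microsoft's tooling) of a baseline-and-diff check for exactly that artifact: it hashes every file under a web root, compares a later snapshot against the baseline, and reports only added or modified files with extensions IIS executes. The directory tree it builds is constructed for the demonstration; on a real server the web root path is a placeholder the operator supplies, and the suffix list is an assumption to be adjusted to the application.

```python
"""Baseline-and-diff check for server-executable files under a web root.

Added example, not Alert Logic's or Microsoft's tooling. The directory tree
it builds is a constructed stand-in; on a real server the web root path is a
placeholder to be filled in by the operator.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions IIS hands to the ASP.NET pipeline (assumed list; adjust to the
# application). A new or altered file of one of these types under a web root
# is the footprint an arbitrary file write leaves when its goal is code
# execution through the web server.
EXECUTABLE_SUFFIXES = {".aspx", ".asmx", ".ashx", ".asp"}


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def suspicious_changes(baseline, current):
    """Executable files that appeared or changed since the baseline, sorted."""
    added, modified, _ = diff_snapshots(baseline, current)
    return sorted(p for p in added + modified
                  if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES)


def demo():
    """Build a constructed web root, take a baseline, then simulate changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pages = root / "app" / "auth"          # constructed layout, not a real product path
        pages.mkdir(parents=True)
        (pages / "logon.aspx").write_text("<%-- shipped page --%>")
        (pages / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = snapshot(root)

        # Constructed post-exploitation footprint: one new script page and one
        # shipped page overwritten. The image change is benign noise and must
        # not be reported.
        (pages / "new_page.aspx").write_text("<%-- not shipped with the product --%>")
        (pages / "logon.aspx").write_text("<%-- shipped page, now altered --%>")
        (pages / "logo.png").write_bytes(b"\x89PNG constructed v2")
        return suspicious_changes(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())  # -> ['app/auth/logon.aspx', 'app/auth/new_page.aspx']
```

The baseline should be taken from a known-good state (a freshly patched server, or the installation media) and stored off the host, since a write primitive that reaches any path can also reach a baseline kept locally.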
For more information on these exploits and the attackers, refer to Microsoft’s security blog.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has released authenticated and unauthenticated vulnerability scan coverage to identify vulnerable assets.
Network IDS: Alert Logic has released telemetry signatures to identify exploitation of these vulnerabilities. These signatures can only detect the attacks if our solution is able to decrypt the SSL/TLS connections that carry them. Alert Logic is continuing research and monitoring to identify additional detection opportunities.
Note: Customers who use the Alert Logic® network IDS and web application IDS may need to upload SSL/TLS keys and certificates to have encrypted traffic inspected. This decryption process requires that these keys and certificates be uploaded through the Alert Logic console. In both cases, the data is encrypted in transit and at rest.
Web Application Firewall: Alert Logic is actively researching these exploits to determine whether web application firewall coverage can detect or block attacks.
Log Management: Alert Logic has released telemetry signatures to identify the exploitation of these vulnerabilities.
Alert Logic Security Operations Center: Alert Logic security analysts are actively threat hunting and leveraging this telemetry data for indicators specific to these attacks.
For more information on how Alert Logic detected and responded to this vulnerability, refer to Alert Logic's security blog.
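The log-telemetry and threat-hunting coverage above works from the web server's own request logs. As an added example (not an Alert Logic signature), the following first-seen hunt over IIS W3C extended log lines shows one way to surface the post-exploitation artifact without knowing in advance what file name an attacker chose: it learns which server-side script paths were requested during a baseline window, then reports any executable path first requested after that window, together with how many of those requests arrived with no authenticated user. The log excerpt, the paths under /app/ and the client addresses are all constructed; only the IIS W3C format itself (a "#Fields:" header naming the columns, "-" for an empty value) is real.

```python
"""First-seen hunt over IIS W3C extended log lines.

Added example, not an Alert Logic telemetry signature. The log excerpt, the
application paths under /app/ and the client addresses are all constructed;
only the IIS W3C format itself (a "#Fields:" header naming the columns,
"-" for an empty value) is real.
"""

# Server-side script types IIS executes (assumed list); a request to a *new*
# one of these is the kind of artifact an arbitrary file write leaves behind.
EXECUTABLE_SUFFIXES = (".aspx", ".asmx", ".ashx")

# Constructed log excerpt: routine traffic inside the baseline window, then
# activity after it. Columns follow the #Fields header, as IIS writes them.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2021-02-20 09:00:01 GET /app/logon.aspx - - 10.0.0.5 200
2021-02-20 09:00:02 POST /app/logon.aspx - - 10.0.0.5 302
2021-02-20 09:00:03 GET /app/mail.aspx - alice 10.0.0.5 200
2021-02-21 11:30:44 GET /app/logo.png - - 10.0.0.9 200
2021-03-03 02:14:10 POST /app/logon.aspx - - 198.51.100.7 302
2021-03-03 02:14:12 POST /app/new_page.aspx - - 198.51.100.7 200
2021-03-03 02:14:15 POST /app/new_page.aspx - - 198.51.100.7 200
2021-03-03 08:00:00 GET /app/mail.aspx - bob 10.0.0.12 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def first_seen_scripts(records, baseline_end):
    """Flag executable paths first requested on or after baseline_end (YYYY-MM-DD).

    Two passes over the records, so the result does not depend on the log
    being in chronological order. Each finding records how many requests hit
    the path, from which clients, and how many carried no authenticated user
    (cs-username == "-").
    """
    records = list(records)
    known = {r["cs-uri-stem"].lower() for r in records if r["date"] < baseline_end}
    stats = {}
    for rec in records:
        stem = rec["cs-uri-stem"].lower()
        if rec["date"] < baseline_end or stem in known:
            continue
        if not stem.endswith(EXECUTABLE_SUFFIXES):
            continue
        entry = stats.setdefault(stem, {
            "path": stem,
            "first_seen": f"{rec['date']} {rec['time']}",
            "requests": 0,
            "unauthenticated": 0,
            "clients": set(),
        })
        entry["requests"] += 1
        entry["clients"].add(rec["c-ip"])
        entry["first_seen"] = min(entry["first_seen"], f"{rec['date']} {rec['time']}")
        if rec["cs-username"] == "-":
            entry["unauthenticated"] += 1
    findings = sorted(stats.values(), key=lambda e: e["first_seen"])
    for finding in findings:
        finding["clients"] = sorted(finding["clients"])
    return findings


def hunt(text=SAMPLE_LOG, baseline_end="2021-03-01"):
    """Run the hunt over a log excerpt; returns the list of findings."""
    return first_seen_scripts(parse_w3c(text), baseline_end)


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

Because the hunt keys on rarity rather than on a fixed indicator, a path never seen before the attack window is reported whatever it is called; the cost is that legitimate changes (a patch that introduces new pages) also surface, so the baseline window should be refreshed after planned deployments.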
Recommendations for Mitigation
Microsoft has released a set of patches to address these vulnerabilities in the following versions of Microsoft Exchange Server:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Because these vulnerabilities are actively being exploited, it is highly recommended to install these updates immediately to protect against these attacks. To download these updates, refer to the Microsoft Security Response Center. Additional information and frequently asked questions are also available in the Microsoft Exchange Team Blog.
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available.
03/11/2021: On March 8, 2021, Alert Logic released telemetry signatures for network IDS to identify exploitation of these vulnerabilities. The Alert Logic SOC is actively threat hunting the telemetry data for the vulnerabilities listed.
03/12/2021: On March 10, 2021, Alert Logic released unauthenticated scan detection to identify vulnerable assets.
03/12/2021: On March 12, 2021, Alert Logic released a security blog post on how we identified and responded to this vulnerability.