Four zero-day vulnerabilities in Microsoft Exchange servers have been used in the attack

Microsoft published out-of-band advisories to address four zero-day vulnerabilities in Microsoft Exchange Server that have been exploited in the wild. Microsoft attributes the exploitation of these flaws to a state-sponsored group it calls HAFNIUM. The group has historically targeted U.S.-based institutions, which include “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” according to the Microsoft blog.

CVE-2021-26855 is a SSRF vulnerability in Microsoft Exchange Server. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable Exchange Server. In order to exploit this flaw, Microsoft says the vulnerable Exchange Server would need to be able to accept untrusted connections over port 443. Successful exploitation of this flaw would allow the attacker to authenticate to the Exchange Server.

Volexity, one of three groups credited with discovering CVE-2021-26855, explained in its blog post that it observed an attacker leverage this vulnerability to “steal the full contents of several user mailboxes.” All that is required for an attacker to exploit the flaw is to know the IP address or fully qualified domain name (FQDN) of an Exchange Server and the email account they wish to target.

CVE-2021-26857 is an insecure deserialization vulnerability in Microsoft Exchange. Specifically, the flaw resides in the Exchange Unified Messaging Service, which enables voice mail functionality in addition to other features. To exploit this flaw, an attacker would need to be authenticated to the vulnerable Exchange Server with administrator privileges or exploit another vulnerability first. Successful exploitation would grant the attacker arbitrary code execution privileges as SYSTEM.

CVE-2021-26858 and CVE-2021-27065 are both arbitrary file write vulnerabilities in Microsoft Exchange. These flaws are post-authentication, meaning an attacker would first need to authenticate to the vulnerable Exchange Server before they could exploit these vulnerabilities. This could be achieved by exploiting CVE-2021-26855 or by possessing stolen administrator credentials. Once authenticated, an attacker could arbitrarily write to any paths on the vulnerable server.

Microsoft’s blog says its researchers observed the HAFNIUM threat actors exploiting these flaws to deploy web shells onto targeted systems in order to steal credentials and mailbox data. The attackers reportedly were also able to obtain the offline address book (OAB) for Exchange. Possessing this information would be useful for a determined threat actor performing further reconnaissance activity on their target.