UPDATE (March 10th, 2021):
ESET researchers have released the results of their detailed probe into the attacks. The article is available here:
Exchange servers under siege from at least 10 APT groups
Microsoft has rushed out emergency updates to address four zero-day flaws affecting Microsoft Exchange Server versions 2013, 2016, and 2019. Threat actors have been observed exploiting the vulnerabilities in the wild to access on-premises Exchange servers, which allowed them to steal emails, download data, and compromise machines with malware for long-term access to the victim networks. Due to the severity of the threat, the Redmond tech titan is urging users to patch their systems immediately.
Indexed as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, the security loopholes are being exploited by the attackers as part of an attack chain. Microsoft’s decision to issue an out-of-band update instead of releasing the fixes as part of its monthly Patch Tuesday bundle underscores the seriousness of the threat. Microsoft attributed the attack to a relatively little-known Advanced Persistent Threat (APT) group codenamed Hafnium.
According to ESET telemetry, at least one of the vulnerabilities is being targeted by multiple cyberespionage groups, to wit LuckyMouse (also known as Emissary Panda or APT27), as well as Tick and Calypso. The flaw, indexed as CVE-2021-26855, is a server-side request forgery vulnerability that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
While most attacks have been observed to be against servers located in the United States, APT groups have been targeting the servers of governments, law firms, and private companies in other parts of the world, Germany in particular.
Hafnium
“To date, Hafnium is the primary actor we’ve seen use these exploits, which are discussed in detail by MSTIC here. The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network,” reads Microsoft’s description of the attacks.
The company has also issued a "Defense in Depth update" for Microsoft Exchange Server 2010, which reached end-of-support in October 2020. “We recommend prioritizing installing updates on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated,” said Microsoft.
Computer Emergency Response Teams (CERT) from around the world, including the United States, Europe, Hong Kong, and Singapore, also issued alerts urging users and administrators to install the updates immediately and to consider scanning their Exchange log files for signs of intrusions or compromise.
ESET researchers also advise companies to limit the internet exposure of critical applications, for example by using a Virtual Private Network (VPN).