IOTW: Microsoft Exchange, The FBI & A Lack Of Patching

Lisa Morgan
04/23/2021

The Microsoft Exchange hack is still in progress because some organizations still haven't patched the on-premises version of the software. As we reported last month, the zero-day attack has infected companies of all sizes across multiple industries.

The cyberattack is worrisome enough that the U.S. Federal Bureau of Investigation (FBI) has been quietly removing the web shells from infected systems unbeknownst to American citizens, acting on a warrant issued by the Department of Justice, because so many organizations lack the cybersecurity expertise or focus they need to deal with the issue themselves. 

The Facts

On March 2, 2021, security firm Volexity discovered a Microsoft Exchange flaw that allowed hackers to install web shells to exfiltrate data and credentials. According to Microsoft, the four CVEs involved include:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065


The first CVE provides access. The last three enable code execution. Bloomberg reported that 120,000 systems had been infected and fewer than 10,000 remained unpatched as of March 22, 2021. Microsoft released patches for all four vulnerabilities on March 2 for Microsoft Exchange 2013, 2016 and 2019 servers, followed by a security update on April 14. The company also identified that the Chinese state-sponsored hacking group it calls "HAFNIUM" had successfully breached infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and non-government organizations (NGOs).

On April 14, NIST published four other unique CVEs, all of which involve remote code execution. They include:

  • CVE-2021-28480
  • CVE-2021-28481
  • CVE-2021-28482
  • CVE-2021-28483

The operative words now are "discovery" and "remediation." While the FBI's efforts are arguably necessary, organizations cannot rely on the agency for their safety. In addition to gaining remote control of Exchange servers, bad actors are also installing DearCry ransomware on compromised Exchange servers. Worse, other bad actors in addition to HAFNIUM are exploiting the vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is encouraging organizations to examine their systems for tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs). In fact, the agency reposted TTP information provided by Volexity to help administrators determine whether their company's server has been compromised. As a first incident response step, the agency recommends forensic activities that involve the collection of four artifacts: memory, all registry hives, all Windows event logs and all web pages. CISA also encourages companies to read Microsoft's advisory and security blog post for additional information.

Quick Tips

This cyberattack underscores the necessity of patching. However, since this was a zero-day attack, there was no way to combat it until the exploit was discovered, Microsoft issued emergency patches and companies actually installed them. 

If your company lacks a cybersecurity expert, team or focus: Run the Microsoft Exchange On-premises Mitigation Tool which automatically detects breaches and installs a patch. Otherwise:

  1. CISA has discovered and posted 10 web shells used in the attacks, which are only some of those in circulation. There is a detailed analysis of each one here.
  2. Read Volexity's blog post which lists TTPs and what to do about them, including identifying signs of a compromise.
  3. Do a forensic analysis which includes collecting artifacts so triage can be performed.
  4. Install the April 13 Microsoft Exchange security update which resolves the vulnerabilities.
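The artifact collection that CISA recommends as the first response step (memory, registry hives, Windows event logs and web-facing data) and the triage in step 3 above can be scripted so it runs the same way on every suspect server. The following PowerShell script is an added example written for this article; it is not CISA's, Microsoft's or Volexity's tooling. It assumes an elevated PowerShell session on the Exchange server itself, a hypothetical output path `C:\IR\exchange-triage`, the default Exchange and IIS install locations, and that memory is captured beforehand with a dedicated imaging tool (the script deliberately does not attempt a memory dump). The `$Since` cutoff defaults to the March 2, 2021 disclosure date the article gives and is a constructed review window, not a published indicator.

```powershell
# Added example (not from the article, CISA or Microsoft): collect the
# non-memory triage artifacts from an on-premises Exchange server.
param(
    [string]$OutRoot = 'C:\IR\exchange-triage',   # hypothetical destination
    [datetime]$Since = (Get-Date '2021-03-02')    # constructed review cutoff
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. Registry hives. reg.exe save writes a complete hive file that can be
#    loaded offline; SAM, SECURITY, SYSTEM and SOFTWARE require elevation.
$hives = @{
    HKLM_SAM      = 'HKLM\SAM'
    HKLM_SECURITY = 'HKLM\SECURITY'
    HKLM_SYSTEM   = 'HKLM\SYSTEM'
    HKLM_SOFTWARE = 'HKLM\SOFTWARE'
}
foreach ($name in $hives.Keys) {
    & reg.exe save $hives[$name] (Join-Path $dest "$name.hiv") /y | Out-Null
}

# 2. Every Windows event log, exported in native .evtx form so event IDs and
#    timestamps survive for timeline analysis. Logs that refuse export
#    (access denied, disabled channels) are skipped silently.
$evtDir = Join-Path $dest 'evtx'
New-Item -ItemType Directory -Path $evtDir -Force | Out-Null
foreach ($log in (& wevtutil.exe el)) {
    $safe = $log -replace '[\\/]', '-'
    & wevtutil.exe epl $log (Join-Path $evtDir "$safe.evtx") 2>$null
}

# 3. IIS logs: the web-facing record of requests to OWA/ECP, which is where
#    web shell activity against Exchange front ends would leave traces.
$iisLogs = 'C:\inetpub\logs\LogFiles'
if (Test-Path $iisLogs) {
    Copy-Item -Path $iisLogs -Destination (Join-Path $dest 'iis-logs') -Recurse -Force
}

# 4. Triage hint: list .aspx files written to the Exchange front-end web
#    directories on or after the cutoff, so an analyst knows which files to
#    compare against CISA's published web shell analyses. Default install
#    path assumed; adjust $webRoot if Exchange lives elsewhere.
$webRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy'
$recent = Get-ChildItem -Path $webRoot -Recurse -Include *.aspx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Select-Object FullName, LastWriteTime, Length
$recent | Export-Csv -Path (Join-Path $dest 'recent-aspx.csv') -NoTypeInformation

# Hash the collected set so its integrity can be verified later. The manifest
# is written outside $dest so it does not hash itself.
Get-ChildItem -Path $dest -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $OutRoot "$env:COMPUTERNAME-$stamp-manifest.csv") -NoTypeInformation

Write-Host "Artifacts written to $dest; review recent-aspx.csv before patching"
```

Run it before installing the April 13 update in step 4: patching changes the front-end files and their timestamps, which is exactly what the triage listing relies on, and it can overwrite evidence a later forensic review would need.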