Blog Post

Security Alert - HAFNIUM targeting Exchange Servers with 0-day Exploits

Simplify IT • 4 March 2021

If you are running On-Premise or Hybrid versions of Microsoft Exchange Server - You need to take action immediately

Microsoft has detected multiple 0-day exploits being used to attack on-premises and hybrid environment versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

Please note: This attack does not impact anyone running Exchange Online exclusively!

Details:
Microsoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defence against any future attacks against unpatched systems.


  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.


  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.


  • CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”
Tim Burt - Microsoft

Users of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.

Microsoft also advises that the initial stage of the attack can be stopped by “restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access”, although the other parts of the attack chain can still be exploited, if other means of access are used.

If you have any concerns about this attack and / or need assistance, please contact us as soon as possible.

Contact Us
Share by: