By The Integrity360 Team on March 04, 2021

Microsoft Operation Exchange Marauder Advisory

Breaches, Alerts & Advisories

CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065

Last updated: 16:00 04/03/2021

Integrity360 is actively monitoring a threat known as Operation Exchange Marauder.

The Threat

Operation Exchange Marauder consists of four recently disclosed vulnerabilities in Microsoft Exchange Server.

CVE-2021-26855
This is an SSRF (Server-Side Request Forgery) vulnerability that an unauthenticated, remote attacker could exploit by sending a specially crafted HTTP request. The vulnerable Microsoft Exchange server would need to accept inbound untrusted connections over port 443, and successful exploitation would result in full authentication on the Exchange server.

CVE-2021-26857
This vulnerability is specifically in the Exchange Unified Messaging Service in Microsoft Exchange. It is an insecure deserialisation vulnerability, exploited by an attacker who is already authenticated with administrative privileges (or who has chained another vulnerability exploit). Successful exploitation would allow the attacker to execute code as a system user.

CVE-2021-26858 and CVE-2021-27065
These vulnerabilities are classed as arbitrary file write vulnerabilities, meaning an attacker can write files to any path on a vulnerable Microsoft Exchange server. Both require the attacker to already be authenticated on the Exchange server.

The Impact

Integrity360 has observed real cases of threat actors exploiting these vulnerabilities in the wild, with attackers specifically creating “web shells” that allow them to backdoor and control the servers remotely (and harvest private organisation data as a result).

Other actions observed by Integrity360 include credential stealing, data exfiltration, user account creation, lateral movement and spear-phishing. Microsoft attributes the bulk of these attacks to a threat actor it calls “Hafnium”. Microsoft describes Hafnium as a state-sponsored threat actor originating from China that conducts its operations via leased virtual private servers. Hafnium is known to dedicate most of its time to attacking Office 365 tenants.

Recommendations

Microsoft has released several steps organisations can take to assess for indicators of compromise. These include applying the Microsoft Exchange server update (KB5000871), searching for web shells and searching Exchange log files for indicators of compromise.
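
As an added example (not from the advisory, and not Microsoft's own guidance), the following read-only PowerShell triage sweep supports the "search for web shells" step: it lists web-executable files under the Exchange front-end directories that were created or modified within a look-back window. The install path, the directory names and the 14-day window are assumptions to adjust for your environment; any hit is a lead to compare against a known-good Exchange installation, not proof of compromise.

```powershell
# Added example, not part of the Integrity360 advisory.
# Read-only triage sweep for recently created or modified web-executable files
# under the Exchange front-end web roots, where a web shell would be reachable over HTTPS.
# ASSUMED default Exchange 2013/2016/2019 install root; override -ExchangeRoot if different.
param(
    [string]$ExchangeRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15",
    [datetime]$Since = (Get-Date).AddDays(-14)   # assumed look-back window; tune as needed
)

# Assumed front-end directories served by IIS for this Exchange version family.
$WebRoots = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy')
    (Join-Path $ExchangeRoot 'ClientAccess')
)
$WebExtensions = @('*.aspx', '*.ashx', '*.asmx', '*.asp')
$SinceUtc = $Since.ToUniversalTime()

$Findings = foreach ($root in $WebRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $WebExtensions -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $SinceUtc -or $_.LastWriteTimeUtc -ge $SinceUtc } |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_.FullName
                CreatedUtc  = $_.CreationTimeUtc
                ModifiedUtc = $_.LastWriteTimeUtc
                SizeBytes   = $_.Length
                # Hash each hit so it can be compared against a clean install or shared with IR.
                Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($Findings) {
    $Findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
    # Keep a copy of the evidence list for the incident record.
    $Findings | Export-Csv -Path "$env:TEMP\exchange-webshell-triage.csv" -NoTypeInformation
} else {
    "No web-executable files created or modified since $Since under the scanned roots."
}
```

Run it from an elevated PowerShell prompt on each Exchange server; files that legitimately ship with Exchange will also appear if they post-date the window (for example after patching), so compare against a reference installation before acting on a hit.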

Should you require assistance directly, please contact your account manager or use our contact form for further assistance. As always, Integrity360 Managed Security Service (MSS) customers will already be managed through our proactive security approach.

Affected Systems

  • Microsoft Exchange Server 2019
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2013

More Information