Learn About Exchange Servers Attacked By Hafnium Zero-Days

Written By Andrew Jackson
Approved By Anuraag Singh
Published On June 29th, 2021
Reading Time: 5 Minutes

Summary: This article is for users who want to understand the attacks on Exchange Servers carried out through the Hafnium zero-days. It explains how the Hafnium attack works, the technical details of the four vulnerabilities, and how to protect an on-premises Exchange Server.

Recently, Exchange administrators, users, IT companies, and organizations across many industry verticals have seen an increase in attacks against on-premises Exchange Servers. The target is the email server, which is used by small and medium-sized companies as well as by large organizations; any organization running an on-premises Exchange Server is affected by this attack, while Exchange Online is not vulnerable to it.

The Exchange Server Hafnium attack is carried out by the Chinese state-sponsored threat group Hafnium, and it is believed to have affected more than 21,000 organizations. Its main targets are based in the United States across various industry verticals, such as law firms, universities, IT companies, defense, NGOs and policy think tanks. The impact of these attacks keeps growing as the four zero-day vulnerabilities are exploited more widely.

This is a nationwide attack, and many other criminal organizations are now exploiting the same vulnerabilities, including in new ransomware attacks, with the potential for further malicious activity. The Hafnium attack is considered a broad attack, and the seriousness of these exploits means that protecting the affected systems is critical.

How Does Exchange Server Hafnium Attack work?

Based on current information, this is largely an automated attack that seeks out unpatched Exchange Servers. Attackers take advantage of the four zero-day vulnerabilities and conduct remote scans for Exchange Servers that are exposed to the internet, gaining access to a server through OWA.

After that, they create a web shell to control the compromised Exchange Server remotely, use it to gain unauthorized access to critical systems such as Active Directory, and steal the company's or organization's information.

Exchange Servers Attacked By Hafnium Zero-Days | Technical Details

Microsoft has published complete information for its customers about the techniques Hafnium used to exploit these vulnerabilities, to enable a more effective defense against future attacks on unpatched systems.

1. CVE-2021-26855: a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange Server.

2. CVE-2021-26857: an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when untrusted, user-controllable data is deserialized by a program. This vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange Server. Exploiting it requires administrator permission or another vulnerability.

3. CVE-2021-26858: a post-authentication arbitrary file write vulnerability in Exchange. Once Hafnium could authenticate with the Exchange Server, they could use this vulnerability to write a file to any path on the server. They could authenticate by compromising a legitimate administrator's credentials or by exploiting the CVE-2021-26855 SSRF vulnerability.

4. CVE-2021-27065: a post-authentication arbitrary file write vulnerability in Exchange. Once Hafnium could authenticate with the Exchange Server, they could use this vulnerability to write a file to any path on the server. They could authenticate by compromising a legitimate administrator's credentials or by exploiting the CVE-2021-26855 SSRF vulnerability.

Note: If your Exchange Server database file becomes corrupted and goes into the Offline/Dismounted state, it is necessary to repair the .edb file, but the manual solution requires in-depth knowledge, technical skills and hands-on experience with repairing corrupted Exchange database files.

Pro Tip: In such a case, users who want to avoid the technicality and complexity of the manual method can use the SysTools EDB File Recovery Tool, which supports dismounted or offline .edb files (public and private) and repairs EDB files from corruption in a simplified manner via its Quick or Advance scan mode option, without using any commands. After recovery, users can use this utility to export the recovered EDB mailboxes to a live Exchange Server, Office 365, and multiple file formats.


How to Protect MS Exchange Server from Recent Attacks?

Microsoft provides a regular method and tooling for updating the software, but this extraordinary situation called for an advanced approach. In addition to the regular software updates, Microsoft has provided specific updates for older versions as well as for software that is out of support. The intention behind this is to get users' businesses protected quickly.

The first step is to make sure that all the relevant security updates are applied to each and every system. To do that, users have to identify the Exchange Server version they are running and apply the corresponding updates. This provides protection from unknown attacks and gives the user's company or organization time to update its servers to a version that has the full security update.

In the next step, users have to identify whether any system has been compromised and, if so, immediately remove it from the network. Microsoft has provided a series of steps and tools to help, including a script that lets users scan for signs of compromise and a new version of the Microsoft Safety Scanner to identify the suspected malware. All these tools are available now, and Microsoft encourages its users to deploy them.
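One way to carry out that second step (checking a server for signs of compromise) is to hunt the Exchange HttpProxy logs for the CVE-2021-26855 exploitation indicator Microsoft published, which is the same check the script mentioned above performs on the server. This is an added example, not code from the article or from Microsoft's own script; the log rows and the column subset are constructed, and the handling of the '#Fields:' header line is an assumption about the log layout.

```python
"""Hunt for the CVE-2021-26855 SSRF indicator in Exchange HttpProxy logs.
Added example, not code from the original article. The two patterns are the
hunting rule Microsoft published for this CVE; the column subset and the log
rows below are constructed for this example."""
import csv
import fnmatch
from typing import Dict, Iterable, List

# Glob patterns from Microsoft's published hunting guidance for CVE-2021-26855.
ANCHOR_PATTERN = "ServerInfo~*/*"   # checked against the AnchorMailbox field
COOKIE_PATTERN = "Server~*/*~*"     # checked against the BackEndCookie field

# Constructed sample; real logs carry many more columns than shown here.
SAMPLE_LOG = """#Software: constructed sample for this example
#Fields: DateTime,AuthenticatedUser,AnchorMailbox,UrlStem,ClientIpAddress,BackEndCookie,UserAgent
2021-03-02T10:15:01.000Z,,ServerInfo~exch01.corp.example/autodiscover/autodiscover.xml,/autodiscover/autodiscover.xml,198.51.100.23,,python-requests/2.25.1
2021-03-02T10:15:02.000Z,corp\\jdoe,SMTP:jdoe@corp.example,/owa/,10.0.0.15,exch01.corp.example~1941962752,Mozilla/5.0
2021-03-02T10:15:03.000Z,,,/owa/auth/logon.aspx,198.51.100.23,Server~exch01.corp.example/~1234,Mozilla/5.0
"""

def load_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse one HttpProxy log file. Assumption about the on-disk layout: Exchange
    writes '#'-prefixed metadata lines and may give the header as '#Fields: ...';
    both are handled here, so verify this against your own files."""
    lines = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            lines.append(line[len("#Fields:"):].strip())
        elif line and not line.startswith("#"):
            lines.append(line)
    return list(csv.DictReader(lines))

def hunt_ssrf(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the rows matching either indicator, tagged with the field that hit."""
    hits = []
    for row in rows:
        if fnmatch.fnmatchcase(row.get("AnchorMailbox") or "", ANCHOR_PATTERN):
            hits.append({**row, "Indicator": "AnchorMailbox"})
        elif fnmatch.fnmatchcase(row.get("BackEndCookie") or "", COOKIE_PATTERN):
            hits.append({**row, "Indicator": "BackEndCookie"})
    return hits

if __name__ == "__main__":
    # Any hit marks a server to isolate from the network and investigate.
    for hit in hunt_ssrf(load_httpproxy_log(SAMPLE_LOG)):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["Indicator"],
              hit["AnchorMailbox"] or hit["BackEndCookie"], "->", hit["UrlStem"])
```

Point `load_httpproxy_log` at each file under the Exchange V15 Logging\HttpProxy folder; the unauthenticated row with an external client address is what a real hit typically looks like.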

Bringing It All Together

Users now know about the Exchange Servers attacked by the Hafnium zero-days, how the attack works, its technical details, and how to protect an on-premises Exchange Server from the recent attacks. In addition, for users whose Exchange database file is severely corrupted, we have described an advanced solution that helps recover and repair the .edb file from corruption in a simplified manner without any hassle.


By Andrew Jackson

I am a SQL DBA and SQL Server blogger too. I like to share about SQL Server and the problems related to it as well as their solutions, and I also handle database-related user queries, server or database maintenance, database management, etc. I love to share my knowledge with SQL geeks.