The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive warning all government civilian departments and agencies running an on-premise Microsoft Exchange installation to update or disconnect the product as the impact of four newly disclosed vulnerabilities – CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 – spreads.
The CISA has also called on US agencies to collect forensic images and search for known indicators of compromise (IOCs) in response to active exploitation of the vulnerabilities, which have prompted an out-of-sequence patch from Microsoft.
“This emergency directive will help us secure federal networks against the immediate threat while CISA works with its interagency partners to better understand the malicious actor’s techniques and motivations to share with our stakeholders,” said acting CISA director Brandon Wales.
“The swiftness with which CISA issued this emergency directive reflects the seriousness of this vulnerability and the importance of all organisations – in government and the private sector – to take steps to remediate it.”
Nominet government security expert Steve Forbes commented: “CISA’s directive … for agencies to report back on their level of exposure, apply security fixes, or disconnect the program, is the latest in a series of increasingly regular emergency directives the agency has issued since it was established two years ago.
“Vulnerabilities like these demonstrate the necessity for these coordinated national protective measures to efficiently and effectively mitigate the effects of attacks that could have major national security implications,” he said.
Caution on the part of public sector organisations – the UK’s National Cyber Security Centre has also issued an alert – appears well-advised, as security researchers and observers from around the world weigh in on the vulnerabilities, saying they may be being much more widely exploited than Microsoft’s disclosure would imply.
Brandon Wales, CISA
While Redmond described the attacks as targeted and limited – and likely originating from a Chinese state-backed actor known as Hafnium in its classification matrix – John Hammond of Huntress Security said his own scans had identified over 200 of his firm’s partners’ servers that had received web shell payloads as per Microsoft’s disclosure.
“These companies do not perfectly align with Microsoft’s guidance as some personas are small hotels, an ice-cream company, a kitchen appliance manufacture, multiple senior citizen communities and other mid-market businesses,” said Hammond.
“We’ve also witnessed many city and county government victims, healthcare providers, banks [and] financial institutions, and several residential electricity providers.”
Hammond said that among the vulnerable servers his scans had found over 350 web shells (some clients may have more than one) which potentially indicates automated deployment or multiple uncoordinated actors. He added that the endpoints observed did have antivirus or endpoint detection and response on board, but that the threat actors appeared to be slipping past most defensive products, making patching even more crucial.
“With insight from the community, we’ve seen honeypots attacked, making it clear that threat actors are just scanning the internet looking for low-hanging fruit,” he said.
“These attacks are grave due to the fact that every organisation [relies on] email and Microsoft Exchange is so widely used. These servers are typically publicly accessible on the open internet and they can be exploited remotely. These vulnerabilities can be leveraged to gain remote code execution and fully compromise the target. From there, the attackers have a foothold in the network and can expand their access and do much more damage.”
Red Canary intelligence director Katie Nickels said she, too, was observing activity related to the exploitation of the disclosed vulnerabilities, but there was some good news in that, in this case, post-exploitation activity is highly detectable.
“We will never be able to stop zero-days, but organisations that practice defence-in-depth and maintain behavioural analytics to alert on common attacks should feel confident about their ability to detect this activity,” she said.
“Some of the activity we observed uses the China Chopper web shell, which has been around for more than eight years, giving defenders ample time to develop detection logic for it. [And] while we can never fully prevent all exploitation, defenders can work to decrease the time it takes to identify post-exploitation activity. By catching it as quickly as possible, they can stop adversaries from gaining an additional foothold in their environment and causing significant damage,” she said.