Staying Dedicated to Vulnerability Management – On-Premise and Cloud
The recent Microsoft Exchange Server breach that has affected over 30K U.S. organizations underscores a constant IT security challenge – updating legacy software systems. We summarize the four major vulnerabilities that were leveraged to compromise Microsoft Exchange Server, highlighting the need to stay diligent with vulnerability management, even with cloud migrations and SaaS like Office 365.
How did the Microsoft Exchange Server breach happen?
Beginning in early January 2021, security researchers and independent labs detected several critical vulnerabilities in Microsoft’s Exchange Server software. These vulnerabilities allowed hackers, believed to be the China-affiliated group HAFNIUM, to gain access to Exchange servers using server-side request forgery, insecure deserialization, and arbitrary file writes.
This access enabled the hackers to create accounts, redirect data and emails, and move laterally within the server environment. Critically, the timing of these events shows how the breach went from bad to worse: the research labs DEVCORE and Volexity identified the vulnerabilities and alerted Microsoft in early January 2021.
Once these organizations had reported their findings and Microsoft was preparing a patch, HAFNIUM escalated its attack tempo to find as many servers vulnerable to its tools as possible. Ultimately, several reports identified about 30,000 U.S. organizations that suffered a compromise.
Why was the Microsoft Exchange Server breach successful?
HAFNIUM’s success underscores a constant challenge: updating legacy systems. Microsoft has acknowledged that the vulnerabilities it identified relate to its on-premises Exchange Server software and not its cloud-based Exchange services. While there are many reasons to consider using on-premises services, this breach highlights the security risks of failing to keep them updated and maintained.
What were the vulnerabilities that were leveraged to breach Microsoft Exchange Server?
Microsoft’s on-premises Exchange Server was compromised through several sophisticated vulnerabilities that allowed the removal of critical data, movement within the system, and execution of code and commands.
While much is known about the methodologies used, and Microsoft has provided indicators of compromise and other recovery tools, some specifics that would help mitigate possible damage have not been disclosed.
However, we do know that HAFNIUM hackers used the following techniques to compromise Exchange Server:
Breach Technique Overview
- They used a server-side request forgery to send requests beyond the intended permissions, including forging authentication, to gain access to Exchange Servers.
- They transferred files out via insecure deserialization. Simply put, serialization is the process of converting objects into a form that can be stored or transmitted and rebuilt later. Insecure deserialization occurs when a server rebuilds objects from input it does not trust, which in this case let the attackers run any code they desired.
- Finally, the hackers exfiltrated data and emails using arbitrary file writes, a vulnerability class in which attackers can write files anywhere on the server regardless of the permissions or access they were granted.
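The first technique above comes down to one design failure: the caller, not the server, ends up choosing where a back-end request goes. The following is an added example, not code from the original post or from Microsoft, showing how a front end that forwards requests to internal back ends can refuse caller-chosen destinations. The host names, the pinned addresses in ALLOWED_BACKENDS and the offline_resolver stand-in for DNS are all constructed assumptions for the demonstration.

```python
"""Added example (not from the page or from Microsoft): an allowlist-and-pin
guard for a front end that forwards requests to internal back ends.

Every host name and address below is a constructed assumption.
"""
import socket
from urllib.parse import urlsplit, urlunsplit

# Hypothetical map of permitted back-end hosts to the addresses each is
# expected to resolve to; pinning catches DNS answers that swing to loopback.
ALLOWED_BACKENDS = {
    "mail-backend.corp.example": {"10.0.5.20"},
    "directory.corp.example": {"10.0.5.30"},
}
ALLOWED_SCHEMES = {"https"}


class ForwardingDenied(ValueError):
    """Raised when a forwarding target fails validation."""


def validate_backend_url(url: str, resolver=socket.gethostbyname) -> str:
    """Return a normalised URL if it may be forwarded, else raise ForwardingDenied.

    Checks, in order: scheme, absence of userinfo (so "allowed@evil" cannot
    masquerade as an allowed host), allowlist membership of the host name,
    port, and that the resolved address is one of the pinned addresses.
    `resolver` is injectable so the check can be exercised offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ForwardingDenied(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ForwardingDenied("userinfo in URL is not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_BACKENDS:
        raise ForwardingDenied(f"host not in allowlist: {host!r}")
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise ForwardingDenied(f"malformed port in {url!r}") from exc
    if port not in (None, 443):
        raise ForwardingDenied(f"port not allowed: {port}")
    resolved = resolver(host)
    if resolved not in ALLOWED_BACKENDS[host]:
        raise ForwardingDenied(f"{host} resolved to unexpected address {resolved}")
    # Rebuild the URL from validated components only; drop any fragment.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def is_forwardable(url: str, resolver=socket.gethostbyname) -> bool:
    """True if validate_backend_url accepts the URL, False otherwise."""
    try:
        validate_backend_url(url, resolver)
        return True
    except ForwardingDenied:
        return False


def offline_resolver(host: str) -> str:
    """Constructed stand-in for DNS: the mail back end resolves to its pinned
    address, while every other name (including the directory host) has been
    rebound to loopback."""
    return {"mail-backend.corp.example": "10.0.5.20"}.get(host, "127.0.0.1")


if __name__ == "__main__":
    for candidate in (
        "https://mail-backend.corp.example/inbox/?folder=sent",
        "http://mail-backend.corp.example/",
        "https://mail-backend.corp.example@evil.example/",
        "https://127.0.0.1/",
        "https://directory.corp.example/",
    ):
        print(f"{candidate:55} -> {is_forwardable(candidate, offline_resolver)}")
```

The check deliberately rebuilds the outgoing URL from the validated pieces rather than passing the caller's string through, and the resolver is compared against pinned addresses so that an allowlisted name whose DNS answer changes to loopback is refused rather than forwarded.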
Here are the technical notes on the four vulnerabilities that were leveraged:
- 1) CVE-2021-26855: This vulnerability is a server-side request forgery that allows an attacker to send requests to the server and bypass authentication. An attacker only needs to know details about the Exchange server itself and the email addresses it hosts.
- 2) CVE-2021-26857: This vulnerability is an insecure deserialization flaw in Exchange’s Unified Messaging service. Serialization is when code objects are persisted to disk for later use or transmission elsewhere. In this instance, HAFNIUM had shells and scripts – exploitation tools – prepared. Once inside an Exchange server with forged authentication, they would run deserialization commands to import and run their tools.
- 3 and 4) CVE-2021-26858 / CVE-2021-27065: Both vulnerabilities allow arbitrary file writes after successful authentication to an Exchange server. They allowed HAFNIUM to write files to a path of their choosing on the server, either duplicating valuable information or using a backdoor to extract it.
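Item 2 turns on what a native object serializer does while loading: the stream names the objects to rebuild, and any callable it names can be invoked as part of reconstruction. The following is an added example, not code from the original post or from Microsoft; it uses Python's pickle as a stand-in for the .NET serializer involved in Exchange, which the post does not show. The vulnerable loader sits beside an allowlisting unpickler and a data-only JSON alternative. MailboxPrefs, SAFE_GLOBALS and builtin_reference_stream are constructed for the demonstration.

```python
"""Added example (not from the page or from Microsoft): the insecure
deserialisation pattern and one mitigation, using Python's pickle as a
stand-in for any native object serialiser.  MailboxPrefs is a constructed
application class for the demonstration.
"""
import io
import json
import pickle


class MailboxPrefs:
    """A benign application object the server legitimately persists."""

    def __init__(self, owner: str, timezone: str):
        self.owner = owner
        self.timezone = timezone

    def __eq__(self, other):
        return isinstance(other, MailboxPrefs) and vars(self) == vars(other)


# The only (module, name) pairs a pickle stream may ask us to reconstruct.
SAFE_GLOBALS = {(__name__, "MailboxPrefs")}


def serialize_prefs(prefs: MailboxPrefs) -> bytes:
    """Legitimate producer side: persist a preferences object."""
    return pickle.dumps(prefs)


def unsafe_loads(data: bytes):
    """The vulnerable pattern: whatever the stream names gets resolved and,
    for callables, invoked while loading.  Never use this on untrusted bytes."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve globals outside SAFE_GLOBALS.

    find_class is the hook through which a stream asks for any importable
    object; blocking it here stops a hostile stream before it can run code.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialise with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def builtin_reference_stream() -> bytes:
    """Constructed stream that merely *names* a built-in callable.  Loading it
    with pickle.loads hands back the callable; a hostile stream would go on to
    invoke something far less harmless.  Used only to show what the allowlist
    blocks."""
    return pickle.dumps(len)


# Preferred alternative: a data-only format with explicit field validation,
# so there is no code-resolution step to abuse at all.
def prefs_to_json(prefs: MailboxPrefs) -> str:
    return json.dumps({"owner": prefs.owner, "timezone": prefs.timezone})


def prefs_from_json(text: str) -> MailboxPrefs:
    raw = json.loads(text)
    if not isinstance(raw, dict) or set(raw) != {"owner", "timezone"} \
            or not all(isinstance(v, str) for v in raw.values()):
        raise ValueError("unexpected preference document")
    return MailboxPrefs(raw["owner"], raw["timezone"])


if __name__ == "__main__":
    prefs = MailboxPrefs("alice", "UTC")
    print(restricted_loads(serialize_prefs(prefs)) == prefs)   # True
    print(unsafe_loads(builtin_reference_stream()))            # the len builtin
    print(is_rejected(builtin_reference_stream()))             # True
    print(prefs_from_json(prefs_to_json(prefs)) == prefs)      # True
```

The allowlist is the minimum fix when a native serializer cannot be removed; the JSON path at the end is the better design because a data-only format has no step at which the input can name code to run.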
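Items 3 and 4 describe the failure mode in which a file name taken from a request is allowed to land anywhere on the server. The following is an added example, not code from the original post or from Microsoft, of the confinement check a defender wants in front of any server-side write: resolve the requested name under the approved directory, verify it stayed there, and restrict the file type. The directory layout, ALLOWED_SUFFIXES policy and the names tried in run_demo are constructed for the demonstration.

```python
"""Added example (not from the page or from Microsoft): confining a
server-side file write to one approved directory and file type.

Directory and file names below are constructed.
"""
import tempfile
from pathlib import Path

# Hypothetical policy: only plain text/log files, directly inside the base dir.
ALLOWED_SUFFIXES = {".txt", ".log"}


class WriteDenied(PermissionError):
    """Raised when a requested write falls outside the policy."""


def confined_path(base_dir, requested_name: str) -> Path:
    """Resolve requested_name under base_dir and verify it stays there.

    resolve() collapses '..' and follows symlinks, so a link planted inside
    the directory that points elsewhere is caught as well.
    """
    base = Path(base_dir).resolve()
    if Path(requested_name).is_absolute():
        raise WriteDenied(f"absolute path rejected: {requested_name!r}")
    try:
        target = (base / requested_name).resolve()
    except (OSError, ValueError) as exc:  # e.g. an embedded NUL byte
        raise WriteDenied(f"unresolvable name: {requested_name!r}") from exc
    if target.parent != base:
        raise WriteDenied(f"escapes base directory: {requested_name!r}")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise WriteDenied(f"file type not allowed: {target.suffix!r}")
    return target


def write_confined(base_dir, requested_name: str, data: bytes) -> Path:
    """Write data only where confined_path permits; return the final path."""
    target = confined_path(base_dir, requested_name)
    target.write_bytes(data)
    return target


def run_demo() -> dict:
    """Exercise the guard against constructed names in a temporary directory
    and report, per name, whether the write was performed or denied."""
    attempts = [
        "report.txt",        # plain file in the base dir: allowed
        "notes.LOG",         # suffix check is case-insensitive: allowed
        "../escape.txt",     # traversal out of the base dir
        "nested/deep.txt",   # subdirectory, outside the flat policy
        "page.aspx",         # server-executable content type
        "/etc/hosts",        # absolute path
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "uploads"
        base.mkdir()
        try:  # a symlink inside the directory pointing outside it
            (base / "link.txt").symlink_to(Path(tmp) / "outside.txt")
            attempts.append("link.txt")
        except OSError:
            pass  # symlink creation not permitted for this platform or user
        for name in attempts:
            try:
                write_confined(base, name, b"constructed content\n")
                results[name] = "written"
            except WriteDenied:
                results[name] = "denied"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:18} {outcome}")
```

Comparing resolved paths, rather than looking for ".." in the string, is what makes the symlink and traversal cases fall out of the same check; the suffix allowlist is a separate control because a write confined to the right directory is still dangerous if the web server will execute what was written.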
Cybersecurity Lessons Learned & Takeaways to Prevent a Breach
This breach illustrates the number of organizations still using legacy systems and the security benefits of migrating to a cloud service with a cybersecurity advisor’s support. It also highlights the dedication needed to keep on-premise systems secure. Patching, updating, and managing vulnerabilities and functionality for physical equipment is a significant undertaking.
The decision between moving services to the cloud or keeping them on-premises is complex, and every organization will face different requirements for data protection and availability. However, on-premise equipment has the added challenge of requiring updates and patch management.
Moreover, updates and maintenance are not only for security but for the basic functionality of a server running Exchange. With on-premises equipment, it’s the organization’s responsibility to manage and prioritize what updates are issued, how, and when based on bandwidth, necessity, and regulatory requirements.
Cloud Migration Imperative Plus Keeping On-Prem Legacy Updated
Regardless of your organization’s cloud adoption progress or strategy, every deployed technology requires maintenance and dedicated upkeep to monitor cybersecurity vulnerabilities and performance. As vulnerability management becomes more complicated, cloud services provide a lean, cost-effective means for keeping your environment safe and updated in real-time.
CyLumena works with organizations to assess and recommend a cloud strategy, assist with migration, and put robust cybersecurity controls and monitoring in place.