Executive Summary

On Tuesday, 2 March, Microsoft released an out-of-band patch to address multiple remote code execution (RCE) vulnerabilities in Microsoft Exchange. Four of these vulnerabilities are connected to attacks by a nation-state threat group known as HAFNIUM, dating back to at least January 6, 2021. HAFNIUM chained together several of these vulnerabilities to exploit vulnerable Exchange Servers in their attacks to access full mailboxes of interest.

The four vulnerabilities exploited in these attacks (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) affect on-prem deployments of Microsoft Exchange 2013, 2016, and 2019.

Arctic Wolf is actively updating detections against these vulnerabilities, which include IOCs and TTPs shared by Microsoft, and will continually monitor customer environments for indicators of attack.

 Impact

CVE-2021-26855

• A server-side request forgery (SSRF) vulnerability in Exchange allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857

• An insecure deserialisation vulnerability in the Unified Messaging service.
• Exploiting this vulnerability can allow an attacker to run code as SYSTEM on the Exchange server.
• This vulnerability requires administrator privileges or another vulnerability to exploit. Microsoft has observed HAFNIUM chain CVE-2021-26855 linked with this one to authenticate with elevated privileges.

CVE-2021-26858 & CVE-2021-27065

• These two are post-authentication arbitrary file write vulnerabilities in Exchange.
• If an attacker can authenticate with the Exchange server, then they can use one of these vulnerabilities to write a file to any path on the server. Microsoft observed HAFNIUM chain CVE-2021-26855 linked with this one to authenticate with elevated privileges.

Who is the HAFNIUM threat group?

• Microsoft has assessed HAFNIUM as a state-sponsored threat group operating out of China based on observed victimology, tactics, and procedures.