
Microsoft Shares IOC Scan Tool, as Attacks on Exchange Servers Expand

ASPR urges healthcare entities to patch critical flaws in some Exchange servers as attacks and exploits increase. Microsoft issues an IOC scanning tool to support mitigation efforts.

The Assistant Secretary for Preparedness and Response (ASPR) is urging healthcare entities to patch the four critical vulnerabilities found in certain Microsoft Exchange Servers, which are under active exploitation. Microsoft has also released a tool that scans log files for indicators of compromise (IOCs).

Early last week, Microsoft issued an out-of-band software update for the set of zero-day vulnerabilities found in Exchange Server 2013, 2016, and 2019, three of which are remote code execution (RCE) flaws.

At the time, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency warned that a successful exploit of any one of the three RCE flaws would enable an attacker to take control of the victim’s network, while an exploit of the fourth vulnerability would hand the hacker access to sensitive information.

Since the flaws were disclosed, attacks against vulnerable servers have increased drastically. A report from KrebsOnSecurity indicated that 30,000 US organizations had already been compromised through the unpatched flaws.

The flaws include a server-side request forgery (SSRF) vulnerability, CVE-2021-26855, which allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. Another, CVE-2021-26857, is an insecure deserialization vulnerability in the Unified Messaging service: the service deserializes untrusted, user-controllable data.

The impacted Exchange servers also carry two post-authentication arbitrary file write flaws, CVE-2021-26858 and CVE-2021-27065, which allow an authenticated attacker to write a file to any path on the server.

Chained together, the flaws can be exploited remotely without prior authentication: the SSRF supplies the authentication that the file-write flaws require. An attacker can then extract email, write web shells (ASPX files) to disk, and carry out further activity such as credential dumping, adding user accounts, and stealing copies of the Active Directory database.

In observed successful exploits, attackers used the vulnerabilities as a foothold and then moved laterally to other connected systems and environments on the victims' networks.

The attacks on vulnerable Exchange servers have been attributed to a China-based state-sponsored group that Microsoft tracks as HAFNIUM. At the time of disclosure the exploitation was limited to targeted campaigns, but Microsoft warned that it would likely increase in the near future.

Over the weekend, CISA warned of widespread domestic and international exploitation of the vulnerabilities and issued an emergency directive requiring all federal agencies to apply the patches or mitigate the flaws.

“We cannot stress enough the seriousness of this vulnerability; it is widespread and is indiscriminate,” ASPR officials warned. “Exploitation of this vulnerability before patch installation permits an adversary to gain persistent access to and control of entire enterprise networks which is likely to persist even after patching.”

“Please immediately speak with your IT officials to determine what steps your organization has taken, and if your organization does not have the technical capability to verify network integrity please consider bringing in a third party to assist you as soon as possible,” they added.

Entities can leverage the Microsoft IOC tool to determine whether the enterprise network has been compromised through an Exchange flaw exploit.

The script automates all four of the manual log checks Microsoft published for the HAFNIUM indicators of compromise (one per CVE) and adds performance improvements and a progress bar.

Administrators can run the tool against all Exchange servers in the environment and save the output for review.

The scanner only recognizes exploitation patterns that have already been observed in the wild; it does not fix the SSRF itself, so a clean result is not proof that a server is safe.

The tech giant also released alternative mitigations for those unable to immediately apply the software update. However, these mitigations do not remediate an Exchange server that has already been compromised, nor do they provide full protection against attack.

As such, entities should run the IOC tool to determine whether the environment has already been compromised; neither the patch nor the alternative mitigations will evict an attacker who is already present. Microsoft recommended launching that investigation in parallel with any mitigation strategy.

The recommended alternatives to patching are implementing an IIS Re-Write rule that filters requests carrying the malformed or malicious cookies observed in the SSRF attacks, and disabling the Unified Messaging service, the Exchange Control Panel (ECP) virtual directory, and the Offline Address Book (OAB) virtual directory.

Microsoft warned that these mitigations can affect some functionality. And while they may effectively defend against previously observed attacks, they may not be effective against all possible exploitation scenarios.

The guidance details the steps administrators need to apply each mitigation. But these steps will not evict an attacker who has already compromised the server, and the mitigations should be treated only as a temporary measure until the full patch can be applied.
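An added example of applying and then verifying the three service-level mitigations from that list, written for this page rather than taken from Microsoft's guidance. It assumes the Unified Messaging service is named MSExchangeUM and that the ECP and OAB virtual directories are served by the IIS application pools MSExchangeECPAppPool and MSExchangeOABAppPool (the standard names, but confirm them on your own servers); stopping those pools is one way to take the directories offline, and the IIS rewrite rule is left to Microsoft's own mitigation script. It needs an elevated PowerShell session on the Exchange server with the WebAdministration module available.

```powershell
# Added example (not Microsoft's mitigation script). Assumed names: Windows service
# MSExchangeUM; IIS application pools MSExchangeECPAppPool and MSExchangeOABAppPool.
# Run in an elevated PowerShell on the Exchange server itself.
Import-Module WebAdministration

$umService = 'MSExchangeUM'
$vdirPools = @('MSExchangeECPAppPool', 'MSExchangeOABAppPool')

function Invoke-ExchangeInterimMitigations {
    # 1. Unified Messaging: stop the service and keep it from starting at boot.
    Stop-Service -Name $umService -Force -ErrorAction Stop
    Set-Service  -Name $umService -StartupType Disabled

    # 2./3. ECP and OAB virtual directories: stopping their application pools takes
    # /ecp and /OAB offline on this server until the pools are started again.
    foreach ($pool in $vdirPools) {
        if ((Get-WebAppPoolState -Name $pool).Value -ne 'Stopped') {
            Stop-WebAppPool -Name $pool
        }
    }
}

function Test-ExchangeInterimMitigations {
    # Prints the state of each mitigation and returns $true only if all are in place.
    $ok  = $true
    $svc = Get-Service -Name $umService
    Write-Host ("{0,-22} {1,-8} start={2}" -f $umService, $svc.Status, $svc.StartType)
    if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') { $ok = $false }
    foreach ($pool in $vdirPools) {
        $state = (Get-WebAppPoolState -Name $pool).Value
        Write-Host ("{0,-22} {1}" -f $pool, $state)
        if ($state -ne 'Stopped') { $ok = $false }
    }
    return $ok
}

Invoke-ExchangeInterimMitigations
if (-not (Test-ExchangeInterimMitigations)) {
    Write-Warning 'One or more interim mitigations did not apply; review the states printed above.'
}
```

Keep the output of Test-ExchangeInterimMitigations with the incident record, and reverse the steps (Start-WebAppPool for each pool, then restore the UM service's original startup type and start it) only after the security update has been installed and the IOC scan and investigation have come back clean.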

The concern is that previous research shows entities are often slow to apply software updates, which is a particular challenge for healthcare entities. For example, failure to patch known flaws amplified the impact of the WannaCry and NotPetya global cyberattacks in 2017.

Most recently, a Rapid7 report found that months after the discovery of a previous round of Exchange Server flaws, the majority of entities had yet to apply the software update. As attackers continuously scan for weak endpoints and target the healthcare sector, all entities must heed these alerts or risk greater compromise.
