Email is still an important productivity tool for most organizations and isn’t going anywhere in the near future, even with Microsoft Teams becoming more widely adopted. It means that messaging systems are still a high-value asset for businesses and a high-value target for attackers.

In January 2021, Volexity detected a Server-Side Request Forgery (SSRF) vulnerability on Exchange Server 2016. This vulnerability exploits three more zero-day vulnerabilities and allows a threat actor to get control of an attacked network. On March 2, 2021, Microsoft published a blog post about a state-sponsored threat actor called Hafnium, which has exploited these four zero-day vulnerabilities in Microsoft Exchange on-premises code and launching targeted attacks.

All our clients running Exchange Server 2013, 2016 and 2019 on-premises are vulnerable to these exploits. Conversely, organizations which have fully migrated their mailbox workloads to Office 365 are not affected by this vulnerability.

Attacker behaviour: The kill-chain
Once an attacker exploits the above-mentioned vulnerabilities, they launch attack kill-chain by performing the following steps:

• Install webshells on affected servers
• Move laterally to other systems in the network
• Dump credentials information from LSASS process memory using Procdump
• Download Offline Address Book
• Adding and using Exchange PowerShell snap-ins to export mailbox data
• Add user accounts to Active Directory
• Steal copies of Active Directory database
• Compress stolen mailbox and Active Directory data using 7-Zip for further exfiltration

Act urgently
Microsoft rates these vulnerabilities as critical. To address them Microsoft Exchange On-Premises Mitigation Tool (EOMT) and security updates have been released. EOMT and security updates do not replace each other but should be used together to remediate and protect messaging environments.

We strongly recommend our clients that run Exchange 2013, 2016 and 2019 to start server protection by downloading and executing EOMT soon. This tool automatically mitigates the remote code vulnerability (CVE-2021-26855) on Exchange servers. After this it scans servers against malware using Microsoft Safety Scanner. And, finally, if EOMT finds any changes made by the known threats it will reverse them.

Once the mitigation tool has been executed our clients should immediately install security updates to protect their messaging environments from these zero-day vulnerabilities. This order of remediation execution ensures both eviction of threat actors from the messaging servers and remediation of zero-day vulnerabilities.

Act strategically
The best approach for protection messaging assets is to migrate mailboxes to Microsoft Office 365. We understand that some organizations will maintain some or all their messaging workloads on-premises.

To our clients who maintain Exchange servers on-premises, we recommend protecting their messaging infrastructure by Microsoft Defender for Endpoint. Below are the features of Defender for Endpoint that will help organizations to protect their messaging systems from the above-mentioned and similar attacks:

• Behavior-based blocking and containment engines powered by cloud-based machine learning which helps to distinguish between legitimate and suspicious activities on Exchange servers.
• AI-powered protection and automatic sample submission help to quickly identity and stop new and unknown attacks.
• Tamper protection prevents malicious changes to security settings, like disabling or modifying antimalware scanning, disable automatic updates.
• Attack surface reduction rules to automatically block behaviours like credential theft and suspicious use of PsExec and WMI.
• Investigating the end-to-end attack chain allows to identify vulnerability or misconfiguration.
• Behavior-based Exchange-specific alerts include “Suspicious w3wp.exe activity in Exchange,” which indicates that attackers are running arbitrary commands via the IIS processes in an Exchange server.
• Integration with Azure Sentinel to enable web shell threat hunting.
• Visibility into malicious behaviors associated with Exchange server compromise provided by Endpoint detection and response (EDR) sensors.
• Comprehensive visibility into advanced attacks. This is achieved by integration with Defender for Office 365, Defender for Identity, Microsoft Cloud App Security, and Microsoft Defender for Endpoint.
• Automatic mitigation of remote code vulnerability (CVE-2021-26855) on Exchange servers running Microsoft Defender Antivirus with definition updates released on March, 18, 2021 (build 1.333.747.0 or newer)

Microsoft Defender for Endpoint is available to clients that have purchased one of these licenses: Windows 10 Enterprise E5, Microsoft 365 E5 Security, Microsoft 365 E5.

In addition to deploying Microsoft Defender for Endpoint we recommend our clients follow the below security-related best practices for their Exchange servers:

1. Keeping server operating systems and Exchange Server and antivirus software up-to-date by applying the latest security patches.
2. Placing Exchange servers behind the firewalls.
3. Following least-privilege principle when granting access to Exchange servers. Avoid using domain-wide service account with administrative permissions assigned.
4. Protect administrative accounts by using strong passwords and deploying MFA. Deploy Local Administrator Password Solution (LAPS) to enforce randomized, just-in-time local administrator passwords.
5. Prioritize alerts related ‘MSExchangeOWAAppPool’ or ‘MSExchangeECPAppPool’ application pools and w3wp.exe process.

For the best security setup, get the best Microsoft partner
At Avanade, we’re uniquely positioned to provide advice, implement and manage Microsoft security solutions. We help clients worldwide to enhance their security posture in the most complex and compliance-intensive sectors. If you need any help or to find out more visit avanade.com/security.