Executive Summary
CVE-2021-27065 is a critical vulnerability affecting Microsoft Exchange Servers, allowing for remote code execution (RCE). This vulnerability is part of the ProxyLogon series and is a post-authentication arbitrary file write issue. The Advanced Persistent Threat (APT) group HAFNIUM, operating out of China, has been actively exploiting this vulnerability, targeting sectors such as infectious disease research, law firms, higher education, defense contractors, policy think tanks, and NGOs in the United States. Immediate action is required to patch affected systems and implement robust monitoring and incident response strategies to mitigate the risk of exploitation.
Technical Information
CVE-2021-27065 is a high-severity vulnerability with a CVSS v3.1 base score of 7.8. It affects Microsoft Exchange Server versions 2013, 2016, and 2019. The vulnerability allows an authenticated attacker to write a file to any path on the server, leading to remote code execution. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal').
The vulnerability is part of a series of flaws collectively known as ProxyLogon. An attacker who can authenticate with the Exchange server can exploit this flaw to write a file to any path on the server. This can be leveraged to execute arbitrary code with SYSTEM privileges, leading to a complete compromise of the affected server.
The attack vector for CVE-2021-27065 is local, with a low attack complexity and no required privileges. The vulnerability impacts the confidentiality, integrity, and availability of the affected systems, making it a critical issue that needs immediate attention.
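The advisory classifies the flaw as CWE-22. As an added illustration of that weakness class in general, not code from Microsoft Exchange or from this report's author, the Python below contrasts the defective pattern (joining a server-side directory with a caller-supplied file name) against a hardened version that canonicalises the path, confirms it stays inside the intended directory and restricts the extension. The export directory and file names are assumptions made up for the example.

```python
"""Generic illustration of the CWE-22 weakness class referenced in this advisory:
an 'export' routine that joins a server-side directory with a caller-supplied
file name. Added example; not code from Microsoft Exchange or from this report."""
import os


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the permitted directory."""


def unsafe_target(export_dir: str, requested_name: str) -> str:
    """The defective pattern: '..' segments or an absolute requested_name make
    the result escape export_dir, which is what 'write a file to any path'
    means in practice."""
    return os.path.join(export_dir, requested_name)


def safe_target(export_dir: str, requested_name: str,
                allowed_suffixes=(".xml",)) -> str:
    """Hardened pattern: canonicalise, confirm containment, restrict the suffix.

    The suffix check matters on a web server: even a write that stays inside
    the directory must not be able to create a file IIS would execute."""
    base = os.path.realpath(export_dir)
    candidate = os.path.realpath(os.path.join(base, requested_name))
    # commonpath() is a containment test that is not fooled by a prefix
    # collision such as /srv/export versus /srv/export2.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{requested_name!r} resolves outside {base}")
    if os.path.splitext(candidate)[1].lower() not in allowed_suffixes:
        raise PathTraversalError(f"{requested_name!r} has a disallowed extension")
    return candidate


def classify(export_dir: str, requested_name: str) -> str:
    """Return 'allowed' or 'blocked' for the hardened check, for reporting or tests."""
    try:
        safe_target(export_dir, requested_name)
        return "allowed"
    except PathTraversalError:
        return "blocked"


if __name__ == "__main__":
    # Hypothetical export directory; it does not need to exist for the checks to run.
    export_dir = "/srv/exchange/export"
    for name in ("report.xml", "../../var/www/page.aspx", "/var/www/page.aspx",
                 "page.aspx", ""):
        print(f"{name!r:28} unsafe -> {unsafe_target(export_dir, name)!s:36} "
              f"hardened -> {classify(export_dir, name)}")
```

The unsafe join is shown only to make the defect visible; note that `os.path.join` silently discards the base directory when the second argument is absolute, which is why the hardened version never trusts the joined string and always re-derives containment from the canonical path.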
Exploitation in the Wild
CVE-2021-27065 has been actively exploited in the wild, primarily by the APT group HAFNIUM. This state-sponsored group operates out of China and has been targeting entities in the United States across various sectors. The exploitation involves the use of web shells, which are malicious scripts uploaded to the compromised server, allowing the attacker to execute arbitrary commands and maintain persistence.
Indicators of Compromise (IOCs) include unusual file writes in Exchange server directories, suspicious authentication attempts from external IP addresses, and the presence of web shells or other malicious scripts on the server. Organizations should monitor for these IOCs to detect potential exploitation of this vulnerability.
APT Groups using this vulnerability
The APT group HAFNIUM has been identified as the primary actor exploiting CVE-2021-27065. HAFNIUM is a state-sponsored group operating out of China, known for targeting entities in the United States. Their targets include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. The group's tactics, techniques, and procedures (TTPs) include exploiting public-facing applications, command and scripting interpreter execution, boot or logon autostart execution, exploitation for privilege escalation, indicator removal on host, credential dumping, file and directory discovery, software deployment tools for lateral movement, email collection, and exfiltration over command and control (C2) channels.
Affected Product Versions
The following Microsoft Exchange Server versions are affected by CVE-2021-27065:
Microsoft Exchange Server 2013 (Cumulative Update 21, 22, 23, SP1)
Microsoft Exchange Server 2016 (Cumulative Update 10, 11, 12, 13, 18, 19)
Microsoft Exchange Server 2019 (Cumulative Update 7, 8)
Organizations using these versions should prioritize patching and implementing mitigation strategies to protect their systems from exploitation.
Workaround and Mitigation
To mitigate the risk of exploitation, organizations should take the following steps:
Apply Patches: Microsoft has released patches to address this vulnerability. It is crucial to apply these patches immediately to mitigate the risk of exploitation. The Microsoft Security Advisory for CVE-2021-27065 can be found at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065.
Network Segmentation: Isolate Exchange servers from the rest of the network to limit the potential impact of a compromised server.
Monitor and Detect: Implement monitoring solutions to detect unusual activities, such as unexpected file writes or changes in the Exchange server directories.
Incident Response: Prepare an incident response plan that includes steps to take if an Exchange server is compromised.
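The indicators listed earlier (unusual file writes in Exchange directories, web shells) and the "Monitor and Detect" step above both come down to noticing script files that appear or change in web-accessible directories. As an added example, not a Rescana or Microsoft tool, the Python below builds a SHA-256 baseline of script files under a known-clean web root and later reports any script file that is new or whose content changed. The directory layout and file names in `demo()` are constructed for the example; in use, `root` would be the real IIS web root of the Exchange server and the baseline would be taken immediately after patching from a host believed clean.

```python
"""Baseline-driven scan of web-exposed directories for new or modified script
files. Added example for this advisory; not Rescana's or Microsoft's tooling."""
import hashlib
import os
import tempfile

# File types IIS will execute if they appear in a web-accessible directory.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record relative path -> SHA-256 for every script file under a known-clean root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_of(full)
    return baseline


def scan_against_baseline(root: str, baseline: dict) -> list:
    """Return sorted (relative_path, reason) pairs for script files that are
    absent from the baseline or whose content differs from it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue  # non-script files are out of scope for this check
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            expected = baseline.get(rel)
            if expected is None:
                findings.append((rel, "script file not present in baseline"))
            elif sha256_of(full) != expected:
                findings.append((rel, "baseline script file content changed"))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: baseline a clean tree, then modify one script file
    and drop one unexpected .aspx; returns the scan findings."""
    root = tempfile.mkdtemp(prefix="web_root_")
    auth_dir = os.path.join(root, "owa", "auth")        # constructed names
    client_dir = os.path.join(root, "aspnet_client")    # constructed names
    os.makedirs(auth_dir)
    os.makedirs(client_dir)
    legit = os.path.join(auth_dir, "logon.aspx")
    with open(legit, "w") as f:
        f.write('<%@ Page Language="C#" %> legitimate page (constructed)\n')
    baseline = build_baseline(root)

    # Changes after the baseline that an investigator would want flagged.
    with open(legit, "a") as f:
        f.write("<!-- appended after baseline (constructed) -->\n")
    with open(os.path.join(client_dir, "unexpected.aspx"), "w") as f:
        f.write("<!-- file that was not in the baseline (constructed) -->\n")
    with open(os.path.join(client_dir, "notes.txt"), "w") as f:
        f.write("non-script file, should be ignored\n")
    return scan_against_baseline(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Hash comparison rather than timestamp comparison is deliberate: modification times can be reset, but a changed hash cannot be hidden without also changing the file back. The baseline should be stored off the server so a compromised host cannot rewrite it.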
References
NVD - CVE-2021-27065: https://nvd.nist.gov/vuln/detail/CVE-2021-27065
Microsoft Blog on HAFNIUM Targeting Exchange Servers: https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Rapid7 Analysis of CVE-2021-27065: https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-27065/
Tenable Blog on Microsoft Exchange Server Zero-Day Vulnerabilities: https://www.tenable.com/blog/cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-27065-four-microsoft-exchange-server-zero-day-vulnerabilities
FortiGuard Encyclopedia on CVE-2021-27065: https://www.fortiguard.com/encyclopedia/ips/49952
Recorded Future Vulnerability Database: https://www.recordedfuture.com/vulnerability-database/CVE-2021-27065
Packet Storm Security Exploit Details: http://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html
Rescana is here for you
At Rescana, we understand the critical importance of protecting your organization from cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform helps you identify, assess, and mitigate vulnerabilities in your systems. We are committed to providing you with the tools and expertise needed to stay ahead of emerging threats. If you have any questions about this report or any other issue, please contact us at ops@rescana.com.