Early in March, Microsoft released a set of Exchange Server Security Updates for various versions of Exchange servers. These updates were in response to published Microsoft Common Vulnerabilities and Exposure (CVE), the first of which allows threat groups to authenticate to the Exchange server. Once authenticated, the rest of the vulnerabilities allowed the threat actor to gain complete control and remotely execute commands on the exploited Microsoft Exchange servers anywhere in the world.
Microsoft’s blog1 entitled, “HAFNIUM targeting Exchange Servers with 0-day Exploits” notes that Microsoft had detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server. The threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.
Many thousands of organizations within the United States have already been breached by the HAFNIUM threat actor group. HAFNIUM is alleged to work from within China and seems to focus on stealing information on infectious disease research, defense contractors, policy think tanks, and more. It may be the case that the HAFNIUM threat actors and others control many thousands, if not “hundreds of thousands” of Microsoft Exchange Servers worldwide.2 The press has reported different estimates as to the current number of victims. This past Friday, the Wall Street Journal cited a source3 that said the number of victims of the attack could be 250,000 or more.
A RAPIDLY ESCALATING THREAT
Beyond the danger presented by the HAFNIUM threat actor group, it is also believed that at least four other threat actor groups4 are also exploiting the Exchange server vulnerabilities. While HAFNIUM has been using the flaws in the Exchange server to steal email from organizations which they targeted, now that the vulnerabilities are public and well understood, many other threat actor organizations are moving rapidly to exploit them.
In further rapid response, the Cybersecurity & Infrastructure Security Agency (CISA) issued Alert AA21-062A5 on “Mitigate Microsoft Exchange Server Vulnerabilities.” CISA noted within the alert that “the successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network.”
REVIEW OF THE MICROSOFT CVEs
Per Microsoft, these vulnerabilities are part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. The specific CVE’s to note follow below:
DNS Specific CVEs
In addition to the above CVEs, Microsoft released a set of seven DNS vulnerabilities on March 9th. Five of them were RCE vulnerabilities and two were DoS vulnerabilities. The RCE vulnerabilities had critical CVSS scores of 9.8, allowing a bad actor to compromise a Primary Authoritative DNS server with no authentication or user interaction, and execute code on the target.
RCE:
DoS:
All seven DNS vulnerabilities are within the Dynamic Update DNS transaction feature of Windows DNS software.
Best Practices for Mitigation
Immediate mitigation for these vulnerabilities is obviously patching. In addition to patching, following security best practices such as password rotation, account audits and staying on top of emergency advisories is always a best practice.
While these could be effective, a more proactive approach involves:
- Leveraging dedicated DNS/DHCP/IPAM servers that don’t run other services
- Using threat intelligence on DNS servers to act as a first line of defense for attacks
- Using resilient DNS servers that have in-built protection against DNS Denial of Service attacks.
Role of DNS Specific Threat Intelligence in Protection
DNS is often a common denominator used to set-up and execute attack chains across the majority of cyberattacks. DNS is often used when an infected system communicates surreptitiously with the threat actors through command and control (C&C) servers.
Threat intelligence can provide tremendously useful data that can help your DNS servers detect and block command and control (C&C) communications to known malicious or high-risk destinations. This may include malicious hostnames, domains, IP addresses and more. DNS security also can use advanced techniques such as behavioral analytics and machine learning on real-time DNS queries, to rapidly detect and stop zero-day DNS tunneling, DGA, data exfiltration, Fast Flux, lookalike domains, and much more.
In terms of visibility, DDI data provides valuable information about device activity, type of device, location in the network, who it is assigned to, lease history, and more. This information visibility helps gain detailed insight into ongoing attacks so they can be rapidly shut down.
Taking this a step further, the integration of IPAM data with SIEM and SOAR infrastructure can provide reductions in time for the detection of threats and the automation of incident response. This reduction in time to detect and then remediate can be the essential difference between a disastrous breach and a security event which is resolved on a routine basis.
BloxOne Threat Defense and Advanced DNS Protection for Improving Security Posture
At Infoblox, we realized that just serving up DNS is not enough. This critical infrastructure that everyone already relies on for connectivity should be used to improve an organization’s security posture. BloxOne Threat Defense uses the power of behavior analytics combined with high quality threat intelligence to detect and block phishing, exploits, ransomware, and other malware, and also protect the modern workforce, including remote workers, from accessing objectionable or dangerous content.
In addition, our DNS servers have Advanced DNS Protection installed that provide in-built protection against the widest range of DNS DDoS attack vectors based on regularly updated ruleset.
Learn more about DNS security here:
Learn more about preventing DNS-based data exfiltration – check out this solution note:
Other Resources on HAFNIUM
Other useful resources to better understand the vulnerabilities and the HAFNIUM threat actor activities include:
- Microsoft Advisory: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
- Microsoft Security Blog – Hafnium targeting Exchange Servers: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- Microsoft’s blog on Exchange Server Vulnerabilities Mitigations: https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021
If you want to know more about our products and services, please reach out to us directly via https://info.infoblox.com/contact-form.
Endnotes
1https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
4https://www.technologyreview.com/2021/03/06/1020442/four-new-hacking-groups-microsoft-email-servers/
5https://us-cert.cisa.gov/ncas/alerts/aa21-062a
