Number: AL21-003 UPDATE 4
Date: 2 March 2021
Updated: 14 April 2021
This Alert is intended for IT professionals and managers of notified organizations.
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
On 2 March 2021, Microsoft published several security updates for Microsoft Exchange Server to address vulnerabilities that have reportedly been used in limited targeted compromises. Security researcher Volexity has reported that the activity appears to have started as early as January 6, 2021.
The Cyber Centre is providing additional information within the DETAILS section of this report on new vulnerabilities affecting Microsoft Exchange Server. On releasing the updates, Microsoft noted that no exploitation of the new vulnerabilities had been detected. However, there is now a renewed risk of exploitation similar to that observed earlier in March 2021 for any systems that have not received the April 2021 updates.
On 11 March 2021, Microsoft Security Intelligence issued a Tweet stating that a new family of ransomware, known as DearCry, is being leveraged by actors exploiting the recently disclosed Exchange vulnerabilities. In addition to DearCry, multiple proofs of concept that leverage the Exchange vulnerabilities to achieve remote code execution have been made publicly available. These vulnerabilities are being leveraged to gain a foothold within an organization’s network for malicious activity, which includes, but is not limited to, ransomware and the exfiltration of data.
The Cyber Centre has received reporting that continues to show unpatched systems internationally, including within Canada. Some of these systems within Canada have been further compromised with malware. All organizations are encouraged to refer to the updated Indicators of Compromise and Mitigation sections of this Alert for additional detection, mitigation and post-compromise guidance.
On 5 March 2021, the Microsoft Security Response Center published an update to their blog, which outlines alternative mitigation techniques to help organizations that require additional time to complete patching. Within the blog, Microsoft has reinforced that these mitigation techniques are only a temporary solution and not a replacement for patching. The Cyber Centre continues to strongly encourage organizations to follow the original guidance to block access to these services until completely patched with the required updates.
Microsoft has stated that, if patching Exchange Server 2013, 2016, and 2019 is not immediately possible, the interim mitigations are to implement an IIS re-write rule and disable the Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir services. Microsoft cautions that these mitigations have some known impact on functionality and would be effective against the malicious activity Microsoft has observed, but they do not guarantee complete mitigation for all possible methods of exploitation.
The Cyber Centre cautions that neither the interim mitigations nor the recommended patching solutions fully protect systems that have been previously compromised. As this activity was originally reported prior to official patches being available, organizations are encouraged to conduct a thorough analysis of any systems that may be affected by these vulnerabilities using resources provided by Microsoft.
The Cyber Centre has learned that malicious actors are actively scanning using automated tools to identify unpatched servers. The Cyber Centre strongly recommends that organizations with unpatched external-facing servers perform the following:
- Immediately disconnect the server from external interfaces
- Follow Microsoft guidance to determine compromise
- If no compromise has been identified, follow the patching recommendations below
Microsoft has stated the following versions and cumulative updates (CU) to Exchange must be installed prior to the security update.
- Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
- Exchange Server 2013 (update requires CU 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)
Note: All updates (CU and the security update) must be run as administrator and Microsoft has noted that multiple reboots may be required. Additional information on patching is available through Microsoft's tech community blog. 
Organizations are encouraged to confirm that no signs of malicious activity have been detected and that both the CU and security update are successful prior to returning the server to service.
Microsoft has published out-of-band Security Updates to address critical vulnerabilities in multiple Exchange products:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Volexity has also published a blog detailing observed activity of actors remotely exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). This method of exploitation does not require authentication and can be accomplished through remote access to a vulnerable external-facing Exchange server over HTTPS.
Microsoft has reported that the following vulnerabilities were used by actors to gain access to victim systems:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the actor to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave actors the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If actors could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If an actor could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
After exploiting these vulnerabilities to gain initial access, malicious actors deployed web shells on the compromised server. Web shells potentially allow actors to steal data and perform additional malicious actions that lead to further compromise.
(Updated 14 April) On 13 April 2021, Microsoft published Security Updates to address vulnerabilities in multiple products. Included were patches for critical vulnerabilities impacting Microsoft Exchange Server. Microsoft has indicated that the vulnerabilities addressed in the April 2021 security updates affecting Microsoft Exchange products are:
- Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-28480)
- Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-28481)
- Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-28482)
- Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-28483)
The above vulnerabilities are different from those disclosed in March 2021. Organizations that have recently patched in response to the earlier activity need to do so again with the April 2021 security updates. While Microsoft has reported that active exploitation of these vulnerabilities has not been observed, the Cyber Centre recommends organizations patch as soon as possible. Malicious actors will frequently devise methods of exploitation for recently disclosed vulnerabilities such as these, and it is important that systems be at the most recent versions to prevent future compromise.
INDICATORS OF COMPROMISE
Both Microsoft and Volexity have provided a technical analysis of the activity as well as indicators of compromise for defenders to determine impact.
- Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
- HAFNIUM targeting Exchange Servers with 0-day exploits
(Updated 15 March) On 8 March 2021, Microsoft released a feed of observed indicators of compromise, namely, malware hashes and known malicious file paths observed in campaigns leveraging these vulnerabilities.
(Updated 15 March) The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated their Alert (AA21-062A) on guidance for the Microsoft Exchange Server vulnerabilities. Furthermore, they have provided malware analysis reports and additional information on the tactics, techniques and procedures of malicious actors.
The Cyber Centre recommends that organizations continue to review updates and recommendations from these organizations on how best to defend their networks and host-based systems, and on potential options for responding to compromise.
The Cyber Centre recommends that organizations prioritize external facing Exchange servers and immediately apply necessary updates. All affected external servers should have remote access temporarily disabled until patches can be applied. All additional affected Exchange servers should be patched following the completion of higher priority external servers.
To limit the chance of an initial compromise, systems can be further hardened by restricting untrusted connections, either by isolating Exchange servers from external-facing connections or by using a Virtual Private Network (VPN). Microsoft reports that using these mitigations will only protect against the initial portion of the compromise; other portions of the chain can be triggered if an actor already has access or can convince an administrator to run a malicious file.
(Updated 15 March) Microsoft has released multiple scripts to aid in the efforts of determining system compromise:
- Test-ProxyLogon.ps1: checks Exchange log files for IOCs associated with leveraging the 4 vulnerabilities.
- Exchange On-premises Mitigation Tool (EOMT): Microsoft has reported this is the most effective way to help quickly protect and mitigate organizations’ Exchange servers prior to patching.
- http-vuln-cve2021-26855.nse: Nmap script used to determine if the specified URL is vulnerable to CVE-2021-26855.
(Updated 15 March) While Microsoft has stated that there has been no observed impact to Exchange server functionality from using these tools, administrators are encouraged to review all advice and guidance prior to running any of the referenced tools.
(Updated 15 March) The Cyber Centre recommends that organizations review the joint advisory, a collaborative research effort by the cybersecurity authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. It highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. The purpose of this report is to enhance incident response among partners and network administrators, along with serving as a playbook for incident investigation.
(Updated 15 March) https://cyber.gc.ca/en/guidance/joint-cybersecurity-advisory
Should activity matching the content of this Alert be discovered, recipients are encouraged to contact the Cyber Centre by email (firstname.lastname@example.org) or by telephone (1-833-CYBER-88 or 1-833-292-3788).
REFERENCES
- Released: March 2021 Exchange Server Security Updates
- Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
- HAFNIUM targeting Exchange Servers with 0-day exploits
- Multiple Security Updates Released for Exchange Server
- Update to Alert on Mitigating Microsoft Exchange Server Vulnerabilities
- Microsoft Exchange Server Vulnerabilities Mitigations – March 2021
- Microsoft CSS-Exchange Security Github
- Microsoft Indicators of Compromise Feed
- Alert (AA21-062A) Mitigate Microsoft Exchange Server Vulnerabilities
- Microsoft Security Advisory – April 2021 Monthly Rollup
NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.