How the Microsoft Exchange Hack became the largest in over a decade


In January 2021, a Chinese-associated hacker group known as Hafnium exploited zero-day vulnerabilities in Microsoft Exchange’s software. There were four main vulnerabilities that had remained undiscovered by Microsoft up to this point, meaning Microsoft had been given no time to even try to fix these bugs in its software.

With access to the system, the hackers inserted web shells. A web shell is a piece of code that acts as a backdoor to a system, allowing the malicious actors to return effortlessly at any time. It is often fundamental to hijacking systems and executing remote commands.

What were the exploits? 

Together these four vulnerabilities have been dubbed ‘ProxyLogon’. With the exclusion of Exchange Online, which remains unaffected, they impact Microsoft Exchange Server 2013, 2016, and 2019.

The first vulnerability is CVE-2021-26855 (CVSS 9.1). It is a Server-Side Request Forgery (SSRF) vulnerability, meaning unauthenticated actors can send fraudulent HTTP requests. If you haven’t restricted untrusted connections in your settings or aren’t using a VPN that blocks external access, the bug can be triggered because the server accepts these untrusted connections over port 443.

However, this first line of defence against the bug can be bypassed if an administrator is tricked into running malware on their system or if the hackers gain access through other means.
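The SSRF class of bug described above is, in general terms, a server that issues HTTP requests to whatever target a client names. The following is an added example (not code from the article or from Microsoft) contrasting that vulnerable pattern with a hardened one that only follows URLs whose scheme, host and port are on an explicit allowlist and that refuses IP literals in loopback, private or link-local space. The allowlist, the `.test` hostnames and the sample URLs are all constructed for the example.

```python
"""Added example (not from the article): validating the target of a server-side
HTTP fetch, the class of bug behind an SSRF.

The vulnerable pattern fetches whatever URL the caller supplies, so the
server can be made to reach hosts the caller could not reach directly.
The hardened pattern follows a URL only if its scheme, host and port are on
an explicit allowlist and it does not name loopback, private, link-local or
otherwise internal address space.  Allowlist and sample URLs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only external services this component may call.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example-partner.test", "cdn.example-partner.test"}
ALLOWED_PORTS = {None, 443}  # None means the scheme's default port


def vulnerable_target(url: str) -> str:
    """Vulnerable pattern: hands the caller-supplied URL straight to the fetcher."""
    return url


def is_internal_ip_literal(host: str) -> bool:
    """True if host is an IP literal that points at internal/special address space."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_target(url: str) -> str:
    """Hardened pattern: return url if it is a permitted target, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = (parts.hostname or "").lower()  # urlsplit strips IPv6 brackets here
    if not host:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in URL are not allowed")
    if parts.port not in ALLOWED_PORTS:  # .port itself raises ValueError on junk
        raise ValueError(f"port not allowed: {parts.port}")
    if is_internal_ip_literal(host):
        raise ValueError(f"internal address not allowed: {host}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host}")
    return url


def is_allowed_target(url: str) -> bool:
    """Boolean wrapper around validate_target for callers that only need yes/no."""
    try:
        validate_target(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("https://api.example-partner.test/v1/status",
                   "http://api.example-partner.test/v1/status",
                   "https://127.0.0.1/admin",
                   "https://[::1]/admin",
                   "https://169.254.1.1/",
                   "https://attacker.test/"):
        print(f"{sample:48} allowed={is_allowed_target(sample)}")
```

The check deliberately allowlists hosts rather than denylisting addresses: a denylist alone still lets a server be pointed at any public host, and a hostname that later resolves to an internal address (DNS rebinding) is outside what a string check can catch, so the network egress rules mentioned in the article remain the backstop.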

After getting into the system, the next stage of the attack is to leverage CVE-2021-26857 (CVSS 7.8). This is an insecure deserialization vulnerability in the Exchange Unified Messaging service: untrusted incoming data is rebuilt into an object on the system and executed, allowing the attackers to run arbitrary code as SYSTEM. This vulnerability does, however, need to be combined with another of its type or with stolen credentials.
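To make the deserialization point concrete, here is an added example (not code from the article, Microsoft or Exchange) using Python’s pickle as a stand-in for any format that rebuilds objects from untrusted bytes. A pickle stream can name a callable for the loader to invoke during reconstruction, which is the generic mechanism behind "incoming data is built into an object and executes". The block shows the vulnerable loader, a restricted loader that resolves only the one class the application expects, and a data-only JSON loader with explicit validation. The `Invoice` type, the `Trap` payload (which invokes the harmless `os.getcwd`) and the sample data are constructed for the example.

```python
"""Added example (not from the article): insecure deserialization beside a
restricted loader and a data-only alternative.  Invoice, Trap and the sample
values are constructed for illustration.
"""
import io
import json
import os
import pickle


class Invoice:
    """The only object type the application legitimately expects to receive."""
    def __init__(self, customer: str, amount: float):
        self.customer = customer
        self.amount = amount


class Trap:
    """Constructed payload: its pickle tells the unpickler to call os.getcwd().
    A harmless callable is used on purpose; the point is that the loader
    invokes whatever the stream names."""
    def __reduce__(self):
        return (os.getcwd, ())


def vulnerable_load(blob: bytes):
    """Vulnerable pattern: rebuilds whatever the stream describes, callables included."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: find_class is consulted for every global the stream
    references, so refusing unknown names blocks foreign classes and callables."""
    ALLOWED = {(Invoice.__module__, "Invoice")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return Invoice
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def invoice_from_json(text: str) -> Invoice:
    """Safer design: a data-only format plus explicit validation; nothing executes."""
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != {"customer", "amount"}:
        raise ValueError("unexpected shape")
    if not isinstance(data["customer"], str):
        raise ValueError("customer must be a string")
    amount = data["amount"]
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount < 0:
        raise ValueError("amount must be a non-negative number")
    return Invoice(data["customer"], float(amount))


def json_rejected(text: str) -> bool:
    try:
        invoice_from_json(text)
    except (ValueError, json.JSONDecodeError):
        return True
    return False


def trap_blob() -> bytes:
    return pickle.dumps(Trap(), protocol=4)


def invoice_blob() -> bytes:
    return pickle.dumps(Invoice("constructed-customer", 42.5), protocol=4)


def vulnerable_loader_ran_callable() -> bool:
    """True if loading the Trap blob executed os.getcwd (the result is a path string)."""
    return isinstance(vulnerable_load(trap_blob()), str)


def restricted_loader_blocked_trap() -> bool:
    try:
        restricted_load(trap_blob())
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable loader ran the callable:", vulnerable_loader_ran_callable())
    print("restricted loader blocked it:     ", restricted_loader_blocked_trap())
    print("restricted loader still accepts Invoice:",
          restricted_load(invoice_blob()).customer)
```

The restricted loader is a mitigation for code that cannot yet move off an object-graph format; the JSON loader is the design to migrate to, because a format that cannot express "call this" has no equivalent of the Trap payload at all.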

The third and fourth vulnerabilities are CVE-2021-26858 (CVSS 7.8) and CVE-2021-27065 (CVSS 7.8). These are post-authentication arbitrary file write vulnerabilities: once authenticated to the Exchange server, the hackers could use them to write a file to any path on the server. They could obtain that authentication either by compromising a genuine administrator’s credentials or by using the CVE-2021-26855 SSRF vulnerability.
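An "arbitrary file write" is the absence of exactly one control: confining a server-side write to the directory it is meant for. The following added example (not code from the article or from Exchange) shows the vulnerable join, which lets an absolute path or a `..` segment land a file anywhere on the host, beside a hardened version that resolves the candidate path, rejects it unless it stays inside the base directory, requires the destination directory to already exist, and allowlists the extension. The directory layout, file names and allowed extensions are constructed for the example; the vulnerable function only computes its target and never writes.

```python
"""Added example (not from the article): confining a server-side file write
to one directory.  Layout, names and allowed extensions are constructed.
"""
from pathlib import Path
import tempfile

ALLOWED_SUFFIXES = {".txt", ".json"}


def vulnerable_target_path(base: str, user_path: str) -> Path:
    """Vulnerable pattern (target only, nothing is written): Path('/base') / '/x'
    is '/x', and 'reports/../../x' walks out of base just as easily."""
    return Path(base) / user_path


def resolve_within(base: str, user_path: str) -> Path:
    """Hardened pattern: return the resolved destination or raise ValueError."""
    base_dir = Path(base).resolve()
    candidate = (base_dir / user_path).resolve()  # follows symlinks, collapses '..'
    if base_dir not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"extension not allowed: {candidate.suffix!r}")
    if not candidate.parent.is_dir():
        raise ValueError("destination directory does not exist")
    return candidate


def safe_write(base: str, user_path: str, data: bytes) -> Path:
    target = resolve_within(base, user_path)
    target.write_bytes(data)
    return target


def write_accepted(base: str, user_path: str) -> bool:
    """Boolean view of resolve_within for callers that only need yes/no."""
    try:
        resolve_within(base, user_path)
    except ValueError:
        return False
    return True


def demo() -> dict:
    """Exercise both patterns inside a throwaway directory; returns the outcomes."""
    with tempfile.TemporaryDirectory() as base:
        (Path(base) / "reports").mkdir()
        results = {
            "normal": write_accepted(base, "reports/q1.txt"),
            "traversal": write_accepted(base, "reports/../../escape.txt"),
            "absolute": write_accepted(base, "/tmp/escape.txt"),
            "bad_ext": write_accepted(base, "reports/page.html"),
            "missing_dir": write_accepted(base, "nope/q1.txt"),
        }
        written = safe_write(base, "reports/q1.txt", b"constructed report")
        results["content_ok"] = written.read_bytes() == b"constructed report"
        results["vulnerable_absolute_escapes"] = (
            vulnerable_target_path(base, "/tmp/escape.txt") == Path("/tmp/escape.txt")
        )
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28} {outcome}")
```

Resolving before comparing matters: a check on the raw string would be fooled by `reports/../../escape.txt` or by a symlink inside the base directory, while the resolved path is compared against the resolved base.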

These vulnerabilities affected organisations using software released after 2012.  

Leveraging these exploits, hackers were able to take complete control of corporate servers. They exfiltrated emails, calendars, and many other assets, breaching the confidentiality and integrity of corporate systems to steal intellectual property and cause mayhem.

What’s the extent of the Attack Surface? 

By March 2021, thousands of organisations world-wide found that their confidentiality had been breached, with private discussions on their internal servers exfiltrated. The attack targeted Microsoft Exchange servers, leaving over 250,000 companies exposed and at least 30,000 organisations in 115 different countries compromised.

While originally seemingly espionage-focused on breaching confidentiality, it escalated into malicious attacks on infrastructure, affecting the integrity of systems and the availability of services. Critical sectors were targeted, including organisations dealing in technological research, data storage, communications, financial services, pharmaceuticals, defence, transportation, and water and sewerage.

These industries have faced increasing cyberattacks in recent years. 

However, it also included less critical businesses such as a kitchen-appliance manufacturer, a number of senior-citizen communities, and even an ice-cream business, among others of this type, showing that these types of cyberattacks don’t only hit big corporations; medium-to-small organisations also need to mind their cybersecurity.

As multiple different hacking groups were found to be engaging in these cyberattacks using the same zero-day exploits, it has been speculated that Hafnium may have passed the information and means on to other Chinese state-backed groups.

China has denied allegations of hacking and has, in turn, recently accused the CIA of conducting cyberwarfare and theft against its own industries for over an eleven-year period. 

What does this mean for organisations world-wide? 

The organisations most targeted by this cyberattack were mature organisations running on-premises software, ones that often neglected legacy software updates and were still using older platforms rather than moving to the more secure Microsoft Exchange Online. These were corporations whose staffing was also often a little behind the times, with IT generalists rather than specialist admins trained to deal with this type of attack in charge of running their Exchange.

There were a number who hadn’t even realised their intellectual property had been stolen until informed by a third party.

Now, more than ever, in order to survive both in and out of cyberspace, which have become increasingly intertwined over the past few decades, you need to evolve with the times, whether your business is an international conglomerate or a family-run hotel.
