Microsoft issued out-of-band patches yesterday for four zero-day vulnerabilities in Exchange Server — CVE-2021-26855 (server-side request forgery, the principal initial-access vector), CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 (post-authentication code execution and file-write primitives that the chain uses for backdoor installation) (Microsoft Security Response Center post by Tom Burt, March 2). Microsoft has attributed the exploitation to a state-actor cluster it is tracking as Hafnium, with high-confidence attribution to Chinese state intelligence. On Microsoft's analysis and the parallel reporting from Volexity (volexity.com on the OWA exploitation chain), the exploitation has been ongoing since at least early January.
The mass-exploitation question is the part that has me reorganising the customer-portfolio response work this morning. The disclosure of the patches has, predictably, accelerated exploitation activity from multiple non-Hafnium actors who have been able to derive working exploit chains from the public patch-diff analysis and from the proof-of-concept code that has appeared on the security-research community channels in the past 24 hours. Internet-scanning data from the security-research community is showing tens of thousands of Exchange Server instances with web-shell deployments characteristic of post-exploitation activity, the bulk of which were planted before patches were available and which therefore persist on patched systems. The customer-organisation cleanup posture has to assume any internet-exposed Exchange Server is potentially compromised even if patched, and that the patch is necessary but not sufficient.
For the customer-portfolio response, the action this week is the standard post-disclosure cycle plus the assumed-compromise hunt activity. Patch every Exchange Server (on-premises Exchange specifically — Exchange Online is not affected by these specific issues). Scan for the documented indicators-of-compromise (web-shell file artefacts, specific Exchange log patterns, network-traffic patterns to known C2 infrastructure). For Exchange Servers that have been internet-exposed during the exploitation window (early January to disclosure), assume compromise and run the post-incident hunt activity comprehensively. The customer estates: Browne Jacobson migrated off on-premises Exchange to Exchange Online in 2019; clean. Towry uses Exchange Online; clean. Northcott has on-premises Exchange and has been running it through the exposure window; the patching was complete on Wednesday, the indicators-of-compromise scan completed yesterday with one finding that is in active investigation. The manufacturer has on-premises Exchange in three of its global sites; patching complete, IoC scans in progress, no findings yet but the audit cycle continues. The financial-services firm is on Exchange Online; clean. The retailer is on Exchange Online; clean.
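The IoC scan step above, as an added example and not code from the original post or from Microsoft: a small assumed-compromise hunt helper that reviews Exchange HttpProxy log rows for the unauthenticated ServerInfo~ AnchorMailbox pattern Microsoft's Hafnium guidance associates with CVE-2021-26855, and triages script files under watched web directories that were modified inside the exposure window or match a crude eval-over-request web-shell heuristic. The log column layout, the watched directory, the exposure-window boundaries and the sample rows and files are all constructed assumptions for the demo; point `triage_aspx` at the real Exchange front-end directories on your own servers.

```python
"""Assumed-compromise hunt helper for on-premises Exchange (added example).

Two checks, each returning data rather than printing, so they can be wired
into a larger triage script:
  1. find_ssrf_indicators(): reviews HttpProxy log rows for the unauthenticated
     'ServerInfo~' AnchorMailbox pattern that Microsoft's Hafnium guidance
     associates with CVE-2021-26855 exploitation.
  2. triage_aspx(): lists .aspx/.asmx/.ashx files under watched directories
     whose modification time falls in the exposure window or whose content
     matches a crude eval(Request[...]) web-shell heuristic.
The log layout, column names, directory list and exposure-window dates below
are assumptions; the log rows and files are constructed for the demo.
"""
import csv
import io
import os
import re
import tempfile
from datetime import datetime, timezone

# Exposure window from the post: early January up to the out-of-band patch day.
# Exact boundaries are an assumption; widen them if your telemetry says so.
EXPOSURE_START = datetime(2021, 1, 1, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2021, 3, 3, tzinfo=timezone.utc)

# Constructed HttpProxy log sample. Real logs carry many more columns;
# only the columns this check reads are included.
SAMPLE_HTTPPROXY_LOG = """DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-02-27T03:14:07Z,r1,198.51.100.23,/owa/auth/x.js,,ServerInfo~exchange.corp.example/autodiscover/autodiscover.xml?a=~1
2021-02-27T03:14:09Z,r2,198.51.100.23,/ecp/y.js,,ServerInfo~exchange.corp.example/ecp/DDI/DDIService.svc/SetObject?a=~1
2021-02-27T08:02:11Z,r3,10.0.5.40,/owa/,CORP\\jsmith,Sid~S-1-5-21-1-2-3-1104
2021-02-27T08:05:43Z,r4,10.0.5.41,/ews/exchange.asmx,CORP\\svc-backup,Smtp~backup@corp.example
"""

# An unauthenticated request whose anchor is a server name plus a back-end
# path, rather than a mailbox identity: the proxy is being steered at the
# back end instead of routing a user's mailbox traffic.
SERVERINFO_RE = re.compile(r"^ServerInfo~[^/]+/")


def find_ssrf_indicators(log_text):
    """Return (time, client_ip, url, anchor) tuples for rows matching the SSRF pattern."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        anchor = row.get("AnchorMailbox") or ""
        if not row.get("AuthenticatedUser") and SERVERINFO_RE.search(anchor):
            hits.append((row["DateTime"], row["ClientIpAddress"], row["UrlStem"], anchor))
    return hits


# Crude content heuristic for one-line script web shells: server-side eval
# over a request parameter. Treat a match as a lead to review, not as proof.
WEBSHELL_RE = re.compile(r'eval\s*\(\s*Request(\.Item)?\s*\[', re.IGNORECASE)
SCRIPT_EXTS = (".aspx", ".asmx", ".ashx")


def triage_aspx(watch_dirs, start=EXPOSURE_START, end=EXPOSURE_END):
    """Return a dict per script file that is new in the window or looks like a shell."""
    findings = []
    for base in watch_dirs:
        for root, _dirs, files in os.walk(base):
            for name in files:
                if not name.lower().endswith(SCRIPT_EXTS):
                    continue
                path = os.path.join(root, name)
                mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    content = fh.read()
                in_window = start <= mtime <= end
                looks_like_shell = bool(WEBSHELL_RE.search(content))
                if in_window or looks_like_shell:
                    findings.append({
                        "path": path,
                        "modified": mtime.isoformat(),
                        "in_window": in_window,
                        "suspicious_content": looks_like_shell,
                    })
    return findings


def build_fixture():
    """Create a throwaway directory with one planted and one benign file (constructed)."""
    base = tempfile.mkdtemp(prefix="exchange-hunt-")
    planted_dir = os.path.join(base, "owa", "auth")
    os.makedirs(planted_dir)
    shell_path = os.path.join(planted_dir, "help.aspx")
    with open(shell_path, "w") as fh:
        fh.write('<script language="JScript" runat="server">'
                 'function Page_Load(){eval(Request["x"],"unsafe");}</script>')
    planted_ts = datetime(2021, 2, 27, 3, 15, tzinfo=timezone.utc).timestamp()
    os.utime(shell_path, (planted_ts, planted_ts))  # backdate into the exposure window
    benign_path = os.path.join(base, "logon.aspx")
    with open(benign_path, "w") as fh:
        fh.write('<%@ Page Language="C#" %><html><body>logon</body></html>')
    return base


if __name__ == "__main__":
    for hit in find_ssrf_indicators(SAMPLE_HTTPPROXY_LOG):
        print("SSRF pattern:", hit)
    for finding in triage_aspx([build_fixture()]):
        print("Web-shell lead:", finding)
```

Both checks return structured results rather than verdicts on purpose: a ServerInfo~ hit or a backdated .aspx is the start of the hunt described above (who created it, what ran afterwards, what the account did), not its end, and neither check clears a server that has been exposed through the window.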
The wider supply-chain-and-state-actor strategic point. ProxyLogon (the name converging in the security-research community for this chain) is the second major state-actor-attributed campaign of 2021 against widely-deployed enterprise infrastructure, two months after SolarWinds. The pattern — Russian-state attribution to SolarWinds in December, Chinese-state attribution to ProxyLogon in March — is producing a customer-organisation conversation about state-actor threat-modelling that is more substantive than at any previous point. The defensive disciplines (segmentation, detection-engineering on identity-and-access patterns, comprehensive logging and retention to support post-incident hunt activity, integration of threat-intelligence at the operational level rather than just the strategic level) are the substantive answer, and the customer-organisation programme work for 2021 is going to invest in these disciplines at substantially higher pace than 2020's planning envisaged.
The CISA emergency directive issued yesterday (CISA Emergency Directive 21-02 on Exchange) requires US federal agencies to identify and patch affected Exchange Servers on an immediate timeline. The UK NCSC has issued parallel guidance for UK organisations. The aggregate operational response across the Western government and enterprise estate will be substantial and will continue for months.
I will return to this as the cleanup work develops. The case will produce learning that the customer-organisation programmes will need to absorb for several quarters.