Exchange: Hafnium hackers fails at Office 365

[German]After the mass hack of on-premises Exchange Server at the end of February and in March 2021, the question is how to prevent such a thing. I have some information from Barracuda Networks that I would like to post here on the blog for you to read – even though they are singing the praises of the cloud.


Since the beginning of March 2021, the group of Exchange email server operators has been shaken up badly. Microsoft had to announce in early March 2021 that there were four vulnerabilities in One Premises Exchange server systems. The vulnerabilities were closed by an update as of March 2, 2021. But a cybercrime group known as Hafnium had already launched its attack campaign in February 2021. The attacks exploited vulnerabilities around Microsoft Exchange's Outlook Web Access (OWA) interface. Hundreds of thousands of Exchange systems worldwide became the focus of cybercriminals. But what exactly is behind the attack method? And more importantly, what can organizations do about it?

Takeover of vulnerable Exchange systems

The vulnerabilities that were exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 (see Exchange server 0-day exploits are actively exploited). CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as an Exchange server. CVE-2021-26855 is preferred to identify vulnerable systems.

The remaining vulnerabilities appear to be chained to this vulnerability to execute other exploits, including so-called webshells. A webshell is a malicious web-based interface that allows remote access and control to a web server by executing arbitrary commands

Exchange Attacks
(Source: Barracuda)

Since the beginning of March, Barracuda's security analysts have noticed an initially moderate and later significant increase in probe attempts for CVE-2021-26855 (see chart above). A significant number of these were against systems that were not running Exchange on the backend. The most common URLs probed by the attackers were:



Probed URLs
(Source: Barracuda)

Barracuda writes: Apparently, most of these probes used the cookies X-AnonResource-Backend and X-BEResource. Both ended with the parameter "?~3". The Microsoft script describes this for vulnerability scanning. The UserAgents used by these scanners were mainly ExchangeServicesClient, python-requests and nmap. However, standard browser headers were also used. It can be assumed that attackers will continue to look for and exploit these vulnerabilities for a few more weeks before the attacks settle down to a lower level.

Top 3 User Agents
(Source: Barracuda)

Attacks on Office 365 email environments failes

One important finding from the security analyses, according to Barracuda, is that the hackers were unsuccessful in their attacks against companies using Office 365. It looks like the cloud – as repeatedly emphasized by many security experts – is more secure than outdated, on-premises solutions. Accordingly, Hafnium has shown that the cloud is not yet an option for many organizations and businesses. Why is this?

  • Lack of information – Either the benefits of migrating to the cloud are not fully understood or people are afraid to take the first step towards migration. So for the time being, everything prefers to stay the same, i.e. with the existing local approach.
  • Fear of losing control – There is often a feeling of having less control over resources and workloads in the cloud than with on-premises servers, even though they take more time to manage and are not as secure.
  • Existing regulations – In certain highly regulated industries, companies must comply with a variety of data storage and retention requirements, which can make it difficult to move to the cloud.

Using a cloud-hosted email provider allows for faster deployment of system updates and security patches to protect against zero-day attacks like the recent one from Hafnium. Since Microsoft is one of the most targeted platforms for cyberattacks, it is generally recommended to supplement existing Microsoft security with a third-party provider.

OWA without firewall protection is risky

Generally speaking, putting Outlook Web Access (OWA) on the Internet without further firewall protection has always been a risky move. However, the incident can serve as a wake-up call that operating such infrastructure services independently is an anachronism in the age of the public cloud.

The modern counterpart is Microsoft 365 with Azure Active Directory. The service is maintained and secured by Microsoft, so vulnerabilities are fixed immediately. It is now high time for all those affected to think about switching and, in the meantime, get to grips with patch management and additional Outlook Web App protection. Unfortunately, the path is not so easily open to everyone, as in some areas regulations restrict the use of services in the public cloud. This is something that should be seriously considered in light of the massive data loss that has just occurred here at many organizations.

Similar articles
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers
Cyber attack on Exchange server of the European Banking Authority
Exchange hack: new patches and new findings
Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875
Exchange hack: new victims, new patches, new attacks
Update on ProxyLogon hafnium exchange issue (March 12, 2021)
Was there a leak at Microsoft in the Exchange mass hack?
ProxyLogon hack: Administrator's Repository for affected Exchange systems
Microsoft Exchange (On-Premises) one-click Mitigation Tool (EOMT) released
Security update for Exchange Server 2013 SP1; CUs for Exchange 2019 and 2016 (03/16/2021)
Exchange ProxyLogon News: Patch status, new PoC and new findings (03/18/2021)
Microsoft Defender automatically mitigates CVE-2021-26855 on Exchange Server

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *