Over the last month, Microsoft Exchange servers have been targeted by the HAFNIUM threat group. This led Microsoft to release out-of-band patches and to urge customers to apply them immediately. For Microsoft customers hoping this was now all over, sadly, that is not the case. Warnings from the National Security Agency (NSA) have led Microsoft to patch four new vulnerabilities in its Exchange Server product.
Microsoft disclosed the NSA action last night when it pushed its monthly Patch Tuesday batch of fixes. It was a bumper crop of more than 100 patches addressing CVEs, 19 of them rated critical, taking the number of CVEs fixed by Microsoft so far in 2021 to 329.
Satnam Narang, Staff Research Engineer at Tenable, said: “Following last month’s out-of-band update addressing four critical zero-days in Microsoft Exchange Server that were exploited in the wild, including ProxyLogon, Microsoft patched four more critical Exchange Server vulnerabilities this month: CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483.
“All four are credited to the National Security Agency, with two also being discovered by Microsoft internally. These vulnerabilities have been rated ‘Exploitation More Likely’ using Microsoft’s Exploitability Index. Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw. With the intense interest in Exchange Server since last month, it is crucial that organizations apply these Exchange Server patches immediately.”
FBI gets a warrant to patch Exchange Servers
It is not just the NSA finding and telling Microsoft about problems with Exchange. The FBI is also concerned about the number of unpatched Exchange servers. In a rare move, the FBI sought and was granted a warrant to remotely clean up any compromised Exchange servers it found. This action is not connected to the vulnerabilities identified by the NSA and patched by Microsoft last night.
The FBI actions are detailed in documents it filed with the court. The Exchange servers it was targeting were all infected with web shells installed by the HAFNIUM threat group. The FBI wanted permission to act because it said the owners of these servers were unable to remove the web shells independently.
The warrant states: “The Justice Department today announced a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level e-mail service.”
It also stated that those servers: “constitute ‘protected computers’ within the meaning of Rule 41(b)(6)(B) and § 1030(e)(2)(B) because they are used in or affecting interstate or foreign commerce or communication, based on their connection to the Internet. The servers have been ‘damaged’ within the meaning of Rule 41(b)(6)(B) and § 1030(e)(8) because the installation of unauthorized web shells has impaired the integrity and availability of data, programs, systems, and information on the servers.”
All the computers were located in the: “Southern District of Texas, District of Massachusetts, Northern District of Illinois, Southern District of Ohio, District of Idaho, Western District of Louisiana, Northern District of Iowa and Northern District of Georgia.”
FBI action not about patching
The Department of Justice announcement said: “Although today’s operation was successful in copying and removing those web shells, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells. The Department strongly encourages network defenders to review Microsoft’s remediation guidance and the March 10, 2021 Joint Advisory for further guidance on detection and patching.”
This is a holding action only. All those servers remain at risk of re-infection, and not just by the HAFNIUM threat group. The four new Exchange CVEs disclosed to Microsoft by the NSA widen the risk for those servers.
Public disclosure of the warrant and the actions taken under it was withheld for 30 days while the FBI did the clean-up. The FBI is now making sure all the affected Exchange server owners have been told of its action. It will hope that people respond to the notification by patching their Exchange servers. What it cannot do is make those people apply patches.
So how do you get those servers fixed? That is a good question. The hope seems to be that a letter from the FBI will make some act. It seems a little like tilting at windmills. If they have not acted after so many high-profile warnings, they are unlikely to act now.
Enterprise Times: What does this mean?
The idea that US Government agencies would be disclosing vulnerabilities and removing malicious code will shock many people. Like other intelligence agencies worldwide, the NSA has often been accused of harvesting vulnerabilities for use in its intelligence-gathering operations. For it to disclose what it has found is a welcome change. Importantly, that change may well be down to the wider implications of allowing those vulnerabilities to stay in the wild rather than a change of approach.
At the same time, the action by the FBI is also extraordinary. It also shows just how damaging the ongoing breach of Exchange servers is. However, just removing the code without patching or having any powers to force people to patch limits this action’s effectiveness.
Will this action act as a wake-up call to the wider software industry to do a better job of code quality? It’s unlikely. The industry has become used to allowing other people to do this work for them. Fixing the problems internally would mean hiring more people, slowing down product launches and impacting revenue. That is something the industry is not going to allow.