
Background 

On March 2, 2021, the Microsoft Threat Intelligence Center (MSTIC), the Microsoft 365 Defender Threat Intelligence Team, and the Microsoft 365 Security teams released a blog post disclosing multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server. MSTIC attributed the campaign to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology and Tactics, Techniques, and Procedures (TTPs). If you have not already done so, we join Microsoft in urging you to update on-premises systems immediately. Currently, there are no reports of Exchange Online being affected.

The vulnerabilities exploited are:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

Who is HAFNIUM? 

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including legal, higher education, and government, as well as infectious disease researchers, policy think tanks, and NGOs.

In the past, HAFNIUM has compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks such as Covenant, a .NET-based red team framework. Once it has gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites such as MEGA, an end-to-end encrypted cloud storage and communication platform.

Impact Thus Far 

It has been reported that nearly 30,000 organizations, and as many as 250,000 individual users, have been impacted. While Microsoft released a patch last week to close the flaws in its email software, the patch does not remove the back door left behind on already-compromised servers, which allows continued access and further attacks by others. These remote-access back channels are most likely to affect credit unions, town governments, and small businesses. Microsoft has two resources for learning more and patching:

The White House is calling this an “Active Threat” and the President is apparently assembling an emergency group of government agencies as part of a “whole of government” approach.

“We can’t stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted,” the White House official said. 

It is likely time to reconsider on-premises Exchange if you have it

On-premises Exchange is incredibly difficult to manage and maintain from both an IT and a security perspective. Exchange is usually tied integrally into a network's authentication sources and typically contains very sensitive data. Exchange offers several configuration options that allow interoperability with devices and services that need to communicate over email (usually over insecure or basic authentication). However, Exchange itself lacks the ability to properly secure these necessary configurations, so other security controls are usually required.

From a cybersecurity perspective, on-premises Exchange is a nightmare: it is complicated, tied integrally into authentication sources such as Active Directory, holds very sensitive information, and typically has a large internet-facing attack surface. Because of this, several research teams focus solely on finding exploitable vulnerabilities in Exchange.

One of the best things Microsoft did with Exchange was to begin hosting it within O365/Exchange Online and slowly remove support for insecure configurations. This forced organizations running Exchange internally either to migrate to Exchange Online and retire the legacy systems and services that are no longer supported because they required insecure configurations, or, unfortunately, to stick with on-premises Exchange and attempt to secure it properly themselves.

To drive the point home, Microsoft itself no longer runs on-premises Exchange servers and has migrated the company to Exchange Online.

How Ordr Can Help 

As most organizations have moved to the cloud, or at least to a hybrid model, we have found there are not many on-premises Exchange servers among our customers. However, where they do exist, Ordr will detect the devices and alert the proper workflow based on the associated CVEs that have been issued.

Treck TCP/IP Stack: Four Additional Vulnerabilities

On December 18, Intel reported four more vulnerabilities in the Treck TCP/IP stack, on top of the 19 vulnerabilities found by JSOF earlier this year. The four vulnerabilities are:

  • CVE-2020-25066, heap-based buffer overflow, CVSS v3 base score 9.8
  • CVE-2020-27337, out-of-bounds write, CVSS v3 base score 9.1
  • CVE-2020-27338, out-of-bounds read, CVSS v3 base score 5.9
  • CVE-2020-27336, out-of-bounds read, CVSS v3 base score 3.7

Ordr did extensive work not only to help identify devices impacted by the Ripple20 vulnerabilities but also to detect any active exploitation. Please refer to our previous document on how Ordr can help with the Ripple20 vulnerabilities: https://ordr.net/security-bulletin/how-ordr-detects-and-mitigates-ripple20

As of now, only one manufacturer has published the new vulnerabilities with a list of impacted products, and the official Treck page has acknowledged them. Treck also refers to the CERT Coordination Center advisory, which lists the same set of devices identified by the previous advisory, implying that the flaws are in the common code base.

Based on the advisories, Ordr has extended its capability to cover the new vulnerabilities as well. In summary, Ordr provides detection and protection in three ways:

  1. Identify devices that are impacted by Ripple20 based on manufacturer advisories.
  2. Ordr understands that a significant percentage of devices may never be publicly identified as Ripple20-impacted, for various reasons. Ordr therefore developed a built-in scanner that can detect whether a device is impacted by these Ripple20 vulnerabilities.
  3. Ordr has a built-in IDS engine. Specific signatures were developed to detect any active exploitation of these vulnerabilities. Alarms are generated and can be pushed to a SIEM platform for immediate action.

Finally, the best way to protect the organization is behavior-based microsegmentation. Ordr provides the industry-leading microsegmentation solution, with a variety of options based on customer needs.

For more information on how Ordr can help you identify and manage vulnerabilities for any connected device, please contact info@ordr.net.