Attackers exploit four dangerous vulnerabilities in Microsoft Exchange to get a foothold in the corporate network.
Microsoft has issued out-of-band patches for several Exchange Server vulnerabilities. Four of these vulnerabilities, according to the company, are already being used in targeted attacks, so it would be wise to install the patches ASAP.
What’s the risk?
The four vulnerabilities already being exploited let attackers pull off a three-stage attack. First they gain access to an on-premises Exchange server, then they plant a web shell on it for persistent remote access, and lastly they use that access to steal data from the victim’s network. The vulnerabilities are:
- CVE-2021-26855 — a server-side request forgery (SSRF) flaw that lets an unauthenticated attacker send arbitrary HTTP requests and authenticate as the Exchange server; it is the entry point of the chain, and combined with the vulnerabilities below it leads to remote code execution;
- CVE-2021-26857 — an insecure deserialization bug in the Unified Messaging service that can be used to execute arbitrary code as SYSTEM (exploiting it requires either administrator rights or prior exploitation of CVE-2021-26855);
- CVE-2021-26858 and CVE-2021-27065 — post-authentication arbitrary file write flaws: once authenticated, whether through CVE-2021-26855 or with stolen credentials, an attacker can write a file to any path on the server, which is how the web shells are dropped.
The attackers use the four vulnerabilities in conjunction with one another; however, according to Microsoft, they sometimes skip the initial exploitation step and instead authenticate to the server with stolen credentials, without using CVE-2021-26855 at all.
In addition, the same patch fixes a few other minor vulnerabilities in Exchange that are not (as far as we know) directly related to active targeted attacks.
Who’s at risk?
Exchange Online, the cloud version, is not affected; the vulnerabilities threaten only Exchange servers deployed on-premises. Microsoft initially released updates for Microsoft Exchange Server 2013, 2016 and 2019, plus an additional “Defense in Depth” update for Microsoft Exchange Server 2010. Because of how widely the flaws were being exploited, it later also published fixes for older, out-of-support Exchange Server cumulative updates.
According to Microsoft researchers, the Hafnium group exploited the vulnerabilities to steal confidential information. Its targets include US industrial companies, infectious disease researchers, law firms, nonprofit organizations, and political analysts. The exact number of victims is unknown, but according to KrebsOnSecurity sources at least 30,000 organizations in the US, including small businesses, town and city administrations, and local governments, were hacked using these vulnerabilities. Our experts found that not only American organizations are at risk: attackers all over the world are using these vulnerabilities. You’ll find more information about the attack geography in Securelist’s post.
How to stay safe from attacks on MS Exchange
- First of all, patch your installation of Microsoft Exchange Server. If your company cannot install the updates right away, Microsoft has published a number of workarounds; they reduce exposure but do not replace the patches.
- According to Microsoft, denying untrusted access to the Exchange server on port 443, or generally limiting connections from outside the corporate network, can stop the initial phase of the attack. But that will not help if attackers are already inside the infrastructure, or if they get a user with administrator rights to run a malicious file.
- An Endpoint Detection and Response (EDR) solution, if you have in-house experts to run it, or an external Managed Detection and Response (MDR) service can detect such malicious behavior, for example the creation of a web shell on the server.
- Always keep in mind that every computer connected to the Internet, be it server or workstation, needs a reliable endpoint security solution to prevent exploits and proactively detect malicious behavior.
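One way to put the port-443 recommendation above into practice, as an added example that is not from the original article or from Microsoft's own guidance: a PowerShell script that uses Windows Defender Firewall on the Exchange host to let only trusted networks reach TCP/443. The address ranges in `$TrustedRanges` are assumed placeholders; replace them with your corporate and VPN ranges before running it.

```powershell
# Added example, not part of the original article or of Microsoft's guidance:
# scope inbound TCP/443 on an on-premises Exchange server to trusted networks with
# Windows Defender Firewall, so that arbitrary Internet hosts cannot reach it.
# Run in an elevated PowerShell session on the Exchange server itself.

# Assumption: these are your corporate/VPN ranges. Replace them before running.
$TrustedRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

# 1. Find every enabled inbound Allow rule that currently opens TCP port 443
#    (for example the built-in "World Wide Web Services (HTTPS Traffic-In)" rule).
#    Rules written as a port range such as "1-65535" are not matched here;
#    review them by hand in the Get-NetFirewallRule output.
$exposed = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '443')
    }

# 2. Show the current exposure, then restrict each such rule to the trusted ranges.
#    Add -WhatIf to Set-NetFirewallRule on a first run to preview the change.
foreach ($rule in $exposed) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    Write-Output ("Rule '{0}' currently allows 443 from: {1}" -f $rule.DisplayName, $remote)
    $rule | Set-NetFirewallRule -RemoteAddress $TrustedRanges
}

# 3. Make sure traffic that matches no Allow rule is dropped on every profile;
#    otherwise scoping the Allow rules above achieves nothing.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 4. Verify: every inbound TCP/443 Allow rule should now list only trusted ranges.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '443' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

The trade-off is the one the article states: users who reach Outlook on the web, ActiveSync or Outlook Anywhere from outside the trusted ranges lose access until they come in over VPN, and the rule does nothing against an attacker who is already inside the network or who authenticates with stolen credentials. Patching remains the actual fix.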