The MS Exchange - World-Wide Exploitation

Posted by Anthony Tam on 17 Mar 2021.

For organizations running on-premise Microsoft Exchange servers, we want to make you aware of four severe zero-day vulnerabilities announced on March 2nd, 2021. Attackers are using these vulnerabilities to obtain SYSTEM level access, execute arbitrary code, gain Domain level access, steal information, and install ransomware. The announced CVEs impact most versions of Exchange server but do not impact organizations utilizing Exchange Online or Microsoft 365 (M365). If your organization uses Microsoft Exchange 2010, 2013, 2016, or 2019, Microsoft strongly urges that you apply security patches immediately to reduce the threat of compromise [1].

Microsoft first observed the exploit on January 6th, 2021 which then evolved into dozens of Exchange servers exploited by February 28th, 2021.[2]. Reportedly over 250,000 Exchange servers globally have been exploited by multiple threat actors to date, these numbers are expected to continue to grw. [3]. Microsoft continues to provide updated mitigation strategies for their customers on their security blog [1].

CVE(s): CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 [5,6,7,8].

Affected: Microsoft Exchange server 2010, 2013, 2016 and 2019.

Not Affected: Microsoft Exchange Online or Microsoft 365.

Have I been compromised?

If your organization utilizes a vulnerable version of exchange, actions should be immediately taken to ensure the environment has not been compromised. Microsoft has provided open-source tools to assist organizations in identifying if an environment has been potentially compromised [9]. These tools perform tests to determine if your environment is vulnerable or compromised while also taking preventative actions to mitigate the vulnerability and remediate existing malicious files.

If the above Microsoft toolkits have detected potential signs of compromise, it is critical an investigation is performed to determine the validity and the impact of the compromise. In many organizations, email system exfiltration may result in the disclosure of protected data elements including Personally Identifiable Information (PII), Personal Financial Information, Personal Health Information (PHI), or Cardholder Data (CHD).

Compliance Implications

In addition to the risk of compromise, entities should be mindful of PCI compliance requirements if they have an Exchange server within their PCI scope. Zero-day vulnerabilities, such as this exchange vulnerability, are easily detected by auditors who are required to cross-check vulnerabilities, patching, and change management.

A High-Level Technical Breakdown

CVE-2021-26855 is an unauthenticated server-side request forgery vulnerability that allows an attacker to send HTTP requests to an exchange server and perform unauthorized authentication to the system.

CVE-2021-26857 is an unauthenticated deserialization vulnerability providing attackers the ability to perform arbitrary code execution as the SYSTEM user.

CVE-2021-26858 and CVE-2021-27065 are both post authentication arbitrary file write vulnerabilities allowing an attacker to write files to any path on the server. Utilizing the first vulnerability, the attacker could be authenticated to leverage the file write vulnerabilities.

In Microsoft observed exploits, the attackers chained these vulnerabilities to authenticate to the exchange server and write a web shell to the ISS web directly. Utilizing the web shell, the attacker will run commands to exfiltrate LSASS memory, export Exchange mailboxes, and exfiltrate the data via a reverse shell. In addition, new ransomware variants have been identified designed to encrypt Exchange mailboxes and spread to other systems in the environment [10].

Learn More