
Microsoft Exchange Zero-Day Exploits


This blog contains information about the Microsoft Exchange vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog.

Update April 14, 2021

10:00 | This Patch Tuesday, Microsoft announced security patches for newly found critical vulnerabilities, following the critical vulnerabilities disclosed last month in Microsoft Exchange (Hafnium). Microsoft Exchange Server 2013, 2016, and 2019 are affected by these new vulnerabilities; Exchange Online customers are already protected. The vulnerabilities allow Remote Code Execution, so an attacker can run malicious code on the system.

Currently there are no signs of active exploitation in the wild. Tesorion advises you to patch Exchange as soon as possible.

More information is available via Microsoft.

Update March 12, 2021

10:00 | A new threat related to the Microsoft Exchange vulnerability has emerged. Unfortunately, our fears became reality last night: cyber criminals are actively exploiting the ProxyLogon vulnerability. They are now installing a new ransomware variant called ‘DearCry’, which means you lose access to your data and are asked to pay a ransom. In short, patch your Exchange Server and run the DIY scan to check whether your Exchange Server has been hacked.

Update March 11, 2021

19:00 | We advise you to look closely at your backups and store them separately (in a separate backup network). If you have any doubts about the state of your backup, don’t hesitate to contact the Tesorion CERT.

08:00 | It is important that you patch your Exchange Server today. Also assume that you have already been hacked; we strongly advise you to check this with the free DIY scan. The first reports of a proof of concept for the ProxyLogon vulnerability have appeared from various sources, so the first attacks by other malicious actors are now only a matter of time. In short, stay ahead of this and patch your Exchange Server today.

Update March 6, 2021

15:00 | Have you patched your Exchange Server yet? Scan your Exchange server to see if you have been affected by the HAFNIUM vulnerability. Together with our partner Nextron, we offer you a free DIY scan. Can’t figure it out? Tesorion is happy to help you.

Update March 4, 2021

17:00 | Microsoft recommends patching Exchange servers as soon as possible. Updates were released for all four vulnerabilities on March 2, 2021. Furthermore, indicators of compromise have been made available by, among others, Microsoft. These indicators can be used to determine whether it is plausible that a server has been successfully exploited by means of the respective vulnerabilities.

16:00 | Updates are still being prepared for Exchange 2010.

15:00 | Below is an overview of the indicators of compromise known so far. Tesorion advises checking the following locations for the presence of abnormal files. Look for web shells[3] or other anomalous files in the folders C:\inetpub\wwwroot\aspnet_client\ and C:\inetpub\wwwroot\aspnet_client\system_web\.

Also check Microsoft Exchange Server installation paths such as

  • %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
  • C:\Exchange\FrontEnd\HttpProxy\owa\auth\

Pay particular attention to files named web.aspx, help.aspx, document.aspx, errorEE.aspx, errorEEE.aspx, errorEW.aspx, errorFF.aspx, healthcheck.aspx, aspnet_www.aspx, aspnet_client.aspx, xx.aspx, shell.aspx, aspnet_iisstart.aspx and one.aspx.

Also look for LSASS dumps[4] in the folders C:\windows\temp\ and C:\root\.
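As an added example (this is not Tesorion’s DIY scan and not a Microsoft tool), the PowerShell script below walks the folders listed above, reports any file whose name is on the list or that looks like a memory dump, and records a SHA-256 hash of each hit for triage. The lookback date and the decision to also flag any recently written .aspx file in those folders are assumptions of this example, not guidance from the post.

```powershell
# Added triage script for the IOC locations named in this post.
# Run in an elevated PowerShell session on the Exchange server itself.

# File names the post lists as possible web shells.
$SuspiciousNames = @(
    'web.aspx', 'help.aspx', 'document.aspx', 'errorEE.aspx', 'errorEEE.aspx',
    'errorEW.aspx', 'errorFF.aspx', 'healthcheck.aspx', 'aspnet_www.aspx',
    'aspnet_client.aspx', 'xx.aspx', 'shell.aspx', 'aspnet_iisstart.aspx', 'one.aspx'
)

# Folders in which web shells have been observed (from the post).
$WebShellDirs = @(
    'C:\inetpub\wwwroot\aspnet_client',
    'C:\inetpub\wwwroot\aspnet_client\system_web',
    (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth'),
    'C:\Exchange\FrontEnd\HttpProxy\owa\auth'
)

# Folders in which LSASS dumps have been observed (from the post).
$DumpDirs = @('C:\Windows\Temp', 'C:\root')

# Assumption of this example: an .aspx file created or modified on or after
# this date in the folders above deserves a second look even if its name is
# not on the list. Adjust to your own environment.
$LookbackStart = Get-Date '2021-02-01'

function New-Finding {
    param([System.IO.FileInfo]$File, [string]$Type, [string]$Reason)
    [pscustomobject]@{
        Type      = $Type
        Reason    = $Reason
        Path      = $File.FullName
        Created   = $File.CreationTime
        Modified  = $File.LastWriteTime
        SizeBytes = $File.Length
        SHA256    = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
    }
}

function Invoke-ExchangeIocScan {
    $findings = @()

    # Web shell check: exact name match first, then the timestamp heuristic.
    foreach ($dir in $WebShellDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $aspxFiles = Get-ChildItem -LiteralPath $dir -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue
        foreach ($f in $aspxFiles) {
            if ($SuspiciousNames -contains $f.Name) {
                $findings += New-Finding -File $f -Type 'PossibleWebShell' -Reason 'known-name'
            }
            elseif ($f.CreationTime -ge $LookbackStart -or $f.LastWriteTime -ge $LookbackStart) {
                $findings += New-Finding -File $f -Type 'PossibleWebShell' -Reason 'recent-aspx'
            }
        }
    }

    # LSASS dump check: minidump extension or "lsass" anywhere in the name.
    foreach ($dir in $DumpDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $candidates = Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue
        foreach ($f in $candidates) {
            if ($f.Extension -eq '.dmp' -or $f.Name -match 'lsass') {
                $findings += New-Finding -File $f -Type 'PossibleLsassDump' -Reason 'dump-file'
            }
        }
    }

    return $findings
}

$results = @(Invoke-ExchangeIocScan)
if ($results.Count -eq 0) {
    Write-Host 'No matches in the listed IOC locations (this does not prove the server is clean).'
} else {
    $results | Sort-Object Type, Created | Format-Table -AutoSize Type, Reason, Created, Path
    # Keep a copy of the findings for the incident record and for the CERT you contact.
    $results | Export-Csv -Path (Join-Path $env:TEMP 'exchange-ioc-findings.csv') -NoTypeInformation
}
```

A cumulative update or security update refreshes the timestamps of legitimate files under owa\auth, so a ‘recent-aspx’ hit on its own should be compared against a known-good server or the update’s file list before drawing conclusions; a ‘known-name’ hit or any dump file in the temp folders is reason to treat the server as compromised and escalate. An empty result only means these specific locations are clean, not that the server is.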

Update March 3, 2021

23:00 | Microsoft has published a number of critical vulnerabilities in Microsoft Exchange. Microsoft Exchange Server 2013, 2016, and 2019 are affected; Exchange Online is not. Using Zero-Day exploits[1], an attacker could perform Remote Code Execution[2] and potentially gain access to the server and/or email (accounts).

Microsoft has already released patches to mitigate these vulnerabilities. However, vulnerable systems may already have been exploited before the patches became available.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Potential risk

By exploiting these vulnerabilities, an attacker can obtain full access to an Exchange server. The attacker is then able to gain persistence and install further malware, through which further attacks can later be launched.

Are my systems vulnerable?

The following versions of Exchange are vulnerable if they have not been updated since March 2nd:

  • Microsoft Exchange 2013
  • Microsoft Exchange 2016
  • Microsoft Exchange 2019

Exchange Online is not vulnerable.

Detail info

The following vulnerabilities, present in Exchange Server 2013, 2016, and 2019, have been published by Microsoft:

  • CVE-2021-26855 – Server-Side Request Forgery (SSRF) allows an attacker to send HTTP requests and authenticate as the Exchange Server. This vulnerability can be exploited remotely.
  • CVE-2021-26857 – This Insecure Deserialization vulnerability allows for arbitrary code to be run as the SYSTEM user on an Exchange server. To exploit this vulnerability, admin rights or another vulnerability is required.
  • CVE-2021-26858 – After successful authentication (for example, with the two previously named vulnerabilities), this vulnerability can be used to place files in any location on the system. CVE-2021-26855 can be used to authenticate, or legitimate admin credentials can be used.
  • CVE-2021-27065 – Also a vulnerability allowing arbitrary file writes on a vulnerable system, requiring the same authentication as CVE-2021-26858.

For more detailed information, Tesorion advises to use the information directly from Microsoft.

Background

  1. Zero-day exploits: Exploits for which no patch is yet available.
  2. Remote Code Execution: An exploit in which arbitrary code can be executed remotely by abusing a vulnerability.
  3. Web shells: A web interface through which an attacker can control a compromised system.
  4. LSASS dumps: LSASS is responsible for security policy enforcement on Windows systems. A dump of it contains sensitive information, such as credentials.
