On March 2, 2021, Microsoft released an urgent update to address 4 critical vulnerabilities in Exchange Server 2010, 2013, 2016, and 2019.
Our Incident and Forensics team is actively involved in investigating incidents resulting from these new threats. We have observed that these vulnerabilities are maliciously used to gain remote access to Exchange servers and then unload sensitive data, including entire mailboxes.
Please keep in mind that attackers are most likely using remote access to Exchange in order to then switch to even more critical systems, such as domain controllers.
Microsoft has reported a Chinese allegedly sponsored HAFNIUM group exploiting these vulnerabilities. According to Microsoft , Exchange Online is not affected by the same vulnerabilities.
Description of vulnerabilities
In total, four CVEs are exploited during the attack:
- CVE-2021-26855 is an Exchange server-side request forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate themselves on behalf of a specific Exchange server
- CVE-2021-26857 - used to escalate privileges - privilege escalation, in order to get the privileges of the system account on the server: SYSTEM
- CVE-2021-26858 and CVE-2021-27065 are used to write files to an arbitrary (any) folder on the server.
Teams of attackers tie exploitation of these vulnerabilities together in order to carry out effective attacks. You can additionally view the analysis of these operations from Veloxity .
How does the attack take place
- Attackers find vulnerable Exchange servers with open HTTP port 443
- Exploits an SSRF vulnerability (the first of those described above) to gain the necessary access and authentication on behalf of this Exchange server
- (SYSTEM), , , (, ProcDump)
- Exchange / ,
- , , «»
- WebShell, .
- , Exchange, , . , Microsoft : Cumulative Update Security Update.
- Microsoft PowerShell , , ASPX(.aspx)
- (Kevin Beaumont) Β« Β» nmap
- - Varonis DatAlert :
- , Exchange;
- Web, , , DNS ( SWG [web-proxy] DNS Edge);
- , «» Exchange;
- , , ( , β Data Classification Engine).
PS If you need ANY help, please contact the Russian Varonis team or contact the Incident Investigation Department directly through a dedicated page on our website and we will do our best and we can to make sure that you are safe, even if your company is not a customer of Varonis.