Security Week 10: Massive Attack on Microsoft Exchange Servers

The main news of the past week was the disclosure of four critical vulnerabilities in the Microsoft Exchange mail server, which at the time of discovery were already being actively exploited in cyberattacks. The nature of the vulnerabilities (a complete bypass of the authorization mechanism, privilege escalation, and arbitrary file writes on a compromised server) created the conditions for a "perfect storm" in cybersecurity. According to some reports, tens of thousands of organizations in the United States alone have already fallen victim to the attack.







Attacks on vulnerable servers have only intensified since the updates closing the vulnerabilities were released. Microsoft attributes the original attack to the Hafnium group, of Chinese origin, and (as of March 2) there were no examples of exploitation by anyone else. Most likely, unpatched servers will be attacked by everyone for a long time to come. A separate problem is the backdoor installed after a server is compromised: patches close the initial entry point, but they do not help organizations that have already been attacked. Things are so bad that Microsoft Exchange server operators are advised to assume they have already been compromised.



Sources of information:

  • Microsoft.
  • Volexity.




According to Volexity, the first attacks on Microsoft Exchange mail servers were detected in early January this year. Further investigation uncovered four vulnerabilities, one of which (CVE-2021-26855) is by itself sufficient to cause serious damage. It belongs to the Server-Side Request Forgery class and makes it possible to bypass the server's authorization system. With its help, the attackers successfully exfiltrated the contents of mailboxes. The vulnerabilities affect Microsoft Exchange Server 2013, 2016 and 2019, that is, every version still supported by the vendor.



The other three vulnerabilities provide different ways of gaining a foothold in the system. In particular, CVE-2021-27065 allows an authorized user to overwrite any file on the server. Combined with the authorization bypass, this vulnerability was used to plant a web shell for subsequent control of the compromised server. The exploitation of two of the vulnerabilities is shown in this video from the DEVCORE team (see their website for more information).





Disclosure of vulnerabilities and active attacks was only the beginning of the story: it seems that we will be discussing it all this year. The attack dramatically increases the cost of securing on-premises services and is likely to force even more organizations to switch to the cloud, where the vendor is responsible for security. We are talking not only about the timely installation of patches (although even with this there are problems), but also about closing the already installed backdoors.



Obviously, advanced protections are needed. The first attacks were detected only because of unusually large traffic in a non-standard direction; from the mail server's own point of view, nothing unusual was happening. Detecting the launch of suspicious code by a trusted process, protecting files from modification (including attempts to encrypt them): all of this is required when vulnerable software comes under attack. If the preliminary estimates of the number of attacked organizations are correct, the situation is comparable to the discovery of a hole in home routers, where there are tens or hundreds of thousands of potential victims. Only the potential damage in this case is much higher.
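The two behaviours named above (a trusted server process launching a shell, and a script file appearing in a web-served directory, as happens when a web shell is planted) can be expressed as simple detection rules. The following is an added example, not code from the original post or from any of the vendors mentioned; the event records are constructed samples, the worker-process name `w3wp.exe` (the IIS worker that hosts web front ends) and the web root `C:\inetpub\wwwroot` are assumptions to be adapted to the real deployment.

```python
"""Added example: two host-based detection rules over constructed process and
file-creation events. Not from the original post; names and paths are assumed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumption: the mail server's web front end runs inside the IIS worker process.
TRUSTED_WEB_PROCESSES = {"w3wp.exe"}
# Interpreters a web worker process has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Assumed web root(s) to watch; replace with the real served directories.
WEB_ROOTS = [PureWindowsPath(r"C:\inetpub\wwwroot")]
# Server-side script types that would execute if dropped under a web root.
WEB_SHELL_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    child_image: str
    command_line: str


@dataclass(frozen=True)
class FileEvent:
    path: str
    writer_image: str


def flag_process(ev: ProcessEvent) -> Optional[str]:
    """Rule 1: a trusted web worker spawning a shell or script interpreter."""
    parent = PureWindowsPath(ev.parent_image).name.lower()
    child = PureWindowsPath(ev.child_image).name.lower()
    if parent in TRUSTED_WEB_PROCESSES and child in SHELLS:
        return f"trusted web process {parent} spawned {child}: {ev.command_line}"
    return None


def flag_file(ev: FileEvent) -> Optional[str]:
    """Rule 2: a server-side script created under a web root (web shell drop)."""
    p = PureWindowsPath(ev.path)
    if p.suffix.lower() not in WEB_SHELL_EXTENSIONS:
        return None
    # Windows paths are case-insensitive, so compare normalized lower-case strings.
    for root in WEB_ROOTS:
        if str(p).lower().startswith(str(root).lower() + "\\"):
            return f"new script {p.name} written under {root} by {ev.writer_image}"
    return None


def scan(process_events: List[ProcessEvent], file_events: List[FileEvent]) -> List[str]:
    """Run both rules and return the list of alert strings."""
    alerts = [a for a in map(flag_process, process_events) if a]
    alerts += [a for a in map(flag_file, file_events) if a]
    return alerts


# Constructed sample telemetry: one hit per rule, plus benign events for each.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c ver"),
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\conhost.exe", "conhost.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]
SAMPLE_FILE_EVENTS = [
    FileEvent(r"c:\INETPUB\wwwroot\tmp\page.aspx", "w3wp.exe"),
    FileEvent(r"C:\inetpub\wwwroot\images\banner.png", "w3wp.exe"),
    FileEvent(r"C:\Temp\report.aspx", "notepad.exe"),
]


def demo() -> List[str]:
    return scan(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```

Both rules are deliberately narrow: they say nothing about the network traffic that first revealed the attacks, and a real deployment would feed them from an EDR or Sysmon-style event stream rather than from in-memory records. The point is that the signals are host-local and survive even when the mail protocol itself looks normal.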



What else happened



A new side-channel attack based on Spectre: a practical method of stealing secrets is demonstrated, this time by exploiting the bus that connects separate processor cores (Intel processors are affected; AMD uses a different technology). Meanwhile, an exploit for the Spectre vulnerability appears to have fallen into the hands of cybercriminals.



BleepingComputer describes an unusual ransomware sample whose ransom note tells the victim to contact the attacker through the Discord chat service.



A data leak was discovered on the servers of SITA Passenger Services, a contractor for many airlines around the world. Frequent-flyer data of the Star Alliance and Oneworld alliances is likely affected.





An interesting example of an attack on machine-learning image recognition systems: to confuse the system, it is enough to place a label bearing the name of a different object in front of the object. See also the discussion on Habr.



Google Chrome 89 has been released: the new version closes a zero-day vulnerability (the vendor did not disclose details).



An interesting description of a vulnerability in Microsoft's authorization system. When you try to change your password, an authorization code is sent to your device and must be entered on the site. The researcher found no trivial problems in this mechanism that would allow brute-force attacks, but did find a nontrivial one: submitting many authorization codes simultaneously within a very short period of time.
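The flaw described above is a classic race in a rate limiter: if the attempt counter is read, checked, and written back in separate steps, concurrent submissions all see the same low count and more guesses are evaluated than the limit allows. The following is an added example, not the researcher's code and not Microsoft's implementation, modelling the vulnerable pattern beside a hardened one so that a verifier can be tested for the flaw. The account limit, code format and the barrier used to make the race reproducible are constructed for the demonstration.

```python
"""Added example: a check-then-act attempt counter that concurrent requests can
exceed, next to a version that checks and increments atomically under a lock.
Not from the original post; limits and codes are constructed."""
import threading
from typing import List, Optional, Tuple

MAX_ATTEMPTS = 5  # constructed per-account limit


class RacyCodeVerifier:
    """Vulnerable: the race window lies between reading the counter and writing it back."""

    def __init__(self, correct_code: str, barrier: Optional[threading.Barrier] = None):
        self.correct_code = correct_code
        self.attempts = 0
        self._barrier = barrier  # only to make the interleaving deterministic here

    def verify(self, code: str) -> Optional[bool]:
        """Return None if the limit rejected the attempt, else whether the code matched."""
        seen = self.attempts                 # 1. read a snapshot of the counter
        if self._barrier is not None:
            self._barrier.wait()             # every thread has read before any writes
        if seen >= MAX_ATTEMPTS:
            return None
        self.attempts = seen + 1             # 2. write back a stale value
        return code == self.correct_code


class LockedCodeVerifier:
    """Hardened: check and increment happen as one step under a lock."""

    def __init__(self, correct_code: str):
        self.correct_code = correct_code
        self.attempts = 0
        self._lock = threading.Lock()

    def verify(self, code: str) -> Optional[bool]:
        with self._lock:
            if self.attempts >= MAX_ATTEMPTS:
                return None
            self.attempts += 1
        return code == self.correct_code


def run_concurrent(verifier, codes: List[str]) -> int:
    """Submit all codes from separate threads; return how many were actually evaluated."""
    results: List[Optional[bool]] = [None] * len(codes)

    def worker(i: int, c: str) -> None:
        results[i] = verifier.verify(c)

    threads = [threading.Thread(target=worker, args=(i, c)) for i, c in enumerate(codes)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r is not None)


def demo(n_guesses: int = 20) -> Tuple[int, int]:
    """Evaluated-attempt counts for the racy and the locked verifier, respectively."""
    codes = [f"{i:06d}" for i in range(n_guesses)]  # constructed guesses
    racy = RacyCodeVerifier("000007", barrier=threading.Barrier(n_guesses))
    locked = LockedCodeVerifier("000007")
    return run_concurrent(racy, codes), run_concurrent(locked, codes)


if __name__ == "__main__":
    racy_count, locked_count = demo()
    print(f"racy verifier evaluated {racy_count} of 20 guesses (limit {MAX_ATTEMPTS})")
    print(f"locked verifier evaluated {locked_count} of 20 guesses")
```

The barrier only forces the interleaving that a real service reaches by chance under load; removing it makes the outcome timing-dependent, which is exactly why such bugs survive ordinary testing. In a multi-instance deployment the lock has to live in the shared store (an atomic increment in the database or cache) rather than in process memory.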



A recent Formula E crash was blamed on a software bug. If the front brakes fail, the system is supposed to apply the brakes on the rear wheels. In the case of driver Edoardo Mortara this did not happen: the electric car failed to make the turn and went into the protective barrier.



An article by Brian Krebs explores the black market for browser extensions. They are bought in order to enlist their users in a botnet, which is then resold as an illegal VPN service.


