Microsoft Exchange hack – what’s happening?
The first quarter of 2021 brought organizations around the world another shock in cybersecurity, following the SolarWinds attack. Four “zero-day” vulnerabilities are currently being exploited – exploitation started with the Chinese group Hafnium and extended to Tick, Calypso and the Winnti Group (these groups used the vulnerabilities before Microsoft released the patch on March 2, 2021).
In early January, Microsoft alerted renowned cybersecurity expert Brian Krebs about four reported zero-day vulnerabilities. On January 5, they were reported by a researcher known as “Orange Tsai” at DEVCORE.
“Just report a pre-auth RCE chain to the vendor. This might be the most serious RCE I have ever reported.” – Orange Tsai
And why is that a problem?
The critical vulnerabilities affect locally hosted (on-premises) Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. Importantly, they do not apply to the cloud-based Exchange Online.
Here is a list of currently reported vulnerabilities:
- CVE-2021-26855: CVSS 9.1: Server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to send crafted HTTP requests. The server must accept untrusted connections on port 443 for this vulnerability to be exploitable.
- CVE-2021-26857: CVSS 7.8: Insecure deserialization vulnerability in the Exchange Unified Messaging service that could allow arbitrary code to be deployed on the system. However, this vulnerability must be combined with another vulnerability or with stolen credentials.
- CVE-2021-26858: CVSS 7.8: Post-authentication arbitrary file write vulnerability (writing to any path on the server). Importantly, it can be chained with the CVE-2021-26855 SSRF vulnerability to allow an unauthenticated attack.
- CVE-2021-27065: CVSS 7.8: Post-authentication arbitrary file write vulnerability (writing to any path on the server). Importantly, it can be chained with the CVE-2021-26855 SSRF vulnerability to allow an unauthenticated attack.
If used together in a coordinated campaign, these vulnerabilities can lead to Remote Code Execution (RCE), server takeover, installation of backdoors, data theft and potentially further spread of malware.
What to do if I am using on-premises Exchange Server 2013, Exchange Server 2016 or Exchange Server 2019?
- Check whether you are vulnerable with the scripts released by Microsoft
- Install the security updates released in March by Microsoft
- If possible, update your IT security tools with the Indicators of Compromise (IOCs) related to the exploitation of these vulnerabilities
Microsoft has urged IT administrators and customers to apply the security patches immediately. However, applying the fixes now does not mean that the servers have not already been backdoored or otherwise compromised.
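As an added example (not code from the original post), the following Python script hunts an Exchange HttpProxy log for the AnchorMailbox and BackEndCookie patterns that Microsoft published as indicators of CVE-2021-26855 exploitation attempts, which is the kind of IOC check the last step above calls for. The log excerpt is constructed, its column set is simplified, and the handling of a '#Fields:' header line is an assumption about the log layout.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed sample of an Exchange HttpProxy log (simplified column set; real logs carry
# many more fields). The first two data rows mimic the AnchorMailbox/BackEndCookie patterns
# Microsoft published as CVE-2021-26855 indicators; the last two rows are benign traffic.
SAMPLE_HTTPPROXY_LOG = """#Log-type: HttpProxy Logs
#Fields: DateTime,AnchorMailbox,UrlStem,HttpStatus,BackEndCookie,UserAgent
2021-03-01T10:15:02.100Z,ServerInfo~mail.example.test/autodiscover/autodiscover.xml,/autodiscover/autodiscover.xml,200,,python-requests/2.25.1
2021-03-01T10:15:03.250Z,,/ecp/,200,Server~mail.example.test/a~1915223281,python-requests/2.25.1
2021-03-01T10:16:40.000Z,Sid~S-1-5-21-1234567890-1234567890-1234567890-1105,/owa/,200,,Mozilla/5.0
2021-03-01T10:17:01.000Z,SMTP:alice@example.test,/mapi/emsmdb/,200,,Microsoft Office/16.0
"""

SERVERINFO_PATTERN = re.compile(r"^ServerInfo~.*/")      # AnchorMailbox like 'ServerInfo~*/*'
BACKEND_COOKIE_PATTERN = re.compile(r"^Server~.*/.*~")   # BackEndCookie like 'Server~*/*~*'

def parse_httpproxy_log(log_text: str) -> List[Dict[str, str]]:
    """Parse a CSV HttpProxy log; '#' lines are skipped except '#Fields:', which (assumption) names the columns."""
    header = None
    data_lines = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            header = line[len("#Fields:"):].strip()
        elif line.startswith("#") or not line.strip():
            continue
        elif header is None:
            header = line  # plain CSV: the first non-comment line is the header row
        else:
            data_lines.append(line)
    if header is None:
        return []
    return list(csv.DictReader(io.StringIO("\n".join([header] + data_lines))))

def find_cve_2021_26855_hits(log_text: str) -> List[Dict[str, str]]:
    """Return rows matching the published SSRF indicators, annotated with the field that matched."""
    hits = []
    for row in parse_httpproxy_log(log_text):
        anchor_hit = SERVERINFO_PATTERN.match(row.get("AnchorMailbox") or "")
        cookie_hit = BACKEND_COOKIE_PATTERN.match(row.get("BackEndCookie") or "")
        if anchor_hit or cookie_hit:
            row["Indicator"] = "AnchorMailbox" if anchor_hit else "BackEndCookie"
            hits.append(row)
    return hits

if __name__ == "__main__":
    for hit in find_cve_2021_26855_hits(SAMPLE_HTTPPROXY_LOG):
        print(hit["DateTime"], hit["Indicator"], hit["UrlStem"], hit["UserAgent"])
```

On a real server, feed the contents of the HttpProxy log files under the Exchange Logging directory to find_cve_2021_26855_hits and review any hits together with the source IP and user agent fields the full log provides.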