Microsoft Exchange Server Exploits

 

Recently, Microsoft teams scrambled to push out patches for multiple zero-day vulnerabilities in Microsoft Exchange Server.  Attackers were able to exploit these vulnerabilities to gain remote control over the servers and then steal email accounts, install malware, or exfiltrate data.

 

The Attack

To exploit the vulnerabilities, an attacker needs port 443 to be open on the Microsoft Exchange server.  From there, the attacker or group can exploit four different vulnerabilities:

  • CVE-2021-26855: Server-side request forgery (SSRF) vulnerability that permits attackers to send HTTP requests and authenticate as the Microsoft Exchange Server
  • CVE-2021-26857: Deserialization vulnerability that allows attackers to run code as “SYSTEM” on the Microsoft Exchange Server
  • CVE-2021-26858: Post-authentication arbitrary file write vulnerability that allows attackers to write files anywhere on the Microsoft Exchange Server
  • CVE-2021-27065: Another post-authentication arbitrary file write vulnerability that allows attackers to write files to any file path on the server

 

Once they have gained access, the attackers control those Microsoft Exchange Servers.  There is no apparent direct goal; however, they can steal data, steal email accounts, and install additional malware.  Additionally, researchers are discovering web shells on some of the breached servers.  A web shell can act as a backdoor for the attacker even after Microsoft resolves these four vulnerabilities, and it gives the attacker the ability to exfiltrate data, download data, execute programs, and access directories.

 

The Impact

These types of attacks against Exchange Servers seem to be carried out by attacker groups and Advanced Persistent Threat (APT) groups.  Attack groups include APT27, Bronze Butler, Calypso, Hafnium, and other unidentified groups.  According to researchers at Volexity, these attacks have been happening since as early as January 6th of this year.  Additionally, they believe the attacker groups will use the Exchange Server exploits as a gateway into more severe attacks, such as deploying ransomware or building a botnet.

 

Stay Protected

To protect a Microsoft Exchange Server, Microsoft strongly advises users to install its latest security patch, which fixes those four vulnerabilities.  Additionally, attackers cannot exploit these vulnerabilities if the network’s port 443 is locked down.

 

Finally, Microsoft released a post explaining the attacks in full detail and how to know if your server was breached.
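Because a web shell can outlive the patch, a patched server still needs a check for script files written during the exposure window. The PowerShell below is an added example, not code from this article or from Microsoft: the function name Find-RecentWebFile, the extension list, and the demo directory are assumptions, and the default cutoff is the January 6th date cited above, read as 2021 from the CVE identifiers.

```powershell
# Added example: list script-capable web files created or modified since a cutoff.
# Hypothetical helper; names, extensions and the demo tree are assumptions.
function Find-RecentWebFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Earliest attack date cited in the article (January 6th, taken as 2021).
        [datetime] $Since = [datetime]'2021-01-06',
        [string[]] $Extension = @('.aspx', '.ashx', '.asmx')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($Extension -contains $_.Extension) -and
            ($_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since)
        } |
        ForEach-Object {
            [pscustomobject]@{
                FullName = $_.FullName
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                Length   = $_.Length
                # Hash lets the file be compared against a known-good install.
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Sort-Object Modified
}

# Constructed demo tree so the example runs offline; point -Path at the
# server's real web directories when using this for triage.
$root = Join-Path ([IO.Path]::GetTempPath()) ("webroot-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
$samples = [ordered]@{
    'sample_old.aspx' = [datetime]'2020-06-01'   # predates the cutoff
    'sample_new.aspx' = [datetime]'2021-02-28'   # written after the cutoff
    'notes.txt'       = [datetime]'2021-02-28'   # extension not in scope
}
foreach ($name in $samples.Keys) {
    $file = New-Item -ItemType File -Path (Join-Path $root $name) -Value 'constructed sample'
    $file.CreationTime  = $samples[$name]
    $file.LastWriteTime = $samples[$name]
}

Find-RecentWebFile -Path $root | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

File timestamps can be altered and legitimate updates also touch these files, so treat the results as a review list, not as proof of compromise.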