Skip to main content

Massive Zero-Day attack on Microsoft-Exchange users

On 2 March 2021, Microsoft advised of multiple zero-day vulnerabilities identified within Microsoft Exchange Server. This affects all recent versions of on-premise Exchange Server, however, the Office 365 platform is not vulnerable. 

The scale of the attack is astonishing. 

Cyber security experts believe that initially, the hacking campaign zeroed in on specific high-value victims. However, over time—and as Microsoft caught wind of the vulnerability—the hack exploded, affecting mainly small-to-midsized companies who notoriously lack a holistic cyber security framework. 

Multiple threat actors have been using these vulnerabilities to exfiltrate mailbox contents and deploy web shells, providing access to the Exchange Server and other systems on victim networks. 

Patching or disabling Exchange Servers does not mitigate the incident if threat actors could have exploited these vulnerabilities and compromised Exchange Servers and wider networks before remediation steps were taken. 

This is an active incident, and due to the potential latent nature of threat actor access inside compromised networks, the full extent of their malicious activities may not be known for weeks or months from now. 

Some critical facts about the attack. 

Description  Facts 
Date   March 4th, 2021  
Version   1.1 (Updated on March 9, 2021)  
Affected software   Microsoft Exchange Server 2013, 2016 and 2019 
Microsoft Exchange Server 2010 is no longer supported but will be updated for Defence-in-Depth purposes  
Type   Zero-day, vulnerability chain that leads to remote code execution  
CVE/CVSS   CVE-2021-26855 
CVE-2021-26857 
CVE-2021-26858 
CVE-2021-27065 
Unrelated to known attacks, yet dangerous enough to patch: 
CVE-2021-26412 
CVE-2021-26854 
CVE-2021-27078 

 

What you can do? 

While the patch prevents new breaches, it does nothing to clean up the damage left behind if a system has already been breached. In this scenario, it is strongly suggested that those who fit the victim criteria assume they’ve been compromised and act accordingly. This includes: 

  • Patching immediately, assuming this hasn’t been done already. 
  • Searching (or hiring a team) to search for malicious activity. 
  • If neither of these options is viable, disconnect your email infrastructure and rebuild it. 
  • Move to the cloud. 

What we can do for you? 

We can offer our customers in responding to these incidents in a variety of ways, including

  1. Perform a security assessment of your infrastructure. 
  2. Scanning networks for vulnerable Exchange systems. 
  3. Triage analysis of Exchange servers for signs of compromise. 
  4. Forensic analysis of compromised servers to reconstruct the details of intrusions. 
  5. Validation of remediation steps already taken 
  6. Proactive threat hunting and endpoint monitoring more widely across networks. 

If you may have been impacted, we would be pleased to arrange a confidential discussion with our experts about these incidents and the threat actors behind them, plus our recommendations on how to respond. 

Cybersecurity is what we do

Rabbon is Cybersecurity services and solution provider, we lead a team of expert cybersecurity consultants and engineers to help your organisation achieve their cybersecurity goals.

Leave a Reply