ableopk.blogg.se

Msert tool













"CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft's IoC detection tool to help determine compromise," the agency tweeted on March 6.

Taiwanese cybersecurity firm Devcore, which began an internal audit of Exchange Server security in October last year, noted in a timeline that it discovered both CVE-2021-26855 and CVE-2021-27065 within a 10-day period between December 10-20, 2020. After chaining these bugs into a workable pre-authentication RCE exploit, the company said it reported the issue to Microsoft on January 5, 2021, suggesting that Microsoft had almost two months to release a fix.


Chief among the vulnerabilities is CVE-2021-26855, also called "ProxyLogon" (no connection to ZeroLogon), which permits an attacker to bypass the authentication of an on-premises Microsoft Exchange Server that's able to receive untrusted connections from an external source on port 443. This is followed by the exploitation of CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 post-authentication, allowing the malicious party to gain remote access. With multiple threat actors leveraging these zero-day vulnerabilities, the post-exploitation activities are expected to differ from one group to the other based on their motives.


Unpatched Exchange Servers at Risk of Exploitation

A successful exploitation of the flaws allows the adversaries to break into Microsoft Exchange Servers in target environments and subsequently allow the installation of unauthorized web-based backdoors to facilitate long-term access.

The colossal scale of the ongoing offensive against Microsoft's email servers also eclipses the SolarWinds hacking spree that came to light last December, which is said to have targeted as many as 18,000 customers of the IT management tools provider. But as it was with the SolarWinds hack, the attackers are likely to have only gone after high-value targets based on an initial reconnaissance of the victim machines.


Victims are also being reported from outside the U.S., with email systems belonging to businesses in Norway, the Czech Republic and the Netherlands impacted in a series of hacking incidents abusing the vulnerabilities. The Norwegian National Security Authority said it has implemented a vulnerability scan of IP addresses in the country to identify vulnerable Exchange servers and "continuously notify these companies."














