Multiple zero-day exploits have been discovered that are being used to attack on-premises versions of Microsoft Exchange Server, according to Microsoft. According to reports, the number of attacks exploiting critical vulnerabilities is rapidly increasing. Over 30,000 organizations, including small businesses and municipalities, have been hacked in the United States in just a few days.
Microsoft has released emergency, out-of-band patches to address the security flaws since then. In the meantime, it’s critical that businesses take the necessary steps to detect and respond to exploit attempts quickly and effectively.
Cyber criminals are actively exploiting these flaws, and the consequences of failing to address them can be devastating, including the leakage or loss of emails, lateral network movement, or the execution of ransomware. Use this guide to learn more about the exploit and the 10 steps you should take to protect your network.
What’s the Impact?
Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. After successful exploitation, attackers can gain access to email accounts and install additional malware or scanning tools to remain persistent on the network.
Note: this impacts on-premises versions of Microsoft Exchange Server and does not impact Exchange Online.
What Happened?
The Advanced Persistent Threat (APT) group HAFNIUM leveraged a chain of four zero-day vulnerabilities, together dubbed ProxyLogon. Since then, at least 10 other APTs have followed suit in targeting servers around the world. The four vulnerabilities, identified by their Common Vulnerabilities and Exposures (CVE) numbers, are:
- CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests.
- CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.
What Should You Do Now?
CYB3R-X Security Operations Center (SOC) actively monitors customer networks for Indicators of Compromise (IOCs) such as ProxyLogon. If you are not protected by a managed security service provider already taking action on this threat, our SOC recommends the following immediate course of action:
- First and foremost, update impacted on-premises Exchange Servers immediately.
- Check the Exchange Server for unknown scheduled tasks and services, disable any you find, then run a complete anti-malware scan with updated signatures.
- Perform a Password Reset operation on all Exchange Server accounts.
- Check the following paths for unknown .aspx, .bat, and executable files; remove them and restore the affected files from a known-clean backup:
- C:\Exchange\FrontEnd\HttpProxy\owa\auth\
- C:\inetpub\wwwroot\aspnet_client\
- C:\inetpub\wwwroot\aspnet_client\system_web\
- Ensure that a strong password policy is in place.
- Ensure that Multi-Factor Authentication (MFA) is enabled for Exchange account logins.
- Remove unwanted applications from the server.
- Upgrade operating systems to the latest version.
- Run vulnerability scans on the host and patch all critical vulnerabilities.
- Ensure that regular backups and proper network segmentation are in place for public-facing servers.
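The file-review step above is easiest to do reliably against a known-clean reference rather than by eye. The following Python script is an added example, not CYB3R-X's tooling or part of the advisory: it hashes every .aspx, .bat and .exe file under a clean backup copy of one of the listed directories, then walks the live directory and reports any such file that is absent from the baseline ("unknown") or whose hash differs ("modified"), together with its SHA-256 and last-modified time for the incident record. The directory layout and file names in the demo are constructed for illustration; the real advisory paths are listed in ADVISORY_PATHS so the same triage() call can be run against each of them with a matching backup directory.

```python
"""Triage Exchange web directories against a known-clean backup copy (added example)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The three directories named in the advisory. Pair each with its backup copy when
# running on a real host; on a non-Windows test machine they simply do not exist.
ADVISORY_PATHS = [
    r"C:\Exchange\FrontEnd\HttpProxy\owa\auth",
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\inetpub\wwwroot\aspnet_client\system_web",
]

# File types the advisory says to look for: web pages, batch files and executables.
SUSPECT_EXTENSIONS = {".aspx", ".bat", ".exe"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to be read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _relative(path: Path, root: Path) -> str:
    # Normalise separators so a baseline built on one platform compares on another.
    return str(path.relative_to(root)).replace(os.sep, "/")


def build_baseline(clean_root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every suspect-extension file in a clean backup."""
    return {
        _relative(p, clean_root): sha256_of(p)
        for p in clean_root.rglob("*")
        if p.is_file() and p.suffix.lower() in SUSPECT_EXTENSIONS
    }


def triage(live_root: Path, baseline: dict[str, str]) -> list[dict]:
    """Report suspect-extension files that the baseline does not know or that have changed."""
    findings: list[dict] = []
    if not live_root.is_dir():
        return findings  # directory not present on this host: nothing to review
    for p in sorted(live_root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        rel = _relative(p, live_root)
        digest = sha256_of(p)
        expected = baseline.get(rel)
        if expected is None:
            verdict = "unknown"
        elif expected != digest:
            verdict = "modified"
        else:
            continue  # identical to the clean copy
        modified = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        findings.append({
            "path": str(p),
            "relative": rel,
            "verdict": verdict,
            "sha256": digest,
            "modified_utc": modified.isoformat(timespec="seconds"),
        })
    return findings


def demo() -> list[dict]:
    """Constructed scenario: clean backup vs. a live copy with one altered and two planted files."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "backup" / "auth"
        live = Path(tmp) / "live" / "auth"
        for directory in (clean, live):
            directory.mkdir(parents=True)
            (directory / "good.aspx").write_text('<%@ Page Language="C#" %> legitimate page')
            (directory / "logo.png").write_text("not a suspect extension; ignored")
        # Constructed differences in the live directory only.
        (live / "good.aspx").write_text('<%@ Page Language="C#" %> legitimate page with appended content')
        (live / "planted.aspx").write_text("<!-- constructed placeholder for an unexpected file -->")
        (live / "tool.bat").write_text("@echo constructed placeholder")
        return triage(live, build_baseline(clean))


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['verdict']:8} {finding['relative']}  sha256={finding['sha256'][:16]}...  "
              f"mtime={finding['modified_utc']}")
```

Anything the script flags should be preserved (copied out with its hash and timestamp) before it is removed, so the evidence survives the restore from backup; the SHA-256 values also give the SOC something concrete to search for across other hosts.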
What Should You Do Long-term?
You may find more detailed information in the Cybersecurity & Infrastructure Security Agency's (CISA) Alert AA21-062A.
Lastly, our recommendation is to establish comprehensive 24/7 security monitoring, threat detection and response capabilities with a managed security service provider (MSSP) to plug gaps in the expertise and availability of your on-staff resources.
CYB3R-X partners will be kept updated through this Security Advisory regarding actions taken within our Managed Threat Protection service.