Microsoft Exchange 0-day Vulnerability Analysis
What is the issue?
In January 2021, Volexity uncovered a Server Side Request Forgery (SSRF) Zero-Day in Microsoft Exchange Server (CVE-2021-26855) when it was exploited on one of their servers. The pre-authentication vulnerability is severe, allowing attackers to dump mailbox content, and later investigation found that attackers were further chaining the SSRF vulnerability with an additional RCE exploit (CVE-2021-27065) to remotely execute code on Exchange Servers. This vulnerability was observed being exploited in the wild as early as January 3, 2021.
On March 2, 2021, Microsoft released several security updates that patched these critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) in Microsoft Exchange Server 2013, 2016, and 2019; they recently released additional updates for Exchange 2010 as well. Affected versions include:
- 2013 CU 23
- 2016 CU 19
- 2016 CU 18
- 2019 CU 8
- 2019 CU 7
As of March 9, 2021, Censys observed 251,211 Microsoft Exchange Servers (2013, 2016, or 2019 versions) across the Internet. Exchange Server includes version information in the Outlook Web Access (OWA) page, which allowed us to determine whether servers are running an affected version of Exchange. More than 50% of the 2013, 2016, and 2019 Exchange Servers are one of those 5 versions, though we note that reported version data does not include the server patch level, which prevents us from detecting whether a hotpatch that fixes these specific vulnerabilities has been applied.
More than 50% of the 2013, 2016, and 2019 Exchange Servers are one of those 5 specific affected versions.
Top countries where Exchange Servers were observed include the United States, Germany, United Kingdom, Netherlands, and Russia.
In addition to identifying Microsoft Exchange Servers around the globe, Censys also mapped where these servers are running by Cloud Provider.
Why does it matter?
Affected servers are globally widespread, cutting across industries. We took a random sampling of IPs in the United States and mapped them to industries. We found approximately 20% of the U.S. Exchange Servers are associated with education institutions like universities. However, the spread across industries is noticeable, and impacts everyone from retail to telecommunications to software companies.
There have been growing concerns of different groups’ ongoing and active exploitation reported by Microsoft which have severe consequences for organizations. Concerns include:
- Web Shells: Observed web shells being dropped on systems allowing for future backdoor use.
- Lateral Movement: Attempts to move laterally and compromise the organization further.
- Malware / Ransomware: Installation of additional malware or ransomware.
- Credential dumps: Stealing credentials from systems for future use or further attempts to exploit the organization.
Additional reporting by Volexity also found active exfiltration of data such as full email inboxes.
What do I do about it?
Leverage Microsoft’s open source tooling to identify if your Microsoft Exchange Servers are vulnerable as quickly as possible. Microsoft released a set of nmap and powershell scripts that can be used to identify whether you’re vulnerable, and have been endorsed by CISA.
If you find vulnerable Exchange Servers in your environment, immediately deploy the latest security patches from Microsoft and ensure your organization’s data is backed up.
- Microsoft Security Exchange Updates (frequently updated): https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
- Microsoft Overview of Hafnium Exploitation: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers
- Volexity Analysis: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities
- CISA on Exchange IOC Detection Tool: https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities