On March 2, 2021, Microsoft released emergency patches for four Microsoft Exchange Server vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. At the time, Microsoft warned that these vulnerabilities were already being actively exploited. As the story developed, it became clear just how extensive the exploitation was: according to sources speaking to Brian Krebs, who initially broke the story, at least 30,000 organizations in the US had been hacked.
The threat actors have built scripts that scan the internet for Exchange servers with Outlook Web Access (OWA) exposed and exploit them automatically. They chain the vulnerabilities above to install web shells (think of a backdoor reachable over HTTP) on the compromised host, giving them full administrative control of the server. From there they can read email, deploy additional hacking tools, and, most likely, pivot from the compromised Exchange server into parts of your network that are not internet-facing.
Microsoft has published specifics of the attack, including host indicators of compromise (IOCs) such as web shell hashes, known file paths where web shells are dropped, Microsoft Defender AV signature names, and PowerShell commands to watch for, among others. A Microsoft Security Response Center article gives Microsoft's recommendations on how to detect, respond to, and patch for this issue. Microsoft also released detection scripts in its CSS-Exchange GitHub repository: a PowerShell script (Test-ProxyLogon.ps1) that searches Exchange server logs for signs of exploitation, and an Nmap NSE script that checks remotely whether a server is still vulnerable to CVE-2021-26855: https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse.
We recommend that you patch these systems immediately, or take them offline if patching is not an option. You should also run the Microsoft detection tool even if you have already patched: the patches were released after active exploitation had been discovered, so you could have been an early victim. If you have already been compromised, patching will not remove the attacker's access, and you will need to execute your Incident Response (IR) plan and treat this as a security incident.
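To make the "check even if you patched" step concrete, here is an added example (not code from the original post, and not Microsoft's tool) that triages exported Exchange artifacts offline in Python. It re-implements the CVE-2021-26855 log indicator Microsoft published (an HttpProxy request with an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/*) and adds a file-path heuristic for one of the published web shell drop locations, the aspnet_client directory. The log lines, file paths and the trimmed column set are constructed sample data; treating any .aspx under aspnet_client as suspect is an assumption made here, not a published rule.

```python
"""Offline triage of exported Exchange artifacts for ProxyLogon indicators.

Added example, not code from the original post or from Microsoft. Two checks:
  1. HttpProxy log rows with an empty AuthenticatedUser and an AnchorMailbox
     matching ServerInfo~*/*, the CVE-2021-26855 SSRF indicator Microsoft
     published (re-implemented here in Python instead of PowerShell).
  2. .aspx files beneath the aspnet_client directory, a web shell drop
     location from the same guidance; flagging every .aspx there is a
     heuristic assumed here, not a published rule.
All log lines and file paths below are constructed sample data.
"""
import csv
import fnmatch
from collections import Counter
from pathlib import PureWindowsPath

SSRF_ANCHOR_PATTERN = "ServerInfo~*/*"

# Constructed HttpProxy log. Real files carry a '#' comment preamble; the
# column set is trimmed to the fields this script reads (assumption).
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,ProtocolAction,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T08:12:41.003Z,a1,10.0.0.25,mail.example.test,/owa/,GET,EXAMPLE\\jdoe,Smtp~jdoe@example.test,200
2021-03-03T08:13:02.115Z,a2,203.0.113.77,mail.example.test,/owa/auth/x.js,POST,,ServerInfo~localhost/autodiscover/autodiscover.xml?a=x,200
2021-03-03T08:13:02.640Z,a3,203.0.113.77,mail.example.test,/ecp/y.js,POST,,ServerInfo~localhost/ecp/DDI/DDIService.svc/SetObject?a=x,200
2021-03-03T08:15:10.220Z,a4,10.0.0.31,mail.example.test,/mapi/emsmdb/,POST,EXAMPLE\\asmith,Smtp~asmith@example.test,200
2021-03-03T08:16:55.000Z,a5,10.0.0.9,mail.example.test,/autodiscover/autodiscover.xml,POST,,Smtp~bob@example.test,401
"""

# Constructed directory listing, as a collection script might export it.
SAMPLE_FILE_LISTING = [
    r"C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\readme.txt",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
]


def parse_httpproxy_log(text):
    """Return log rows as dicts, skipping the '#' comment preamble."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(lines))


def find_ssrf_hits(rows, pattern=SSRF_ANCHOR_PATTERN):
    """Rows that are unauthenticated yet carry a ServerInfo~ anchor mailbox.

    Row a5 in the sample is unauthenticated too, but its Smtp~ anchor is an
    ordinary Autodiscover request and must not be flagged.
    """
    return [
        r for r in rows
        if r.get("AuthenticatedUser", "") == ""
        and fnmatch.fnmatchcase(r.get("AnchorMailbox", ""), pattern)
    ]


def triage_httpproxy(text):
    """Parse a log, apply the SSRF indicator, and count hits per source IP."""
    rows = parse_httpproxy_log(text)
    hits = find_ssrf_hits(rows)
    return {
        "rows": len(rows),
        "hits": hits,
        "sources": Counter(h["ClientIpAddress"] for h in hits),
    }


def suspect_aspx(paths):
    """Return .aspx files located anywhere beneath an aspnet_client directory."""
    flagged = []
    for p in paths:
        wp = PureWindowsPath(p)
        parts = {part.lower() for part in wp.parts}
        if wp.suffix.lower() == ".aspx" and "aspnet_client" in parts:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    result = triage_httpproxy(SAMPLE_HTTPPROXY_LOG)
    for h in result["hits"]:
        print("SSRF indicator:", h["DateTime"], h["ClientIpAddress"], h["AnchorMailbox"])
    print("Hits per source:", dict(result["sources"]))
    for p in suspect_aspx(SAMPLE_FILE_LISTING):
        print("Suspect web shell path:", p)
```

On a real server you would point this at the HttpProxy log directory under the Exchange installation's Logging folder and at a file listing of the web roots; a single hit is enough to move from "patch" to "execute the IR plan", because the request pattern only appears when the authentication bypass is being used.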
If you have not patched by this point and you have externally facing OWA, there is a very good chance you have been compromised and should execute your IR plan. It is also worth noting that although this incident carries similar weight to the SolarWinds attack, and every indication is that it began as a nation-state-sponsored campaign, there is no indication that the two attacks are related in any way.
If you have been affected by any of these issues and would like further guidance, our team of professionals can provide you with personalized recommendations that fit the needs of your organization.
Written by Zach Turpen
Zach Turpen is a Cybersecurity Expert at TechGuard Security, where he conducts penetration tests, vulnerability assessments and social engineering exercises and develops detailed incident response procedures. With over six years of experience in a Fortune 100 environment, he also holds CISSP, CEH, GSEC, Security+, Splunk, Rapid7, ITIL and VMware certifications. Zach graduated Summa Cum Laude from McKendree University with a bachelor's degree in Computer Information Systems. He has worked on the front line of security as an Incident Responder, as a Lead Security Engineer implementing multi-million-dollar projects (SIEM, NGAV, web proxies, NGFW) and as a Security Architect migrating business applications to the cloud. In his spare time Zach enjoys spending time with his wife and two kids, gardening and kayak fishing.