Microsoft Exchange Server zero-day attacks | Enea Romania | 0LOVES1

Microsoft Exchange Server zero-day attacks


The term ‘zero-day attack’ refers to an attack in which a vulnerability is exploited in the wild while it is still unknown to the vendor of the targeted software, who has therefore had “zero days” to remedy the problem.

Microsoft disclosed that four critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) affecting Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 have been identified and are being actively exploited by cybercriminals to plant web shells and deploy ransomware on the compromised servers:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability that allows an unauthenticated attacker to send specially crafted requests to the server, which lets them not only steal the full contents of several user mailboxes but also obtain remote code execution.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service.
  • CVE-2021-26858 allows an authenticated Exchange user to overwrite any existing file on the system.
  • CVE-2021-27065 allows an authenticated attacker to overwrite any system file on the Exchange server.

The most targeted industries are government, military, manufacturing, financial and health services.

A large number of attackers are trying to exploit these Exchange Server vulnerabilities, so every organisation should apply the critical security patches as soon as possible. Since the vulnerabilities were disclosed, a number of state-sponsored and cybercriminal hacking groups have also targeted Microsoft Exchange servers in order to gain access before patches are applied. Moreover, a new form of ransomware, dubbed DearCry, made specifically to target vulnerable Exchange servers, has been distributed.

Microsoft revealed that a China-based group called Hafnium has been launching cyberattacks against organizations by exploiting the aforementioned vulnerabilities in on-premises versions of its Exchange Server software. The main objective of Hafnium is to exfiltrate information from organizations in different industries.

Microsoft’s team has published a script on GitHub that checks whether systems are vulnerable to the recently disclosed zero-day bugs. The script includes indicators of compromise (IOCs) linked to the four zero-day vulnerabilities found in Microsoft Exchange Server. The one-click Exchange On-premises Mitigation Tool (EOMT) allows business owners to mitigate the recently disclosed ProxyLogon vulnerabilities.

When executed, EOMT.ps1 performs the following steps:

  • Checks whether the server is vulnerable to the aforementioned vulnerabilities.
  • Mitigates CVE-2021-26855.
  • Downloads and runs the Microsoft Safety Scanner to remove known web shells and other malicious scripts installed via these vulnerabilities.

After running EOMT, admins are advised to also run the Test-ProxyLogon.ps1 script to check for indicators of compromise in various other log files.

Microsoft has released several security updates for Exchange Server to mitigate the zero-day vulnerabilities.

“We strongly encourage all Exchange Server customers to apply these updates immediately,” Microsoft said in a blog post. “Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products. Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack.”

Stay safe!
