Microsoft Exchange Server Attacks: What You Need To Know

At least since early March 2021, on-premises Microsoft Exchange Server systems in the US and worldwide have been under attack by malicious actors. Attackers are exploiting several vulnerabilities that allow them to exfiltrate emails, execute system commands, and potentially compromise the entire network. Here’s what you need to know about the attack.

Invicti does not use Microsoft Exchange Server software and is not in any way affected by the incident.

What Happened?

Thousands of web-accessible on-premises Microsoft Exchange Server systems have been compromised by aggressive, large-scale attacks associated with a Chinese cyberespionage group dubbed Hafnium. The attacks combine several zero-day vulnerabilities that allow attackers to access emails and execute remote commands on the server. Web shells are installed in compromised systems to provide persistent access. The CISA has issued emergency directive 21-02 related to the attacks.

Timeline of the Attacks

It is believed that US-based organizations have been actively targeted since January 2021, with initial estimates suggesting at least 30,000 compromised systems across government, industry, and academic institutions. On March 2nd, Microsoft released an official advisory and emergency security updates for the relevant vulnerabilities. Since that date, the attackers have become more aggressive, indiscriminately targeting systems worldwide, with at least 60,000 confirmed attacks globally so far.

Who Is Affected?

All on-premises installations from Microsoft Exchange Server 2013 onwards are directly vulnerable to attack. As long as port 443 is open, an unauthenticated attacker can execute arbitrary commands on the server. Note that only on-premises servers are affected.

What Should You Do?

If you are running Microsoft Exchange Server, you should immediately install the emergency updates provided by Microsoft. However, even after you’ve patched, your system may already be compromised and have a web shell installed, so use the information provided in the emergency CISA directive and mitigation alert to check for signs of compromise. If found, isolate from the Internet and clean out all known malicious artifacts or (if possible) rebuild the system from a known good image.
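A defender-side starting point for the "check for signs of compromise" step above, written here as an added example and not part of Microsoft's or CISA's tooling: it lists `.aspx` files created or modified recently under the Exchange front-end web directories, where the web shells described in this article are served from. The directory paths (including `$env:ExchangeInstallPath`) and the cutoff date are assumptions; adjust them to your installation and review every hit against the CISA directive rather than treating the list as a verdict.

```powershell
# Added example: list .aspx files recently written under Exchange web roots.
# The roots and the cutoff date are assumptions for a default on-premises
# Exchange 2013+ install; adjust them to your environment.
$Cutoff = Get-Date -Date '2021-01-01'   # start of the timeline in the article

$SearchRoots = @(
    # Assumption: Exchange setup exports ExchangeInstallPath for the service.
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client')
)

$Hits = foreach ($Root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $Root)) { continue }
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $Cutoff -or $_.LastWriteTimeUtc -ge $Cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_.FullName
                CreatedUtc  = $_.CreationTimeUtc
                ModifiedUtc = $_.LastWriteTimeUtc
                SizeBytes   = $_.Length
                # Hash each candidate so it can be compared with published indicators.
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($Hits) {
    $Hits | Sort-Object CreatedUtc | Format-Table -AutoSize
    # Keep a copy for the incident record before any cleanup or rebuild.
    $Hits | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'exchange-aspx-review.csv')
} else {
    "No .aspx files created or modified since $Cutoff under the listed roots."
}
```

Legitimate product files can appear in the output too, so compare each hit's path and hash with the vendor's indicators and preserve the evidence before removing anything.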

The Vulnerabilities Behind the Attacks

The entry point for the attackers is a server-side request forgery (SSRF) flaw assigned CVE-2021-26855 and dubbed ProxyLogon. It allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate with the Exchange Server control panel to gain access to mailboxes and read sensitive information.

Once authenticated, the attackers are exploiting three other zero-day vulnerabilities to get file system access and remote code execution:

  • CVE-2021-26857: An insecure deserialization vulnerability that allows attackers to execute arbitrary code as the SYSTEM user. This opens the way to full system compromise.
  • CVE-2021-27065 and CVE-2021-26858: Post-authentication arbitrary file write vulnerabilities. These allow attackers to install web shells to maintain persistent access.

All these vulnerabilities are being actively exploited, so if you have an Exchange server, make sure you patch up and check your systems.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.