Threat Alert

by IthacaLabs™

THREAT LEVEL/Critical 19/03/2021

Four New Zero Day Vulnerabilities in Microsoft Exchange Servers exploited in the wild – Update

Threat Level Description

Threat Level: Critical – An attack is expected imminently. Maximum protective security measures to meet specific threats and to minimize vulnerability and risk. Critical may also be used if a terrorist attack is expected seeking to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the economy, and damage public morale and confidence.

Description

Following our previous Threat Alert on the four zero-day vulnerabilities in Microsoft Exchange Server, we have observed that these vulnerabilities are being actively exploited in the wild.

Even where Microsoft's patches or interim mitigations have already been applied, a server may have been compromised before those measures were taken; neither the patch nor the mitigation removes an attacker who is already present on the system.

Organizations should therefore verify that their Exchange servers have not already been compromised. This check is needed whether or not patching has taken place, because the patch only closes the entry point.

Any suspicious entries under the path "/inetpub/wwwroot/aspnet_client" (among other locations) must be investigated, even if endpoint controls such as antivirus have already detected and removed the web shells: a web shell written to disk means the attacker already had code execution on the server, and deleting the file does not undo what was done with that access.
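The following triage scanner is an added example written for this alert; it is not IthacaLabs or Microsoft code. It walks an IIS webroot such as C:\inetpub\wwwroot and reports two kinds of anomaly: server-side script files (.aspx, .asp, .ashx, .asmx) sitting under aspnet_client, which is assumed to hold only static client-side files, and script files whose content contains generic "execute whatever the request says" constructs. The indicator patterns, the directory list, and the sample files built by demo() are constructed for this example and are assumptions, not an authoritative indicator set; a hit is a lead for the forensic investigation the Recommendations call for, not proof of compromise on its own.

```python
"""Triage scan for ASP.NET web shells under an IIS webroot (added example)."""
import os
import re
import sys
import tempfile
from dataclasses import dataclass
from datetime import datetime
from pathlib import Path
from typing import List, Optional

# File types that execute server-side; a web shell has to be one of these.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}

# Directories assumed to contain only static client-side files. Assumption for
# this example: aspnet_client ships JavaScript helpers, never .aspx pages.
STATIC_ONLY_DIRS = {"aspnet_client"}

# Content indicators (constructed for this example): generic constructs that
# evaluate or execute attacker-supplied request data.
INDICATORS = {
    "eval_of_request": re.compile(rb"eval\s*\(\s*Request", re.I),
    "execute_of_request": re.compile(rb"Execute\s*\(\s*Request", re.I),
    "process_start": re.compile(rb"System\.Diagnostics\.Process|Process\.Start\s*\(", re.I),
    "cmd_exec": re.compile(rb"cmd(\.exe)?\s+/c", re.I),
}


@dataclass
class Finding:
    path: str           # path relative to the scanned root, forward slashes
    reasons: List[str]  # why the file was flagged


def scan_file(path: Path, modified_since: Optional[float] = None) -> List[str]:
    """Return the reasons (possibly none) why this file looks like a web shell."""
    reasons: List[str] = []
    if path.suffix.lower() not in SCRIPT_EXTENSIONS:
        return reasons  # static asset: cannot execute server-side, skip it
    if any(part.lower() in STATIC_ONLY_DIRS for part in path.parts):
        reasons.append("server-side script in a static-only directory")
    try:
        data = path.read_bytes()
    except OSError as exc:
        return reasons + [f"unreadable: {exc}"]
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(data))
    if hits:
        reasons.append("suspicious constructs: " + ", ".join(hits))
    # Optional time filter: any script written after the cut-off is worth a look.
    if modified_since is not None and path.stat().st_mtime >= modified_since:
        reasons.append("script modified after the cut-off date")
    return reasons


def scan_webroot(root, modified_since: Optional[float] = None) -> List[Finding]:
    """Walk the webroot and return all Findings, sorted by relative path."""
    root = Path(root)
    findings: List[Finding] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            reasons = scan_file(p, modified_since)
            if reasons:
                rel = str(p.relative_to(root)).replace(os.sep, "/")
                findings.append(Finding(rel, reasons))
    return sorted(findings, key=lambda f: f.path)


# Constructed sample webroot used by demo(); none of this is real Exchange content.
SAMPLE_FILES = {
    "aspnet_client/system_web/4_0_30319/WebForms.js": b"function WebForm_DoPostBack(){}",
    "aspnet_client/system_web/shell.aspx":
        b'<script language="JScript" runat="server">'
        b'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>',
    "owa/auth/logon.aspx": b'<%@ Page Language="C#" %><html><body>Sign in</body></html>',
    "owa/auth/errorFE.aspx":
        b'<%@ Page Language="C#" %>'
        b'<% System.Diagnostics.Process.Start("cmd.exe /c " + Request["c"]); %>',
}


def demo() -> List[Finding]:
    """Write the constructed sample webroot to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return scan_webroot(root)


if __name__ == "__main__":
    # Usage: python triage.py <webroot> [YYYY-MM-DD]   (no arguments runs the demo)
    if len(sys.argv) < 2:
        results = demo()
    else:
        since = datetime.fromisoformat(sys.argv[2]).timestamp() if len(sys.argv) > 2 else None
        results = scan_webroot(sys.argv[1], since)
    for f in results:
        print(f"{f.path}: " + "; ".join(f.reasons))
```

Run it with no arguments to see the two constructed shells flagged (the legitimate logon page and the JavaScript helper are not), or point it at a real webroot with a cut-off date to list every server-side script written after that date. Treat every hit as input to the forensic investigation, not as a cleanup list: the question is what the attacker did with the access, not just which file to delete.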

CVE(s)

CVE-2021-26855

BASE SCORE (CVSS v2): 7.5 High

VECTOR (CVSS v2): (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 and CVE-2021-27078.

Affected Systems

  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 18
  • Microsoft Exchange Server 2016 Cumulative Update 19
  • Microsoft Exchange Server 2019 Cumulative Update 7
  • Microsoft Exchange Server 2019 Cumulative Update 8

Recommendation(s)

Perform an incident investigation and digital forensics exercise on your Exchange servers to establish whether they have been compromised.

If a system is found to be compromised, patching is not enough. The server should be rebuilt from a clean, fully patched installation rather than cleaned in place, and only then returned to service.

Microsoft released out-of-band patches for Microsoft Exchange Server on 2 March 2021 that address all four vulnerabilities exploited in the wild. Update immediately to a supported cumulative update and apply the corresponding security updates.

Security updates must be applied promptly, whatever the size of your organization. Maintain an effective patch management process, keep security event logging enabled and actively monitored, and, to protect your business assets and meet the relevant industry regulations, take a comprehensive approach to risk management that includes penetration testing at least annually and after significant changes.
