Exchange Servers with 0-day exploitation


Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server. According to Microsoft's reports, attacks leveraging critical vulnerabilities in Exchange Server are increasing rapidly. Attackers are exploiting these vulnerabilities to steal critical data, including user information, and to install ransomware.

Microsoft has issued emergency out-of-band patches to address the security flaws. It is critical that organisations take appropriate action to quickly detect and effectively respond to these exploit attempts.

What’s the Impact?

Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. After successful exploitation, attackers can gain access to email accounts and install additional malware or scanning tools to remain persistent on the network.

Who is doing this and how?

The Advanced Persistent Threat (APT) group HAFNIUM used four zero-day vulnerabilities; exploiting them requires only that the exposed Exchange server is able to receive untrusted connections on port 443.

The vulnerability CVE-2021-26855, named ProxyLogon, allowed the attackers to establish an authenticated connection with the Exchange server and steal the content of mailboxes stored on it. This specific vulnerability requires no user interaction, prior privileges, or previously acquired credentials, only an Exchange server that is willing to accept untrusted connections on port 443.

Since then, at least 10 other APT groups have followed suit, targeting servers around the world. These vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVE) entries, are:

What should you do?

In the long run, establish comprehensive 24/7 security monitoring, threat detection and response capabilities.

Below are some of the results after MITS ran its security scripts on compromised Exchange Servers.
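As an added illustration of the kind of log triage such scripts perform (this is example code written for this page, not the MITS scripts referenced above and not Microsoft's own tooling), the following Python script parses an IIS W3C log from an on-premises Exchange server and groups unauthenticated, successful requests to administrative endpoints by untrusted client IP. The sample log lines are constructed, and the watched path prefixes, trusted network range and threshold are assumptions chosen for the example rather than indicators taken from the page.

```python
"""Triage an IIS W3C log from an on-premises Exchange server for
unauthenticated requests to administrative endpoints, grouped by client IP.

Added example; not the MITS scripts referenced on the page and not Microsoft's
tooling. Assumptions (not from the page): the log uses the default IIS W3C
field layout shown in the sample, the watched path prefixes and the trusted
network range are illustrative, and the threshold is a tuning knob.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log extract (not real data), in the default IIS W3C layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 08:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.1.20 Mozilla/5.0 - 200 0 0 31
2021-03-03 08:01:15 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.1.20 Mozilla/5.0 - 302 0 0 40
2021-03-03 08:02:01 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 55
2021-03-03 08:05:44 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject - 443 - 203.0.113.77 python-requests/2.25 - 200 0 0 120
2021-03-03 08:05:45 10.0.0.5 POST /ecp/DDI/DDIService.svc/GetObject - 443 - 203.0.113.77 python-requests/2.25 - 200 0 0 118
2021-03-03 08:05:46 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.77 python-requests/2.25 - 200 0 0 99
"""

# Assumption: the organisation's internal address space, treated as trusted.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption: endpoints that should not normally serve unauthenticated callers.
WATCHED_PREFIXES = ("/ecp/", "/autodiscover/")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields directive")
        values = raw.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign the columns
        yield dict(zip(fields, values))


def is_trusted(ip_text):
    """True if the client address falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def suspicious_sources(text, threshold=2):
    """Return {client_ip: count} for untrusted IPs that made at least `threshold`
    unauthenticated requests to watched endpoints and received a 2xx response."""
    counts = defaultdict(int)
    for rec in parse_w3c(text):
        if rec["cs-username"] != "-":          # authenticated request; not of interest here
            continue
        if not rec["cs-uri-stem"].lower().startswith(WATCHED_PREFIXES):
            continue
        if not rec["sc-status"].startswith("2"):   # only successful responses
            continue
        if is_trusted(rec["c-ip"]):
            continue
        counts[rec["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(suspicious_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {n} unauthenticated 2xx requests to watched endpoints")
```

Run it against an exported log in place of `SAMPLE_LOG`; hits are a starting point for review of the corresponding requests, not a verdict, since legitimate clients also reach some of these paths before authenticating.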