virus logo Outbreak Alert

Microsoft Exchange Server RCE Vulnerabilities

Released: Mar 12, 2021

Download PDF »

Microsoft Exchange Vulnerability Tags

Critical Severity

Microsoft Windows Platform

Microsoft Vendor

Subscribe

Targeted by HAFNIUM

Firstly, if you are running an un-patched on-premise Microsoft Exchange version, you should upgrade immediately! This is a critical vulnerability that allows an attacker to access a desired user’s mailbox, requiring only the e-mail address of the user they wish to target! These details and more were disclosed by Volexity here. https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ The vulnerabilities affect Exchange Server 2013, 2016 and 2019. Exchange Online is not affected. Learn More »

Common Vulnerabilities and Exposures



Background

In the article above, Volexity disclosed seeing these exploits as early as January 3, 2021. The first CVE discovered was CVE-2021-26855 being used to steal content from mailboxes. On further monitoring of the environments, it was observed the attacker can chain this vulnerability to others (including CVE-2021-27065), enabling remote code execution, and eventually lateral movement. More details are available from Volexity’s post.

Click here to analyze the

Real-Time Threat Map

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.



On March 2, 2020, Microsoft released the patches via MSRC:
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/


On March 5, Microsoft released additional details and mitigation techniques that can be used by customers unable to upgrade quickly:
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

Microsoft published further information about nation-state attacks, and identified HAFNIUM specifically as the primary threat actor exploiting these vulnerabilities:
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

On March 11, Microsoft announced detection of a new variant of DearCry ransomware was being used on vulnerable Exchange servers:
https://twitter.com/MsftSecIntel/status/1370236539427459076

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT

  • Lure

  • Decoy VM

  • AV

  • AV (Pre-filter)

  • IPS

  • Web App Security

  • Post-execution

DETECT

  • Outbreak Detection

  • Threat Hunting

RESPOND

  • Assisted Response Services

  • Automated Response

RECOVER

  • NOC/SOC Training

  • End-User Training

IDENTIFY

  • Attack Surface Hardening

  • Vulnerability Management

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.


References

Sources of information in support and relation to this Outbreak and vendor.


Microsoft

Learn More »
Volexity

Learn More »
About FortiGuard Outbreak Alerts

Learn More »