
Microsoft Exchange Server RCE Vulnerabilities

Released: Mar 12, 2021


Severity: Critical

Platform: Microsoft Windows

Vendor: Microsoft

Vulnerability Type: Remote Code Execution (RCE)

Targeted by HAFNIUM

First, if you are running an unpatched on-premises Microsoft Exchange Server, apply the security updates immediately. CVE-2021-26855 alone is critical: it lets an unauthenticated attacker read a chosen user's mailbox, needing only that user's e-mail address. These details and more were disclosed by Volexity: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ The vulnerabilities affect Exchange Server 2013, 2016 and 2019. Exchange Online is not affected.

Common Vulnerabilities and Exposures

CVE-2021-26855
CVE-2021-27065

Background

In the post above, Volexity reports observing exploitation as early as January 3, 2021. The first vulnerability identified, CVE-2021-26855, is a server-side request forgery (SSRF) in the Exchange front end that was used to steal mailbox content. Continued monitoring showed the attacker chaining it with other vulnerabilities (including CVE-2021-27065, a post-authentication arbitrary file write) to achieve remote code execution, drop web shells and eventually move laterally. More details are available in Volexity's post.

Latest Development




On March 2, 2021, Microsoft released the patches via MSRC:
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/


On March 5, Microsoft released additional details and mitigation techniques that can be used by customers unable to upgrade quickly:
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

Microsoft published further information about nation-state attacks, and identified HAFNIUM specifically as the primary threat actor exploiting these vulnerabilities:
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

On March 11, Microsoft announced that it had detected a new ransomware family, DearCry, being deployed on Exchange servers compromised through these vulnerabilities:
https://twitter.com/MsftSecIntel/status/1370236539427459076

FortiGuard Cybersecurity Framework



PROTECT
  • Lure
  • Decoy VM
  • AV
  • AV (Pre-filter)
  • IPS
  • Web App Security
  • Post-execution

DETECT
  • Outbreak Detection
  • Threat Hunting

RESPOND
  • Assisted Response Services
  • Automated Response

RECOVER
  • NOC/SOC Training
  • End-User Training

IDENTIFY
  • Attack Surface Hardening
  • Vulnerability Management

Threat Intelligence


Indicators of Compromise
IOC Indicator List
File indicators are hashes of mixed algorithms: 32 hex characters are MD5, 40 are SHA-1, and values ending in "..." are SHA-256 hashes truncated on this page, so match those by prefix or obtain the full value from the source feed before loading them into a blocklist.
Indicator Type Status
aztecoo.com domain Active
rawfuns.com domain Active
sultris.com domain Active
rosyfund.com domain Active
yolkish.com domain Active
cdn.chatcdn.net domain Active
p.estonine.com domain Active
owa.conf1g.com domain Active
box.conf1g.com domain Active
103.30.17.44 ip Active
conf1g.com domain Active
161.35.76.1 ip Active
103.135.248.70 ip Active
5.189.162.164 ip Active
b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5... file Active
097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c... file Active
2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e4... file Active
65149e036fff06026d80ac9ad4d156332822dc93142cf1a... file Active
511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394e... file Active
4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a... file Active
811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb67... file Active
1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e... file Active
103.77.192.219 ip Active
104.140.114.110 ip Active
104.250.191.110 ip Active
108.61.246.56 ip Active
149.28.14.163 ip Active
167.99.168.251 ip Active
185.250.151.72 ip Active
203.160.69.66 ip Active
5.254.43.18 ip Active
80.92.205.81 ip Active
157.230.221.198 ip Active
192.81.208.169 ip Active
211.56.98.146 ip Active
5.2.69.14 ip Active
91.192.103.43 ip Active
165.232.154.116 ip Active
104.248.49.97 ip Active
893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e04... file Active
406b680edc9a1bb0e2c7c451c56904857848b5f15570401... file Active
2fa06333188795110bba14a482020699a96f76fb1ceb80c... file Active
167.99.239.29 ip Active
161.35.1.207 ip Active
161.35.1.225 ip Active
0fd9bffa49c76ee12e51e3b8ae0609ac file Active
4b3039cf227c611c45d2242d1228a121 file Active
79eb217578bed4c250803bd573b10151 file Active
182.18.152.105 ip Active
86.105.18.116 ip Active
89.34.111.11 ip Active
112.66.255.71 ip Active
139.59.56.239 ip Active
77.61.36.169 ip Active
88.166.162.201 ip Active
chatcdn.net domain Active
estonine.com domain Active
http://cdn.chatcdn.net/p url Active
http://p.estonine.com/low url Active
http://p.estonine.com/p url Active
188.166.162.201 ip Active
45.77.252.175 ip Active
161.35.45.41 ip Active
194.87.69.35 ip Active
172.105.18.72 ip Active
77.83.159.15 ip Active
lab.symantecsafe.org domain Active
symantecsafe.org domain Active
161.129.64.124 ip Active
back.rooter.tk domain Active
mm.portomnail.com domain Active
portomnail.com domain Active
rooter.tk domain Active
30dd3076ec9abb13c15053234c436406b88fb2b9 file Active
4f0ea31a363cfe0d2bbb4a0b4c5d558a87d8683e file Active
139.162.123.108 ip Active
fd3f42bbdc6da346bc58a05da4bdd33c file Active
4d3453f05a6706de277b9eebf9ac52c9 file Active
0de873ac66258278d0a8fff9d989b693 file Active
f435127cad1aa504c78387d8fa1c77eb file Active
4c72d7c7507d3b8bf2a33c60c19de1a3 file Active
8692275404fea72817d34e7037797201 file Active
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247... file Active
e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b1... file Active
feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c... file Active
fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab... file Active
10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245c... file Active
0ba9a76f55aaa495670d74d21850d0155ff5d6a5 file Active
6834d9f4a9e1888d82c70b72f30ced8aa68c009b55d03ef... file Active
http://p.estonine.com/low?ipc url Active
http://p.estonine.com/p?e url Active
http://p.estonine.com/p?smb url Active
www.averyspace.net domain Active
www.komdsecko.net domain Active
0b15c14d0f7c3986744e83c208429a78769587b5 file Active
0aa3cda37ab80bbe30fa73a803c984b334d73894 file Active
bcb42014b8dd9d9068f23c573887bf1d5c2fc00e file Active
5.2.69.13 ip Active
185.65.134.165 ip Active
1.36.203.86 ip Active
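To put the indicator list above to work, here is an added example (not FortiGuard's code or tooling) that parses a subset of the table, infers each file hash's algorithm from its length, matches the network indicators against web log lines, and matches hashes collected from a host against the file IOCs, handling the values this page truncates by prefix matching. The indicator values are copied from the table; the W3C-style log format, the sample log lines and the "observed" hashes are constructed for the example and are not real Exchange logs or real malware hashes.

```python
"""IOC triage for the Exchange outbreak indicator list above (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Subset of the indicator table on this page, copied as "indicator type status".
IOC_TABLE = """\
aztecoo.com domain Active
owa.conf1g.com domain Active
conf1g.com domain Active
103.30.17.44 ip Active
161.35.76.1 ip Active
p.estonine.com domain Active
http://p.estonine.com/p url Active
0fd9bffa49c76ee12e51e3b8ae0609ac file Active
30dd3076ec9abb13c15053234c436406b88fb2b9 file Active
b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5... file Active
"""

@dataclass(frozen=True)
class Ioc:
    value: str
    kind: str                       # domain | ip | url | file
    status: str
    hash_alg: Optional[str] = None  # set only for kind == "file"

def classify_hash(h: str) -> str:
    """Infer the hash algorithm from its length; '...' marks a value truncated on the page."""
    if h.endswith("..."):
        return "truncated"
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h), "unknown")

def parse_ioc_table(text: str) -> List[Ioc]:
    """Parse 'value type status' rows; values are lower-cased for case-insensitive matching."""
    iocs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip header and blank lines
        value, kind, status = parts[0].lower(), parts[1].lower(), parts[2]
        iocs.append(Ioc(value, kind, status, classify_hash(value) if kind == "file" else None))
    return iocs

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")  # last label alphabetic, so IPs never match

def scan_log_lines(lines: Iterable[str], iocs: List[Ioc]) -> List[Tuple[int, str, str]]:
    """Return (line_no, ioc_kind, matched_value) for every network indicator seen in a log line.
    Domain indicators also match their subdomains, e.g. conf1g.com matches owa.conf1g.com."""
    ips = {i.value for i in iocs if i.kind == "ip"}
    domains = {i.value for i in iocs if i.kind == "domain"}
    urls = {i.value for i in iocs if i.kind == "url"}
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        hits += [(n, "ip", ip) for ip in IPV4_RE.findall(low) if ip in ips]
        hits += [(n, "domain", h) for h in HOST_RE.findall(low)
                 if h in domains or any(h.endswith("." + d) for d in domains)]
        hits += [(n, "url", u) for u in urls if u in low]
    return hits

def match_file_hashes(observed: Iterable[str], iocs: List[Ioc]) -> List[Tuple[str, str]]:
    """Compare hashes collected from a host against file IOCs. Complete IOCs must match exactly;
    IOCs truncated on the page match by prefix (47 hex characters is still a strong match)."""
    file_iocs = [i for i in iocs if i.kind == "file"]
    hits = []
    for h in (x.lower() for x in observed):
        for i in file_iocs:
            if i.hash_alg == "truncated":
                if h.startswith(i.value.rstrip(".")):
                    hits.append((h, i.value))
            elif h == i.value:
                hits.append((h, i.value))
    return hits

# Constructed W3C-style web log lines (assumed layout, not real Exchange logs):
# date time s-ip method uri-stem uri-query port user c-ip user-agent referer status
SAMPLE_LOG = [
    "2021-03-03 10:15:22 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 103.30.17.44 Mozilla/5.0 - 200",
    "2021-03-03 10:15:23 10.0.0.5 GET /ecp/default.aspx - 443 - 192.168.1.20 Mozilla/5.0 - 200",
    "2021-03-03 10:16:01 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 http://owa.conf1g.com/ 302",
    "2021-03-03 10:17:45 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 161.35.76.1 curl/7.68.0 - 200",
    "2021-03-03 10:18:10 10.0.0.5 GET / - 443 - 10.0.0.9 - http://p.estonine.com/p 404",
]

# Constructed hashes "collected from a host": the page's MD5 in upper case, a fabricated full
# SHA-256 that shares the page's truncated prefix (padded with zeros), and an unrelated value.
OBSERVED_HASHES = [
    "0FD9BFFA49C76EE12E51E3B8AE0609AC",
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5" + "0" * 17,
    "deadbeef" * 4,
]

if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    for hit in scan_log_lines(SAMPLE_LOG, iocs):
        print("log hit:", hit)
    for hit in match_file_hashes(OBSERVED_HASHES, iocs):
        print("hash hit:", hit)
```

Domain matching is deliberately suffix-aware because the table lists both apex domains (conf1g.com, estonine.com) and hosts under them; an exact-match blocklist would miss any further subdomain the actor rotates to. Prefix matching for truncated hashes is a stopgap: the full SHA-256 should be pulled from the feed before the value is used for blocking rather than hunting.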
