Microsoft Exchange Server RCE Vulnerabilities
Targeted by HAFNIUM
First, if you are running an unpatched on-premises Microsoft Exchange Server, patch immediately. This is a critical vulnerability chain that lets an attacker read a targeted user's mailbox without any credentials; the attacker only needs to know the address of the Exchange server and the e-mail address of the user they wish to target. These details and more were disclosed by Volexity here: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ The vulnerabilities affect Exchange Server 2013, 2016 and 2019. Exchange Online is not affected.
Common Vulnerabilities and Exposures
Background
In the article above, Volexity reports observing these exploits as early as January 3, 2021. The first vulnerability identified was CVE-2021-26855, a server-side request forgery (SSRF) flaw that lets an unauthenticated attacker send arbitrary HTTP requests as the Exchange server; it was being used to steal the contents of mailboxes. On further monitoring of the affected environments, Volexity observed the attacker chaining this vulnerability with others (including CVE-2021-27065, a post-authentication arbitrary file write) to achieve remote code execution, typically by writing a web shell to the server, and eventually lateral movement. More details are available in Volexity's post.
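Microsoft's HAFNIUM write-up (linked under Latest Development below) gives a hunting rule for CVE-2021-26855: an Exchange HttpProxy log entry whose AuthenticatedUser is empty and whose AnchorMailbox matches ServerInfo~*/* is an SSRF request that was proxied without authentication. The script below is an added example, not code from this page, from Volexity or from Microsoft; it applies that rule offline to collected HttpProxy logs in Python rather than with Microsoft's Import-Csv one-liner, and groups hits by source IP as the first scoping pivot. The column subset, host names, IP addresses and log rows are constructed for illustration; real logs carry many more columns under the same header names.

```python
"""Hunt Exchange HttpProxy logs for CVE-2021-26855 (ProxyLogon SSRF) requests.

Added worked example; it is not code from this page, from Volexity or from
Microsoft.  The detection logic follows the hunting rule Microsoft published
for CVE-2021-26855 in its HAFNIUM blog post: an HttpProxy log entry with an
empty AuthenticatedUser and an AnchorMailbox matching ServerInfo~*/*.
The column subset, the host names and the log rows below are constructed for
illustration; real logs carry many more columns under the same header names.
"""
import csv
import fnmatch
from collections import Counter
from typing import Dict, Iterable, List

# Wildcard pattern from Microsoft's guidance (PowerShell -like semantics:
# '*' matches any run of characters, including '/').
SUSPICIOUS_ANCHOR = "ServerInfo~*/*"

# Constructed sample in the shape of an Exchange HttpProxy log: '#' metadata
# lines, a header row, then one CSV row per proxied request.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2176.002
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent
2021-03-03T01:12:07.114Z,req-0001,10.0.0.25,mail.example.test,/owa/,EXAMPLE\\alice,Sid~S-1-5-21-1111-2222-3333-1105,Mozilla/5.0
2021-03-03T01:12:09.532Z,req-0002,203.0.113.7,mail.example.test,/owa/auth/x.js,,ServerInfo~a]@mail.example.test:444/autodiscover/autodiscover.xml?#,python-requests/2.25.1
2021-03-03T01:12:10.201Z,req-0003,203.0.113.7,mail.example.test,/ecp/y.js,,ServerInfo~a]@mail.example.test:444/ecp/DDI/DDIService.svc/GetObject?#,python-requests/2.25.1
2021-03-03T01:15:44.009Z,req-0004,198.51.100.9,mail.example.test,/owa/auth/logon.aspx,,,Mozilla/5.0
"""


def parse_httpproxy(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict per request.

    Exchange prefixes its CSV logs with '#' metadata lines; the '#Fields:'
    line names the columns, and a plain header row may or may not follow it,
    so both layouts are accepted.
    """
    fields = None
    data = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue
        data.append(line)
    if not data:
        return []
    has_header_row = fields is None or data[0].split(",", 1)[0] == fields[0]
    reader = csv.DictReader(data) if has_header_row else csv.DictReader(data, fieldnames=fields)
    return list(reader)


def is_proxylogon_hit(row: Dict[str, str]) -> bool:
    """Microsoft's rule: unauthenticated request whose AnchorMailbox is ServerInfo~*/*."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = row.get("AnchorMailbox") or ""
    return user == "" and fnmatch.fnmatchcase(anchor, SUSPICIOUS_ANCHOR)


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """All HttpProxy entries matching the CVE-2021-26855 rule."""
    return [row for row in parse_httpproxy(lines) if is_proxylogon_hit(row)]


def source_ips(hits: List[Dict[str, str]]) -> Counter:
    """Count hits per client IP: the first pivot for scoping the intrusion."""
    return Counter(row["ClientIpAddress"] for row in hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for row in found:
        print(row["DateTime"], row["ClientIpAddress"], row["AnchorMailbox"])
    print("hits per source IP:", dict(source_ips(found)))
```

Run it against the real log directory by feeding every `*.log` file under `%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy` to `hunt()` line by line. The fourth sample row shows why both conditions matter: an unauthenticated hit on the logon page is normal traffic and must not fire, and an authenticated user with a ServerInfo anchor is not what the rule targets either.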
Threat Radar Overall Score: 4.0
CVSS Rating: 9.0
FortiRecon Score: 92/100
Known Exploited: Yes
Exploit Prediction Score: 97.51%
FortiGuard Telemetry: 2
Latest Development
On March 2, 2021, Microsoft released the patches via MSRC:
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
On March 5, Microsoft released additional details and mitigation techniques that can be used by customers unable to upgrade quickly:
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
Microsoft published further information about nation-state attacks, and identified HAFNIUM specifically as the primary threat actor exploiting these vulnerabilities:
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
On March 11, Microsoft announced that it had detected a new ransomware family, DearCry, being deployed on vulnerable Exchange servers:
https://twitter.com/MsftSecIntel/status/1370236539427459076
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
Lure
Decoy VM
AV: Blocks the file hashes (web shells and tooling) identified by Microsoft in the HAFNIUM blog post. Does not prevent the initial exploitation, but blocks the payloads used to persist and exfiltrate data.
AV (Pre-filter): Same coverage as AV: blocks the hashes identified by Microsoft in the blog post; does not prevent the initial exploitation.
IPS: Blocks the exploit (deploy the NGFW in front of the Exchange server).
Web App Security: Blocks the exploit (deploy the WAF in front of the Exchange server).
Post-execution: Blocks post-exploitation activity, including dumping LSASS memory and running the Nishang and PowerCat tools.
Outbreak Detection
Threat Hunting
Assisted Response Services: Experts to assist you with analysis, containment and response activities.
Automated Response: Services that can automatically respond to this outbreak.
NOC/SOC Training: Train your network and security professionals and optimize your incident response to stay on top of cyberattacks.
End-User Training: Raise security awareness among your employees, who are continuously targeted by phishing, drive-by downloads and other forms of cyberattack.
Attack Surface Hardening: Check Security Fabric devices to build actionable configuration recommendations and key indicators.
Vulnerability Management: Reduce the attack surface from software vulnerabilities via systematic and automated patching.
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.
Mitre Matrix
References
Sources of information in support and relation to this Outbreak and vendor.