Microsoft Exchange Server Hack
Last week, four zero-day vulnerabilities in Microsoft Exchange Server were exploited. Microsoft Exchange Server is an email inbox, calendar, and collaboration solution. Microsoft did release patches to tackle these vulnerabilities. At the time of patch release, Microsoft said that the bugs were being actively exploited in “limited, targeted attacks.” The scope of the potential Exchange Server compromise depends on the speed and uptake of patches, and meanwhile the number of victims continues to grow.
On-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 were impacted by these vulnerabilities. Exchange Online is not affected. The critical vulnerabilities are:
- CVE-2021-26855: CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability that lets an unauthenticated attacker send crafted HTTP requests to the Exchange server. The server must accept untrusted connections over port 443 for the bug to be triggered.
- CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM. However, this vulnerability needs to be chained with another vulnerability or used with stolen credentials.
- CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability that lets an authenticated attacker write files to paths on the server.
- CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability that lets an authenticated attacker write files to paths on the server.
These vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.
“These vulnerabilities are used as part of an attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
Your organization needs to apply these security fixes immediately. Your servers may already have been backdoored or otherwise compromised. If you need help, or are concerned that you have been exposed to an attack, give us a call today. 2W Tech is a technology service provider and Microsoft Gold Partner. Let us help ensure your organization is protected from cybercrime.