{"id":28972,"date":"2021-03-10T00:27:45","date_gmt":"2021-03-09T13:27:45","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/exchange-vulnerabilities\/28972\/"},"modified":"2021-03-10T00:27:45","modified_gmt":"2021-03-09T13:27:45","slug":"exchange-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/exchange-vulnerabilities\/28972\/","title":{"rendered":"Massively exploited vulnerabilities in MS Exchange Server"},"content":{"rendered":"<p>Microsoft has issued out-of-band patches for several Exchange Server vulnerabilities. Four of these vulnerabilities, according to the company, are already being used in targeted attacks, so it would be wise to <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-march-2021-exchange-server-security-updates\/ba-p\/2175901\" target=\"_blank\" rel=\"nofollow noopener\">install the patches ASAP<\/a>.<\/p>\n<h2>What\u2019s the risk?<\/h2>\n<p>The four most dangerous vulnerabilities already being exploited allow attackers to pull off a three-stage attack. First they access an Exchange server, then they create a Web shell for remote server access, and lastly they use that access to steal data from the victim\u2019s network. 
The vulnerabilities are:<\/p>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26855\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-26855<\/a> \u2014 can be used for <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/server-side-request-forgery-ssrf\/\" target=\"_blank\" rel=\"noopener\">server-side request forgery<\/a>, leading to remote code execution;<\/li>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26857\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-26857<\/a> \u2014 can be used to execute arbitrary code as the SYSTEM account (although that requires either administrator rights or exploitation of the previous vulnerability);<\/li>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26858\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-26858<\/a> and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-27065\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-27065<\/a> \u2014 can be used by an attacker to overwrite files on the server.<\/li>\n<\/ul>\n<p>Cybercriminals use the four vulnerabilities in conjunction with one another; however, according to Microsoft, they sometimes skip the initial exploitation step and instead authenticate to the server with stolen credentials, without using CVE-2021-26855 at all.<br>\nIn addition, the same patch fixes a few other minor vulnerabilities in Exchange that are not (as far as we know) directly related to active targeted attacks.<\/p>\n<h2>Who\u2019s at risk?<\/h2>\n<p>The cloud version of Exchange is not affected by these vulnerabilities; they pose a threat only to on-premises servers deployed within the organization\u2019s own infrastructure. 
Initially, Microsoft released <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-march-2021-exchange-server-security-updates\/ba-p\/2175901\" target=\"_blank\" rel=\"nofollow noopener\">updates<\/a> for Microsoft Exchange Server 2013, Microsoft Exchange Server 2016 and Microsoft Exchange Server 2019, and an additional \u201cDefense in Depth\u201d update for Microsoft Exchange Server 2010. However, due to the severity of the exploitation, it <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/march-2021-exchange-server-security-updates-for-older-cumulative\/ba-p\/2192020\" target=\"_blank\" rel=\"nofollow noopener\">later added fixes for outdated<\/a> Exchange Servers as well.<\/p>\n<p>According to <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2021\/03\/02\/new-nation-state-cyberattacks\/\" target=\"_blank\" rel=\"nofollow noopener\">researchers<\/a> at Microsoft, it was hackers from the Hafnium group who exploited the vulnerabilities to steal confidential information. Their targets include US industrial companies, infectious disease researchers, law firms, nonprofit organizations, and political analysts. The exact number of victims is unknown, but <a href=\"https:\/\/krebsonsecurity.com\/2021\/03\/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software\/\" target=\"_blank\" rel=\"nofollow noopener\">according to KrebsOnSecurity sources<\/a> at least 30\u00a0000 organizations in the US, including small businesses, town and city administrations, and local governments, were hacked using those vulnerabilities. Our experts found that not only American organizations are in danger \u2014 cybercriminals all over the world are using these vulnerabilities. 
You\u2019ll find more information about the attack geography in <a href=\"https:\/\/securelist.com\/zero-day-vulnerabilities-in-microsoft-exchange-server\/101096\/\" target=\"_blank\" rel=\"nofollow noopener\">Securelist\u2019s post<\/a>.<\/p>\n<h2>How to stay safe from attacks on MS Exchange<\/h2>\n<ul>\n<li>First of all, <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-march-2021-exchange-server-security-updates\/ba-p\/2175901\" target=\"_blank\" rel=\"nofollow noopener\">patch<\/a> your installation of Microsoft Exchange Server. If your company cannot install updates, Microsoft recommends a number of <a href=\"https:\/\/msrc-blog.microsoft.com\/2021\/03\/05\/microsoft-exchange-server-vulnerabilities-mitigations-march-2021\/\" target=\"_blank\" rel=\"nofollow noopener\">workarounds<\/a>.<\/li>\n<li>According to Microsoft, denying untrusted access to the Exchange server on port 443, or generally limiting connections from outside the corporate network, can stop the initial phase of the attack. 
But that will not help if attackers are already inside the infrastructure, or if they get a user with administrator rights to run a malicious file.<\/li>\n<li>An <a href=\"https:\/\/www.kaspersky.com.au\/enterprise-security\/threat-management-defense-solution?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____tmd___\" target=\"_blank\" rel=\"noopener\">Endpoint Detection and Response<\/a> (EDR) class solution (if you have internal experts), or an external Managed Detection and Response (MDR) service, can detect such malicious behavior.<\/li>\n<li>Always keep in mind that every computer connected to the Internet, be it a server or a workstation, needs a <a href=\"https:\/\/www.kaspersky.com.au\/small-to-medium-business-security?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">reliable endpoint security solution<\/a> to prevent exploits and proactively detect malicious behavior.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Attackers exploit four dangerous vulnerabilities in Microsoft Exchange to get a foothold in the corporate 
network.<\/p>\n","protected":false},"author":2581,"featured_media":28973,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2993],"tags":[3412,38,398,268],"class_list":{"0":"post-28972","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-exchange","10":"tag-microsoft","11":"tag-patches","12":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/exchange-vulnerabilities\/28972\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/exchange-vulnerabilities\/22592\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/exchange-vulnerabilities\/18085\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/exchange-vulnerabilities\/24317\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/exchange-vulnerabilities\/22385\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/exchange-vulnerabilities\/21250\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/exchange-vulnerabilities\/24847\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/exchange-vulnerabilities\/24085\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/exchange-vulnerabilities\/30228\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/exchange-vulnerabilities\/9406\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/exchange-vulnerabilities\/38964\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/exchange-vulnerabilities\/16505\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/exchange-vulnerabilities\/17104\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/exchange-vulnerabilities\/14553\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/exchange-vulnerabilities\/26321\/"
},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/exchange-vulnerabilities\/30177\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/exchange-vulnerabilities\/26768\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/exchange-vulnerabilities\/23631\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/exchange-vulnerabilities\/28781\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/28972","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=28972"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/28972\/revisions"}],"predecessor-version":[{"id":28999,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/28972\/revisions\/28999"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/28973"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=28972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=28972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=28972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}