This notice is sent as an update to the recent Microsoft Exchange cyber security issues. Microsoft has issued several security patches to address the cyber security issues. Information on business systems shows that unpatched systems internationally continue to exist, including within Canada. Some of these systems within Canada have been further compromised with malware. Malicious actors are actively scanning using automated tools to identify unpatched servers.

On 11 March 2021, Microsoft Security Intelligence issued a Tweet stating that a new family of ransomware, known as DearCry, is being leveraged by actors exploiting the recently disclosed Exchange vulnerabilities. In addition to DearCry, multiple proofs of concept leveraging the Exchange vulnerabilities, resulting in remote code execution, have been made publicly available. These vulnerabilities are being leveraged to gain a foothold within an organization’s network for malicious activity, which includes but is not limited to ransomware and the exfiltration of data.

It is strongly recommended that organizations with unpatched external facing servers perform the following:

  1. Immediately disconnect the server from external interfaces
  2. Follow Microsoft guidance to determine compromise
  3. If no compromise has been identified follow the below patching recommendations:
    • Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
    • Exchange Server 2013 (update requires CU 23)
    • Exchange Server 2016 (update requires CU 19 or CU 18)
    • Exchange Server 2019 (update requires CU 8 or CU 7)

Note: All updates (CU and the security update) must be run as administrator and Microsoft has noted that multiple reboots may be required. Additional information on patching is available through Microsoft’s tech community blog.

Organizations are encouraged to confirm that no signs of malicious activity have been detected and that both the CU and security update are successful prior to returning the server to service.

Microsoft has published out-of-band Security Updates to address critical vulnerabilities in multiple Exchange products:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Volexity has also published a blog detailing observed activity of actors remotely exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855)[2]. This method of exploitation does not require authentication and can be accomplished through remote access to a vulnerable external facing Exchange server over HTTPS.

Microsoft has reported the following vulnerabilities were used by actors to gain access to victim systems:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the actor to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave actors the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If actors could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If an actor could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

After exploiting these vulnerabilities to gain initial access, malicious actors deploy web shells on the compromised server. Web shells potentially allow actors to steal data and perform additional malicious actions that lead to further compromise.
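As an added example (not part of this notice or of Microsoft's guidance), the following Python script shows one way a defender can hunt for the web shells described above: it walks an Exchange server's web roots and flags script files written at or after a chosen cut-off that contain constructs typical of web shells. The patterns, the sample directory layout and the cut-off date are assumptions for illustration, not Microsoft's published indicators.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructs typical of ASP.NET web shells (assumed heuristics, not Microsoft's indicators).
SUSPICIOUS = [
    re.compile(rb'Request\s*[\.\[]', re.I),                        # reads request-supplied input
    re.compile(rb'Process\.Start|Diagnostics\.Process', re.I),     # spawns a process
    re.compile(rb'eval\s*\(|JScript\.Eval|Assembly\.Load', re.I),  # executes supplied code
]
SCRIPT_EXT = {'.aspx', '.asp', '.ashx', '.asmx'}
# Assumed cut-off: the last point at which the web roots were known to be clean.
CUTOFF = datetime(2021, 3, 2, tzinfo=timezone.utc)

def scan_webroot(root, cutoff=CUTOFF):
    """Return [(path, mtime, matched_patterns)] for script files modified at or
    after `cutoff` that contain at least one suspicious construct."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXT:
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            if mtime < cutoff:
                continue  # written before the window of interest; out of scope here
            with open(path, 'rb') as f:
                data = f.read()
            hits = [p.pattern.decode() for p in SUSPICIOUS if p.search(data)]
            if hits:
                findings.append((path, mtime, hits))
    return findings

def build_sample_webroot():
    """Constructed sample tree: a benign page, a shell-like page written now, and a
    shell-like page back-dated to 2017 so it falls outside the cut-off."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, 'owa'))
    samples = {
        'owa/logon.aspx': b'<%@ Page Language="C#" %><html><body>Sign in</body></html>',
        'owa/shell_sample.aspx': b'<%@ Page %><% System.Diagnostics.Process.Start(Request["c"]); %>',
        'old.aspx': b'<% eval(Request["x"]) %>',
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), 'wb') as f:
            f.write(body)
    os.utime(os.path.join(root, 'old.aspx'), (1_500_000_000, 1_500_000_000))  # July 2017
    return root

if __name__ == '__main__':
    for path, mtime, hits in scan_webroot(build_sample_webroot()):
        print(f'{mtime:%Y-%m-%d} {path}: {", ".join(hits)}')
```

Files that predate the cut-off are deliberately skipped so the output stays focused on what changed during the exposure window; a full review should still compare the web roots against a known-good build.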

Reminder: For your protection, please ensure you follow Microsoft’s instructions on recent Microsoft Security Updates.

Please reach out to us with your concerns or for more information on how to protect yourself and your business.
