Published March 2021
Microsoft discloses four zero-day vulnerabilities being used to remotely compromise Exchange Server.
Threatscape recommends that clients urgently patch Microsoft Exchange Server to address vulnerabilities being used in targeted attacks by a China-linked group. These vulnerabilities allow attackers to remotely compromise Exchange servers and steal the full contents of mailboxes without requiring any server authentication.
The security response team at Threatscape have commented as follows about this issue:
Adair said while the exploits used by the group may have taken great skills to develop, they require little technical know-how to use and can give an attacker easy access to all of an organization’s email if their vulnerable Exchange Servers are directly exposed to the Internet.
“These flaws are very easy to exploit,” Adair said. “You don’t need any special knowledge with these exploits. You just show up and say ‘I would like to break in and read all their email.’ That’s all there is to it.”
Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks. The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected. For more information, please see the Microsoft Security Response Center (MSRC) blog. For technical details of these exploits and how to help with detection, please see HAFNIUM Targeting Exchange Servers.
Volexity determined attackers were exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker was using the vulnerability to steal the full contents of several user mailboxes.
This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.