BR +55 11 3069 3925 | USA +1 469 620 7643

Understanding Microsoft Exchange Server vulnerabilities

by | Apr 13, 2021 | BLOG

Anyone who works with technology has certainly heard of or uses Microsoft Exchange, Microsoft’s server solution for email and calendar. Exchange is used worldwide by companies of all sizes, being preferred for its versatility and ease of use, and billions of electronic messages pass through it daily. However, even with all these advantages, Exchange is not free of flaws.

At the beginning of March this year, the giant creator of Windows released emergency patches for zero-day vulnerabilities that were discovered and were being exploited by malicious attackers to install malicious software through Exchange. Also called ProxyLogon, these vulnerabilities allowed improper access to e-mail accounts and data extraction, in addition to lateral movement in the infrastructure, affecting other critical devices.

The four Exchange Server vulnerabilities discovered were as follows:

  • CVE-2021-26855: CVSS 9.1: it is an SSRF (Server-side Request Spoofing) vulnerability, which results in HTTP requests being created by unauthenticated attackers. For this flaw to be exploited, servers must be able to accept untrusted connections over port 443.
  • CVE-2021-26857: CVSS 7.8: a failure in the Exchange’s Unified Messaging Service, allowing arbitrary codes to be implemented in the server’s SYSTEM. Nevertheless, this vulnerability must be combined with others or the attacker must have stolen credentials.
  • CVE-2021-26858: CVSS 7.8 and CVE-2021-27065: CVSS 7.8: Post-authentication arbitrary file write vulnerabilities in file paths.

These vulnerabilities are being exploited by a group called HAFNIUM, which operated in China and was supported by the Beijing government, and is primarily targeting organizations located in the United States. However, it is estimated that at least 10 other hacking groups are exploiting these same Exchange’s vulnerabilities in the form of ransomware or cryptoware. It is not yet known how the groups discovered the vulnerability and how the information reached the other hacker groups.

Also, automated attack scripts used in proof-of-concept have been found, which makes it possible for unknowing attackers to exploit vulnerabilities and further compromise servers around the world.

The malware developed by these groups allows the creation of a pre-authentication Remote Code Execution (RCE), which allows attackers to take full control of the servers without access to any Exchange credentials. One of the main malware created to exploit these flaws is the DoejoCrypt or DearCry ransomware.

DearCry uses a combination of AES-256 and RSA-2048 encryptions, renaming files with the .CRYPT extension, and includes a readme.txt file with instructions on how the victim can recover their original files.

If the victim has a backup of the files, one action would be to ignore the ransom requests and recover the environment. There are already records of ransom requests accounting for tens of thousands of dollars. However, even if there is no ransom payment and the files are recovered, there is a possibility that copies of the infected files are made by the ransomware, which can result in data leaks by malicious attackers.

At least 30,000 organizations of all types and sizes in the United States alone are believed to have fallen victim to campaigns orchestrated by HAFNIUM and other hacker groups based on flaws discovered by Microsoft. The total number of companies affected can reach hundreds of thousands worldwide though, as many of them are unaware that they may have been impacted by the vulnerabilities.

To try to protect Exchange users, Microsoft has launched an automated vulnerability remediation tool in March. The tool, developed mainly for customers who do not have specific security teams, allowed for a reduction in the risks associated with the exploitation of vulnerabilities while the patches were not properly applied. Microsoft has estimated that 92% of organizations applied security fixes related to the ProxyLogon vulnerabilities by the end of March/2021.

This type of attack further reinforces the need for companies to invest in specific cybersecurity teams, such as red teams, to test security controls, look for flaws and vulnerabilities, and correct them accordingly, causing the least possible impact. By structuring these teams, it is possible to ensure the proper management of assets, including e-mail servers, in addition to their respective owners. Thus, it is possible to guarantee that updates and fixes are installed as soon as they are released by the providers. The result is a reduction in the attack surface and a lower risk of cyberattacks, which can avoid millionaire sanctions provided for by data protection laws, such as LGPD and GDPR, in addition to permanent data loss, which can affect business continuity directly.

If your security team has not installed security patches yet, they must do so as soon as possible. Remember that installing updates may not ensure that your Exchange servers will not be affected by the exploitation of other zero-day vulnerabilities. Therefore, a scan of the infrastructure is recommended to find out if the environment has been affected by the exploitation of other flaws not yet discovered by the manufacturers; and if discovered, security teams should use efforts to identify and respond to any detected security incidents. This can make the difference between a minimum correction effort without major losses and loss of revenue and trust of customers, partners, and employees.

SaaS, PaaS and IaaS: Learn about theCloud Computing Options

Understand these solutions to choose the best alternative for your business. For many years, we have been using cloud computing to access files that are not stored on a computer, but on email servers, social network websites, or internet pages, without the need of...

What does a Chief Information Security Officer (CISO) do?

A Chief Information Security Officer (CISO) is a high-level professional responsible for the digital security of a company. If you aspire to obtain this position, read our text until the end. In it, we explain more about the profession. With the advancement of...

An overview of essential certifications for CISOs

In the world of cybersecurity, the role of a CISO is crucial in protecting data and sensitive information. To excel in this career, it is necessary to have certain certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical...

What is the role of a CISO during a cyber attack?

The CISO plays a crucial role in incident management during cyber attacks as they are responsible for implementing containment and eradication measures. However, it is also their role to detect and prevent threats. Learn more in this article about the responsibilities...

Security Training Best Practices for Privileged Users

It is essential to train privileged users to avoid cyber threats, as they are the primary victims of hackers. Read our article and learn how to do it. Privileged user credentials are among the main targets of cybercriminals since they allow them to access data and...