Important Update to Threat Flash Alert: Microsoft Exchange Zero-Day Exploits
10 March 2021
Security On-Demand sent out a flash alert on March 2, 2021 regarding the disclosure of critical vulnerabilities in Microsoft’s Exchange servers, known as the Exchange zero-day exploits. Since then, our sources have determined that the number of organizations compromised is much higher than originally projected. These vulnerabilities are being actively exploited by numerous threat actors targeting multiple public and private sectors all over the globe. These vulnerabilities affect on-premises Microsoft Exchange Server 2013, 2016 and 2019 with Outlook Web Access (OWA).
The vulnerabilities allow threat actors to access email accounts and to install additional malicious entities to maintain persistence within a target’s environment in order to facilitate data exfiltration, surveillance, and control of the network.
As of March 10, 2021, several sources have discovered and provided details on multiple known threat actors that have exploited these vulnerabilities in the wild. As of now, 30,000+ Exchange servers are assumed to have been compromised. Exploitation of these vulnerabilities has been reported as far back as at least February 26, 2021, before Microsoft provided the patches.
The initial attack vector is to target Exchange servers with OWA via TCP ports 443 and 80 (HTTPS/HTTP). After the initial compromise, the attackers are installing backdoors and enabling various web shells to maintain persistence and pivot further within the network.
Microsoft has released tools to confirm if the ProxyLogon vulnerability has been exploited and to discover any web shells that may have been installed. See “Sources” for links to these tools.
The ongoing events are actively being investigated by Microsoft, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), and new information is being discovered daily.
The four vulnerabilities are as follows with links to Microsoft’s vulnerability scoring assessment for each:
Microsoft has provided patches for other versions of Exchange servers and they recommend patching all products at this time.
It is highly recommended that you contact Security On-Demand if you have an on-premises Exchange server. If you do not have an on-premises Exchange server, there is no need to contact our support team at this time. We are actively searching for any indicators of this threat on your systems, and we will let you know immediately if we see any sign of the attack indicators.
If you have not applied the recommended patches, we recommend that you apply the out-of-band patches immediately in order to address these vulnerabilities. See the “Sources” section for more information, including the linked Microsoft vulnerability information and Threat Flash Alert blogs. If available, update all non-affected versions of your Microsoft Exchange server. We also recommend that you confirm a compromise has not occurred in your Exchange environment by using these instructions.
If you have not heard from our team, then we do not currently see any sign of this attack taking place in your environment.
Currently, we are running a new list of IOCs on your environment. Based on the advice from CISA, we are investigating the entire period since January 1, 2021 in order to discover any historical events directly related to the exploitation of the zero-day vulnerabilities.
We have created additional alert logic to monitor and notify of future events that may occur as well.
For additional information, please refer to the sources below and our original Threat Flash Alert. Our customers are welcome to contact our support team. For those interested in our Managed Threat Detection and Response, contact us here.
Microsoft-supplied GitHub tools:
https://github.com/microsoft/CSS-Exchange/tree/main/Security – ProxyLogon
https://github.com/cert-lv/exchange_webshell_detection – web shell detection