Threat Update
In March 2021, Microsoft disclosed vulnerabilities existing within Microsoft Exchange versions 2010, 2013, 2016 and 2019. They are tracked as five different CVEs, which are listed below. Although these vulnerabilities were disclosed back in March, our Security Operations Center has seen a noticeable spike in threat actors exploiting them. Barracuda MSP recommends following the recommendations below in order to ensure your environments are protected from these vulnerabilities.
Technical Detail & Additional Information
WHAT IS THE THREAT?
- CVE-2021-24085: Could allow privilege escalation on Exchange Server using Cross Site Request Forge.
- CVE-2021-26855: Could allow threat actors to send arbitrary HTTP requests via exploitation of the Exchange Control Panel (ECP).
- CVE-2021-26857, CVE-2021-26858, CVE 2021-27065: All three of these could allow for remote code execution.
WHY IS IT NOTEWORTHY?
Microsoft Exchange is utilized worldwide by businesses, universities, and individuals. Like many other Microsoft products, Exchange is integrated into everyday businesses worldwide. Because Microsoft products are so widely used, attackers are always looking to target Microsoft devices and services. Due to the large number of Microsoft devices in any given organization, the scope for potential targets is wide. The vulnerabilities detailed here are a great example of how persistent attackers can be in targeting impacted users. Although they were disclosed months ago, threat actors are still exploiting these vulnerabilities. Thus, it is important to take any recommendations released by Microsoft seriously and keep these devices/services updated regularly.
WHAT IS THE EXPOSURE OR RISK?
These Exchange vulnerabilities come with the same types of risks involved with any vulnerabilities on Microsoft devices or services. While there is cause for concern, it is much easier than most people realize for an attacker to find a target that is vulnerable to these exploits. Simple searches on Shodan and similar services can reveal a few hundred thousand vulnerable servers. These specific vulnerabilities could potentially allow attackers to escalate privileges, and execute remote code/requests. This could lead to several possible compromises, such as denial of service attacks, the deletion or creation of files and even complete system compromises. Many companies rely on sensitive data stored on their Exchange Servers remaining private and being able to use this service to conduct everyday business. These vulnerabilities put these expectations at potential risk if it is exploited by attackers.
WHAT ARE THE RECOMMENDATIONS?
Barracuda recommends ensuring the newest updates are applied to anything and everything running Microsoft Barracuda MSP recommends ensuring the newest updates are applied to any and all devices running Microsoft Exchange versions 2010, 2013, 2016 and 2019. Threat actors are actively targeting users that have not applied these updates nine months after they were first made public, and these updates will help you mitigate your risk.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://bluehexagon.ai/threat-advisory-microsoft-exchange-server/
- https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24085
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26857
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27065
If you have any questions, please contact our Security Operations Center.
