Exchange zero-day Exploit – 3rd March 2021

Whether you are a Kyos customer or not, considering the criticality of this flaw, we offer you a free primary investigation of your Exchange server, to determine if it is still vulnerable, as well as to identify if any potential attacks have taken place, which we know is very likely. Even though Kyos Exchange Servers have not been affected, 50% of our customers with on-premise Exchange Servers have been impacted, despite the application of the patch that we performed the same day.

 

Which technical vulnerability has been exploited?

On the evening of Tuesday, March 2, 2021, Microsoft announced four vulnerabilities in the Microsoft Exchange enterprise messaging system: CVE-2021-26855CVE-2021-26857CVE-2021-26858 and CVE-2021-27065.

These vulnerabilities allow attackers to gain access to the Exchange server without authentication, through which malicious code can be launched to retrieve information or potentially install a program for the creation of a subsequent access to the server.

How did we implement the patches for our customers?

Microsoft immediately prepared a patch to be installed on the servers affected by the flaw. This update was immediately tested on Wednesday afternoon by our technical teams to anticipate the risks to our customers infrastructures and was then installed on the servers of around ten of our customers affected.

Why is it necessary to investigate potential attacks?

By Wednesday evening, almost all our customers’ servers were protected, but it was still essential to know if they had been targeted by attacks that might have compromised them. To do so, Microsoft released a program to obtain attack and compromise indicators. We carried out this investigation program on all Exchange servers: 7 servers out of 13 were identified as potentially attacked and therefore potentially compromised. The manual investigation that we would conduct starting Thursday evening has confirmed that each of these 7 servers has been attacked.

We observe the lightning speed of the attack by noting that it had already started quite early on Wednesday morning, the day we became aware of the vulnerability through Microsoft’s official communication channels.

A proven compromise is found on two servers and we found evidence of vulnerability exploitation on the other five servers (POST /ecp/y.jc as presented above, whose code “200” validates a successful code execution).

We took the decision to consider servers with these signs as compromised, because it is not possible to prove what was executed by the attacker.

We therefore immediately decided the following: the replacement of the Exchange servers presenting this proof of code execution is necessary, to avoid any security risk related to the potential installation of a backdoor. At the time of this writing, this work has been completed for almost all our customers concerned and is being finalized for the last ones.

What is the impact for you, especially in terms of data leakage?

All the investigations we have carried out to date show three essential information:

  • A primary search for data leaks was carried out on servers with a known compromise, and no evidence of information leaks was found during the investigations. A more advanced additional investigation is recommended to validate the data leakage on your server.
  • Our investigations of the Kyos server shown that our email system has not been attacked or compromised, allowing us to state that no data leakage has taken place on our server.
  • All the attack scenarios we have investigated so far indicate that the compromise is local to the Exchange server and exclude for the moment the scenario of a larger compromise (e.g. on other servers performing other roles within the organization).

Our system consultants and our security auditor team remain on alert, our above position will be re-evaluated in the coming days based on further investigation and information received from Microsoft, this article will be updated as potential discoveries are made.

What do you need to do?

If you haven’t already done so, it is urgent to apply the patch on your Exchange:
https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

If this is impossible (cumulative update too old for instance), it is strongly recommended to close external accesses to the mail server if possible.

During the manual investigations, we also limited the risks by closing the inbound/outbound flows to and from all the attackers’ IP addresses, in order to prevent potential interactions that could occur if a backdoor had been deployed. Even if this measure can be circumvented by attackers, it can have a discouraging effect, saving you time by directing them to other targets.

 

Contact us at helpdesk@kyos.ch or 022 734 78 88 for any investigation request or if you would like more information about these vulnerabilities.