Exchange zero-day Exploit
Which technical vulnerability has been exploited?
On the evening of Tuesday, March 2, 2021, Microsoft announced four vulnerabilities in the Microsoft Exchange enterprise messaging system: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
These vulnerabilities allow attackers to access the Exchange server without authentication and then execute malicious code on it, either to retrieve information or to install a program that gives them persistent access to the server.
How did we implement the patches for our customers?
Microsoft immediately prepared a patch for the servers affected by the flaw. Our technical teams tested this update on Wednesday afternoon to anticipate the risks to our customers' infrastructures, then installed it on the servers of around ten affected customers.
Why is it necessary to investigate potential attacks?
By Wednesday evening, almost all our customers' servers were protected, but it was still essential to know whether they had been targeted by attacks that might have compromised them. To do so, Microsoft released a program that collects attack and compromise indicators. We ran this investigation program on all Exchange servers: 7 servers out of 13 were identified as potentially attacked and therefore potentially compromised. The manual investigation we conducted from Thursday evening confirmed that each of these 7 servers had been attacked.
The attack was extremely fast: it had already started early on Wednesday morning, the day we became aware of the vulnerability through Microsoft's official communication channels.
A proven compromise was found on two servers, and we found evidence of exploitation of the vulnerability on the other five (the POST /ecp/y.jc request presented above, whose HTTP response code “200” confirms a successful code execution).
We decided to consider servers showing these signs as compromised, because it is not possible to prove what the attacker executed.
We therefore immediately decided that the Exchange servers presenting this proof of code execution must be replaced, to avoid any security risk related to a potentially installed backdoor. At the time of writing, this work has been completed for almost all the customers concerned and is being finalized for the last ones.
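The two checks described in this section, running an indicator scan over every Exchange server and then treating an unauthenticated POST under /ecp/ answered with HTTP 200 as proof of code execution, can be reproduced as a small log-triage script. The example below is added here and is neither Microsoft's investigation program nor code from the original article: it parses IIS logs in the default W3C extended format (a #Fields header followed by space-separated records), flags the pattern the article cites, and lists the client addresses behind those hits so they can be fed to the firewall block rules mentioned later. The log lines, the attacker address 203.0.113.77 and the benign path /ecp/PersonalSettings/HomePage.aspx are constructed sample data; the article's own indicator path /ecp/y.jc is kept as written.

```python
"""Triage heuristic for Exchange IIS logs, modelled on the indicator the
advisory cites: an unauthenticated POST under /ecp/ answered with HTTP 200.

Assumed: logs are in the default IIS W3C extended format, with a '#Fields:'
directive naming the columns. This is an added example, not Microsoft's
Test-ProxyLogon script or the advisory author's tooling.
"""
from typing import Dict, List, Set

# Constructed sample log (not real customer data). Client addresses use the
# RFC 5737 documentation ranges; 203.0.113.77 plays the attacker, 10.0.0.40 an
# internal admin workstation. /ecp/PersonalSettings/HomePage.aspx is a
# hypothetical benign ECP page used to show an authenticated POST is ignored.
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 07:41:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 31
2021-03-03 07:42:03 10.0.0.5 POST /ecp/y.jc - 443 - 203.0.113.77 python-requests/2.25.1 - 200 0 0 118
2021-03-03 07:42:05 10.0.0.5 POST /ecp/PersonalSettings/HomePage.aspx - 443 CORP\\jdoe 10.0.0.40 Mozilla/5.0 - 200 0 0 45
2021-03-03 07:43:10 10.0.0.5 POST /ecp/y.jc - 443 - 203.0.113.77 python-requests/2.25.1 - 500 0 0 12
2021-03-03 07:43:40 10.0.0.5 GET /ecp/y.jc - 443 - 203.0.113.77 python-requests/2.25.1 - 200 0 0 9
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the '#Fields:' names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names follow the directive
            continue
        if line.startswith("#"):
            continue                        # #Software, #Date, ... directives
        values = line.split()               # IIS encodes spaces in values as '+'
        if not fields or len(values) != len(fields):
            continue                        # cannot map this line reliably
        records.append(dict(zip(fields, values)))
    return records


def find_ecp_post_hits(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return records matching the advisory's indicator.

    The rule: an HTTP POST to a path under /ecp/, served with status 200,
    with no authenticated user (IIS logs '-' when cs-username is absent).
    A 200 on such a request is what the advisory treats as proof of code
    execution; failed attempts (non-200) and authenticated admin traffic are
    not flagged.
    """
    hits = []
    for r in records:
        if (r.get("cs-method") == "POST"
                and r.get("cs-uri-stem", "").lower().startswith("/ecp/")
                and r.get("sc-status") == "200"
                and r.get("cs-username", "-") == "-"):
            hits.append(r)
    return hits


def attacker_ips(hits: List[Dict[str, str]]) -> Set[str]:
    """Client addresses behind the hits, for inbound/outbound block rules."""
    return {h["c-ip"] for h in hits}


def triage(text: str) -> Dict[str, object]:
    """One-shot verdict for a log file: treat any hit as a compromised server."""
    hits = find_ecp_post_hits(parse_iis_log(text))
    return {
        "compromised": bool(hits),
        "hits": hits,
        "block_ips": sorted(attacker_ips(hits)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("compromised:", result["compromised"])
    for h in result["hits"]:
        print(f"  {h['date']} {h['time']} {h['c-ip']} POST {h['cs-uri-stem']} -> {h['sc-status']}")
    print("addresses to block:", ", ".join(result["block_ips"]))
```

Run it against a real log by replacing SAMPLE_LOG with the contents of the Exchange front-end IIS log (by default under C:\inetpub\logs\LogFiles). The rule is deliberately narrow and mirrors only the indicator the article names; it is a triage aid, not a substitute for the full indicator scan, and a server with zero hits is not thereby proven clean, since logs can be rotated or deleted.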
What is the impact for you, especially in terms of data leakage?
All the investigations we have carried out to date show three essential findings:
Our system consultants and our security audit team remain on alert. The position stated above will be re-evaluated in the coming days based on further investigation and on information received from Microsoft, and this article will be updated as new discoveries are made.
What do you need to do?
If you have not already done so, it is urgent to apply the patch to your Exchange servers:
If this is impossible (for instance because your cumulative update is too old), we strongly recommend closing external access to the mail server where possible.
During the manual investigations, we also limited the risks by blocking inbound and outbound traffic to and from all the attackers' IP addresses, to prevent any interaction that could occur if a backdoor had been deployed. Even though attackers can circumvent this measure, it can have a discouraging effect and buy you time by directing them to other targets.
More information on this subject?
We are at your disposal!