On March 2, 2021, Microsoft urgently released an update for Exchange Server 2010, 2013, 2016, and 2019 to address four critical vulnerabilities.
In the published article, Microsoft says that these vulnerabilities can be used against large companies worldwide. Attackers gain remote access to Exchange servers, and from there they can download critical data, including the entire mailbox.
At the same time, Microsoft claims that only services deployed inside the infrastructure are threatened. Exchange Online is not at risk.
Let’s figure out what these vulnerabilities are and how to defend against attacks.
Microsoft Exchange Server vulnerabilities
- CVE-2021-26855. Allows attackers to forge server-side requests (Server-Side Request Forgery or SSRF), making it possible to bypass authorization. An attacker sends bogus requests and can use them to remotely run any code on the server.
- CVE-2021-26857. Allows attackers to execute any code on behalf of the system. It’s used to get system account (SYSTEM) privileges on a server.
- CVE-2021-26858. Allows attackers to overwrite any file in a system or replace data on a server with any other data.
- CVE-2021-27065. Used in the same way as the previous vulnerability.
Attackers often use a combination of the mentioned CVEs. The result is a complex attack that allows attackers to steal important data and seriously harm company operations.
How attackers operate
- An attack goes to Exchange servers with an open HTTP port 443.
- With the help of the first vulnerability (CVE-2021-26855), the malefactors gain access and act on behalf of the hijacked server.
- Then, through the second vulnerability (CVE-2021-26857), they get SYSTEM privileges and run malicious code on the server.
- At the same time, account data and password hashes are collected.
- Using the rights already obtained, the attackers can gain direct access to domain controllers. This will give them the opportunity to expand privileges in the domain and entrench themselves there permanently.
- The malefactors are looking for data of interest to them and, using the last two vulnerabilities (CVE-2021-26858 and CVE-2021-27065), they steal it.
How Gcore protects its customers against Microsoft Exchange Server vulnerabilities
We offer comprehensive protection for web applications, sites, and servers. We’ll protect your system even against complex attacks that exploit Microsoft Exchange Server vulnerabilities.
Our protection is based on our own traffic filtering centers. All requests to your servers, including requests to MS Exchange services, pass through our platform and are analyzed.
If the system detects anomalies or incorrect data, the request is immediately blocked. This prevents attackers from entering the system, running malicious code, or downloading data.
What else can you do to protect yourself?
1. Update all MS Exchange servers across all domains. If you can’t urgently install the patch in your company, try using the workarounds that Microsoft offers.
2. Deny unauthorized access to Exchange servers through port 443. Since cybercriminals penetrate servers through this specific port, such a measure will help stop an attack at its first stage. You can also prohibit all connections from outside the corporate network.
But this method will only help against new attacks and will be useless if malefactors have already infiltrated your servers.
3. Use the PowerShell script that Microsoft released specifically to look for signs that your servers have been attacked through these vulnerabilities.
To test whether attackers have infiltrated your servers, you need to manually run commands in the Exchange HTTP Proxy logs, Exchange log files, and Windows application event logs.
If you want to check all MS Exchange servers, to use this command:
Get-ExchangeServer | .Test-ProxyLogon.ps1
You can check the local server using the following command:
.Test-ProxyLogon.ps1
If you want to save the results of the check, add the following command to the ones listed above:
-OutPath $homedesktoplogs
If you are checking all Exchange servers and want to save the results, the command would look like this:
Get-ExchangeServer | .Test-ProxyLogon.ps1 -OutPath $homedesktoplogs
4. Use the nmap script. Computer security expert Kevin Beaumont created it to find vulnerable servers inside your perimeter. The script has been written in haste and isn’t perfect, but it can be a suitable solution in emergency situations.
However, if you already have our protection enabled, you don’t have to worry about new Microsoft Exchange vulnerabilities. If you haven’t yet, it’s time to try it.
Our protection will not only protect your servers from intrusions. Your infrastructure, websites, and applications will be reliably protected against bots and DDoS attacks of any complexity at all levels.
Try our protection for free or start with a free consultation.