In early March 2021, Microsoft published security updates for its on-premises Exchange servers addressing several critical vulnerabilities, four of which were zero-day flaws already being exploited in the wild. Since the publication, Microsoft has continued to report around 82,000 vulnerable servers still exposed, along with a large number of recorded exploitation attempts whose purpose is to deploy ransomware (cryptomalware).

These vulnerabilities are referenced with the following CVEs:

  • CVE-2021-26855,
  • CVE-2021-26857,
  • CVE-2021-26858,
  • CVE-2021-27065.

Attackers exploiting them are able to access email accounts and install programs (malware, rootkits) on the server.

Initial attack vector

The first vulnerability exploited in the attack is CVE-2021-26855, a Server-Side Request Forgery (SSRF) flaw: an unauthenticated attacker who can reach the server over HTTPS sends a forged HTTP request that the front end forwards to the back end, authenticating as the Exchange server itself. With that level of access, the CVE-2021-26858 and CVE-2021-27065 vulnerabilities, two post-authentication arbitrary file write flaws, can be used to create a file of the attacker's choosing on the Exchange server. In practice this is typically a web shell written into a directory served by IIS, through which any tool of use to the attacker, including a cryptomalware-type payload, can then be dropped. CVE-2021-26857 is an insecure deserialization vulnerability in the "Unified Messaging" service: untrusted data deserialized by the service can be turned into code execution with SYSTEM privileges, for example to run the files created by the attacker. Exploiting it on its own requires administrator rights or another vulnerability, which is why it is used in combination with the others. Chaining these four vulnerabilities thus enables an attacker to gain full control of the vulnerable Exchange server.

The affected Exchange versions are:

  • Exchange 2013, 2016, 2019
  • Exchange 2010, only for CVE-2021-26857

Previous versions do not appear to be affected, and neither is Exchange Online.

Means of protection provided by Stormshield

Stormshield offers enhanced infrastructure protection via its Stormshield Network Security (SNS) and Stormshield Endpoint Security (SES) solutions. The first solution (SNS) can act on the network flow between the attacker and the server, while the second (SES) acts directly on the server on which it is installed.

Stormshield Network Security (SNS)

Segmentation

A firewall placed in front of the Exchange server, with port filtering, reduces the exposed surface and makes the vulnerabilities harder to exploit. By way of a reminder, the ports that need to be allowed from the outside are 443 (HTTPS: OWA, ECP, EWS, ActiveSync, Autodiscover), 993 (IMAPS) and 587 (SMTP submission). Note that the SSRF in CVE-2021-26855 travels over port 443 itself, so port filtering alone does not stop it; it has to be combined with the protection signature and with patching. In addition, the Exchange server must be isolated from the LAN by means of filtering rules, limiting the possible spread of an attack across the whole network.

Protection signature

Stormshield has developed a dedicated signature, http:client:header:cookie.31, which detects attempts to exploit the CVE-2021-26855 vulnerability in the HTTP Cookie header and thus blocks the initial attack vector.

Stormshield Endpoint Security (SES)

Behavioural analysis

The SES solution provides in-depth monitoring of OS behaviour. In this case, it lets you monitor unusual operations by the Web and Exchange server components: in particular, it can detect files being written by the IIS and Exchange processes and adapt the response level according to the file type, so that a server-side script dropped into a directory served by IIS is treated more severely than an ordinary data file.

If the first barrier is breached, SES can also detect and block command execution from a web shell previously installed by an attacker, which on the host typically shows up as the IIS worker process spawning a command interpreter.

SES application rules also help to prevent malware from being written or executed by the Web and Exchange server components. This makes it possible to block offensive tools such as procdump and mimikatz, used to dump LSASS memory and extract credentials from it.

Other recommendations

It is of course vitally important to update Exchange servers with patches supplied by Microsoft: techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

In addition, every Exchange server must be checked for traces of compromise, since patching does not remove a web shell that was dropped before the update. Microsoft provides indicators of compromise (IoCs) for this purpose, as well as a dedicated detection script: msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

Our Threat Intelligence team has two key missions: to study cyber threats in order to understand them, and to continuously improve the protection offered by Stormshield products. The goal in each case is to contribute to the cybersecurity community's effort to address cyber threats.
About the author
Sébastien Viou Cybersecurity Product Director & Cyber-Evangelist, Stormshield

A fan of fighting sports (ju-jitsu, kick-boxing, ice hockey), Sébastien also has a passion for mechanics. The real thing, where all the parts are dismantled and reassembled until every mechanism is understood. An obvious parallel with his missions at Stormshield, where he is in charge of shedding light on developments, innovations and trends in cyber threats.