Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


Threat Update – Mass Exploitation of On-Prem Exchange Servers

Cybersecurity News, Threat Research

On March 2nd, Microsoft released an urgent software update to patch 4 critical vulnerabilities in Exchange Server 2010, 2013, 2016, and 2019.

Our IR and Forensics teams are actively helping organizations patch, investigate, and remediate. We’ve seen threat actors using these flaws to obtain remote access to Exchange servers and then attempt to exfiltrate sensitive information, including entire mailboxes.

Please be aware that attackers will likely use remote access to highly privileged Exchange servers to pivot to other critical systems, such as Domain Controllers.

Microsoft has reported that HAFNIUM, a state-sponsored APT operating from China, has been exploiting these vulnerabilities. According to Microsoft, Exchange Online is not vulnerable.

If you need ANY help, please contact your Varonis account team or reach out via our incident response page and we’ll do everything we can to ensure you’re safe, even if you aren’t a current customer.

Vulnerability overview

There are four CVEs being exploited in the attack:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is used for a privilege escalation to gain SYSTEM permissions on the server
  • CVE-2021-26858 and CVE-2021-27065 are used to write files to any directory on the server.

Threat groups chain these vulnerabilities together in an attack chain. See the analysis by Veloxity.

Example Attack Flow

  1. Target vulnerable Exchange servers who have open HTTP 443
  2. Exploit the SSRF vulnerability to obtain access and authenticate as the Exchange server
  3. Gain SYSTEM by exploiting CVE-2021-26857, execute malicious code, and dump credentials and hashes (e.g., ProcDump)
  4. Use the Exchange server permissions to directly access the DC to elevate privileges or/and create persistency.
  5. Extract Mailbox information and other sensitive files
  6. Install WebShell, exfiltrate information, and upload to common file-sharing websites

The Microsoft team released some PowerShell scripts to help you search for exploitation artifacts such as manually created .aspx files. Researcher Kevin Beaumont also released a quick-and-dirty nmap script to find potentially vulnerable servers in your environment.

How to Protect Yourself

  • Ensure all your Exchange servers across all domains are fully patched. This means applying the latest Cumulative Update and the latest Security Update from Microsoft.
  • Check your Varonis DatAlert dashboard for:
    • Abnormal activity by Exchange-related service accounts.
    • Malicious external connections via Web and DNS (requires proxy & DNS telemetry via Edge)
    • Atypical data access and device authentication activity originating from external-facing mail servers
    • Atypical external upload activities, especially sensitive data (requires classification)

Varonis threat models identify these and other hallmarks of sophisticated threat actors.

If you notice any suspicious activity in your environment, please reach out to us.

Stay safe, stay alert.

Snir Ben Shimol

Snir Ben Shimol

Director of Cyber Security, Varonis Snir is the Head of Cyber Security at Varonis, a software company specializing in data security and insider threat detection. Snir began his career in the IDF Technology and Intelligence Unit and continued as a Security Researcher in the Israeli Prime Minister’s Office. Since then he has worked in the Advanced Security Center of EY as the Cyber Security Advisory Leader, managing red-team operations and risk assessments. He has advised major international corporations and high-profile individuals to build their security resilience and protect their organization. Prior to his current role, he led Radware’s Cyber Security Research Division, responsible for innovation and security solution capabilities.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.