War Room

Microsoft Exchange – CVE-2021-26855+

March 5, 2021 By Luke Emrich

On March 2, 2021, Microsoft released several security updates to address at least seven critical vulnerabilities in supported versions of on-premise Microsoft Exchange Server. These vulnerabilities were observed being used in limited targeted attacks; however, due to the critical nature and publication of these vulnerabilities, Microsoft released guidance that all customers running on-premise versions of Microsoft Exchange Server should immediately apply these security updates to protect against future exploits.

What versions of Exchange are impacted?

All current-supported versions of Microsoft Exchange Server are affected by at least one of the published vulnerabilities.

  • Microsoft Exchange Server 2010 (Note: This version is End of Life, but Microsoft has confirmed at least one version is impacted)
  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Microsoft reports that, at this time, it is unknown whether versions of Exchange Server that are already at end of life are affected by these vulnerabilities: those versions are out of scope and no longer supported, and they are likely affected by additional vulnerabilities as well.

Microsoft Exchange Online, also known as Office 365 or Microsoft 365, is not impacted; however, organizations that are running hybrid Exchange environments may still be impacted as a result of running a vulnerable version of Microsoft Exchange Server on-premises.

How is this vulnerability being exploited?

Microsoft and the intelligence community are reporting that these vulnerabilities are being used as part of an attack chain, and that the initial step of that chain requires the ability to make untrusted connections to the Exchange server on port 443. One of the short-term mitigations Microsoft suggests is restricting untrusted connections to Exchange, for example by requiring users to connect over a VPN and blocking external web traffic from reaching the Exchange server.

I’m running Exchange on premise, what should I do?

Microsoft, the United States Computer Emergency Readiness Team (US-CERT), the Cybersecurity & Infrastructure Security Agency (CISA) and the intelligence community have begun releasing comprehensive tactics, techniques and procedures (TTP) and indicators of compromise (IOC) lists that organizations can use to review their Exchange server(s) for evidence of exploitation. US-CERT released guidance that organizations that identify evidence of compromise should preserve a forensic image, including a memory capture of the server, and conduct triage to determine whether there is evidence of further exploit activity. Should your organization need assistance reviewing your Exchange server(s) for IOCs or performing an in-depth forensics investigation, please do not hesitate to reach out to RSM for assistance at DFIR.team@rsmus.com.
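One of the reviews those TTP lists call for is a pass over the Exchange HttpProxy logs. The script below is an added example, not part of this post or of any vendor tooling: it applies the detection heuristic Microsoft published for CVE-2021-26855 in the Threat Intelligence post linked further down (an unauthenticated request whose AnchorMailbox value begins with ServerInfo~), over a constructed sample of log rows in the CSV layout those logs use. Column names and the sample rows are assumptions for illustration; verify the current indicators against the linked Microsoft and CISA guidance before relying on them.

```python
import csv
import io

# Constructed sample of Exchange HttpProxy log rows (not real log data).
# Real logs carry many more columns; only those the check needs are shown.
SAMPLE_LOG = """DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T01:02:03.000Z,0001,203.0.113.10,/autodiscover/autodiscover.xml,,ServerInfo~mail.example.test/autodiscover/autodiscover.xml
2021-03-03T01:02:04.000Z,0002,198.51.100.7,/autodiscover/autodiscover.xml,CONTOSO\\alice,Smtp~alice@example.test
2021-03-03T01:02:05.000Z,0003,192.0.2.55,/ecp/default.flt,,ServerInfo~example.test/ecp/default.flt
2021-03-03T01:02:06.000Z,0004,198.51.100.9,/owa/auth/logon.aspx,,Smtp~bob@example.test
"""


def parse_httpproxy_log(text):
    """Yield one dict per request row; HttpProxy logs are CSV with a header row."""
    yield from csv.DictReader(io.StringIO(text))


def is_suspicious(row):
    """Microsoft's published heuristic: no authenticated user, and an AnchorMailbox
    value of the ServerInfo~ form, which ordinary client traffic does not produce."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = (row.get("AnchorMailbox") or "").strip()
    return user == "" and anchor.startswith("ServerInfo~")


def find_suspicious(text):
    """Return every row that matches the heuristic, in log order."""
    return [row for row in parse_httpproxy_log(text) if is_suspicious(row)]


def triage_summary(text):
    """Group hits by client IP so an analyst can prioritise sources for follow-up."""
    summary = {}
    for row in find_suspicious(text):
        summary.setdefault(row["ClientIpAddress"], []).append(row["UrlStem"])
    return summary


if __name__ == "__main__":
    # Point this at a real log file by reading it into `text` instead of SAMPLE_LOG.
    for ip, stems in triage_summary(SAMPLE_LOG).items():
        print(f"{ip}: {len(stems)} suspicious request(s) -> {stems}")
```

A hit is a starting point for the triage described above, not proof of compromise on its own; preserve the server image and memory before acting on it.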

Our organization has no IOCs, how do we patch our Exchange servers?

Microsoft provides support for the two latest cumulative updates (CUs) for each supported Exchange Server version. Exchange servers running a supported update rollup (RU) or CU are considered up to date. Any Exchange server that is not up to date will need a supported RU or CU installed before these new security updates can be installed, so Exchange administrators should factor in the additional time needed for any out-of-date servers. Administrators can run the HealthChecker script to determine the update status of each Exchange server.

If an organization is running an Exchange server that has already been exploited, applying the security updates released by Microsoft will likely not mitigate the organization’s risk. The organization should consider restoring the Exchange server to a state prior to exploitation and updating and patching it before bringing it back online, or rebuilding the Exchange server from scratch and restoring the mailbox data.

How do I stay up to date on this evolving event?

Microsoft has released several resources, which it will continue to update as this event evolves.

MSRC Blog

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server

Exchange Blog

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

Microsoft Threat Intelligence Blog (includes TTPs and IOCs)

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Microsoft on the Issues

https://blogs.microsoft.com/on-the-issues/?p=64505

US-CERT/CISA Alert AA21-062A – Mitigate Microsoft Exchange Server Vulnerabilities (includes TTPs and IOCs)

https://us-cert.cisa.gov/ncas/alerts/aa21-062a

Volexity released a comprehensive blog post on March 2, 2021, detailing its detection and investigation of these vulnerabilities, with activity dating back to January 2021.

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

The vulnerability chain is otherwise known as ‘ProxyLogon’.

https://proxylogon.com/
