What happened?

On March 2, 2021 several companies released reports about in-the-wild exploitation of zero-day vulnerabilities inside Microsoft Exchange Server. The following vulnerabilities allow an attacker to compromise a vulnerable Microsoft Exchange Server. As a ensue, an attacker will gain access to all registered email reports, or be able to execute arbitrary code( remote code execution or RCE) within the Exchange Server context. In the latter example, the attacker will likewise be able to achieve perseverance on the infected server.

A total of four vulnerabilities were uncovered 😛 TAGEND

CVE-2 021 -2 6855. Server-side request forgery( SSRF) lets an attacker without authorization to query the server with a specially erected petition that will cause remote code execution. The exploited server will then forward the query to another destination. CVE-2 021 -2 6857 caused by unsafe data deserialization inside the Unified Messaging service. Potentially allows an attacker to execute arbitrary code( RCE ). As a result of insufficient control over user files, an attacker is able to forge a torso of data query, and trick the high-privilege service into executing the code. CVE-2 021 -2 6858. This vulnerability lets an authorized Exchange user to overwrite any existing file inside the system with their own data. To do so, the attacker has to compromise administrative credentials or exploit another vulnerability such as SSRF CVE-2 021 -2 6855. CVE-2 021 -2 7065 is similar to CVE-2 021 -2 6858 and allows an approved attacker to overwrite any system file on the Exchange server.

Kaspersky Threat Intelligence shows that these vulnerabilities are already used by cybercriminals around the world.

Geography of strikes with mentioned MS Exchange vulnerabilities( based on KSN statistics)

We predict with a high degree of confidence that this is just the beginning, and we anticipate numerous exploitation attempts with the purpose of gaining access to resources inside corporate perimeters. Furthermore, we should note that there is typically a high risk of ransomware infection and/ or data theft linked to these attacks.

How to safeguard against this menace?

Our products protect against this menace with Behavior Detection and Exploit Prevention components and detect exploitation with the following verdict: PDM: Exploit.Win3 2. Generic We detect the relevant exploits with the following detection names 😛 TAGEND

Exploit.Win3 2. CVE-2 021 -2 6857. gen HEUR:Exploit.Win32.CVE-2021-26857.a

We also see and block the warheads( backdoors) being used in the exploitation of these vulnerabilities, according to our Threat Intelligence. Possible detection names are( but not limited to ):

HEUR: Trojan.ASP.Webshell.gen HEUR:Backdoor.ASP.WebShell.gen UDS 😀 angerousObject.Multi.Generic

We are actively monitoring the situation and additional detecting logic will be released with updatable databases when required. Our Managed Detection and Response service is also able to identify and stop this attack by utilizing threat hunting regulations to spot the exploitation itself, as well as possible payload activity.

And the thorough research of the attack will soon be available within APT Intelligence Reporting service, please contact intelreports @kaspersky. com for details.

Recommendations As Microsoft has already released an update to fix all these vulnerabilities, we strongly recommend updating Exchange Server as soon as possible. Focus your defense strategy on discover lateral motions and data exfiltration to the internet. Pay special attention to outgoing traffic to see cybercriminal connects. Back up data regularly. Make sure you can quickly access it in an emergency. Use answers like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service which help to identify and stop the attack in the early stages, before the attackers achieve their goals. Utilize a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious activities. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.

Read more: securelist.com