On the evening of 2 March 2021, Microsoft released information regarding targeted attacks against Microsoft Exchange Servers. In this message, we inform you about the threat and the possible mitigations.
Microsoft released details about four zero-day vulnerabilities that are being actively exploited against on-premises Exchange Server. The vulnerabilities are registered under the following IDs, with their CVSS 3.0 base scores:
- CVE-2021-26855 (9.1)
- CVE-2021-26857 (7.8)
- CVE-2021-26858 (7.8)
- CVE-2021-27065 (7.8)
The following versions are affected:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
At the time of writing, Microsoft Exchange Online is reported not to be affected.
The vulnerability registered as CVE-2021-26855 is a server-side request forgery that can be exploited without authentication if the Exchange Server is internet-facing. The other three vulnerabilities require an authenticated session, but they can be chained as subsequent attack steps once that access has been obtained through CVE-2021-26855.
After the attackers gain access to the Exchange Server, they can obtain full control over the attacked host. From there on, they may proceed with other known techniques to acquire credentials, set up a connection to command-and-control servers, or exfiltrate data.
Therefore, Northwave classifies the impact of the vulnerabilities as high.
Although no public exploit is known at the time of writing, the details that are now available can be used to craft one. Northwave therefore expects a public exploit to become available soon, which will likely result in more attacks being carried out. Northwave estimates the risk of an attack to be high.
Microsoft has released out-of-band updates that address the vulnerabilities. We urge you to update affected servers as soon as possible; please follow the information provided by Microsoft to perform these updates. If updating is not possible immediately, make sure your Exchange servers are no longer externally reachable on port 443. This includes webmail. Blocking port 443 prevents exploitation of CVE-2021-26855 from the internet but is a stopgap, not a substitute for the update. Note also that installing the update closes the vulnerabilities but does not remove web shells or other persistence an attacker may already have placed; servers that were exposed before patching should be checked for signs of compromise.
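As an added example, not part of the Northwave advisory or Microsoft's guidance, the following PowerShell reports for every Exchange server whether its installed build already contains the 2 March 2021 out-of-band update. It is meant to be run from the Exchange Management Shell and assumes PowerShell remoting to the other Exchange servers is enabled. The minimum patched build numbers in the table are the editor's recollection of Microsoft's March 2021 release notes and are an assumption: verify them against Microsoft's Exchange build number table before relying on the result.

```powershell
# Added example (not from the advisory): check whether each Exchange server runs a
# build that includes the 2 March 2021 security update.
#
# Assumption: the build numbers below are recalled from Microsoft's March 2021
# release notes; confirm them against the official Exchange build number table.
$PatchedBuilds = @{
    '15.2.792'  = [version]'15.2.792.10'   # Exchange 2019 CU8
    '15.2.721'  = [version]'15.2.721.13'   # Exchange 2019 CU7
    '15.1.2176' = [version]'15.1.2176.9'   # Exchange 2016 CU19
    '15.1.2106' = [version]'15.1.2106.13'  # Exchange 2016 CU18
    '15.0.1497' = [version]'15.0.1497.12'  # Exchange 2013 CU23
}

# Get-ExchangeServer's AdminDisplayVersion only reflects the Cumulative Update,
# not security updates, so the file version of ExSetup.exe is read instead
# (the method Microsoft documents for obtaining the exact build).
$getBuild = {
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    (Get-Item $exsetup).VersionInfo.FileVersion
}

foreach ($server in Get-ExchangeServer) {
    $raw = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock $getBuild
    $build = [version]$raw
    # Key on major.minor.build to find the CU line this server is on.
    $cuKey = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build

    if ($PatchedBuilds.ContainsKey($cuKey)) {
        if ($build -ge $PatchedBuilds[$cuKey]) {
            $state = 'PATCHED'
        } else {
            $state = 'VULNERABLE - install the 2 March 2021 security update'
        }
    } else {
        # A CU for which no out-of-band fix exists: it must first be brought
        # to a CU that received the update, then patched.
        $state = 'UNSUPPORTED CU - update to a supported CU, then patch'
    }

    [pscustomobject]@{
        Server = $server.Name
        Build  = $raw
        Status = $state
    }
}
```

Servers reported as VULNERABLE or UNSUPPORTED CU should be taken off the internet-facing path on port 443 until they are updated, as described above; the exposure restriction itself is normally applied at the perimeter firewall or load balancer rather than on the Exchange host.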