SPOTLIGHT ON SECURITY – EXCHANGE SERVER ATTACKS
Thursday, March 11th, 2021 | Cyber Threats, News, News & Media

The information below is a recap of a security bulletin distributed to all Atlas clients. It is also included in this report because of its extreme importance.

This is a high-priority alert and should be taken seriously. There is an active exploitation campaign, led by a Chinese state-sponsored APT group, that chains several zero-day exploits together to compromise every internet-facing Exchange server it comes across. If you are running an on-premises Microsoft Exchange Server, patch it immediately, and remove web access to it from the internet until you can do so.

More comprehensive details follow in the writeup below:

On March 2nd, Microsoft disclosed that four zero-day vulnerabilities were being used in attacks against Microsoft Exchange servers whose web components (Outlook Web Access, OWA) are exposed to the internet. Many vessels serviced by VBH have been observed running Microsoft Exchange Server locally, and it is imperative that they be patched as soon as possible.

Microsoft has released an emergency out-of-band security update for every on-premises Exchange Server version targeted in the attack (Exchange Server 2013, 2016 and 2019). The attack requires that the attacker can reach the Exchange server's HTTPS port (TCP 443) from the internet; no credentials are needed. Until a server can be patched, it is recommended that all port forwarding from the internet to the Exchange web services be stopped at the edge firewall or router. Blocking inbound port 443 at the edge does not stop email from being sent or received, because mail flow between servers uses SMTP (port 25); it only removes access to Exchange's web interfaces (OWA, ECP) from the internet. Outlook clients on the local network will continue working normally. One caveat: remote Outlook, ActiveSync and other clients that connect over HTTPS from outside the network will also lose access until the forward is restored, so plan for that before blocking.

Microsoft's own hosted service, Exchange Online (Microsoft 365), is not affected by this attack, but all locally hosted versions of Exchange are. The attack chains four previously undisclosed vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) into a single sequence capable of compromising an Exchange server that was fully patched as of the end of February 2021. Once a server is compromised, attackers from the HAFNIUM group (a Chinese state-sponsored group) have been observed uploading web shells to the Exchange server to maintain access. These web shells allow them to steal data, upload files and execute almost any command on the compromised system, so a server that was exposed before patching must be treated as potentially compromised and checked, not just patched.
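The bulletin's three practical points (patch, stop exposing 443 to the internet, and look for dropped web shells) can be triaged from the server itself. The script below is an added example written for this recap; it is not part of the original bulletin or any Microsoft tooling. It assumes it is run in an elevated PowerShell on the Exchange server, that $env:ExchangeInstallPath is set (it is on a standard install), that the listed web directories are where a dropped .aspx would land, and that the $Cutoff date and the content markers are reasonable heuristics for this environment. It only reports; it changes nothing.

```powershell
<#
  Added example (not from the VBH/Atlas bulletin): host-side triage for an
  on-premises Exchange server during the March 2021 campaign.
  Assumptions: run elevated on the Exchange server; $env:ExchangeInstallPath
  is set; the web directories and $Cutoff below suit the environment.
#>
param(
    # Anything written to the web roots after this date needs an explanation.
    [datetime]$Cutoff = (Get-Date '2021-02-26')
)

# 1. Installed Exchange build, to compare against Microsoft's list of patched builds
#    for the out-of-band update.
$exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
if (Test-Path $exSetup) {
    $build = (Get-Item $exSetup).VersionInfo.FileVersion
    Write-Output "Exchange build: $build (compare with Microsoft's patched build table)"
} else {
    Write-Warning "ExSetup.exe not found under '$env:ExchangeInstallPath'; is Exchange installed here?"
}

# 2. Is port 443 being reached from non-private addresses right now? An established
#    session from a public IP means the edge is still forwarding 443 to this host.
$privateAddr = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:|fc|fd)'
$external = Get-NetTCPConnection -LocalPort 443 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch $privateAddr }
if ($external) {
    Write-Warning "Port 443 has established session(s) from non-private addresses:"
    $external | Select-Object RemoteAddress, RemotePort, CreationTime | Format-Table -AutoSize
} else {
    Write-Output 'No established 443 sessions from non-private addresses at the moment.'
}

# 3. Hunt for web shells: server-side script files in the Exchange web roots that were
#    created or modified after the cutoff. Patching also writes here, so compare each
#    hit with the time the update was installed before calling it malicious.
$webDirs = @(
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client'),
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\ecp\auth')
) | Where-Object { Test-Path $_ }

# Heuristic content markers (an assumption of this example): a legitimate OWA/ECP
# auth page has no reason to start processes or evaluate request parameters.
$markers = 'Request\[|Request\.Item|Process\.Start|cmd\.exe|eval\('

$hits = foreach ($dir in $webDirs) {
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $Cutoff -or $_.LastWriteTime -gt $Cutoff } |
        ForEach-Object {
            $m = Select-String -Path $_.FullName -Pattern $markers -List -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path          = $_.FullName
                Created       = $_.CreationTime
                Modified      = $_.LastWriteTime
                Bytes         = $_.Length
                SuspectMarker = if ($m) { $m.Matches[0].Value } else { '' }
            }
        }
}

if ($hits) {
    Write-Warning "Script files written after $($Cutoff.ToShortDateString()) in the Exchange web roots:"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No .aspx/.ashx/.asmx files written after $($Cutoff.ToShortDateString()) in the checked web roots."
}
```

Run it before and after patching. A build that is still below the patched build, or any file listed in step 3 that was not written by the update itself, means the server should be isolated and handled as an incident rather than simply patched.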