Zero-day Microsoft Exchange vulnerabilities: attack IOCs

Short Description:

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.

The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Chained together they give an unauthenticated attacker the ability to run code and drop web shells on an Internet-facing Exchange server.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. It is the entry point of the chain: it requires no credentials and supplies the authentication that the two file-write bugs below need.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Exploiting it gave code execution as SYSTEM on the Exchange server, but it required administrator permission or another vulnerability to reach.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. Once authenticated (for example via the CVE-2021-26855 SSRF, or with compromised admin credentials), the attacker could write a file, such as a web shell, to any path on the server.

CVE-2021-27065 is a second post-authentication arbitrary file write vulnerability in Exchange with the same impact.

An indicator of compromise (IoC), in computer forensics, is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. The indicators below are those associated with this campaign.

Indicator type: File hashes (SHA-256)

    097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
    1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
    2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
    4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
    511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
    65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
    811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
    b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
    d5417c6ea6cfdc8c86f7275b9cea43315c06fead73f2987e2f673a11cde79838

Indicator type: Network indicators (IP addresses)

    103.77.192.219
    104.140.114.110
    104.248.49.97
    104.250.191.110
    108.61.246.56
    149.28.14.163
    157.230.221.198
    165.232.154.116
    167.99.168.251
    185.250.151.72
    192.81.208.169
    203.160.69.66
    211.56.98.146
    5.2.69.14
    5.254.43.18
    80.92.205.81
    91.192.103.43

Reference:

https://unit42.paloaltonetworks.com/atoms/zero-day-microsoft-exchange-vulnerabilities/

General Recommendation:

A successful response consists of the following steps. Deploying the update closes the entry point but does not remove web shells or other persistence an attacker has already installed, so the investigation steps are required even on servers that are now patched:

  • Deploy the March 2021 security updates to affected Exchange Servers.
  • Investigate for exploitation, persistence, or evidence of lateral movement.
  • Analyze the Exchange product logs (HttpProxy, OABGenerator and ECP server logs, plus the Unified Messaging entries in the Windows Application event log) for evidence of exploitation.
[Ref:https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log]
  • Scan for known web shells.
[Ref:https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download]
  • Remediate any identified exploitation or persistence, then investigate the wider environment for indicators of lateral movement or further compromise.
  • Use the updated IOC feed for newly observed indicators.
  • Leverage other organizational security capabilities.
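The following Python script is an added example for this page, not code from Unit 42, Microsoft or the publisher of this IOC feed. It ties the indicator table above to the "analyze the Exchange product logs" and "use the IOC feed" steps in the list above: the file hashes and IP addresses are copied from the table, the log heuristic is the one Microsoft published for CVE-2021-26855 (an HttpProxy request with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~<host>/<path>), and the sample HttpProxy lines are constructed for this example, keeping only a subset of the real CSV columns. The default log location, `%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy`, is the one Microsoft's guidance points at; the self-check directory and file content are placeholders.

```python
"""Offline IOC and CVE-2021-26855 log check for the Exchange 0-day campaign.

Added example; not code from the referenced advisories. Indicators are those
listed in the table above. The sample log is constructed and keeps only a
subset of the real HttpProxy CSV columns.
"""
import csv
import hashlib
import io
import os
import re
import tempfile
from typing import Dict, List, Set

# SHA-256 file hashes from the indicator table above.
FILE_HASHES: Set[str] = {
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "d5417c6ea6cfdc8c86f7275b9cea43315c06fead73f2987e2f673a11cde79838",
}

# Network indicators from the table above.
NETWORK_IOCS: Set[str] = {
    "103.77.192.219", "104.140.114.110", "104.248.49.97", "104.250.191.110",
    "108.61.246.56", "149.28.14.163", "157.230.221.198", "165.232.154.116",
    "167.99.168.251", "185.250.151.72", "192.81.208.169", "203.160.69.66",
    "211.56.98.146", "5.2.69.14", "5.254.43.18", "80.92.205.81", "91.192.103.43",
}

# Microsoft's CVE-2021-26855 heuristic for the HttpProxy logs: the request is
# unauthenticated, yet the proxy anchor looks like ServerInfo~<host>/<path>.
SERVERINFO_ANCHOR = re.compile(r"^ServerInfo~[^/]+/")

# Constructed sample (subset of real columns). Rows 2 and 4 have the SSRF shape;
# row 2 also comes from a listed network indicator.
SAMPLE_HTTPPROXY_LOG = (
    "DateTime,AuthenticatedUser,AnchorMailbox,ClientIpAddress,UrlStem,HttpStatus\n"
    "2021-03-02T10:15:01.120Z,CONTOSO\\jdoe,Sid~S-1-5-21-1004336348-1104,10.1.2.3,/owa/,200\n"
    "2021-03-02T10:16:44.002Z,,ServerInfo~exch01.contoso.local/ecp/DDI/DDIService.svc/SetObject,104.248.49.97,/ecp/y.js,200\n"
    "2021-03-02T10:17:02.551Z,CONTOSO\\svc-backup,Sid~S-1-5-21-1004336348-1130,10.1.2.9,/mapi/emsmdb/,200\n"
    "2021-03-02T10:18:10.004Z,,ServerInfo~exch01.contoso.local/owa/auth/Current/themes/resources/logon.css,192.0.2.50,/ecp/x.js,200\n"
)


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """HttpProxy logs are plain CSV with a header row, so DictReader suffices."""
    return list(csv.DictReader(io.StringIO(text)))


def find_proxylogon_requests(text: str) -> List[Dict[str, str]]:
    """Rows matching the CVE-2021-26855 heuristic (empty user, ServerInfo~ anchor)."""
    return [
        row for row in parse_httpproxy_log(text)
        if row.get("AuthenticatedUser", "") == ""
        and SERVERINFO_ANCHOR.match(row.get("AnchorMailbox", "") or "")
    ]


def match_network_iocs(text: str, iocs: Set[str]) -> List[Dict[str, str]]:
    """Rows whose client address is one of the listed network indicators."""
    return [row for row in parse_httpproxy_log(text) if row.get("ClientIpAddress") in iocs]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ioc_files(root: str, hashes: Set[str]) -> List[str]:
    """Walk root and return (sorted) paths whose SHA-256 is in the indicator set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if sha256_file(path) in hashes:
                hits.append(path)
    return sorted(hits)


def file_scan_self_check() -> Dict[str, int]:
    """Exercise find_ioc_files on a throwaway directory: a placeholder .aspx must
    not match the real feed, but must match the set containing its own hash."""
    payload = b'<%@ Page Language="Jscript"%>'  # constructed placeholder content
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "aspnet_client", "x.aspx")
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as fh:
            fh.write(payload)
        own = {hashlib.sha256(payload).hexdigest()}
        return {
            "against_feed": len(find_ioc_files(root, FILE_HASHES)),
            "against_own_hash": len(find_ioc_files(root, own)),
        }


if __name__ == "__main__":
    for row in find_proxylogon_requests(SAMPLE_HTTPPROXY_LOG):
        print("CVE-2021-26855 pattern:", row["DateTime"], row["ClientIpAddress"], row["AnchorMailbox"])
    for row in match_network_iocs(SAMPLE_HTTPPROXY_LOG, NETWORK_IOCS):
        print("network IOC hit:", row["DateTime"], row["ClientIpAddress"])
    print(file_scan_self_check())
```

To use it on a real server, read the `*.log` files under the HttpProxy directory into `find_proxylogon_requests` and `match_network_iocs`, and point `find_ioc_files` at the web roots where web shells were dropped (for example `inetpub\wwwroot\aspnet_client` and the Exchange `ClientAccess` folders). Two caveats: the hash set only catches the exact samples listed, and web shells are trivially modified, so also review `.aspx` files by modification time; and if the server sits behind a load balancer or reverse proxy, `ClientIpAddress` will hold the proxy's address rather than the attacker's, so correlate with the upstream device's logs before concluding that no listed IP appeared.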

For more information and recommendations, please visit the following reference URLs:

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

https://us-cert.cisa.gov/ncas/alerts/aa21-062a
