Zero-day Microsoft Exchange vulnerabilities attack IOC

Short Description:

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.

The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange.

An indicator of compromise (IoC), in computer forensics, is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.

Indicators:
  • Network indicator: 103.77.192.219


General Recommendation:

A successful response should consist of the following steps:

  • Deploy updates to affected Exchange Servers.
  • Investigate for exploitation or indicators of persistence.
  • Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.
  • Investigate for exploitation, persistence, or evidence of lateral movement.
  • Analyze the Exchange product logs for evidence of exploitation.
  • Scan for known web shells.
  • Use the updated IOC feed for newly observed indicators.
  • Leverage other organizational security capabilities.
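As an added example (not part of the advisory), the following Python sweep implements the "scan for known web shells" and "analyze the logs" steps above: `scan_directory` flags files whose SHA-256 matches an IoC hash set supplied by the caller, and `scan_log_lines` flags log lines that contain the listed network indicator. The sample log lines are constructed, and the hash set is whatever the caller loads from the current IoC feed; neither is taken from the advisory.

```python
import hashlib
import os
import re
from pathlib import Path

# Network indicator from the advisory above. File hashes are passed in by the
# caller (e.g. loaded from the current IoC feed) rather than hardcoded here.
NETWORK_INDICATORS = {"103.77.192.219"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log lines (not real Exchange/IIS logs), used for the demo.
SAMPLE_LOG_LINES = [
    "2021-03-03 10:01:02 10.0.0.5 GET /owa/ - 443 - 10.0.0.20 Mozilla/5.0 200",
    "2021-03-03 10:01:09 10.0.0.5 POST /owa/ - 443 - 103.77.192.219 python-requests 200",
    "2021-03-03 10:02:11 10.0.0.5 GET /owa/ - 443 - 10.0.0.21 Mozilla/5.0 200",
]


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large directories can be swept without loading files whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, ioc_hashes):
    """Return [(path, sha256)] for every file under root whose SHA-256 is in ioc_hashes."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue  # unreadable/locked file: skip it rather than abort the sweep
            if digest in wanted:
                hits.append((str(p), digest))
    return hits


def scan_log_lines(lines, indicators=NETWORK_INDICATORS):
    """Return (line_number, ip) for each line that contains a listed network indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in indicators:
                hits.append((n, ip))
    return hits
```

Point `scan_directory` at the Exchange web directories and `scan_log_lines` at the exported IIS/Exchange logs; any hit is a starting point for the remediation and lateral-movement investigation steps above, not proof of compromise on its own.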

For more information and recommendations, please visit the following reference URLs: