Zero-day Microsoft exchange vulnerabilities attack IOC
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.
The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange.
Indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
|File Hashes||097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0 d5417c6ea6cfdc8c86f7275b9cea43315c06fead73f2987e2f673a11cde79838|
|Network Indicators||188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124|
Successful response should consist of the following steps:
- Deploy updates to affected Exchange Servers.
- Investigate for exploitation or indicators of persistence.
- Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.
- Investigate for exploitation, persistence, or evidence of lateral movement
- Analyze the Exchange product logs for evidence of exploitation.
- Scan for known web shells.
- Use the updated IOC feed for newly observed indicators.
- Leverage other organizational security capabilities
For more information and Recommendation please visit following reference URL’s: