Zero-day Microsoft Exchange vulnerabilities attack IOC
Short Description:
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.
The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange.
An indicator of compromise (IoC), in computer forensics, is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
Indicator type | Indicator
File hash (SHA-256) | 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
File hash (SHA-256) | 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
File hash (SHA-256) | 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
File hash (SHA-256) | 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
File hash (SHA-256) | 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
File hash (SHA-256) | 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
File hash (SHA-256) | 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
File hash (SHA-256) | b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
File hash (SHA-256) | d5417c6ea6cfdc8c86f7275b9cea43315c06fead73f2987e2f673a11cde79838
Network indicator (IPv4) | 103.77.192.219
Network indicator (IPv4) | 104.140.114.110
Network indicator (IPv4) | 104.248.49.97
Network indicator (IPv4) | 104.250.191.110
Network indicator (IPv4) | 108.61.246.56
Network indicator (IPv4) | 149.28.14.163
Network indicator (IPv4) | 157.230.221.198
Network indicator (IPv4) | 165.232.154.116
Network indicator (IPv4) | 167.99.168.251
Network indicator (IPv4) | 185.250.151.72
Network indicator (IPv4) | 192.81.208.169
Network indicator (IPv4) | 203.160.69.66
Network indicator (IPv4) | 211.56.98.146
Network indicator (IPv4) | 5.2.69.14
Network indicator (IPv4) | 5.254.43.18
Network indicator (IPv4) | 80.92.205.81
Network indicator (IPv4) | 91.192.103.43
Reference:
https://unit42.paloaltonetworks.com/atoms/zero-day-microsoft-exchange-vulnerabilities/
General Recommendation:
A successful response consists of the following steps:
- Deploy updates to affected Exchange Servers.
- Investigate for exploitation or indicators of persistence.
- Remediate any identified exploitation or persistence, and investigate your environment for indicators of lateral movement or further compromise.
To investigate for exploitation, persistence, or evidence of lateral movement:
- Analyze the Exchange product logs for evidence of exploitation.
- Scan for known web shells.
- Use the updated IOC feed for newly observed indicators.
- Leverage other organizational security capabilities.
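The IoC table above and the "analyze the Exchange product logs" and "scan for known web shells" steps both come down to the same check: compare what is on the server against the listed indicators. The script below is an added example, not part of the advisory or of any vendor tooling. The hash and IP values are the ones listed on this page; the log lines in SAMPLE_LOG are constructed for illustration, and the W3C field order they assume may differ from a real IIS configuration, so adjust the parsing to your own log format.

```python
"""Match the advisory's SHA-256 and IPv4 indicators against local artifacts.

Added example; indicator values are copied from the advisory's IoC table.
SAMPLE_LOG is constructed for illustration (field order is an assumption).
"""
import hashlib
import ipaddress
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# SHA-256 file hashes from the advisory's IoC table
IOC_SHA256 = {
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "d5417c6ea6cfdc8c86f7275b9cea43315c06fead73f2987e2f673a11cde79838",
}

# Network indicators (IPv4) from the advisory's IoC table
IOC_IPS = {
    "103.77.192.219", "104.140.114.110", "104.248.49.97", "104.250.191.110",
    "108.61.246.56", "149.28.14.163", "157.230.221.198", "165.232.154.116",
    "167.99.168.251", "185.250.151.72", "192.81.208.169", "203.160.69.66",
    "211.56.98.146", "5.2.69.14", "5.254.43.18", "80.92.205.81", "91.192.103.43",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def validate_indicators() -> bool:
    """Catch copy/paste damage in the indicator lists before relying on them."""
    for h in IOC_SHA256:
        if not re.fullmatch(r"[0-9a-f]{64}", h):
            raise ValueError(f"not a lowercase SHA-256 hex digest: {h}")
    for ip in IOC_IPS:
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return True


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Stream the file so large artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_hash_hits(paths: Iterable[Path]) -> List[Tuple[str, str]]:
    """Return (path, digest) for every regular file whose SHA-256 is an IoC."""
    hits = []
    for p in map(Path, paths):
        if p.is_file():
            digest = sha256_of_file(p)
            if digest in IOC_SHA256:
                hits.append((str(p), digest))
    return hits


def find_ip_hits(log_lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, ip) for each log line containing an IoC address."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if line.startswith("#"):  # W3C header/directive lines carry no client IP
            continue
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


# Constructed sample in IIS W3C style; the field layout is an assumption.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2021-03-03 10:14:02 GET /owa/auth/logon.aspx 192.0.2.10 200
2021-03-03 10:15:41 POST /ecp/ 104.248.49.97 200
2021-03-03 10:16:05 GET /owa/ 5.2.69.14 200
2021-03-03 10:17:19 GET /owa/ 198.51.100.7 302""".splitlines()


if __name__ == "__main__":
    validate_indicators()
    for n, ip in find_ip_hits(SAMPLE_LOG):
        print(f"log line {n}: IoC address {ip}")
    # Hash every .aspx under the current directory against the file-hash IoCs
    for path, digest in find_hash_hits(Path(".").rglob("*.aspx")):
        print(f"{path}: IoC hash {digest}")
```

A hash miss does not clear a file: the listed hashes cover specific samples, and a web shell with one byte changed produces a different digest, so treat the hash check as a quick triage step alongside content-based web shell scanning and the IoC feed referenced above.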
For more information and recommendations, see the following references:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://us-cert.cisa.gov/ncas/alerts/aa21-062a