New Microsoft Exchange Vulnerability Disclosed

Several new CVEs targeting MS Exchange servers have been discovered and shared by Microsoft. Attacks using these CVEs include manipulation of domain admin accounts, deployment of a web shell and exfiltration of data.

Cato Networks security team has already developed and deployed the proper defenses for this new threat.

Earlier this week Microsoft disclosed a set of new 0-day CVEs (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065) which were (and still are) used by the HALFIUM group to target Microsoft Exchange servers. These vulnerabilities were used by the attackers to create files and web shells using privileged users accounts which gave the attackers persistent access to the vulnerable servers as well as RCE (Remote Code Execution) capabilities and data exfiltration. According to available forensics and security investigations the affected entities were mainly US government entities and retailers.

As part of our research on new and emerging threats, Cato Networks researchers have found evidence of attackers (not necessarily the HALFIUM group) running a script to scan for vulnerable servers.

A code snippet from the scanning script

A code snippet from the scanning script

 

Additional Reading:
Microsoft official release: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

CNN: https://www.cnn.com/2021/03/03/tech/microsoft-exchange-server-hafnium-china-intl-hnk/index.html