
The recently reported collection of Microsoft Exchange Server zero-day vulnerabilities has rocked the infosec world, impacting tens of thousands of organizations around the world, with some estimates exceeding 100,000 and growing by the day.

The exploitations seen in the wild were first attributed to a nation-state actor dubbed Hafnium, but the vulnerabilities and attacks have colloquially become known as “ProxyLogon” in reference to the main vulnerability among the zero-days involved. The common form of ProxyLogon attacks seen so far involves vulnerable Exchange Servers being exploited and web shells dropped on those servers. However, as news of the zero-days spread, opportunistic malicious actors have begun scanning for those web shells, because finding one can be a shortcut to deploying ransomware or cryptominers, or launching other attacks, all without needing to go through the trouble of finding a way into a network.

“These web shells are dangerous because they can be activated at any time after they’ve been installed, even on a subsequently patched system,” said Mat Gangwer, senior director of Sophos Managed Threat Response (MTR). “Even more concerning is that anybody can come along and use them. It doesn’t just have to be the original attacker who put it there. It might initially have been a nation-state adversary, but it’s not anymore.”

Although MTR customers have not seen attacks progress to the level of ransomware or cryptominers, Microsoft has reported a new ransomware threat – DearCry – targeting vulnerable Exchange servers and the web shells left behind after successful Exchange attacks. While the web shells placed on victim devices could be the source of any further attacks that occur, the first step is still to ensure all Exchange Servers are patched against the original zero-day vulnerabilities. There are four zero-day vulnerabilities that must be patched: CVE-2021-26855, also known as “ProxyLogon,” is a server-side request forgery flaw that can be chained with CVE-2021-27065, a post-authentication arbitrary file write bug, for an attacker to achieve remote code execution. Additionally, CVE-2021-26857 and CVE-2021-26858 have been used in Exchange server attacks.

Microsoft released out-of-band patches for Exchange Server 2013, 2016, and 2019, as well as a defense-in-depth update for Exchange Server 2010 because that version is only vulnerable to CVE-2021-26857. Microsoft said Exchange Server 20 are not vulnerable.
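The point Gangwer makes above is that patching closes the entry vector but does nothing about a web shell that was dropped before the patch, so the web root has to be reviewed as a separate step. The following Python script is an added example written for this page; it is not code from the article, from Sophos or from Microsoft. It reports server-side script files that are either absent from a known-good manifest or modified after a baseline time at which the server was last believed to be clean. The directory names (`owa/auth`, `ecp/auth`), the file names, the manifest and the timestamps are all constructed for the demonstration and are not a description of a real Exchange installation; a practitioner would point it at the actual web root and build the manifest from a trusted install or from vendor file lists.

```python
"""Hunt for unexpected server-side script files under a web root.

Added example, not from the original article. Two cheap signals are used:
a script file that is not in a known-good manifest, and a manifest file
whose modification time is later than the baseline. The sample layout and
manifest below are constructed for the demo.
"""
import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Assumption: these are the IIS-served script types worth reviewing.
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asp"}


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the web root, POSIX separators
    reason: str  # "not in manifest" or "modified after baseline"


def find_unexpected_scripts(root, expected, baseline_epoch):
    """Return Findings for script files under root that are not in the
    expected manifest or were modified after baseline_epoch."""
    root = Path(root)
    expected = {p.replace("\\", "/") for p in expected}
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        if rel not in expected:
            findings.append(Finding(rel, "not in manifest"))
        elif path.stat().st_mtime > baseline_epoch:
            findings.append(Finding(rel, "modified after baseline"))
    return findings


# Constructed known-good manifest for the sample tree below.
EXPECTED_MANIFEST = {"owa/auth/logon.aspx", "ecp/auth/helper.aspx"}


def build_sample_root():
    """Create a constructed web root in a temp dir.

    Returns (root, baseline_epoch). File names and times are invented:
      owa/auth/logon.aspx   expected, untouched since before the baseline
      ecp/auth/helper.aspx  expected, but modified after the baseline
      owa/auth/extra.aspx   not in the manifest
      owa/auth/logon.css    not a script type, ignored
    """
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    baseline = time.time() - 86400          # "known clean" 24 h ago
    files = {
        "owa/auth/logon.aspx": baseline - 3600,
        "ecp/auth/helper.aspx": baseline + 600,
        "owa/auth/extra.aspx": baseline + 1200,
        "owa/auth/logon.css": baseline + 1200,
    }
    for rel, mtime in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<%-- constructed placeholder, no code --%>\n")
        os.utime(p, (mtime, mtime))
    return root, baseline


def main():
    root, baseline = build_sample_root()
    try:
        for f in find_unexpected_scripts(root, EXPECTED_MANIFEST, baseline):
            print(f"{f.path}: {f.reason}")
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    main()
```

The manifest check catches files that should not exist at all; the mtime check catches a legitimate page that was overwritten or appended to, which a name-only comparison would miss. Neither signal depends on the shell's content, so the script needs no signature list, but an attacker who resets timestamps defeats the second check, which is why the manifest comparison (ideally by hash rather than name) is the stronger of the two.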
