Vulnerability Details
There are four separate vulnerabilities which malicious actors are utilising to target exposed Microsoft Exchange servers.
- CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialised by a program. Exploiting this vulnerability gives an actor the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- CVE-2021-26858: A post-authentication arbitrary file write vulnerability in Exchange. If an actor could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- CVE-2021-27065: A post-authentication arbitrary file write vulnerability in Exchange. If an actor could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Affected Microsoft Exchange versions
For the most accurate information on affected Microsoft Exchange versions please refer to guidance available from Microsoft. At the current time the known vulnerable versions of Microsoft Exchange are:
- Microsoft Exchange 2010 (only vulnerable to CVE-2021-26857)
- Microsoft Exchange 2013
- Microsoft Exchange 2016
- Microsoft Exchange 2019
Exploitation and post-exploitation activities
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) is aware of malicious actors exploiting CVE-2021-26855 for initial access to the vulnerable Microsoft Exchange servers. This vulnerability does not require authentication, and is trivial to exploit. Once initial exploitation is successful actors are able to retrieve e-mail inventories from all users stored on the server. In addition, malicious actors can exploit one of the other vulnerabilities to achieve arbitrary remote code execution or arbitrary file upload on the targeted server.
Malicious actors have leveraged these vulnerabilities to establish persistence utilising web shells on the compromised Microsoft Exchange servers, enabling further compromise of the Exchange server and associated internal network.
Cybercrime actors are known to have deployed ransomware to overseas organisations through Microsoft Exchange vulnerabilities. Australian organisations who have not patched are at risk of cybercriminals attempting to deploy ransomware on their networks through these vulnerabilities.
Mitigation and detection recommendations
ASD’s ACSC recommended prioritised mitigations
The ASD’s ACSC recommends immediate patching of all vulnerable Microsoft Exchange servers with Exchange servers exposed to the internet prioritised above servers accessible only on internal networks. All vulnerabilities identified in this advisory were patched by security updates released on 3 March 2021.
If patching is not possible immediately the following actions should be taken as soon as possible:
- Implement the interim mitigations advised by Microsoft, or
- Prevent access to vulnerable Microsoft Exchange servers from the internet, or
- Remove vulnerable Microsoft Exchange servers from the network.
These are temporary measures and only recommended where patching is not possible immediately.
Once patching or interim mitigations are applied the ASD’s ACSC strongly recommends investigating all exposed Microsoft Exchange servers for signs of compromise.
ASD’s ACSC recommended investigative actions
Regardless of how quickly patches were applied there remains a significant risk that malicious actors may have exploited and compromised vulnerable Microsoft Exchange servers prior to the application of patches. The following is a prioritised list of recommended investigative actions to check for signs of exploitation and compromise.
This guidance only covers looking for evidence of exploitation of the Microsoft Exchange vulnerabilities and web shell based post-exploitation activity. It is not intended as complete investigative guidance for all stages of an intrusion.
1. Scan all Microsoft Exchange servers utilising the One-Click Microsoft Exchange On-Premises Mitigation Tool
Microsoft have released the One-Click Microsoft Exchange On-Premises Mitigation Tool to help organisations implement interim mitigations as well as to scan and remove malicious files. Microsoft recommends running this tool on unpatched servers as well as servers which have been patched but not investigated for signs of exploitation and compromise. Additionally Microsoft have identified that this tool replaces the previously released Microsoft mitigation script ExchangeMitigations.ps1. Details on the tool and future updates are available from Microsoft.
Microsoft has identified that this tool cannot be guaranteed to identify all malicious activity. The ASD’s ACSC still recommends completing the additional investigative actions below.
2. Review Microsoft Exchange log files for evidence of exploitation and compromise
Microsoft has detailed which artifacts to review and what evidence to look for which can indicate exploitation for all four vulnerabilities. Microsoft have also release a PowerShell script to help organisations perform these checks. Details of the recommended analysis and the PowerShell script are available from Microsoft.
3. Review file systems and HTTP log files for presence of known malicious web shell paths
Web shells with identical filenames across multiple victims have been identified by multiple cyber security organisations. Organisations should review exposed Microsoft Exchange servers for the presence of these indicators and review any files for malicious content. The lack of any of these indicators above is not a guarantee of a lack of exploitation or successful compromise. Indicator sources include:
- Indicators from ASD’s ACSC investigations available in the download document.
- Identified host-based indicators of compromise available from Microsoft.
- Indicators of compromised references in the Cybersecurity and Infrastructure Security Agency’s AA21-062A alert.
4. Review and enact web shell identification and prevention guidance
The Australian Signals Directorate and the National Security Agency collaborated to release some guidance on identifying and preventing web shells. It is recommended that organisations which had exposed Exchange servers review and act on this guidance. This guidance is available on cyber.gov.au.
Incident reporting
Organisations that have been impacted or have indications that your environment has been compromised can report a cyber security incident to the ASD’s ACSC via cyber.gov.au.