Top Microsoft Exchange Server vulnerabilities exploited in 2021

Romeion Case
4 min read · Mar 7, 2022

In 2021, criminals launched a flood of attacks on Microsoft Exchange servers by exploiting what were then zero-day vulnerabilities. Exploitation in the wild was later traced back to early January 2021, and it continued until Microsoft released out-of-band security updates for the four vulnerabilities on March 2, 2021.

During that period an estimated 60,000 organizations were compromised, and the number kept growing: attacks targeting these vulnerabilities actually increased after Microsoft's security updates shipped. Attackers know that the window of opportunity closes as servers are patched, so they try to breach as many targets as possible before that happens.

The Exchange Server versions affected by the exploits, all of which require immediate updating, are listed below.

- Microsoft Exchange Server 2013

- Microsoft Exchange Server 2016

- Microsoft Exchange Server 2019

The Microsoft Exchange Server Exploits

These are the four main Common Vulnerabilities and Exposures (CVE) entries that were exploited in the 2021 attacks. They are listed below along with their CVSS (Common Vulnerability Scoring System) scores. CVSS is an open industry standard for assessing the severity of vulnerabilities, which lets responders prioritize their response and resources. CVSS v3 scores severity on a 0.0–10.0 scale: 0.1–3.9 is rated Low, 4.0–6.9 Medium, 7.0–8.9 High and 9.0–10.0 Critical.

1. CVE-2021-26855 (CVSS: 9.1, Critical)

This vulnerability is the entry point of the attack chain; the other vulnerabilities covered below are exploited after it. The initial attack requires only the ability to make an untrusted (unauthenticated) connection to the Exchange server on port 443. It is classified as a server-side request forgery (SSRF): the attacker sends crafted HTTP requests that the Exchange front end (Client Access) forwards to the back end on the attacker's behalf, authenticated as the Exchange server itself. The practical effect is an authentication bypass, not merely a request to an arbitrary domain.

Because this vulnerability is the entry point, remediation efforts should focus on it first. Closing it removes the unauthenticated path to the secondary vulnerabilities, although those remain reachable by an attacker who already holds valid credentials, so it is not a substitute for patching all four.

2. CVE-2021-26857 (CVSS: 7.8, High)

This is an insecure deserialization vulnerability in the Unified Messaging service. Once exploited, an attacker gains arbitrary code execution as SYSTEM. (By default, the SYSTEM account is granted Full Control permissions on all files on an NTFS volume and, for practical purposes, has the same rights as a local Administrator.) Exploiting it requires administrator permission or another vulnerability, which is why it sits behind CVE-2021-26855 in the chain.

The SOAP traffic seen in these attacks does not come from this SYSTEM-level access but from the SSRF: through CVE-2021-26855 the attackers could issue Exchange Web Services (EWS) SOAP requests as the server itself, for example to read mailbox contents.

3. CVE-2021-26858 (CVSS: 7.8, High)

This is a post-authentication arbitrary file write vulnerability. Once an attacker is authenticated, either by exploiting CVE-2021-26855 or by compromising a legitimate administrator's credentials, CVE-2021-26858 and CVE-2021-27065 (below) can be used to write a file to any path on the server. Because authentication is a prerequisite, these two vulnerabilities are exploited in the final stage of the chain.

4. CVE-2021-27065 (CVSS: 7.8, High)

This vulnerability is also a post-authentication arbitrary file write and presents the same compromise capability as CVE-2021-26858. In the observed attacks it was triggered by setting the ExternalUrl of an Exchange virtual directory (typically the OAB virtual directory) to a value containing server-side script, then resetting the virtual directory so that the configuration was written out to an attacker-chosen path as an ASPX web shell.

How does it work?

Observing the activities of HAFNIUM, the group Microsoft credited with first exploiting these vulnerabilities in the wild, gives insight into the attackers' tactics, techniques and procedures.

The most critical vulnerability on the list, CVE-2021-26855, is exploited first to obtain authenticated access to the server without any credentials.

Once authenticated, the attacker uses the file write vulnerabilities CVE-2021-26858 and CVE-2021-27065 to write files of their choosing to any path on the targeted Exchange server, and can use CVE-2021-26857 to run code as SYSTEM.

The files written are web shells, which act as backdoors and give the attackers remote command execution on the server. From there they can run further commands, steal credentials (HAFNIUM was observed dumping LSASS process memory for this purpose), exfiltrate mailbox data and deploy ransomware.

Indicators of Compromise (IOC)

All organizations running any of the versions listed above whose servers remain unpatched are still vulnerable.

To check whether your servers have already been exploited, use Microsoft's IOC detection script, Test-ProxyLogon.ps1, published in the microsoft/CSS-Exchange repository on GitHub. It scans the Exchange HttpProxy, ECP and OAB generator logs and the Windows event log for the indicators associated with each of the four CVEs.

Microsoft also maintains a feed of malware hashes and malicious file paths (known web shell locations) associated with these Exchange Server exploits, and updates it as new activity is observed.

The most up-to-date information on IOCs from Microsoft can be found here.
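The detection logic behind two of the published indicators, as an added example that is not part of the original article and is not Microsoft's own script: Microsoft's guidance flags CVE-2021-26855 by HttpProxy log rows whose AnchorMailbox matches ServerInfo~*/* or whose BackEndCookie matches Server~*/*~*, and flags CVE-2021-27065 by ECP server log lines that run Set-*VirtualDirectory (with script in the ExternalUrl being the web shell drop). The sample log lines below are constructed and reduced to a handful of columns (real HttpProxy logs carry many more); the parser keys on the column names from the #Fields: header, so it also works on exported production logs.

```python
"""Offline ProxyLogon indicator checks over exported Exchange logs.

Added example (not the article's or Microsoft's code). The sample log text
is constructed: a reduced HttpProxy log and two simplified ECP server log
lines, enough to exercise the two checks below.
"""
import csv
import fnmatch
import re
from typing import Dict, Iterable, List

# Constructed sample HttpProxy log. Row 1 is a normal OWA request; row 2
# carries the ServerInfo~ anchor mailbox seen in CVE-2021-26855 SSRF traffic;
# row 3 carries the Server~ back-end cookie form of the same indicator.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,UrlStem,AnchorMailbox,BackEndCookie,ClientIpAddress,HttpStatus
2021-03-03T10:15:01.000Z,/owa/,alice@contoso.local,,10.0.0.5,200
2021-03-03T10:16:44.000Z,/owa/auth/x.js,ServerInfo~a]@exch01.contoso.local/ecp/y.js,,198.51.100.7,200
2021-03-03T10:17:02.000Z,/ecp/y.js,,Server~exch01.contoso.local/ecp/proxyLogon.ecp~1941962753,198.51.100.7,200
"""

# Constructed sample ECP server log lines (format simplified). The second line
# sets the OAB virtual directory ExternalUrl to a value carrying server-side
# script, the CVE-2021-27065 web shell drop.
SAMPLE_ECP_LOG = """2021-03-03T10:18:30.000Z,S:CMD=Get-OabVirtualDirectory;
2021-03-03T10:18:31.000Z,S:CMD=Set-OabVirtualDirectory -ExternalUrl 'http://f/<script language="JScript" runat="server">...</script>'
"""


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse an Exchange HttpProxy log into dicts keyed by column name.

    Comment lines start with '#'; the '#Fields:' line names the columns.
    If no '#Fields:' line is present, the first data line is the header.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if not line.strip():
            continue
        values = next(csv.reader([line]))
        if fields is None:
            fields = values
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def find_ssrf_indicators(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows matching Microsoft's HttpProxy indicators for CVE-2021-26855."""
    hits = []
    for row in rows:
        anchor = row.get("AnchorMailbox", "")
        cookie = row.get("BackEndCookie", "")
        if (fnmatch.fnmatchcase(anchor, "ServerInfo~*/*")
                or fnmatch.fnmatchcase(cookie, "Server~*/*~*")):
            hits.append(row)
    return hits


# Microsoft's ECP log pattern for virtual directory changes, plus a stricter
# check for script in the value, which is what turns the write into a shell.
VDIR_SET_RE = re.compile(r"Set-.+VirtualDirectory", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def find_vdir_writes(ecp_log: str) -> List[Dict[str, str]]:
    """ECP lines that change a virtual directory; 'high' confidence if the
    new value contains script (CVE-2021-27065), 'review' otherwise, since a
    legitimate admin can also run Set-*VirtualDirectory."""
    hits = []
    for line in ecp_log.splitlines():
        if VDIR_SET_RE.search(line):
            confidence = "high" if SCRIPT_RE.search(line) else "review"
            hits.append({"line": line, "confidence": confidence})
    return hits


def scan(httpproxy_text: str, ecp_text: str) -> Dict[str, list]:
    """Run both checks and return hits keyed by CVE."""
    return {
        "cve-2021-26855": find_ssrf_indicators(parse_httpproxy_log(httpproxy_text)),
        "cve-2021-27065": find_vdir_writes(ecp_text),
    }


if __name__ == "__main__":
    for cve, hits in scan(SAMPLE_HTTPPROXY_LOG, SAMPLE_ECP_LOG).items():
        print(f"{cve}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On real data, read each *.log file under the HttpProxy and ECP\Server logging directories and feed the text to the same functions; a hit on the SSRF check is a strong signal on its own, while a 'review' hit on the virtual directory check should be matched against the change history before calling it malicious.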

Mitigation and Remediation

These vulnerabilities can be mitigated by restricting untrusted connections to the server, or by placing the Exchange Server behind a VPN so that it is not reachable directly from the internet. Note that this only blocks the initial, unauthenticated portion of the attack (CVE-2021-26855): the rest of the chain can still be triggered by an attacker who already has access or who can convince an administrator to run a malicious file. Treat it as a stopgap, not a fix.

That said, if your servers are exposed to CVE-2021-26855 (and every unpatched server of the listed versions is), you must install the necessary security updates immediately.

I recommend prioritizing the updates on Exchange Servers that are externally facing.

The latest Exchange patch releases, and detailed download and installation instructions can be found here.

Also, CISA, the United States Cybersecurity and Infrastructure Security Agency, has published Alert AA21-062A, "Mitigate Microsoft Exchange Server Vulnerabilities", a response guide covering CVE-2021-26855 and the related CVEs. It explains how to conduct forensic analysis on a suspected server and how to steer your remediation efforts.

Romeion Case

I am a cybersecurity professional, seeking to use my knowledge and experience to help make the world a much safer place.