I'm under

attack

Microsoft Exchange Zero-Day Attacks: What they are and how to prevent them

Updated: Apr 2


Early last week, multiple so-called "zero-day" attacks, or attacks whose vulnerabilities are unknown to users, administrators and even vendors, impacted Microsoft Exchange servers. While unconnected at this point to the Orion SolarWinds supply-chain attack, the market penetration of Exchange makes it so that these zero-day vulnerabilities have the potential to be catastrophic for enterprise owners. Coupled with reported nation-state actor activity, the sophistication of these groups increases the threat faced by impacted enterprise owners.


Why is it so critical to identify and patch zero-day vulnerabilities?


When left unpatched, the attacker is able to use the vulnerabilities in a "perfect storm" scenario. The threat actor (TA) can remotely execute code that could compromise the integrity of the servers, giving the attackers the opportunity to create backdoors leading to sustained on-net access, which can lead to data exfiltration, data held for ransom and/or additional operations and malware deployed to the enterprise.


The known vulnerabilities in the scenario impacting the on-premise Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 were:

  • CVE-2021-26855: Side Request Forgery (SSRF) vulnerability allowing for tailored HTTP requests to be sent via unauthenticated/uncredentialed TAs.

  • CVE-2021-26857: Vulnerability that allows for arbitrary code deployment under SYSTEM. This step is contingent on other vulnerabilities where unauthenticated access is needed to deploy that arbitrary code (highlighted by the previous CVE).

  • CVE-2021-26858 and CVE-2021-27065: Vulnerabilities that are used as a post-authentication means to hijack data, as the TA can leverage them to write to specific paths.

The attack on Microsoft Exchange servers specifically highlights the need to have redundancy in availability – notice that the online servers are unaffected while the attack and vulnerabilities are centered on on-premises infrastructure. It is also advisable to implement network enumeration, which must constantly occur to account for all inventory, which will inform on which information systems require which patches relative to their operating system(s) and versions.


When it comes to zero-day vulnerabilities, patch immediately, frequently and be sure to tailor your approach to your specific systems. To validate the security of your enterprise, you can employ additional offensive security tactics like threat hunting for known indicators of compromise (IOCs) and markers of persistence, and stress-testing the environment by conducting a network penetration test. For more information on approaches to proactive security measures, read more about Redpoint Labs and reach out to our team.