
State-sponsored Attackers Exploit Zero-day Microsoft Exchange Vulnerabilities

Volexity revealed active exploitation of multiple Microsoft Exchange Server vulnerabilities to pilfer users’ e-mail and compromise servers.


Security researchers at Volexity discovered state-sponsored hacking groups exploiting critical Microsoft Exchange bugs, patched only days later, in attacks dating back to January 6, 2021. The technology giant recently addressed four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) and three other vulnerabilities (CVE-2021-27078, CVE-2021-26854, and CVE-2021-26412) in its Patch Tuesday security update.

Volexity reported that threat actors were exploiting the CVE-2021-26855 Microsoft Exchange Server vulnerability in ongoing attacks to obtain remote code execution on vulnerable Exchange servers. Volexity identified a large volume of data being transferred from the Exchange servers to unknown IP addresses that it could not tie to legitimate users.

“The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the servers might be backdoored and that webshells were being executed through a malicious HTTP module or ISAPI filter. This investigation revealed that the servers were not backdoored and uncovered a zero-day exploit being used in the wild,” Volexity said.

Volexity’s researchers found that the attackers were exploiting a zero-day server-side request forgery (SSRF) flaw to steal the entire contents of several user mailboxes. Because CVE-2021-26855 is remotely exploitable, an attacker needs neither authentication nor any prior access to the target environment.

Indicators of Compromise

The static OWA resource paths that received the anomalous inbound POST requests in the logs Volexity examined:

/owa/auth/Current/themes/resources/logon.css
/owa/auth/Current/themes/resources/owafont_ja.css
/owa/auth/Current/themes/resources/lgnbotl.gif
/owa/auth/Current/themes/resources/owafont_ko.css
/owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
/owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf
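The detection signal Volexity describes is simple: browsers only ever GET static theme files such as stylesheets, images and fonts, so a POST to one of them is anomalous on its own. The script below, an added example written for this article and not Volexity's or Microsoft's tooling, parses IIS W3C-format log lines and flags such requests. It uses the indicator paths listed above and, going slightly beyond the article's list, also flags a POST to any other static file under the same themes directory. The log lines, server and client IP addresses are constructed for the example; the field layout follows the IIS W3C `#Fields:` header convention, and the function and constant names are this example's own.

```python
from typing import Dict, Iterator, List

# Static OWA resource paths that received inbound POST requests according
# to the article's indicator list (copied from the page as given).
SUSPICIOUS_PATHS = {
    "/owa/auth/Current/themes/resources/logon.css",
    "/owa/auth/Current/themes/resources/owafont_ja.css",
    "/owa/auth/Current/themes/resources/lgnbotl.gif",
    "/owa/auth/Current/themes/resources/owafont_ko.css",
    "/owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot",
    "/owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf",
}

# Generalisation (assumption, not from the article): a POST to any static
# file under the OWA themes directory is equally out of place, since
# browsers only GET such resources.
STATIC_PREFIX = "/owa/auth/Current/themes/resources/"
STATIC_EXTENSIONS = (".css", ".gif", ".png", ".js", ".eot", ".ttf", ".woff")


def parse_w3c(lines) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # e.g. ['date', 'time', 's-ip', ...]
            continue
        if line.startswith("#") or fields is None:
            continue                       # other directives, or no header yet
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed record; skip rather than guess
        yield dict(zip(fields, values))


def is_anomalous(record: Dict[str, str]) -> bool:
    """True for a POST aimed at a static OWA theme resource."""
    if record.get("cs-method", "").upper() != "POST":
        return False
    path = record.get("cs-uri-stem", "")
    if path in SUSPICIOUS_PATHS:
        return True
    return path.startswith(STATIC_PREFIX) and path.lower().endswith(STATIC_EXTENSIONS)


def find_anomalies(lines) -> List[Dict[str, str]]:
    """Return every record in the log that trips the rule."""
    return [rec for rec in parse_w3c(lines) if is_anomalous(rec)]


# Constructed sample log (not real traffic). 198.51.100.23 plays a normal
# OWA user; 203.0.113.77 plays the source of the suspicious POSTs.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-03-02 10:15:01 10.0.0.5 GET /owa/auth/Current/themes/resources/logon.css - 443 198.51.100.23 200
2021-03-02 10:15:07 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 203.0.113.77 200
2021-03-02 10:15:09 10.0.0.5 POST /owa/auth.owa - 443 198.51.100.23 302
2021-03-02 10:15:12 10.0.0.5 POST /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot - 443 203.0.113.77 200
2021-03-02 10:15:20 10.0.0.5 POST /owa/auth/Current/themes/resources/lgnexlogo.png - 443 203.0.113.77 200
""".splitlines()


def suspicious_sources(lines) -> List[str]:
    """Distinct client IPs behind the anomalous requests, sorted for stable output."""
    return sorted({rec["c-ip"] for rec in find_anomalies(lines)})


if __name__ == "__main__":
    for rec in find_anomalies(SAMPLE_LOG):
        print(f"{rec['date']} {rec['time']} {rec['c-ip']} POST {rec['cs-uri-stem']}")
    print("sources:", suspicious_sources(SAMPLE_LOG))
```

The legitimate POST to /owa/auth.owa (the normal OWA login form) is deliberately left alone: the rule keys on the target being a static resource, not on POST alone, which keeps the false-positive rate low enough to run over a full IIS log directory.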

Volexity urged organizations to apply the available security patches, or to temporarily disable external access to Microsoft Exchange, as soon as possible.

“Highly skilled attackers continue to innovate to bypass defenses and gain access to their targets, all in support of their mission and goals. These vulnerabilities in Microsoft Exchange are no exception. These attackers are conducting novel attacks to bypass authentication, including two-factor authentication, allowing them to access e-mail accounts of interest within targeted organizations and remotely execute code on vulnerable Microsoft Exchange servers,” Volexity added.