Operation Exchange Marauder: Mass Exploitation of On-Prem Exchange Servers
On March 2, 2021, Microsoft released a series of emergency security patches for Exchange Server 2019, 2016, 2013, and 2010.
The fact that Exchange 2010 is end-of-life, yet Microsoft still released a security patch for it, underscores the severity and urgency of this threat. The security community continues to research, threat hunt, and share knowledge about the exploit and observed attacks in the wild.
How to Remediate this Threat
Step 1 – Patch!
The emergency security patches address vulnerabilities, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Patching all affected systems is critical, but not sufficient, in ensuring that your organization has not been compromised. Based on intelligence sharing in the security community, it is possible that this vulnerability has been actively exploited since September 2020.
Step 2 – Validate!
After the patches have been applied, all Exchange systems must be validated to ensure that the patches have been applied successfully and the systems are no longer vulnerable. The security community has observed instances where a patch appeared to be successful upon installation, but the server was still vulnerable when scanned.
Several third-party scripts have been released to help organizations validate that their Exchange systems are no longer vulnerable. Here is one example of a nmap script to check if Exchange servers are vulnerable. Note: the creator of this script is not affiliated with Avertium.
Step 3 – Hunt!
Part of why this vulnerability is so serious is that it gives attackers the ability to set up persistent web shells on the Exchange servers, which allow them to run arbitrary code on those systems even after the servers have been patched. In other words, just because your Exchange servers have been patched and are no longer vulnerable to this exploit, does not mean that adversaries have not already exploited them in their previous unpatched state and gained a foothold in your environment.
Avertium teams are actively threat hunting in affected environments – searching for known IPs which have exploited this vulnerability in network traffic logs and investigating user agent strings in web activity in our SIEM tools. However, there are indicators of compromise (IOCs) that have been published that are not easily detectable by SIEM or EDR tools, because once the Exchange server vulnerability has been exploited, subsequent activity looks normal for an Exchange server.
The security community has again collaborated to share knowledge and tools to detect these additional IOCs. Microsoft has released PowerShell scripts to check for IOCs.
Exchange server installation directories should be checked for anomalous .aspx files. These are the persistent web shells that would allow an attacker to execute arbitrary code on the system even after patching. If any anomalous .aspx files are found, it is an indication that the Exchange vulnerability was exploited in your environment and further DFIR engagement is required.
Avertium teams are standing by to assist both with the deeper threat hunting on Exchange servers and with DFIR (should IOCs be found.)
We recognize the graveness of this latest attack and are here to help. If you are a current Avertium customer and believe your organization has been exposed, please contact your representative. If you aren’t yet an Avertium customer, please call us on our 24-hour hotline at 877-707-7997 or contact us here.