Microsoft Exchange 0 Day cyberattack explained! | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065

This is another large-scale cyber attack this year, after the Linux Sudo vulnerability (CVE-2021-3156). This time it’s Microsoft’s turn to face the attack. According to Microsoft, a group of attackers based out of China exploited several Microsoft Exchange 0 Day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that have existed in the Microsoft Exchange code base since 2010. The Microsoft Exchange server attack is considered more significant than the Linux Sudo vulnerability attack because it is a Remote Code Execution attack, which allows attackers to compromise Exchange servers remotely. In this article, we are going to explain what actually happened, who did it, why it matters, and why it is important for you. Before diving into the actual topic, we want to share some basic terms used in this field so that non-technical readers don’t face difficulties in understanding this article.

What is Microsoft Exchange?

If you don’t know what Microsoft Exchange is: it is Microsoft’s email, calendaring, contact, scheduling, and collaboration platform. It is deployed on the Windows Server operating system by medium or large-scale industries to manage internal email and calendar services.

What is Zero-Day Vulnerability?

A zero-day vulnerability is a publicly disclosed vulnerability in a system or an application for which no official patch or security fix has been released by the vendor or owner of the system or application. Zero-day vulnerabilities are often targeted and easily exploited, so they are considered high severity.

What is Zero-Day Exploit?

An exploit is a piece of code, software, or sequence of commands that takes advantage of a bug or vulnerability in a system or application to gain unauthorised access or compromise it with malicious intent. An exploit that targets a zero-day vulnerability is commonly known as a zero-day exploit.

If you go back to April 2020, DHS CISA warned Microsoft for not patching 82% of Exchange server vulnerabilities. Has Microsoft become a victim because of this? Could be.

Let’s see what actually happened in early March 2021. On 2nd March, Microsoft revealed that a China-based group called Hafnium had been launching cyber attacks against various organizations and industries by exploiting four zero-day vulnerabilities in the on-premises versions of Exchange software: Exchange 2013, 2016, and 2019. On the other hand, Microsoft confirmed that its cloud-hosted services, Exchange Online and Office 365, are completely safe from these cyber attacks. This proved once again that the cloud is a better option than on-premises.

Thanks to Muhammad Afaq Khan for creating this video.

How Was The Microsoft Exchange 0 Day Cyberattack Carried Out?

As per Microsoft, the Microsoft Exchange 0 Day cyber attack is carried out in three phases.

  1. Stolen Credentials / Exploit 0 day: First, attackers gain access to the server either with stolen credentials or by exploiting the zero-day vulnerabilities.
  2. Web Shell Install / Backdoor: In the second phase, attackers create a backdoor by dropping a web shell on the server, which lets them access the server remotely.
  3. Remote Access: Finally, attackers allegedly keep the web shell on the server so they can access the server later and exfiltrate data from it.

What Is The Purpose Of This Microsoft Exchange 0 Day Cyber Attack?

To be clear, the main motive behind this attack is not to cause damage. The attack was launched to steal data from Microsoft Exchange servers.

Who is HAFNIUM?

Hafnium is a cyber espionage group based out of China. It’s believed to be a Chinese state-sponsored group that is actively involved in many exfiltration attempts. According to Microsoft, “HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.” This group operates from leased Virtual Private Servers (VPS) in the United States.

Who Are The Targets Of The Microsoft Exchange 0 Day Cyber Attack?

HAFNIUM targets US-based law firms, higher education institutions, defence contractors, think tanks, infectious disease research organizations, and NGOs. This attack is considered more devastating than the Linux Sudo and SolarWinds attacks because HAFNIUM targeted small and medium-sized organizations, which don’t have the advanced capabilities or resources to withstand the attack.

Microsoft Exchange 0 Day Cyberattack Explained In Chronological Order From The Beginning.

  1. In January 2021, Devcore and Volexity warned Microsoft about the four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) found on Exchange servers.
  2. On 18th February 2021, Microsoft confirmed the presence of the vulnerabilities on Exchange servers and announced that it would release the patches on 9th March 2021.
  3. On 26th February 2021, attacks were carried out on a global scale.
  4. In response, on 2nd March 2021, Microsoft released patches for the vulnerabilities.
  5. However, by 5th March 2021, hundreds of thousands of servers had been backdoored globally. The actual number is unknown. There could be millions.

Which Other Cyber Actors Are Involved?

It is also suspected that the attack was not carried out by HAFNIUM alone. There are five more names on the list:

  1. HAFNIUM
  2. TICK
  3. LUCKYMOUSE
  4. CALYPSO
  5. WEBSIIC
  6. WINNTI

This is all about the Microsoft Exchange 0 Day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

Latest News On ProxyLogon Microsoft Exchange Vulnerabilities:

The ProxyLogon Microsoft Exchange vulnerability is in the news again. Attackers are known to keep trying new ways to exploit vulnerabilities. This time, attackers have been found using the Prometei botnet to exploit the ProxyLogon Microsoft Exchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858) in order to penetrate the network and install Monero crypto-mining malware on the targets. Let’s see how the ProxyLogon Microsoft Exchange vulnerability is being exploited by the Prometei botnet.

Please continue reading about the technical details and mitigation steps in the below posts:

  1. Step by step procedure to detect the Microsoft Exchange 0 Day exploit.
  2. Steps to mitigate Microsoft Exchange 0 Day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
