Proof-of-Concept Exploit Code Released for Critical Exchange Vulnerabilities

THE THREAT

As of, March 10th, 2021, publicly available Proof-of-Concept (PoC) exploit code and in-depth technical details for two of the recent Microsoft Exchange zero-day vulnerabilities (known as ProxyLogon) has been confirmed. The PoC code will allow less skilled threat actors to exploit CVE-2021–26855 and CVE-2021–27065 and cause Remote Code Execution on vulnerable on-premise Exchange servers.

Widespread exploitation of these vulnerabilities is now imminent. Organizations that have not already applied the Microsoft security patches need to do so immediately.

What we’re doing about it

• eSentire teams have deployed detection content across our services in response to these attacks
  • esENDPOINT identifies suspicious Exchange processes and post-exploitation activity associated with known attacks
  • eSentire's BlueSteel engine identifies malicious PowerShell activity associated with this threat
  • esLOG identifies exploitation of CVE-2021-26857 and CVE-2021-27065
    • Contact your Customer Success Manager if you would like to enable or confirm proper Exchange logging.
  • esNETWORK identifies exploitation of CVE-2021-26857 and CVE-2021-26855
• In parallel to detection activity mentioned above, we are actively reviewing customer environments for Indicators of Compromise (IoCs)
• MVS has local plugins available to identify all related vulnerabilities
  • MVS customers seeking assistance with their review or scans, please contact your MVS consultant or the eSentire Security Operations Center (SOC)
• eSentire security teams continue to track this topic and additional detection measures are currently under review

What you should do about it

• All affected versions of Microsoft Exchange should be prioritized for immediate patching
  • Specific guidance on updating these systems can be found here
• If security patches cannot be deployed, organizations should enforce the mitigation steps provided by Microsoft until patching becomes possible
  • Mitigation actions will impact some Exchange functions
• Organizations are strongly encouraged to use the MSERT tool to identify and remediate malicious actions
  • This action is recommended even if organizations have already run the Microsoft PowerShell script for identifying known Indicators of Compromise (IoCs)
• esENDPOINT customers are advised to deploy endpoint agents to on-premise Exchange servers for ongoing monitoring

Additional information

The eSentire Threat Intelligence team has observed several markers towards mass exploitation of ProxyLogon vulnerabilities in the last 24 hours. Security firm Praetorian released technical details of the vulnerabilities on March 9th, but omitted publishing key details for exploitation. During the afternoon of March 10th, several reports of working Proof-of-Concept code emerged online. While we have not independently verified the PoC, several prominent security researchers have attested to their validity.

Given the increasing scope of widespread attacks over the past week and emergence of vulnerability details and working exploits, organizations must take immediate action to mitigate the vulnerabilities through security updates, workarounds or by restricting access to their on-prem Exchange servers.