Exploit Attempts on Microsoft Exchange Servers Detected by Cyble Honeypot Sensors

On March 2, 2021, the Microsoft Security Response Center released various security updates for the Microsoft Exchange server. These updates are directed at tackling server vulnerabilities targeted by cyberattacks. We have already advised our customers to update the affected systems as soon as possible to prevent future abuse. 

Vulnerabilities that have affected Microsoft Exchange Servers 2013, 2016, and 2019 are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. These are security-related vulnerabilities released and updated on March 2, 2021. 

The Cyble Research team has detected numerous attempts to exploit vulnerable Exchange Servers. Our Honeypot sensors have captured exploit attempts originating from several IPs known to be malicious in nature. The attackers exploit Exchange Server vulnerabilities to gain remote code execution (RCE) on targeted machines. They also attack unpatched Exchange Servers, with similar attempts captured by the Cyble Research team.  

Figure 1: Attacks captured on Honeypot sensor. 

The attackers drop webshells to paths including Microsoft Exchange Server Installation paths such as: 

  • C:\inetpub\wwwroot\aspnet_client\ 
  • C:\inetpub\wwwroot\aspnet_client\system_web\ 
  • %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ 
  • C:\Exchange\FrontEnd\HttpProxy\owa\auth\ 

The webshells allow attackers to further infect targeted machines and dump credentials, add new user accounts for root access, and steal credentials and user mailboxes. Most of the attacks are originating from known malicious source IPs. Our sensors observed that the attackers communicate through Port 443 to drop webshells like the \owa\auth\logon.aspx” file shown in Fig1. Some of the webshells observed by researchers can be seen below:  

We have discovered that the attacks have been originating from various countries. The distribution of attack sources captured by two of our sensors can be seen below. 

We found 100+ attacks last week, originating from unique IPs targeting vulnerable Exchange Servers. The Exchange Server vulnerability allows attackers to send POST requests to the target machine without any need for authentication to set communication. After obtaining the initial information of IP address and domain names of the Exchange Server, the attacker sends an HTTP POST request to the Exchange server with a Simple Object Access Protocol (SOAP) payload which allows to bypass authentication. After that, the attacker can perform any operation on the target’s mailbox. 

We captured events related to POST requests attempting remote code execution. After finding the /owa/ path using the GET request, the attackers execute a POST request to find email databases using Auto Discover for path: http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a\The screenshot below has been captured from one of the Exchange Server logs. 

The Cyble Research team is continuously monitoring to harvest the threat indicators/TTPs of attacks related to Microsoft Exchange Servers in the wild. 

Our Recommendations: 

  • Block the IPs shared in the IOCs below. 
  • We strongly recommend our customers update on-premises systems immediately and recently released updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 CVE-2021-26858 are available here
  • Please follow mitigation guidance shared by MSRC: Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 
  • We encourage our customers to conduct investigations and implement proactive measures to identify possible prior campaigns and prevent future campaigns that may target their systems. 
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 
  • People concerned about their exposure in the Dark web can register at AmiBreached.com to ascertain their exposure. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 

Indicators of Compromise (IOCs): 

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com

Scroll to Top