Microsoft Exchange on-premise vulnerabilities – March 2021
CVE ID
CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-1730, CVE-2021-27078
Effects
These vulnerabilities allow remote code execution on on-premises Microsoft Exchange Server. They enable attackers to gain persistent access to the system and control over the enterprise network.
China-based attackers were exploiting these bugs in Exchange Server to steal sensitive data from companies around the world.
Note: These CVEs are not known to affect Microsoft 365 and Azure Cloud deployments.
Mitigate impact
– Applying the latest Microsoft Exchange patches reduces the chance of the exploit being used:
* Microsoft Exchange 2010 updates
* Microsoft Exchange 2013 updates
* Microsoft Exchange 2016 updates
* Microsoft Exchange 2019 updates
– If the Exchange server is already infected, use endpoint security tooling to remove the malware and repair the server.
– Microsoft provides an Exchange mitigation tool, which can be downloaded from the link.
Steps to investigate
Per Microsoft:
- Scan Exchange logs – here is an article to follow, with a script that checks the logs for IOCs.
- Scan for known webshells – Microsoft Defender has been updated to detect exploitation of these vulnerabilities, but here is a scanner you can download.
- Use other security tools – endpoint products from other vendors, such as CrowdStrike, that go beyond signature scanning and also perform behavioral monitoring.
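As an added triage example (not Microsoft's script or scanner), the PowerShell below lists recently created or modified ASP.NET files under the web-accessible Exchange paths and flags any whose SHA-256 hash matches a known-bad list. The scan roots assume default IIS and Exchange install locations and `$env:ExchangeInstallPath` being set; `$KnownBadHashes` is a placeholder to be filled from Microsoft's published IOC list.

```powershell
# Added example, not Microsoft's tooling. Finds recently written web files in the
# Exchange/IIS web roots and checks their hashes against a known-bad list.
# ASSUMPTIONS: default install paths below; ExchangeInstallPath env var present;
# $KnownBadHashes is a PLACEHOLDER to populate from the vendor IOC list.

$ScanRoots = @(
    "$env:SystemDrive\inetpub\wwwroot",
    "$env:ExchangeInstallPath\FrontEnd\HttpProxy"
)
$Since = (Get-Date).AddDays(-30)        # adjust to the window under investigation
$KnownBadHashes = @(                     # PLACEHOLDER: SHA-256 values from the IOC list
    # "0000000000000000000000000000000000000000000000000000000000000000"
)

$Findings = foreach ($root in $ScanRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                SHA256    = $hash
                KnownBad  = ($KnownBadHashes -contains $hash)   # $true on IOC match
            }
        }
}

# Newest files first; review anything unexpected even if it is not on the IOC list,
# then keep the CSV as evidence before remediating the host.
$Findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize
$Findings | Export-Csv -Path "$env:TEMP\exchange-webshell-scan.csv" -NoTypeInformation
```

Run it in an elevated PowerShell session on the Exchange server; a file not in the IOC list but recently written into these directories still warrants manual review.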