Security experts from Volexity discovered state-sponsored hacking groups exploiting just-patched critical Microsoft Exchange bugs, with attacks observed as early as January 6, 2021. The technology giant recently addressed four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) and three other vulnerabilities (CVE-2021-27078, CVE-2021-26854, and CVE-2021-26412) in its Patch Tuesday security update.
Volexity claimed that threat actors were exploiting the CVE-2021-26855 Microsoft Exchange Server vulnerability in ongoing attacks to obtain remote code execution on vulnerable Exchange servers. Volexity identified a massive amount of information being transferred from the Exchange servers to IP addresses that were not associated with legitimate users.
Volexity’s researchers found that the attackers were exploiting a zero-day server-side request forgery (SSRF) vulnerability to steal the entire contents of several user mailboxes. Because CVE-2021-26855 is remotely exploitable, an attacker does not need any authentication or prior access to the target environment.
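As an added illustration of the kind of anomaly Volexity describes (large volumes of data leaving the Exchange server toward addresses tied to no legitimate user), the following Python is example code written for this page, not Volexity's or Microsoft's tooling. It assumes a constructed, simplified per-request log layout (timestamp, client IP, authenticated user, HTTP status, bytes sent) and an arbitrary 10 MiB threshold; real Exchange/IIS logs would need their own parser.

```python
import csv
import io

# Constructed sample of per-request access records from an Exchange front end.
# The column layout is a simplification made for this example, not the real
# IIS/HTTPProxy log format. '-' in the user column means the request carried
# no authenticated identity.
SAMPLE_LOG = """timestamp,client_ip,user,status,bytes_sent
2021-03-02T10:00:01Z,10.0.0.5,alice@corp.example,200,4096
2021-03-02T10:00:03Z,10.0.0.5,alice@corp.example,200,8192
2021-03-02T10:01:10Z,203.0.113.7,-,200,52428800
2021-03-02T10:01:44Z,203.0.113.7,-,200,31457280
2021-03-02T10:02:00Z,198.51.100.9,-,401,512
2021-03-02T10:02:30Z,10.0.0.8,bob@corp.example,200,2048
"""

# Assumed threshold: flag anonymous sources that pulled more than 10 MiB.
DEFAULT_THRESHOLD = 10 * 1024 * 1024


def parse_log(text):
    """Parse the CSV records into dicts with bytes_sent and status as ints."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes_sent"] = int(row["bytes_sent"])
        row["status"] = int(row["status"])
        rows.append(row)
    return rows


def bytes_by_anonymous_ip(rows):
    """Sum bytes served on successful, unauthenticated requests per client IP.

    Authenticated traffic and failed requests (non-200) are ignored: the
    pattern of interest is data leaving the server to a client that never
    presented a legitimate user identity.
    """
    totals = {}
    for row in rows:
        if row["user"] != "-" or row["status"] != 200:
            continue
        ip = row["client_ip"]
        totals[ip] = totals.get(ip, 0) + row["bytes_sent"]
    return totals


def find_exfil_candidates(text, threshold=DEFAULT_THRESHOLD):
    """Return (ip, total_bytes) pairs, largest first, for anonymous client
    addresses that received more than `threshold` bytes on successful requests."""
    totals = bytes_by_anonymous_ip(parse_log(text))
    flagged = [(ip, total) for ip, total in totals.items() if total > threshold]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for ip, total in find_exfil_candidates(SAMPLE_LOG):
        print(f"{ip}: {total / (1024 * 1024):.1f} MiB served to an unauthenticated client")
```

On the constructed sample, only 203.0.113.7 is reported: it is the one unauthenticated client that received a large volume of successful responses, while the 401 probe from 198.51.100.9 and the ordinary authenticated mailbox traffic are left alone. In practice the threshold should be set from a baseline of normal anonymous traffic (autodiscover, OWA login pages) on the specific server.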
Indicators of Compromise
Volexity urged organizations and users to apply the available security patches, or to temporarily disable external access to Microsoft Exchange, as soon as possible.
“Highly skilled attackers continue to innovate to bypass defenses and gain access to their targets, all in support of their mission and goals. These vulnerabilities in Microsoft Exchange are no exception. These attackers are conducting novel attacks to bypass authentication, including two-factor authentication, allowing them to access e-mail accounts of interest within targeted organizations and remotely execute code on vulnerable Microsoft Exchange servers,” Volexity added.