Last week, Microsoft released an advisory surrounding four vulnerabilities being actively exploited within on-premises Microsoft Exchange servers. These vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 could permit a remote, unauthenticated attacker to execute code.
If your organization or institution has an Internet-accessible, on-premises Microsoft Exchange server, it is recommended to:
Update Microsoft Exchange to the latest version as of March 2, 2021.
Check for the Indicators of Compromise (IOCs) published by Microsoft; this is an efficient way to determine whether exploitation occurred.
Remove web shells which may be accessible from the Internet.
Monitor and validate the security and confidentiality of Microsoft Exchange.
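The IOC check and web-shell removal steps above both start with the same triage question: which server-side script files in the web-served directories are new, or contain code that does not belong in a mail server's pages? The following script is an added example (not from the advisory, Microsoft, or Cymonix) that walks a web root, reports `.aspx`/`.asp`/`.ashx`/`.asmx` files modified after a chosen cutoff or containing heuristic web-shell tokens, and records each file's SHA-256 so it can be compared against published IOC hashes. The token list, the directory names and the sample files are constructed assumptions; the suspicious sample is inert text inside an ASPX server comment, used only to exercise the scanner.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

# Heuristic source tokens often seen in ASP.NET web shells. This list is an
# illustrative assumption for the example, not an IOC list from the advisory.
SUSPICIOUS_TOKENS = {
    "request_param": re.compile(r"Request\s*(?:\.Item|\.Form|\.QueryString)?\s*\["),
    "process_start": re.compile(r"Process\.Start\s*\("),
    "eval_call": re.compile(r"\beval\s*\(", re.IGNORECASE),
}
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


def sha256_file(path: Path) -> str:
    """Hash a file so a finding can be compared with published IOC hashes."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_file(path: Path, cutoff: datetime) -> Optional[dict]:
    """Return a finding for one file, or None if nothing stands out.

    A file is reported if it was modified on or after `cutoff` (any new file in a
    web-served directory deserves review) or if its content matches a token, since
    a dropped file may carry a back-dated timestamp.
    """
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    reasons = []
    if mtime >= cutoff:
        reasons.append("modified_after_cutoff")
    text = path.read_text(encoding="utf-8", errors="ignore")
    reasons.extend(f"token:{name}" for name, rx in SUSPICIOUS_TOKENS.items() if rx.search(text))
    if not reasons:
        return None
    return {"path": str(path), "mtime": mtime.isoformat(),
            "sha256": sha256_file(path), "reasons": reasons}


def hunt_web_shells(root: Path, cutoff: datetime) -> List[dict]:
    """Walk a web root and collect findings for server-side script files only."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            finding = inspect_file(path, cutoff)
            if finding:
                findings.append(finding)
    return findings


def build_demo_tree():
    """Create a constructed web root (temporary directory) for an offline run."""
    root = Path(tempfile.mkdtemp(prefix="webroot_demo_"))
    old = datetime(2020, 1, 15, tzinfo=timezone.utc).timestamp()
    samples = {
        # legitimate, old page: must not be reported
        "site/index.aspx": ('<%@ Page Language="C#" %>\n<html><body>Hello</body></html>\n', old),
        # old timestamp but suspicious tokens (inert, inside a server comment): reported by content
        "scripts/help.aspx": ('<%-- constructed sample: Process.Start( Request["cmd"] --%>\n', old),
        # harmless content but written just now: reported by timestamp for manual review
        "uploads/new.aspx": ('<%@ Page Language="C#" %>\n<p>recent</p>\n', None),
        # same tokens in a non-script file: ignored by the extension filter
        "notes.txt": ('Process.Start( Request["x"]', old),
    }
    for rel, (content, ts) in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
        if ts is not None:
            os.utime(target, (ts, ts))
    # Cutoff is an assumed date; in practice pick one well before the patch date.
    return root, datetime(2021, 2, 1, tzinfo=timezone.utc)


def demo() -> List[dict]:
    root, cutoff = build_demo_tree()
    return hunt_web_shells(root, cutoff)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["sha256"][:12], ", ".join(f["reasons"]))
```

Every finding is a lead for manual review, not a verdict: legitimate pages also read `Request[...]`, and a freshly written file may be a patch artifact. Use the recorded hash to match against the IOC hashes from the Microsoft resources linked below before deleting anything, and preserve a copy of any file you remove for the incident record.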
Cymonix has responded to numerous security incidents involving this specific exploit and, in most cases, did not identify significant impact. Unless an organization or institution was specifically targeted by the actors, the typical observation is indicators such as web shells present on the server, but no hands-on interaction with the impacted asset.
For more information surrounding this vulnerability, including scripts which can be executed, Indicators of Compromise (IOC), and context, see the following resources:
Microsoft’s Advisory and Security Blog Post
Microsoft’s Patch Release
(CISA) Cybersecurity & Infrastructure Security Agency – Alert AA21-062A
If you believe you have experienced a security incident, call our incident response hotline immediately: 860-785-0614
Cymonix's line of solutions can proactively address threats to your environment as your trusted long-term cybersecurity partner. A risk assessment can proactively identify and respond to a security incident such as this one and determine whether threats are present.