Update 3/13/2021:
New alert from CISA including more malware analysis
[ Link ]
Update 3/10/2021:
FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server
[ Link ]
Updates:
Possibly over 30,000 companies using Exchange Server are affected.
[ Link ]
[ Link ]
Ransomware called DoejoCrypt has possibly been deployed on some Exchange Servers affected by these exploits.
[ Link ]
Possibly up to 10 criminal hacking groups are attacking these unpatched Exchange Servers.
[ Link ]
Microsoft urges anyone running an Exchange Server to patch immediately.
Microsoft explains the CVEs in their blog post:
“CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability.” An attacker can send specially crafted HTTP requests to the server and be authenticated as the Exchange server itself.
“CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service.” An attacker can use this vulnerability to run arbitrary code as SYSTEM; exploiting it requires administrative privileges.
“CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange.” Any attacker who has been able to authenticate to the server can write a file anywhere on the server.
“CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange.” This is another vulnerability like the one above and allows an authenticated user to write a file anywhere on the server. For both CVE-2021-26858 and CVE-2021-27065, the first vulnerability, CVE-2021-26855, can supply the authenticated session needed to use them.
Microsoft's article lays out how to detect whether the server has been compromised. Administrators, for instance, can check the HttpProxy logs for entries where AuthenticatedUser is empty and AnchorMailbox matches “ServerInfo~*/*”. A sample PowerShell command Microsoft provides is:
Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox
Once entries matching the criteria above are found, the application associated with the AnchorMailbox path can be identified by reviewing the logs under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging.
The steps above only show whether CVE-2021-26855 was exploited on an Exchange server.
To check whether you were affected by CVE-2021-27065, review the log files in C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server:
“All Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid Uris.”
Following is a PowerShell command to search for potential exploitation:
Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
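The two log checks above (empty AuthenticatedUser with a ServerInfo~*/* AnchorMailbox in the HttpProxy logs, and Set-*VirtualDirectory calls whose InternalUrl/ExternalUrl is not a plain URI in the ECP\Server logs) implemented as an offline triage script. This is an added example, not code from the page or from Microsoft; it assumes the logs have been copied off the server and works on constructed sample lines reduced to the columns the checks need.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Constructed sample of an Exchange HttpProxy log (real logs carry many more
# columns; only the ones the check uses are kept here).
HTTPPROXY_LOG = """DateTime,RequestId,AuthenticatedUser,AnchorMailbox,UrlStem
2021-03-03T10:00:01.000Z,1,CONTOSO\\alice,SMTP:alice@contoso.example,/owa/
2021-03-03T10:00:02.000Z,2,,ServerInfo~exch01.contoso.example/ecp/,/ecp/
2021-03-03T10:00:03.000Z,3,,ServerInfo~exch01.contoso.example/owa/,/ecp/
2021-03-03T10:00:04.000Z,4,CONTOSO\\bob,SMTP:bob@contoso.example,/mapi/
"""

# Constructed ECP\\Server log lines: one benign Set-*VirtualDirectory call and
# one whose ExternalUrl is not a URI but carries a script tag (placeholder body).
ECP_LOG = """2021-03-03T10:00:05.000Z,Set-OabVirtualDirectory -Identity 'OAB (Default Web Site)' -ExternalUrl 'https://mail.contoso.example/OAB'
2021-03-03T10:00:06.000Z,Set-OabVirtualDirectory -Identity 'OAB (Default Web Site)' -ExternalUrl 'http://f/<script>CONSTRUCTED-PLACEHOLDER</script>'
"""

ANCHOR_PATTERN = re.compile(r"^ServerInfo~.*/", re.IGNORECASE)  # PowerShell -like 'ServerInfo~*/*'
URL_PARAM = re.compile(r"-(InternalUrl|ExternalUrl)\s+'([^']*)'", re.IGNORECASE)


def find_ssrf_indicators(log_text):
    """Rows with no AuthenticatedUser and a ServerInfo~*/* AnchorMailbox (CVE-2021-26855 check)."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["AuthenticatedUser"] == "" and ANCHOR_PATTERN.match(row["AnchorMailbox"] or ""):
            hits.append((row["DateTime"], row["AnchorMailbox"]))
    return hits


def is_plain_uri(value):
    """True only for an http(s) URI with a host and no markup or whitespace characters."""
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc) and not re.search(r'[<>"\s]', value)


def find_virtualdirectory_tampering(log_text):
    """Set-*VirtualDirectory lines whose InternalUrl/ExternalUrl is not a clean URI (CVE-2021-27065 check)."""
    hits = []
    for line in log_text.splitlines():
        if not re.search(r"Set-\w+VirtualDirectory", line):
            continue
        for name, value in URL_PARAM.findall(line):
            if not is_plain_uri(value) or "script" in value.lower():
                hits.append((name, value))
    return hits
```

Point the two functions at the contents of the real HttpProxy and ECP\Server log files to run the same checks over exported logs.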
More detailed information for the other CVEs is listed in [ Link ]
Microsoft has found multiple web shells from this group in the following directories:
%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
C:\Exchange\FrontEnd\HttpProxy\owa\auth\
C:\inetpub\wwwroot\aspnet_client\
C:\inetpub\wwwroot\aspnet_client\system_web\
The following web shell file names were observed:
web.aspx
help.aspx
document.aspx
errorEE.aspx
errorEEE.aspx
errorEW.aspx
errorFF.aspx
healthcheck.aspx
aspnet_www.aspx
aspnet_client.aspx
xx.aspx
shell.aspx
aspnet_iisstart.aspx
one.aspx
Sources:
Much more diagnostic information about these threats is available on the Microsoft site below [ Link ]
Mitigations and forensic analysis at [ Link ]
[ Link ]
[ Link ]
[ Link ]