Check Point researchers are warning that exploit attempts against organizations worldwide have grown ten-fold since the Microsoft Exchange Server zero-day vulnerabilities known as “ProxyLogon” were disclosed.
According to the new Check Point research, security teams are in a “full race” with attackers to put protections in place before the next wave of attacks lands.
“Global experts are using massive preventative efforts to combat hackers who are working day-in and day-out to produce an exploit that can successfully leverage the remote code execution vulnerabilities in Microsoft Exchange,” the Check Point team warned.
The Check Point Research (CPR) team has observed thousands of exploit attempts against organizations worldwide: 7,200 attempted attacks as of March 15, a ten-fold increase since March 11.
The top five countries under attack include (with percentage of exploit attempts):
- United States (17%)
- Germany (6%)
- United Kingdom (5%)
- The Netherlands (5%)
- Russia (4%).
The top industries under attack include:
- Government/Military (23%)
- Manufacturing (15%)
- Banking & Financial Services (14%)
- Software vendors (7%)
- Healthcare (6%).
The Check Point team further explained “millions of organizations” could potentially be at risk:
“Once an attacker takes over the Exchange server, they can open the network to the internet and access it remotely. As many Exchange servers have internet exposure (specifically Outlook Web Access feature) and are integrated within the broader network, this poses a critical security risk for millions of organizations.”
On March 2, 2021, Microsoft disclosed the zero-day vulnerabilities, confirmed they were being exploited in the wild, and released emergency out-of-band security updates to fix multiple Critical vulnerabilities impacting Microsoft Exchange Server 2013, 2016 and 2019.
Each of the ProxyLogon vulnerabilities, along with the corresponding Microsoft patch advisory, is listed below:
Of special note, the security experts warned that CVE-2021-26855 can “allow an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server.”
CVE-2021-26855 is a server-side request forgery (SSRF) in the Exchange front end: a crafted request to an internet-facing endpoint is proxied to back-end services such as the Exchange Control Panel (ECP) with the server's own identity, so the attacker needs no credentials. The remaining three vulnerabilities can each result in remote code execution but require an authenticated session, which is why in practice they are chained behind CVE-2021-26855, which supplies that authentication.
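As an added example (not Check Point's research and not Microsoft's Test-ProxyLogon script), the following PowerShell hunts for the SSRF described above in the Exchange HttpProxy logs. The forged back-end request arrives with no authenticated user, and its AnchorMailbox column carries the attacker-chosen routing target of the form ServerInfo~host/path; that pairing is the log query Microsoft published for CVE-2021-26855. The demo directory, file name, host, IP addresses and log rows are constructed for the example; on a real server the logs live under the Exchange install's Logging\HttpProxy folder.

```powershell
# Added example; not the Check Point research or Microsoft's Test-ProxyLogon
# script. Hunts the CVE-2021-26855 SSRF in Exchange HttpProxy logs: the forged
# request reaches the back end with no authenticated user, and its AnchorMailbox
# column carries the attacker-chosen "ServerInfo~<host>/<path>" routing target.
# That pairing (empty AuthenticatedUser, AnchorMailbox like 'ServerInfo~*/*') is
# the query Microsoft published for this log source.

function Find-ProxyLogonSsrf {
    param(
        # Folder holding HttpProxy logs. On a real server this is
        # "$env:ProgramFiles\Microsoft\Exchange Server\V15\Logging\HttpProxy".
        [Parameter(Mandatory)] [string] $LogPath
    )
    Get-ChildItem -Path $LogPath -Recurse -Filter '*.log' | ForEach-Object {
        # Exchange writes "#Software:", "#Log-type:" etc. comment lines before
        # the CSV header; drop them so ConvertFrom-Csv sees the header row first.
        Get-Content -Path $_.FullName |
            Where-Object { $_ -notmatch '^#' } |
            ConvertFrom-Csv |
            Where-Object {
                $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*'
            } |
            Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
    }
}

# --- Demo against a constructed log (host, IPs and rows are made up) ---
$demoDir = Join-Path ([System.IO.Path]::GetTempPath()) 'proxylogon-httpproxy-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T10:14:02.451Z,203.0.113.7,/owa/auth/Current/themes/resources/logon.css,,ServerInfo~exch01.corp.example/autodiscover/autodiscover.xml
2021-03-03T10:15:11.902Z,198.51.100.20,/owa/,CORP\alice,alice@corp.example
2021-03-03T10:16:40.133Z,203.0.113.7,/ecp/y.js,,ServerInfo~exch01.corp.example/ecp/DDI/DDIService.svc/SetObject
2021-03-03T10:17:03.009Z,198.51.100.21,/mapi/emsmdb/,CORP\bob,bob@corp.example
'@ | Set-Content -Path (Join-Path $demoDir 'HttpProxy_2021030310-1.LOG')

Find-ProxyLogonSsrf -LogPath $demoDir | Format-Table -AutoSize
```

Against the constructed log, the two unauthenticated rows from 203.0.113.7 that carry a ServerInfo~ anchor are the hits and the two normal user sessions are not. On a real server, pivot from a hit on the source address and on the back-end path it targeted (an ECP or OAB path after an SSRF hit is the chain the article describes), and treat the host as compromised until the web roots and ECP/OAB logs have been reviewed.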
Other risk mitigations
If organizations are unable to patch Exchange Server 2013, 2016 and 2019 immediately, Microsoft also published interim mitigations and a detection script to help them find indicators of compromise (IoCs). Microsoft said the mitigations are effective against the attacks seen in the wild, but are not guaranteed to be a complete defense against exploitation of these vulnerabilities.
Although patching is still highly recommended, organizations that cannot patch right away can implement an IIS URL Rewrite rule (for CVE-2021-26855) and disable the Unified Messaging (UM) services, the Exchange Control Panel (ECP) virtual directory (VDir) and the Offline Address Book (OAB) VDir.
- CISA publishes reports on DearCry ransomware and China Chopper Web Shell malware linked to Exchange Server exploits
- FBI and CISA issue urgent joint cybersecurity advisory on Exchange server hacks
- Microsoft March 2021 Security Updates, fixes for 14 Critical bugs
- Microsoft releases emergency patches for Exchange Server RCE vulnerabilities exploited in the wild (Updated)