The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an urgent joint cybersecurity advisory on the Microsoft Exchange vulnerability exploits, collectively known as “ProxyLogon.”
The joint task force also provided details on Tactics, Techniques, and Procedures (TTPs) on how malicious cyber actors use zero-day exploits (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to gain access.
On March 2, 2021, Microsoft announced the detection of the zero-day exploits and quickly released emergency out-of-band security updates to fix multiple Critical vulnerabilities impacting Microsoft Exchange Server 2013, 2016 and 2019.
In the recent alert, the FBI and CISA have assessed that it is likely nation-state actors and cyber criminals who are exploiting these vulnerabilities in order to gain persistent access to compromised servers and take control of an enterprise network.
The cyber experts further warn of the huge impact and urgency of the threat in the advisory:
“It has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information (PII), and other sensitive information from entities in multiple U.S. sectors. FBI and CISA assess that adversaries will continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom, or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web.”
Brian Krebs wrote several days ago that at least 30,000 U.S. organizations, including many small businesses, towns and local governments, were hacked. As a result, the bad actors likely stole sensitive email and personal data.
In addition, the actors also targeted academic institutions and firms in multiple sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical industries. CISA and FBI alleged these actions are also consistent with previous targeting activity by Chinese cyber actors.
CISA and FBI also described some of the common tactics and techniques the actors have used in recent attacks:
“The actor(s) frequently appeared to be writing webshells to disk for initial persistence, conducting further operations to dump user credentials, adding/deleting user accounts as needed, stealing copies of the Active Directory database (NTDS.dit), and moving laterally to other systems and environments. The actors appear to be collecting, compressing, and exfiltrating mailbox data.”
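The first behaviour in that quote, webshells written to disk for persistence, is one an administrator can hunt for directly. The script below is an added example, not code from the advisory or from this article: it walks an Exchange server's web-facing directories, ignores files present in a known-good baseline inventory, and reports script files (.aspx and similar) modified on or after a cut-off date. The directory names (owa/auth, ecp, aspnet_client), the file names in the demo tree and the cut-off date are constructed for the demonstration; the real paths and the baseline must be taken from the server being checked.

```python
"""Hunt for candidate webshells dropped into web-served directories.

Added example (not from the CISA/FBI advisory or this article). It assumes:
- `root` is the top of the directory tree the web server exposes; on a real
  Exchange host the administrator confirms which directories that covers.
- `baseline` is a set of relative paths of files known to be legitimate,
  e.g. an inventory captured after a clean install or after patching.
Script files absent from the baseline and modified at or after `since` are
reported for manual review; they are not proof of compromise by themselves.
"""
import os
import tempfile
from datetime import datetime, timezone

# Server-side script types worth reviewing; constructed list, extend as needed.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def scan_for_new_scripts(root, baseline, since):
    """Return a sorted list of (relative_path, mtime_iso) for script files under
    `root` that are not in `baseline` and were modified at or after `since`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in baseline:
                # Legitimate file; note that files replaced by a patch need the
                # baseline refreshed, otherwise they surface here as well.
                continue
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if mtime >= since:
                findings.append((rel, mtime.isoformat()))
    return sorted(findings)


def build_demo_tree(base):
    """Create a throwaway directory tree (constructed data) and return the
    baseline set of legitimate files for it."""
    old = datetime(2021, 1, 15, tzinfo=timezone.utc).timestamp()
    new = datetime(2021, 3, 5, tzinfo=timezone.utc).timestamp()
    files = {
        "owa/auth/logon.aspx": old,                 # legitimate, in baseline
        "ecp/default.aspx": old,                    # legitimate, in baseline
        "owa/auth/unknown.aspx": new,               # constructed: not in baseline
        "aspnet_client/system_web/shell.aspx": new, # constructed: not in baseline
        "aspnet_client/system_web/notes.txt": new,  # not a script type, ignored
    }
    for rel, ts in files.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write('<%@ Page Language="C#" %>\n')  # placeholder content
        os.utime(full, (ts, ts))  # set the modification time for the demo
    return {"owa/auth/logon.aspx", "ecp/default.aspx"}


def demo():
    """Run the scan over the constructed tree; cut-off is a constructed date."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = build_demo_tree(tmp)
        since = datetime(2021, 2, 26, tzinfo=timezone.utc)
        return scan_for_new_scripts(tmp, baseline, since)


if __name__ == "__main__":
    for rel_path, modified in demo():
        print(f"REVIEW {rel_path} (modified {modified})")
```

Run against a real server, the baseline should come from a trusted inventory rather than from the host under investigation, and any flagged file should be preserved (not deleted) so its contents and timestamps can be examined as part of incident response.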
Readers can check out the full report to learn more about the technical information derived from open source reports to help organizations in mitigating the vulnerabilities.