On March 2nd, 2021, Volexity reported the in-the-wild exploitation of the following Microsoft Exchange Server vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
Further investigation uncovered that an attacker was exploiting a zero-day in the wild. The attacker was using the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication or special knowledge or access to a specific environment.
Read more in the following blog
Thank you for sharing this @Oren_Koren! We are all patched and want to start investigating if any attacks were already made. We've checked other Exchange paths that were in other articles and so far so good.
If the report returns "No Data Found" would that mean no attacks were made, or maybe it's not able to pull the information needed for this report? Screenshots attached.
The pre-infection and file indicator pages had all '0', and I set the custom date range from December 01, 2020 00:00 - March 08, 2021 23:59.
Thank you,
Hey @r1der,
The report will show you if you got a hit from one of the files OR network indicators/CVEs.
We see a rise in usage of those vulnerabilities in the wild, so the goal of the report is to expose if someone tried to use it against you.
Hi Oren and Check Mates admins,
We have run the report at another environment with the same result as @r1der : NO DATA FOUND message in the report. Is this the expected outcome if no hits? Can you confirm, please?
Actually, with some help from one of my colleagues (Tom Kendrick), I came to an answer:
SHORT answer: It is the expected output of NO DATA FOUND when there are no hits/logs and the right signatures/protections are enabled and used.
LONG explanation:
If you have the IPS protections available and applied to the profile, then you will get hits if the event is happening. Of course you could not know of any hits before that date. If, since that date, you look at IPS logs and see no hits after filtering for the protection matching the CVE, or the CVE, then you're good. Because there are no logs of any type.
The pre-defined report created by my colleague Oren is a view filter looking for the CVEs in the IPS blade:
blade:IPS and (("CVE-2021-26855") OR ("CVE-2021-26857") OR ("CVE-2021-26858") OR ("CVE-2021-27065"))
And then the file indicators are looking for evidence of the “family”:
(HAFNIUM.TC.*) OR (Trojan.Win32.Hafnium.TC.*)
So, if you put this into the log view, and see nothing too, then you must be fine (assuming the protections are enabled).
Hey, indeed Tom is correct.
We see a rise in the usage of those vulnerabilities in the wild, so eventually (probably) you will get a log/logs related to it (in the pre-infection stage).
In the post infection - ((HAFNIUM.TC.*) OR (Trojan.Win32.Hafnium.TC.*)) - that means you have already got the hit inside the network.
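The two filters discussed in the replies above, applied to exported log records. This is an added example, not part of the thread and not Check Point's report. It assumes records exported as dictionaries (only the `blade` key comes from the quoted filter; the other field names and all sample records are constructed), and it treats an empty result with no IPS logs at all as inconclusive, which is an added heuristic for the "assuming the protections are enabled" caveat.

```python
import re

# The four CVEs from the IPS view filter quoted in the thread.
CVES = ("CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065")
# The two file-indicator family patterns quoted in the thread ("*" = any suffix).
FAMILY = re.compile(r"\b(?:HAFNIUM\.TC\.|Trojan\.Win32\.Hafnium\.TC\.)\S*")


def triage(records):
    """Apply both report filters to exported log records (a list of dicts).

    Only the "blade" key comes from the filter in the thread; every other
    field name in the sample data is an assumption about the export format.
    """
    ips_logs, pre, post = 0, [], []
    for rec in records:
        text = " ".join(str(v) for v in rec.values())  # free-text match
        if rec.get("blade") == "IPS":
            ips_logs += 1
            if any(cve in text for cve in CVES):
                pre.append(rec)  # pre-infection: attempt seen by IPS
        if FAMILY.search(text):
            post.append(rec)  # post-infection: family indicator on a host
    if post:
        verdict = "post-infection"
    elif pre:
        verdict = "attempt-logged"
    elif ips_logs == 0:
        # An empty result with no IPS logs at all proves nothing:
        # the protections may not be enabled on the profile.
        verdict = "inconclusive"
    else:
        verdict = "no-hits"
    return {"ips_logs": ips_logs, "pre": len(pre), "post": len(post), "verdict": verdict}


# Constructed sample records, not real Check Point log output.
NO_IPS = [{"blade": "Firewall", "action": "Accept"}]
QUIET = NO_IPS + [{"blade": "IPS", "protection": "constructed unrelated signature"}]
ATTEMPT = QUIET + [{"blade": "IPS", "reference": "CVE-2021-26855", "action": "Prevent"}]
INFECTED = ATTEMPT + [{"blade": "Anti-Virus", "malware": "Trojan.Win32.Hafnium.TC.constructed"}]

if __name__ == "__main__":
    for name, logs in [("NO_IPS", NO_IPS), ("QUIET", QUIET), ("ATTEMPT", ATTEMPT), ("INFECTED", INFECTED)]:
        print(name, triage(logs))
```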