MS Exchange - 0-DAY Vulnerability

SmartEvent Type: Views & Reports,

Oren_Koren
Employee Alumnus
Verified By CP

On March 2nd, 2021, Volexity reported the in-the-wild exploitation of the following Microsoft Exchange Server vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

Further investigation uncovered that an attacker was exploiting a zero-day in the wild. The attacker was using the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication or special know

...




6 Replies

r1der
Advisor

Thank you for sharing this @Oren_Koren! We are all patched and want to start investigating if any attacks were already made. We've checked other Exchange paths that were in other articles and so far so good.

If the report returns "No Data Found", would that mean no attacks were made, or maybe it's not able to pull the information needed for this report? Screenshots attached.

The pre-infection and file indicator pages had all '0', and I set the custom date range from December 01, 202

...

Oren_Koren
Employee Alumnus

Hey  @r1der ,

The report will show you if you got a hit from one of the file OR network indicators/CVEs.

We see a rise in the usage of those vulnerabilities in the wild, so the goal of the report is to expose whether someone tried to use it against you.



ToRo
Employee

Hi Oren and Check Mates admins,

We have run the report in another environment with the same result as @r1der: a NO DATA FOUND message in the report. Is this the expected outcome if there are no hits? Can you confirm, please?


ToRo
Employee

Actually, with some help from one of my colleagues (Tom Kendrick) I came to an answer:

SHORT answer: NO DATA FOUND is the expected output when there are no hits/logs and the right signatures/protections are enabled and used.

LONG explanation:

If you have the IPS protections available and applied to the profile, then you will get hits if the event is happening. Of course you could not know of any hits before that date. If, since that date, you look at IPS logs and see no hits afte

...


Oren_Koren
Employee Alumnus

Hey, indeed Tom is correct.

We see a rise in the usage of those vulnerabilities in the wild, so eventually (probably) you will get a log/logs related to it (in the pre-infection stage).

In the post-infection stage - ((HAFNIUM.TC.*) OR (Trojan.Win32.Hafnium.TC.*)) - a hit means you have already got it inside the network.

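The logic the thread describes (pre-infection = an IPS protection for one of the four Exchange CVEs fired, post-infection = a file/AV signature matching (HAFNIUM.TC.*) OR (Trojan.Win32.Hafnium.TC.*) fired, and NO DATA FOUND only meaning "no attack" when the protections were actually enabled) can be reproduced against an exported log stream. The script below is an added example, not code from the thread or from the CheckMates Toolbox report. The key=value log layout, the field names (time, product, action, src, dst, protection_name, severity), the assumption that IPS protection names carry the CVE ID, and the log lines themselves are all constructed for illustration; adapt parse_log_line() to your own log export.

```python
import fnmatch
import re

# Constructed sample log lines, not real Check Point logs. The key=value
# layout and the field names are assumptions modelled on a syslog-style
# log export; adapt parse_log_line() to your own export format.
SAMPLE_LOGS = [
    'time=2021-03-03T10:14:02 product=IPS action=Prevent src=203.0.113.7 '
    'dst=192.0.2.10 protection_name="Microsoft Exchange Server Remote Code '
    'Execution (CVE-2021-26855)" severity=Critical',
    'time=2021-03-03T10:14:05 product=IPS action=Detect src=203.0.113.7 '
    'dst=192.0.2.10 protection_name="Microsoft Exchange Server Remote Code '
    'Execution (CVE-2021-27065)" severity=Critical',
    'time=2021-03-03T11:02:17 product="Anti-Virus" action=Prevent src=192.0.2.10 '
    'dst=198.51.100.4 protection_name="Trojan.Win32.Hafnium.TC.a" severity=Critical',
    'time=2021-03-03T11:30:44 product="Threat Emulation" action=Detect src=192.0.2.10 '
    'dst=198.51.100.9 protection_name="HAFNIUM.TC.b" severity=High',
    'time=2021-03-03T12:00:00 product=IPS action=Prevent src=198.51.100.77 '
    'dst=192.0.2.10 protection_name="SQL Servers UNION Query-based SQL Injection" '
    'severity=High',
]

# The four Exchange CVEs named in the original post.
EXCHANGE_CVES = {"CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Post-infection signature patterns as quoted in the thread,
# treated as shell-style globs (case-sensitive).
POST_INFECTION_GLOBS = ("HAFNIUM.TC.*", "Trojan.Win32.Hafnium.TC.*")

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Parse one key=value log line into a dict (quoted values may contain spaces)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def classify(event):
    """Return 'pre-infection', 'post-infection' or None for one parsed event."""
    name = event.get("protection_name", "")
    # Pre-infection: an IPS protection covering one of the Exchange CVEs fired,
    # i.e. someone tried the exploit against you (blocked or only detected).
    # Assumes the CVE ID appears in the protection name.
    if any(cve in EXCHANGE_CVES for cve in CVE_RE.findall(name)):
        return "pre-infection"
    # Post-infection: a file/AV signature for the Hafnium tooling fired,
    # i.e. the payload was already inside the network.
    if any(fnmatch.fnmatchcase(name, pattern) for pattern in POST_INFECTION_GLOBS):
        return "post-infection"
    return None


def run_report(lines, since=None):
    """Group matching events by stage. `since` is an ISO-8601 timestamp string;
    ISO timestamps compare correctly as strings, so no datetime parsing is needed."""
    hits = {"pre-infection": [], "post-infection": []}
    for line in lines:
        event = parse_log_line(line)
        if since and event.get("time", "") < since:
            continue
        stage = classify(event)
        if stage:
            hits[stage].append(event)
    return hits


def verdict(hits, protections_enabled):
    """Interpret the report the way the thread does: an empty result is NO DATA
    FOUND, which only means 'no attack seen' when the relevant IPS/AV protections
    were actually enabled over the period that was searched."""
    if hits["post-infection"]:
        return "post-infection hit: Hafnium payload seen inside the network"
    if hits["pre-infection"]:
        return "pre-infection hit: exploitation attempt against Exchange seen"
    if protections_enabled:
        return "NO DATA FOUND: protections enabled and no hits, no attack observed"
    return "NO DATA FOUND: inconclusive, relevant protections were not enabled"


if __name__ == "__main__":
    report = run_report(SAMPLE_LOGS)
    for stage, events in report.items():
        print(f"{stage}: {len(events)} event(s)")
        for ev in events:
            print(f"  {ev['time']} {ev['product']} {ev['action']} "
                  f"{ev['src']} -> {ev['dst']} {ev['protection_name']}")
    print(verdict(report, protections_enabled=True))
```

The `since` argument mirrors the custom date range in the report: narrowing it drops the IPS hits from the morning in the sample and leaves only the post-infection events, which is the situation where the report would stop telling you about the attempt and only tell you about the payload. Whether `protections_enabled` is true is something you have to establish from the profile itself, not from the log; an empty log with the protections inactive proves nothing.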
