What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Jul 04, 2022
Ongoing Qakbot Campaign
THE THREAT eSentire has observed a significant increase (see Figure 1) in Qakbot (Qbot) malware infections through the month of June 2022. Qakbot is an information stealing malware. In observed…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1200+ organizations in 75+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
May 17, 2022
Cybersecurity Leader eSentire Continues Its Commitment to Rigorous Security Standards Earning PCI DSS Certification
Waterloo, ON, May 17, 2022 — eSentire, the Authority in Managed Detection and Response (MDR), maintains one of the most secure and robust IT environments of any MDR provider in the industry. To that end, eSentire today announced that it has received the Payment Card Industry Data Security Standard (PCI DSS) certification, considered one of the most stringent and comprehensive payment card…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Security advisories — Mar 02, 2021

Multiple 0-Day Exploits Targeting On-Premise Exchange Versions

2 minutes read
Speak With A Security Expert Now

THE THREAT

On March 2nd 2021 Microsoft released security updates for multiple 0-day vulnerabilities in on-premises versions of Exchange. Microsoft also published a threat research report describing technical details related to these attacks.

Microsoft has indicated these attacks are limited and targeted in nature and attributes the activity to a threat actor group dubbed HAFNIUM. Customers should prioritize the patching of affected products immediately.

When exploited, these vulnerabilities permit access to on-premises Exchange servers enabling unauthorized access to email. Additionally, Microsoft reports attackers employed webshell malware to maintain access to compromised Exchange servers. Exchange Online is not affected by these vulnerabilities.

What we’re doing about it

What you should do about it

Additional information

The recent critical vulnerabilities are as follows and affect Microsoft Exchange Server versions 2013, 2016, and 2019.

CVE-2021-26855 (CVSS Score: 9.1/10) – Is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange, which allows a threat actor to send an arbitrary HTTP request and authenticate as the Exchange server.

CVE-2021-26857 (CVSS Score: 7.8/10) – Is an insecure deserialization vulnerability in the Unified Messaging service and requires administrator privileges or the use of another vulnerability to exploit. This vulnerability gave HAFNIUM the controls to run code as SYSTEM on an exchange server.

CVE-2021-26858/CVE-2021-27065 (CVSS Score: 7.8/10) – Are post-authentication arbitrary file write vulnerabilities in Microsoft Exchange and require either compromising an admin’s credentials or the use of CVE-2021-26855.

The vulnerabilities above were used as a part of the attack chain by HAFNIUM, which required the initial ability to make an untrusted connection to a Microsoft Exchange server on port 443. While this can be mitigated by setting up a VPN to separate the Exchange server from external access or by restricting untrusted connections, it will only protect users from the initial portion of the attack. Threat actors can use alternative means to exploit these vulnerabilities, such as convincing an administrator to run a malicious file or if the attacker already gained access to the environment via other means.

All of these vulnerabilities should receive a high priority for patching as exploitation was observed and attributed to state-sponsored group HAFNIUM.

References:

[1] https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

[2] https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

Join 100,000+ Security Leaders

Get notified when there's a new security advisory, and receive the latest news, intel and helpful tools & assets. You can unsubscribe anytime.

By clicking the button below I confirm that I have read and agree to the eSentire privacy policy.

View Most Recent Blogs