What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Mar 15, 2023
CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Zero-Day Vulnerability
THE THREAT On March 14th, as part of Microsoft’s monthly Patch Tuesday release, the company disclosed a critical, actively exploited vulnerability impacting Microsoft Office and Outlook. The…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Mar 20, 2023
Exertis and eSentire Partner to Deliver 24/7 Multi-Signal MDR, Digital Forensics & IR Services and Exposure Management to Organisations Across the UK, Ireland, and Europe
Basingstoke, UK– 20 March, 2023. Leading technology distributor, Exertis, announced today that it has bolstered its cybersecurity services, adding eSentire, the Authority in Managed Detection and Response (MDR), to its Enterprise portfolio of offerings. eSentire’s award-winning, 24/7 multi-signal MDR, Digital Forensics & Incident Response (IR), and Exposure Management services will be available…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Security advisories — Mar 02, 2021

Multiple 0-Day Exploits Targeting On-Premise Exchange Versions

2 minutes read
Speak With A Security Expert Now

THE THREAT

On March 2nd 2021 Microsoft released security updates for multiple 0-day vulnerabilities in on-premises versions of Exchange. Microsoft also published a threat research report describing technical details related to these attacks.

Microsoft has indicated these attacks are limited and targeted in nature and attributes the activity to a threat actor group dubbed HAFNIUM. Customers should prioritize the patching of affected products immediately.

When exploited, these vulnerabilities permit access to on-premises Exchange servers enabling unauthorized access to email. Additionally, Microsoft reports attackers employed webshell malware to maintain access to compromised Exchange servers. Exchange Online is not affected by these vulnerabilities.

What we’re doing about it

What you should do about it

Additional information

The recent critical vulnerabilities are as follows and affect Microsoft Exchange Server versions 2013, 2016, and 2019.

CVE-2021-26855 (CVSS Score: 9.1/10) – Is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange, which allows a threat actor to send an arbitrary HTTP request and authenticate as the Exchange server.

CVE-2021-26857 (CVSS Score: 7.8/10) – Is an insecure deserialization vulnerability in the Unified Messaging service and requires administrator privileges or the use of another vulnerability to exploit. This vulnerability gave HAFNIUM the controls to run code as SYSTEM on an exchange server.

CVE-2021-26858/CVE-2021-27065 (CVSS Score: 7.8/10) – Are post-authentication arbitrary file write vulnerabilities in Microsoft Exchange and require either compromising an admin’s credentials or the use of CVE-2021-26855.

The vulnerabilities above were used as a part of the attack chain by HAFNIUM, which required the initial ability to make an untrusted connection to a Microsoft Exchange server on port 443. While this can be mitigated by setting up a VPN to separate the Exchange server from external access or by restricting untrusted connections, it will only protect users from the initial portion of the attack. Threat actors can use alternative means to exploit these vulnerabilities, such as convincing an administrator to run a malicious file or if the attacker already gained access to the environment via other means.

All of these vulnerabilities should receive a high priority for patching as exploitation was observed and attributed to state-sponsored group HAFNIUM.

References:

[1] https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

[2] https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

View Most Recent Blogs