Intrusions

This category includes all kinds of intrusions, virtual or physical.

Exchange Webshell (CVE-2021-26855)

Description

On March 2, 2021, Microsoft released emergency patches for its email server software Microsoft Exchange, fixing vulnerabilities that were already being actively exploited in the wild.[0] Attackers quickly started installing webshells on any vulnerable installation reachable from the public Internet. That way they created a persistent backdoor for themselves, enabling them to come back later and take additional steps.

Risks

  • Attackers have access to your Exchange server, can run arbitrary code on it, read emails and change the underlying OS at will.
  • If your internal network or parts thereof can be reached via your Exchange server, attackers can advance further into your network and take additional steps like installing ransomware or stealing data.

Mitigation

  • Use Microsoft's Exchange On-premises Mitigation Tool (EOMT) which protects your server against future attacks and removes any webshells Microsoft can detect.
  • As Microsoft can obviously only remove webshells it knows about, it is strongly recommended to manually check your Exchange server for other signs of an intrusion by means of a forensic analysis. If you have any indication that the attackers also accessed your internal network, implement network monitoring to confirm or dismiss this and act accordingly.
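One concrete starting point for the manual check described above is to list every server-side script file under the web root that was written after the patch date, since a dropped webshell is a new or modified .aspx/.ashx/.asmx file. The script below is an added example, not part of this advisory or of any Microsoft tooling; the web root layout, the cutoff date (`PATCH_CUTOFF`) and the content heuristic (`SUSPICIOUS_TOKENS`) are assumptions, and the sample tree it scans is constructed in a temporary directory so it runs offline.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# File types IIS executes server-side; a dropped webshell is normally one of these.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Anything modified on or after the day of the emergency patches is worth a look
# (assumed cutoff for this example; tune it to the window you are investigating).
PATCH_CUTOFF = datetime(2021, 3, 2, tzinfo=timezone.utc)

# Constructed heuristic: tokens typical of pages that hand request input to code
# execution. A match is a lead for forensic review, not proof of a webshell.
SUSPICIOUS_TOKENS = re.compile(
    r'Request\["|Request\.Form|Process\.Start|Language="JScript"', re.IGNORECASE
)


def find_candidate_webshells(web_root, modified_after=None):
    """Return script files under web_root modified at or after the cutoff, newest first."""
    cutoff = (modified_after or PATCH_CUTOFF).timestamp()
    hits = []
    for path in Path(web_root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        st = path.stat()
        if st.st_mtime < cutoff:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            text = ""  # an unreadable file is still reported on timestamp alone
        hits.append({
            "path": str(path.relative_to(web_root)),
            "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            "size": st.st_size,
            "suspicious_content": bool(SUSPICIOUS_TOKENS.search(text)),
        })
    return sorted(hits, key=lambda h: h["modified"], reverse=True)


def build_sample_webroot():
    """Constructed sample tree (assumed layout, not a real Exchange install): one old
    legitimate page plus a freshly written .aspx whose text merely contains the
    heuristic tokens inside an HTML comment. It is not a working shell."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    legit = root / "site" / "logon.aspx"
    legit.parent.mkdir(parents=True)
    legit.write_text('<%@ Page Language="C#" %>\n<html>logon form</html>\n')
    old = datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(legit, (old, old))  # pre-dates the patch window: must not be reported
    dropped = root / "site" / "images" / "help.aspx"
    dropped.parent.mkdir(parents=True)
    dropped.write_text('<%@ Page Language="C#" %>\n'
                       '<!-- constructed marker text: Process.Start Request.Form -->\n')
    return root


def run_demo():
    """Scan the constructed tree and return the findings."""
    return find_candidate_webshells(build_sample_webroot())


if __name__ == "__main__":
    for hit in run_demo():
        flag = "SUSPICIOUS" if hit["suspicious_content"] else "review"
        print(f"{flag:10} {hit['modified']} {hit['size']:6d} {hit['path']}")
```

Run it against a real web root by calling `find_candidate_webshells(r"C:\path\to\webroot")` instead of the sample tree. Treat every hit as something to compare against a known-good installation: a file that is merely recent needs review, a file that is recent and matches the token heuristic needs priority review, and any file an attacker timestomped will only show up through the content check or through a full forensic comparison.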

[0]: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/