Microsoft Exchange Zero Day Exploits Guidance and Information

Name: Exploitation of zero-day vulnerabilities in on-premises Microsoft Exchange Servers

Threat actor (who is behind the attacks): Linked to HAFNIUM, which previously targeted various US-based companies in gas, law firms, etc.

What is bad: An attacker does not need any credentials to authenticate. If the vulnerabilities below are present on a system and the attacker can reach that machine over a public network, it can be exploited without authentication.

Vulnerabilities actively being exploited:

• CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065

• Can be exploited via network access if the server is exposed to the public Internet

Direction: We recommend that all our customers with on-premises Exchange servers patch the vulnerabilities above immediately to mitigate exploitation.

What it means for customers once patched: Patching does not mean that the customers are safe. Systems with Exchange roles may already have been compromised, and the threat actors may have maintained persistence with other malware or other processes in the environment.

Attackers/threat actors: After exploiting the vulnerabilities (post-exploitation), they have the capability to create web shells for persistence and privilege escalation.

Some of the indicator-of-compromise artifacts:

• help.aspx (MD5 hash: 4b3039cf227c611c45d2242d1228a121)

• iisstart.aspx (MD5 hash: 0fd9bffa49c76ee12e51e3b8ae0609ac)

• w3wp.exe (the IIS worker process on the front-end Exchange server) spawning cmd.exe to write files

• BEACON (MD5 hash: 79eb217578bed4c250803bd573b10151)

Other network indicators:

Other activities after successful exploitation may include, per the Microsoft documentation/blog:

• Credential theft via dumping of LSASS process memory.

• Compression of data for exfiltration via 7-Zip.

• Use of Exchange PowerShell snap-ins to export mailbox data.

• Use of additional offensive security tools (Covenant, Nishang, and PowerCat) for remote access.


Other investigation leads:

• Check for child processes of inetsrv\w3wp.exe, in particular cmd.exe

• Any files written to the system by w3wp.exe

• Temp files with the .aspx extension; the file names themselves are unreliable indicators and can be anything

• Unexpected export of mailboxes

• Check for LSASS process dumps in the system events.

• Check for any zip files created for exfiltration on the systems

• Check for any PowerShell one-liner scripts in SIEM tools as well as in other access mechanisms.
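As an added example (not part of the CYFLARE advisory), the following hunting pass applies three of the leads above, together with the MD5 IoCs listed earlier, to Sysmon-style event records: the IIS worker process spawning a shell, w3wp.exe writing .aspx files, and a known-bad hash regardless of file name. The sample events and the set of shells flagged are constructed assumptions.

```python
# Added example, not part of the CYFLARE advisory: applies the investigation
# leads above to Sysmon-style records (EventID 1 = process create,
# EventID 11 = file create). Sample events below are constructed.
IOC_MD5 = {  # the MD5 IoCs quoted in the advisory
    "4b3039cf227c611c45d2242d1228a121": "help.aspx web shell",
    "0fd9bffa49c76ee12e51e3b8ae0609ac": "iisstart.aspx web shell",
    "79eb217578bed4c250803bd573b10151": "BEACON",
}
SHELLS = {"cmd.exe", "powershell.exe"}  # assumption: shells worth flagging under w3wp.exe

def basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def md5_from_hashes(hashes_field):
    """Sysmon packs hashes as 'MD5=..,SHA256=..'; return the MD5 or ''."""
    for part in hashes_field.split(","):
        if part.upper().startswith("MD5="):
            return part[4:].lower()
    return ""

def hunt(events):
    """Return (rule_name, event) pairs for each record matching a lead."""
    findings = []
    for ev in events:
        eid, image = ev.get("EventID"), basename(ev.get("Image", ""))
        parent, target = basename(ev.get("ParentImage", "")), basename(ev.get("TargetFilename", ""))
        # Lead: the IIS worker process spawning a shell is not normal Exchange behaviour.
        if eid == 1 and parent == "w3wp.exe" and image in SHELLS:
            findings.append(("w3wp_spawns_shell", ev))
        # Lead: w3wp.exe writing .aspx; names are unreliable, so flag any .aspx it writes.
        if eid == 11 and image == "w3wp.exe" and target.endswith(".aspx"):
            findings.append(("w3wp_writes_aspx", ev))
        # Lead: known-bad MD5 from the advisory, whatever the file is called.
        label = IOC_MD5.get(md5_from_hashes(ev.get("Hashes", "")))
        if label:
            findings.append(("ioc_hash:" + label, ev))
    return findings

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\xyz.aspx"},
    {"EventID": 1, "Image": r"C:\Users\Public\svc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Hashes": "MD5=79EB217578BED4C250803BD573B10151"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},  # benign: parent is not w3wp.exe
]
```

Running `hunt(SAMPLE_EVENTS)` yields three findings and ignores the benign explorer.exe-spawned shell; the hash match fires even though the file name carries no hint.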


What CYFLARE is doing for customers as a threat-hunting mechanism:

• Check the Windows event logs where systems are recognized as Exchange servers

• Check for the IoCs mentioned above, and for any additional IoCs as we learn more about this threat, to help identify whether systems within the network were compromised and which specific systems were affected

• Monitor for any credential-dump detections, such as Mimikatz credential dumping, if triggered in the environment, as these could precede exfiltration of data

• We are also actively working with vendors to create detection rules, where applicable, to ensure that our customers are notified of any detections.

• We are also reaching out to customers to deliver this message and to have them stay alert for any such activity as we work together.

If the client has endpoint protection solutions that CYFLARE manages:

• CYFLARE performs advanced threat hunting and checks logs for possible exploitation attempts, trojans, and other real-time IoCs triggered on hosts that have endpoint protection agents installed.



Other links to blog posts by Microsoft for detailed information:
