
Zero z server attack
On March 2, the world was introduced to four critical zero-day vulnerabilities impacting multiple versions of Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065). Alongside revealing these vulnerabilities, Microsoft published security updates and technical guidance that stressed the importance of patching immediately, while concurrently noting active and ongoing exploitation by an Advanced Persistent Threat (APT) they call HAFNIUM. Since the initial attacks, Unit 42 and a number of other threat intelligence teams have seen multiple threat groups exploiting these zero-day vulnerabilities in the wild.

Both the vulnerabilities themselves and the access that can be achieved by exploiting them are significant. It is therefore unsurprising that multiple attackers sought, and continue to seek, to compromise vulnerable systems before they are patched by network administrators. Based on the reconstructed timeline, it is now clear that there were at least 58 days between the first known exploitation of this vulnerability on Jan. 3 and Microsoft's release of the patch on March 2. This has been going on at an unprecedented scale: as of March 8, based on telemetry collected from the Palo Alto Networks Expanse platform, we estimated there remained over 125,000 unpatched Exchange Servers in the world.

Applying the patch is a necessary first step, but it is insufficient given the amount of time the exploit was in the wild. The act of patching will not remediate any access that attackers may have already gained to vulnerable systems. As we enter the second week since the vulnerabilities became public, initial estimates place the number of compromised organizations in the tens of thousands, dwarfing the impact of the recent SolarStorm supply chain attack in terms of victims and estimated remediation costs globally. Organizations can look to our remediation guide for steps they can take to ensure they have properly secured their Exchange Servers.

Given the importance of this event, we are publishing a timeline of the attack based on our extensive research into the information currently available to us and our direct experience defending against these attacks. As the situation continues to unfold, we urge others to share what they uncover so that we as a cybersecurity community get a complete picture as quickly as possible.

Microsoft Exchange Server Attack Timeline Summary

This story begins over six months ago, when DevCore, a Taiwan-based security consulting firm, first initiated a project to explore the security of Microsoft Exchange Server products. In the two-month window between October and December 2020, DevCore researchers made considerable progress that ultimately led to the discovery of a pre-authentication proxy vulnerability in December 2020. This vulnerability was given the name ProxyLogon by DevCore and is now known publicly as CVE-2021-26855.

Following this initial discovery, on Dec. 27, 2020, DevCore researchers demonstrated that this vulnerability could be leveraged to perform an authentication bypass, granting its users administrator-level permissions on vulnerable Exchange Servers. On Dec. 30, 2020, DevCore also discovered a second, post-authentication file-write bug that could be chained with the first vulnerability to gain privileged access to Exchange Servers and write files of an attacker’s choosing to any directory. This second vulnerability is now known publicly as CVE-2021-27065. Given the time of year and the long New Year’s holiday weekend, DevCore reached out and notified Microsoft of the vulnerabilities on the following Tuesday in January. At that point, attacks were already appearing in the wild.

Volexity, a US-based security firm, reported attacks involving the ProxyLogon vulnerability as early as January. At the time, the researcher credited with the discovery of the vulnerabilities tweeted publicly.