PoC Released for Microsoft Exchange RCE Vulnerability. Patching is recommended.


Proof-of-concept exploit code has been released online for an actively exploited, high-severity vulnerability affecting Microsoft Exchange servers.

This security bug, tracked as CVE-2021-42321, affects on-premises Exchange Server 2016 and Exchange Server 2019 (including servers used by customers in Exchange hybrid mode) and was patched as part of the November 2021 Patch Tuesday.


A successful attack will allow an authenticated attacker to remotely execute code on a vulnerable Exchange server.

About two weeks after the CVE-2021-42321 patch was issued, researcher Janggggg published a proof-of-concept exploit for the Exchange post-auth RCE bug.

The PoC simply launches mspaint.exe on the target, which can be used to recognize the signature pattern of a successful exploitation event.

Warning to patch immediately

Microsoft is aware of a limited number of real-world targeted attacks using one of the vulnerabilities (CVE-2021-42321), a post-authentication vulnerability in Exchange 2016 and 2019.

“Our recommendation is to install these updates immediately to protect your environment,” Microsoft said, urging Exchange administrators to apply the patches.

If you have not yet patched this security vulnerability on your on-premises servers, you can use the latest version of the Exchange Server Health Checker script to inventory all Exchange servers in your environment that still need to be updated.

To check whether a vulnerable Exchange server has already been exploited via CVE-2021-42321, run the following PowerShell command on each Exchange server and check the Application event log for the matching error events.

# Look for MSExchange Common error events whose message mentions BinaryFormatter.Deserialize
Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
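As an added example (not from the article or from Microsoft), the same check extended to sweep a list of Exchange servers and emit one row per matching event; the server names, the 30-day look-back window and the remote event-log access rights are assumptions:

```powershell
# Added example, not code from the original article or from Microsoft.
# Assumes the account running it can read the remote Application log on each server.
function Find-ExchangeDeserializeEvents {
    param(
        [Parameter(Mandatory)] [string[]] $Servers,
        [datetime] $After = (Get-Date).AddDays(-30)   # assumption: 30-day look-back
    )
    foreach ($server in $Servers) {
        try {
            # Same filter as the single-server command above, run remotely per server
            $events = Get-EventLog -ComputerName $server -LogName Application `
                -Source "MSExchange Common" -EntryType Error -After $After -ErrorAction Stop |
                Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
        } catch {
            # Unreachable host or missing rights: report it rather than silently skipping
            Write-Warning "$server : could not read Application log ($($_.Exception.Message))"
            continue
        }
        if (-not $events) {
            Write-Verbose "$server : no matching events since $After"
            continue
        }
        foreach ($e in $events) {
            # One object per hit so the result can be sorted, exported or fed to a ticket
            [pscustomobject]@{
                Server  = $server
                Time    = $e.TimeGenerated
                EventId = $e.EventID
                Message = ($e.Message -split "`n")[0]   # first line only, for triage
            }
        }
    }
}

# Usage with constructed server names (replace with your own inventory):
# Find-ExchangeDeserializeEvents -Servers 'EXCH01','EXCH02' -Verbose | Format-Table -AutoSize
# From the Exchange Management Shell the list can come from Get-ExchangeServer:
# Find-ExchangeDeserializeEvents -Servers (Get-ExchangeServer | Select-Object -ExpandProperty Name)
```

A hit is an indicator worth investigating, not proof of compromise on its own; correlate the event time with the server's IIS and PowerShell logs before concluding.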

Attacks on on-premises Exchange servers

Exchange servers have already faced two massive waves of attacks in 2021, targeting the ProxyLogon and ProxyShell security vulnerabilities.

State-sponsored hackers have been exploiting ProxyLogon to deploy web shells, cryptominers, ransomware, and other malware since early March.

These attacks targeted over 250,000 Microsoft Exchange servers owned by tens of thousands of organizations around the world.

Four months later, the United States and its allies in the EU, the United Kingdom, and NATO officially announced that China was responsible for these widespread Microsoft Exchange hacking attacks.

Also starting in August, attackers began scanning for and breaching Exchange servers using the ProxyShell vulnerabilities after security researchers reproduced the vulnerability.

Initially, the payloads dropped using the ProxyShell vulnerability were harmless, but attackers later started dropping the LockFile ransomware payload on Windows domains compromised using the Windows PetitPotam vulnerability.

With this latest vulnerability (CVE-2021-42321), we are already seeing attackers scanning and attempting to compromise vulnerable systems.

Because Microsoft Exchange is a common target for initial access to a target company’s network, it is highly recommended that the server be kept up-to-date with the latest security patches.
