Lessons Learned from Microsoft Exchange Zero-Days

By Jim Wachhaus | March 16, 2021

By now I’m sure that almost everyone has heard of the Microsoft Exchange vulnerabilities, and hopefully addressed them in their systems. Still, it's definitely worth looking at what these vulnerabilities, and the age of the systems they were on, say about the temporal complexity of today’s attack surface.

It’s easy to get caught up in the shiny newness of the technology landscapes we create during this age of digital transformation. So this zero-day is a great reminder that while newness is certainly important, we also need to keep looking for those aging systems that may be tried-and-true but need to be upgraded or replaced before they become forgotten paths of least resistance. And if they cannot be upgraded or replaced, put them behind a firewall or VPN gateway and supply some good agent-based monitoring, network intrusion prevention, or closely watched logging for anomaly detection. When old systems start doing new tricks, it is probably not good.

What’s Old Is New Again

What first got me thinking this way was the fact that ever since October 2003 I’ve had a reminder in my calendar for the second Tuesday of every month. I recall setting it up in Lotus Notes, which was the collaboration software of choice back then with 46% of the market. I don’t even think my cell phone at the time was capable of telling me about this event, or if it was I hadn’t set that up, because the phone clipped on my belt looked like the one to the right.

Figure 1. Picture of a Motorola i700plus, rugged, bulky, not waterproof

I was reminded of this old technology and the long upgrade journey I’ve been on since then when my Patch Tuesday reminder chimed this week on my soon-to-be-upgraded March 2018 Samsung Galaxy S9, after Microsoft had sent an out-of-band notification to its vast user base about a set of critical vulnerabilities on Tuesday, March 2nd, a week earlier. This reminder traveled through time from past Jim to future Jim through at least a dozen laptops and at least as many phones, with who-knows-how-many hours of updates transmitted via wires and wireless, and on so many different operating systems, to get to me today. Like deja vu, what’s old is new again.

Figure 2. Picture of front and back of Samsung Galaxy S9, fragile, bulky, water resistant


Microsoft Exchange Vulns: Old Technology Impacts the Present

The latest vulnerabilities, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, are all remote code execution vulnerabilities that allow an authenticated (or trusted) attacker with access to a Microsoft Exchange (MSE) 2010, 2013, 2016, or 2019 server to write a file to any path on the server. It’s important to note that support for MSE 2010 ended on October 13, 2020. We can estimate that this unknown “zero-day” has been around since MSE 2010 was released on November 9, 2009, so if we count the days since then, these are actually T-minus-4131-day vulnerabilities and counting.

According to plenty of reporting on this subject, exploitation of the flaws was first noticed at the beginning of January, and since that time the traffic has increased by orders of magnitude. A sophisticated group of attackers out of China dubbed Hafnium initially used these vulnerabilities, but now it’s a free-for-all as other groups attempt to grab MSE real estate and launch further attacks from these persistent, sometimes mission-critical beachheads.

What is also pretty amazing about this activity is how quickly it moved from unknown to automatically breached. Over a matter of days the number of potential victims went from 30,000 to 60,000 or more, and organizations are still scrambling just to identify the targets in their attack surface to protect them, all while the malicious actors leverage automated scanners and scripts to easily find and exploit targets.
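As an added illustration, not CyCognito's code or platform logic, the following Python triages a constructed asset inventory using the versions and dates stated above: it reproduces the day count, applies the patch-or-take-offline choice discussed later in the post (with the isolate-and-monitor option from the opening section for hosts that are not internet-exposed), and produces per-customer counts in the shape of Table 1. Realm and host names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
# Dates and versions as stated in the post.
MSE_2010_RELEASE = date(2009, 11, 9)
MSE_2010_END_OF_SUPPORT = date(2020, 10, 13)
DISCLOSURE = date(2021, 3, 2)            # Microsoft's out-of-band notification
AFFECTED_VERSIONS = {"2010", "2013", "2016", "2019"}

@dataclass
class Asset:
    realm: str              # customer / owner, as in Table 1
    hostname: str
    product: str            # "exchange" or something else
    version: str
    internet_exposed: bool
    patched: bool = False

def days_since(start: date, today: date = DISCLOSURE) -> int:
    """The "T-minus-N-day" figure: days an unknown flaw has been live."""
    return (today - start).days

def triage(asset: Asset, today: date = DISCLOSURE) -> str:
    """Recommended action for one inventory record."""
    if asset.product != "exchange" or asset.version not in AFFECTED_VERSIONS:
        return "not-affected"
    if asset.patched:
        return "patched"
    if asset.version == "2010" and today > MSE_2010_END_OF_SUPPORT:
        return "take-offline-or-replace"   # out of support: no patch path
    if asset.internet_exposed:
        return "patch-now"                 # reachable by the mass scanning
    return "patch-and-keep-isolated"       # behind firewall/VPN: patch, keep monitoring

def vulnerable_counts_by_realm(assets, today: date = DISCLOSURE) -> dict:
    """Per-realm count of internet-exposed MSE assets still at risk (Table 1 shape)."""
    counts = {}
    for a in assets:
        if a.internet_exposed and triage(a, today) not in ("not-affected", "patched"):
            counts[a.realm] = counts.get(a.realm, 0) + 1
    return counts

# Constructed sample inventory (hypothetical realms and hosts).
SAMPLE = [
    Asset("realm-a", "mail1.example", "exchange", "2013", True),
    Asset("realm-a", "mail2.example", "exchange", "2010", True),
    Asset("realm-a", "mail3.example", "exchange", "2019", True, patched=True),
    Asset("realm-b", "owa.example", "exchange", "2016", True),
    Asset("realm-b", "legacy.example", "exchange", "2016", False),
    Asset("realm-c", "web.example", "iis", "10", True),
]
```

Calling days_since(MSE_2010_RELEASE) returns the post's 4131 days.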

Vulnerability scanning and penetration tests provide security hygiene, but not a full picture of what attackers are most likely to target. Using CyCognito to understand the risks that are present informs how to scope a pen test and even select the methodology.

Megan Bell, Chief Privacy and Security Officer

CyCognito Knows Assets

At CyCognito, the age (or newness) of exposed assets is not a problem. Our research team quickly created detections for these vulnerabilities and combed through our collected data to determine which assets were affected and who owned them. We did this in a matter of hours, most of which was spent determining the correct data to query from our immense store of attack surface information. As you can see in the table to the right, the sample output from our customer base showed that 21 customers had one or more internet-exposed MSE systems vulnerable to attack. We notified these customers immediately, along with the IP addresses of the affected assets.

Table 1. CSV extracted from the CyCognito platform of customers (realms) and counts of MSE assets vulnerable to this attack

By using the CyCognito platform’s unique attack surface graph mapping discovery engine, our customers have the essential information they need to find all of the assets in their attack surface that may be compromised by this attack. The choices then are to patch the system or take it offline. By the way, I found it heartening that it took a bit of hunting to find example systems for the screenshot, because most had simply been taken completely offline by our customers. In the CyCognito platform today, this was the view for one customer:

Figure 3. CyCognito platform showing filtering to vulnerable systems (locations obfuscated to protect confidentiality)

Takeaways and Next Steps

If you weren’t using the CyCognito platform before this attack, then I hope you were using some other e-mail system, or any of the many solutions available like Google or Microsoft 365 which were unaffected by this.

If you were, by chance, running MSE, and certainly if you’re running older MSE systems, there may still be time to identify these systems and patch them, or "nuke them from orbit"... sometimes it’s the only way to be sure, as noted in the famous quote from Ellen Ripley (Sigourney Weaver) in the movie Aliens, just a few days late for International Women’s Day.

And if you’re interested in seeing what CyCognito can do to help you know all of your internet-exposed assets, I recommend you watch our 8-minute demo video.

About Jim Wachhaus

Jim Wachhaus, Director of Technical Product Marketing, has been in technical roles on cybersecurity products for over two decades and is passionate about the discipline of cyber system defense.