

Critical Microsoft Exchange Server Vulnerabilities and Attacks

If your organization uses on-premises, hosted, or hybrid Exchange visible from the Internet, please read and protect your organization!

Microsoft Exchange Servers Are Actively Being Targeted and Compromised

For the last month, Microsoft and other security firms have been shouting from the mountain tops about targeted attacks against on-premises, hosted, or hybrid (combination Exchange and Office 365) Exchange servers. These attacks take advantage of four security vulnerabilities in Exchange, leading to full email and server compromise, as well as potentially taking additional malicious actions, including ransomware. The primary threat actor involved is a new Chinese state-sponsored hacking group known as Hafnium. However, at least five additional threat actors are actively exploiting these same vulnerabilities.

Attacks have been ongoing since January but increased significantly in February. Microsoft released patches to mitigate these vulnerabilities on March 2, 2021, two months after the initial attacks were detected.

According to Steven Adair, president of the cybersecurity firm Volexity, “if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

Additionally, according to the National Security Council, applying known patches to Exchange servers is not remediation at this point. If you’re not sure whether your Exchange servers were compromised, you need to take immediate action and investigate for compromise and malicious activity, as well as monitor activity going forward. In particular, a web shell installed before your servers were patched will still be present and working after patching.

The former director of the Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, warned, “If your organization runs an OWA server exposed to the internet, assume compromise between February 26-March 3.” At SBS we have seen compromises as late as March 9.

Cybersecurity journalist Brian Krebs initially reported the compromise as affecting “at least 30,000” US-based organizations. That number has since grown to at least 60,000 US-based organizations compromised as of this writing.


How Do Web Shell Attacks Work?

Microsoft has been banging the drum on the dramatic increase in web shell attacks for quite some time now. According to Microsoft, a web shell is “typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow attackers to run commands on servers to steal data or use the server as a launch pad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while allowing attackers to persist in an affected organization.”

Example web shell encounters - Image courtesy of Microsoft

Web shells are typically installed via vulnerabilities in web applications on the internet-facing web server itself. Attackers constantly scan the internet (remember, your internet-connected devices are just IP addresses that can be scanned from anywhere, at any time) looking for vulnerable servers to attack. Attackers not only seek out known vulnerabilities that are unpatched, but also take advantage of new vulnerabilities that have been recently disclosed or are considered a zero-day vulnerability (no patch available).

Once implemented, a web shell can be one of the most effective forms of persistence an attacker can leverage to access the server or the rest of an organization’s network. A web shell that has been deployed and remains undetected essentially guarantees the attacker a backdoor into your network.
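A defender’s counterpart to the paragraph above, added here as an example rather than code from the original post: a small Python triage that walks a web root looking for script files whose content is not in a known-good hash baseline, and ranks the unknown ones by whether their modification time falls inside the compromise window this post cites (February 26 through March 9, 2021). The directory it scans is a constructed throwaway tree the script builds itself; the extension list, the window boundaries and the “baseline of hashes taken from a clean server” approach are assumptions of this example, not anything Exchange or Microsoft ships.

```python
"""Web-root triage for possible web shell files.

Added example, not code from the original post. The sample tree is
constructed; the extension list, window dates and baseline approach are
assumptions (see lead-in).
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Server-side and client-side script types worth reviewing (assumption; the post
# mentions .js and C# drops, and Microsoft's definition names ASP, PHP and JSP).
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp", ".js", ".cs"}
# Compromise window the post cites: Feb 26 through Mar 9, 2021 (end is exclusive).
WINDOW_START = datetime(2021, 2, 26, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 3, 10, tzinfo=timezone.utc)


def sha256_of(path: Path) -> str:
    """Hash file contents so the comparison is on what the file is, not its name."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_webroot(root, baseline_hashes, start=WINDOW_START, end=WINDOW_END):
    """Return script files whose hash is not in the baseline, ranked 'high' when
    their modification time falls inside the window and 'low' otherwise."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        digest = sha256_of(path)
        if digest in baseline_hashes:
            continue  # content matches a known-good file; timestamp is irrelevant
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "mtime": mtime.isoformat(),
            "sha256": digest,
            "priority": "high" if start <= mtime < end else "low",
        })
    return sorted(findings, key=lambda f: (f["priority"] != "high", f["path"]))


def build_sample_webroot():
    """Create a throwaway directory of constructed files (none are real Exchange
    content) and return its path plus a baseline holding the one 'shipped' file."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))

    def put(rel, content, when):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
        os.utime(target, (when.timestamp(), when.timestamp()))
        return target

    shipped = put("owa/auth/logon.aspx", "<%-- constructed stand-in for a shipped page --%>",
                  datetime(2021, 3, 2, tzinfo=timezone.utc))
    put("aspnet_client/system_web/unexpected.aspx", "<%-- constructed unknown file --%>",
        datetime(2021, 3, 3, tzinfo=timezone.utc))
    put("ecp/static/old.js", "// constructed unknown file with an old timestamp",
        datetime(2020, 6, 1, tzinfo=timezone.utc))
    put("owa/readme.txt", "not a script type; ignored",
        datetime(2021, 3, 3, tzinfo=timezone.utc))
    return str(root), {sha256_of(shipped)}


if __name__ == "__main__":
    sample_root, baseline = build_sample_webroot()
    for finding in triage_webroot(sample_root, baseline):
        print(f"{finding['priority']:<5} {finding['mtime']}  {finding['path']}")
```

On a real server you would point triage_webroot at the IIS web root and the Exchange client-access directories and feed it hashes taken from a clean server of the same build. Treat the timestamp only as a ranking aid: modification times can be altered, which is why the hash comparison is the primary signal, and an empty result is not evidence that the server is clean.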


Web Shell Code Example

Example web shell code - Image courtesy of Microsoft

The following CVEs were issued by MITRE once these zero-day exploits were announced by Microsoft.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.  


Digging a Little Deeper

Exchange supports certain connectivity tests, as seen below.

Exchange connectivity test cmdlets - Image courtesy of Microsoft

For example, running this PowerShell cmdlet against Exchange returns the following information:

Test-OutlookWebServices -Identity: -MailboxCredential (Get-Credential)



Exploiting 26855 allowed the attacker to perform an SSRF that verified services on the server, most likely for recon or to build their attack list, and potentially caused the SSRF to spit back the admin console credentials. We saw quite a few HTTP proxy logons with Autodiscover requests in the HTTP proxy logs for this vulnerability, meaning they were using it to authenticate to the server’s HTTP proxy through IIS.

Exploiting 26858 allowed the attacker to write a file to any directory on the Exchange server once they were authenticated via 26855. In many cases they didn’t do this right away; sometimes it was 4 to 10 hours later, and in some cases days later. Exploitation of 26858 appeared in the OAB (Offline Address Book) Generator logs. In many cases we investigated, there were many cmdlet attempts to expose the OAB and even mirror it to their own server. This was part of the full attack, but we saw many of the attacks stop here.

Exploiting 27065 allowed the attacker to write a file to any directory on the Exchange server once they were authenticated via 26855. In many cases they didn’t do this right away either; sometimes it was 4 to 10 hours later, and in some cases days later. This was the stage where they would install their web shell. The two web shells we encountered while helping customers with incident response were China Chopper and Sapphire Pigeon. Exploitation of 27065 appeared in the ECP (Exchange Control Panel) logs. We saw instances of the web shell being dropped as .js code and instances in C# code.

Exploiting 26857 allowed the attacker to run their web shells as SYSTEM on the Exchange server and, from there, move further into the Exchange server and laterally to other servers on the network. Below is a depiction from Microsoft of what the attacker could accomplish once at this point in the attack.
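The log sources named in the stages above lend themselves to a single triage pass. The following Python is an added example, not code from the original post or from Microsoft: it checks constructed excerpts of the HTTP proxy, OAB generator, ECP server and Application event logs for the indicator associated with each CVE. The line and column layouts are simplified stand-ins for the real logs, the OAB temp directory path is assumed, and the indicator patterns themselves (an unauthenticated HTTP proxy request whose AnchorMailbox reads ServerInfo~host/path, an OAB temporary file written outside the OAB temp folder, a Set-OabVirtualDirectory.ExternalUrl entry in the ECP server log, and a Unified Messaging error carrying System.InvalidCastException) are taken from Microsoft’s published HAFNIUM guidance rather than from this page.

```python
"""Triage of constructed Exchange log excerpts for the four CVEs above.

Added example, not code from the original post or from Microsoft. Log
layouts are simplified stand-ins, the OAB temp path is assumed, and the
indicator patterns come from Microsoft's published HAFNIUM guidance.
"""
import csv
import io
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    source: str
    evidence: str


# Assumed location of legitimate OAB temporary files (lower-cased for comparison).
OAB_TEMP_DIR = r"c:\program files\microsoft\exchange server\v15\clientaccess\oab\temp"


def check_httpproxy(csv_text: str) -> list[Finding]:
    """CVE-2021-26855 (SSRF): an unauthenticated request whose AnchorMailbox
    value looks like ServerInfo~<host>/<path>."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        anchor = row.get("AnchorMailbox", "")
        if not row.get("AuthenticatedUser") and re.match(r"ServerInfo~[^/]+/", anchor):
            findings.append(Finding("CVE-2021-26855", "HttpProxy",
                                    f"{row['DateTime']} {row['UrlStem']} AnchorMailbox={anchor}"))
    return findings


def check_oabgenerator(lines: list[str]) -> list[Finding]:
    """CVE-2021-26858 (arbitrary file write): the OAB generator reports a
    temporary file that landed outside its own temp directory."""
    findings = []
    for line in lines:
        match = re.search(r"Download failed and temporary file '([^']+)'", line)
        if match and not match.group(1).lower().startswith(OAB_TEMP_DIR):
            findings.append(Finding("CVE-2021-26858", "OABGeneratorLog", match.group(1)))
    return findings


def check_ecp(lines: list[str]) -> list[Finding]:
    """CVE-2021-27065 (arbitrary file write via ECP): a Set-OabVirtualDirectory
    call rewriting ExternalUrl, the stage at which the web shell was dropped."""
    marker = "S:CMD=Set-OabVirtualDirectory.ExternalUrl="
    return [Finding("CVE-2021-27065", "ECP", line.strip()) for line in lines if marker in line]


def check_um_events(events: list[dict]) -> list[Finding]:
    """CVE-2021-26857 (UM deserialization): an Error from the Unified Messaging
    source whose message carries an InvalidCastException."""
    return [
        Finding("CVE-2021-26857", "Application", event["Message"][:80])
        for event in events
        if event.get("Source") == "MSExchange Unified Messaging"
        and event.get("Level") == "Error"
        and "System.InvalidCastException" in event.get("Message", "")
    ]


def triage(httpproxy_csv, oab_lines, ecp_lines, um_events) -> list[Finding]:
    """Run every check and return findings in CVE order 26855, 26858, 27065, 26857."""
    return (check_httpproxy(httpproxy_csv) + check_oabgenerator(oab_lines)
            + check_ecp(ecp_lines) + check_um_events(um_events))


# --- Constructed sample data; none of these are real log lines ---
SAMPLE_HTTPPROXY = """DateTime,AuthenticatedUser,AnchorMailbox,UrlStem
2021-03-02T04:12:09,,ServerInfo~exch01.corp.example/autodiscover/autodiscover.xml,/ecp/
2021-03-02T04:15:30,CORP\\jdoe,jdoe@corp.example,/owa/
2021-03-02T04:16:02,,,/owa/auth/logon.aspx
"""
SAMPLE_OAB = [
    r"2021-03-02T09:01:44 Download failed and temporary file 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp\abc.lzx' retained",
    r"2021-03-02T09:02:10 Download failed and temporary file 'C:\inetpub\wwwroot\aspnet_client\unexpected.aspx' retained",
]
SAMPLE_ECP = [
    "2021-03-02T09:05:51,S:CMD=Get-OabVirtualDirectory;S:REQID=1",
    "2021-03-02T09:06:03,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://example.invalid/placeholder';S:REQID=2",
]
SAMPLE_UM_EVENTS = [
    {"Source": "MSExchange Unified Messaging", "Level": "Error",
     "Message": "Unhandled exception: System.InvalidCastException: Unable to cast object"},
    {"Source": "MSExchange Unified Messaging", "Level": "Information",
     "Message": "Service started."},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HTTPPROXY, SAMPLE_OAB, SAMPLE_ECP, SAMPLE_UM_EVENTS):
        print(f"{finding.cve:<15} {finding.source:<16} {finding.evidence}")
```

Each check is deliberately narrow and independent, so a hit in one source is a reason to pull the full record set around that timestamp from the others, which is how the 4-to-10-hour gaps between the SSRF and the file write stages become visible.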


Example web shell attack chain - Image courtesy of Microsoft


Who is Hafnium?

According to Microsoft, “HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

In banking we are mainly seeing probes and some web proxy logons in ECP, but in all cases so far they are looking around and then moving on. You may be thinking, “So, Buzz, we don’t need to worry about this then?” You absolutely do. As of March 8, other groups are starting to exploit these vulnerabilities. Hafnium seems to have been first to the plate, with compromises from January 2021 to the present. These new actors could be anyone looking to get sensitive information out of your email or servers. Even if you were breached by Hafnium only, you need to determine whether any sensitive information was exposed and report it to the proper regulators and customers.


What Should I Do?

This blog post by Microsoft has good information in it:

This CISA article has a lot of great information in it as well:

  1. You’ll want to first run this script if you think you might be affected. It will search the various log points for IoCs.
  2. Next, if the previous script confirms compromise, run this script to make sure your server is fully patched and has no active web shells on it. MSERT (Microsoft Safety Scanner) is the Microsoft tool this script uses to find and remove active web shells.
  3. We strongly suggest that if your server had a web shell that you have the SBS incident response team or a similar digital forensics firm perform forensics on your system to make sure nothing else was infiltrated or exfiltrated. Attackers continue to use these exploits and web shells to further infiltrate government and corporate organizations.


Were there any warning signs this was coming?

Microsoft tipped their hat to these attacks before they could publicly release it here:


Other Notable Resources


Written by: Buzz Hillestad, Senior Information Security Consultant and DFIR Team Lead
SBS CyberSecurity


SBS Resources:
SBS CyberSecurity has been helping organizations identify and understand cybersecurity risks to make more informed business decisions since 2004. If your organization is looking to better understand your cyber risk; build, maintain, or test your cybersecurity program; and make smarter, more informed cybersecurity business decisions, SBS can help.

  • {Service} Incident Response Team: If your organization needs immediate assistance with an active incident or security breach situation, call (605) 923-8722 to speak to our Incident Response Team.
  • {Blog} Indicators of Compromise: If someone was in your network, would you know? If someone was sending your data out the back door of your network, could you tell? To answer these questions, you must first understand your networking environment and what "normal" in that environment looks like. How do you start to figure out what "normal" looks like on your network? Here's a start.



Posted: Monday, April 12, 2021
Categories: Blog