Microsoft Exchange and Verkada Hacks: Isolate Your Apps and APIs from the Internet Cesspool
Co-written by: Ryan Barnett
AppSec Protections for Microsoft Exchange CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
On March 2, 2021, the Microsoft Security Response Center alerted its customers to several critical security updates to Microsoft Exchange Server, addressing vulnerabilities currently under attack.
The United States Computer Emergency Readiness Team Cybersecurity and Infrastructure Security Agency also issued an alert with recommendations on how to mitigate the vulnerabilities.
CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.
CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.
To locate a possible compromise of these CVEs, we encourage you to read the Microsoft Advisory.
How Akamai can help
Customers that use Akamai web application firewall (WAF) solutions, Kona Site Defender and Web Application Protector, with the Automated Attack Groups engine received an automatic update for protection. If you use Automated Attack Groups, we recommend you set all of the attack groups, but specifically the Web Platform Attack Group, to “Deny” to prevent these exploitation attempts.
Kona Site Defender customers using Kona Rule Set (KRS) should update the profile and enable newly released rules ID 3000083 and 3000084 in the Total Request Score (Inbound) attack group in order to protect against attempts to exploit the following CVEs:
CVE-2021-26855, which is the SSRF vulnerability
CVE-2021-27065, which is being used to upload webshells
To protect against attempts to exploit Exchange Server vulnerabilities, Akamai recommends that either the attack group or the individual KRS rules be put into Deny mode.
Akamai's research and intelligence teams observed that attackers have been quick to automate their target identification and exploitation attempts. A variety of existing controls in Akamai's security portfolio are designed to detect these attempts:
WAF -- Rate Controls, TOR IP Blocklist, and Penalty Box are all also detecting and blocking this scanning traffic
Client Reputation -- the "Web Scanner" and "Web Attacker" categories are identifying many attackers searching for vulnerable targets
Bot Management -- controls detect the incoming traffic as automated or from anonymous proxies
If you have any questions, please reach out to Akamai Support Services or your account team.
Global attack intelligence
Over the last 48 hours on our global platform we have observed:
290,000 unique attempts to scan and/or exploit these vulnerabilities
952 unique IPs involved in these attempts
731 of these unique IPs were identified by Akamai Client Reputation threat intelligence as known web scanners or web attackers with a median score of 9.6 out of 10
23,910 unique hosts targeted
80% of attack activity targeted against Commerce, High-Tech, Financial Services, and Manufacturing verticals
90% of all attack attempts targeted against organizations in the United States, Austria, India, Canada, Germany, France and the United Kingdom
Assetnote and Qualys were the top two known scanners
Figure: Attack sources; the top number represents the number of requests and the bottom number represents the number of IPs
Recommended steps
We've confirmed active attempts of exploitation of Microsoft Exchange/Outlook Web Access zero-day vulnerabilities.
Successful exploitation allows an unauthenticated attacker to execute arbitrary code and install webshells on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system.
Akamai customers that have Exchange/Outlook Web Access protected by either Kona Site Defender using the Automated Attack Groups rule set or the Web Application Protector product have already received an automatic update to the Platform Attacks Group. In addition, you can achieve mitigation and remediation by following these steps:
If you are a Kona Site Defender customer using the Kona Rule Set, activate the new rules to receive protection.
Deploy updates to affected Exchange Servers as recommended by Microsoft and enable the Akamai protections as recommended above.
Investigate for exploitation or indicators of persistence.
Remediate any identified exploitation or persistence and investigate their environment for indicators of lateral movement or further compromise.
You should also consider implementing Zero Trust Network Access (ZTNA) to be able to weather software vulnerabilities like these. Unlike the traditional "verify, then trust" model -- which means if users have the correct credentials, they are admitted to whichever site, app, or device they request -- ZTNA dictates that users and devices are never trusted and can only access applications and data after passing a secure authentication and authorization process that does not solely rely on user credentials. You can read more about how ZTNA can protect corporate resources in the context of these Microsoft Exchange vulnerabilities in the blog post, Microsoft Exchange and Verkada Hacks: Isolate Your Apps & APIs from the Internet Cesspool.
