MS Exchange Attack: Staying on Top of the Intelligence for the Latest Exploits

Earlier this month Microsoft announced four zero-day vulnerabilities for Microsoft Exchange that were actively being exploited. The vulnerabilities were not disclosed prior to exploitation and now it is known that tens of thousands of Exchange servers are likely compromised by about 10 different hacking groups – some affiliated with nation-state actors including China. 

 

MS EXCHANGE ATTACK STAYING ON TOP OF THE INTELLIGENCE

 

Due to the widespread nature of the attack, and the fact that an estimated 40,000 Microsoft Exchange servers are still vulnerable, GitHub removed exploit code from their repository, stating they needed to balance service to the community against the potential for wide-spread attacks. 

However, we have observed through intelligence automatically gathered by the CYR3CON platform that there are multiple venues outside of GitHub where exploit code is still available. This illustrates a common theme we have observed regarding intelligence: a multi-sourced approach will provide better coverage as opposed to over-reliance on a single source.  We show an example of this for one of the vulnerabilities below. 

 

 

Example intelligence from the CYR3CON platform for CVE-2021-26855. Note the availability of exploit code outside of GitHub, which recently took exploit code off their site. 

Threat and vulnerability management (TVM) teams have a lot on their hands outside of maintaining access to various data sources to stay on top of the intelligence problem. Even well-known and reputable sources like NIST, ExploitDB, and those provided as standard fare by vulnerability management vendors suffer from incompleteness. One of the goals of CYR3CON was to put external sources of vulnerability intelligence together in a single location – and this allows TVM teams to stay on top of the latest exploits without maintaining access to a large number of data sources. 

Ready to learn more? Contact us today to see how machine learning and a different approach to vulnerability management leads to reduced risk for our customers.