6.3.21


Microsoft rushes out fixes for four zero‑day flaws in Exchange Server

At least one of the vulnerabilities is being exploited by multiple cyberespionage groups to attack targets, mainly in the US, per ESET telemetry

 By Amer Owaida

Microsoft has rushed out emergency updates to address four zero-day flaws affecting Microsoft Exchange Server versions 2013, 2016, and 2019. Threat actors have been observed exploiting the vulnerabilities in the wild to access on-premises Exchange servers, which allowed them to steal emails, download data, and compromise machines with malware for long-term access to the victim networks. Due to the severity of the threat, the Redmond tech titan is urging users to patch their systems immediately.

Indexed as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, the security loopholes are being exploited by the attackers as part of an attack chain. Microsoft’s decision to issue an out-of-band update instead of releasing the fixes as part of its monthly Patch Tuesday bundle underscores the seriousness of the threat. Microsoft attributed the attacks to a relatively little-known Advanced Persistent Threat (APT) group codenamed Hafnium.

According to ESET telemetry, at least one of the vulnerabilities is being targeted by multiple cyberespionage groups, to wit LuckyMouse (also known as Emissary Panda or APT27), as well as Tick and Calypso. The flaw, indexed as CVE-2021-26855, is a pre-authentication server-side request forgery (SSRF) vulnerability that lets an attacker send arbitrary HTTP requests to a vulnerable server and have them authenticated as the Exchange server itself.
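For defenders who want a concrete check rather than a description, the following is an added example (not code from the article, ESET or Microsoft) that scans an Exchange HttpProxy log for the footprint of CVE-2021-26855 exploitation: requests with no authenticated user whose AnchorMailbox value begins with ServerInfo~ and names a backend path. That indicator is assumed here from Microsoft's publicly released detection guidance, not from this page; the subset of log columns, every sample row and the IP addresses are constructed so the script runs offline.

```python
import csv
from collections import Counter

# Constructed sample of an Exchange HttpProxy log. Real logs carry many more
# columns; only the ones this check needs are included, and every row is made up.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T10:00:01.000Z,/owa/auth/logon.aspx,,,203.0.113.7,200
2021-03-03T10:00:05.000Z,/ecp/default.flt,,ServerInfo~localhost/autodiscover/autodiscover.xml,203.0.113.7,200
2021-03-03T10:01:12.000Z,/ecp/y.js,,ServerInfo~localhost/mapi/nspi,203.0.113.7,500
2021-03-03T10:02:30.000Z,/owa/,alice@corp.example,Sid~S-1-5-21-1,198.51.100.22,200
"""


def parse_httpproxy_log(text):
    """Parse a '#Fields:'-headed CSV log into a list of dicts keyed by column name.

    Other '#' comment lines are skipped; parsing by header name (instead of fixed
    column positions) keeps the check working on real logs with extra columns.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row encountered before a #Fields header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def find_ssrf_candidates(rows):
    """Return rows matching the assumed CVE-2021-26855 indicator.

    An unauthenticated request (empty AuthenticatedUser) should never be routed
    with an anchor of the form 'ServerInfo~<host>/<path>'; that shape appears
    when the attacker supplies the backend target through the SSRF.
    """
    hits = []
    for row in rows:
        anchor = row.get("AnchorMailbox", "")
        if row.get("AuthenticatedUser", "") == "" and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append(row)
    return hits


def summarise_by_client(hits):
    """Count suspicious requests per source IP so a single scanner stands out."""
    return dict(Counter(h.get("ClientIpAddress", "?") for h in hits))


if __name__ == "__main__":
    parsed = parse_httpproxy_log(SAMPLE_LOG)
    suspicious = find_ssrf_candidates(parsed)
    for h in suspicious:
        print(f"{h['DateTime']} {h['ClientIpAddress']} {h['UrlStem']} -> {h['AnchorMailbox']}")
    print("per-client counts:", summarise_by_client(suspicious))
```

A match is a reason to triage the host, not proof of compromise by itself; pair it with the patch level of the server and any unexpected files under the web directories before drawing conclusions.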

While most attacks have been observed to be against servers located in the United States, APT groups have been targeting the servers of governments, law firms, and private companies in other parts of the world, Germany in particular.


Complete article: Microsoft rushes out fixes for four zero‑day flaws in Exchange Server | WeLiveSecurity