Microsoft Exchange still needs your attention

The last word has not yet been spoken about the recent Microsoft Exchange vulnerabilities and Hafnium, a Chinese state-affiliated group of hackers whose main purpose is espionage. Unfortunately, as it turns out, we cannot put the situation behind us just yet.

What happened?

Hackers gained access to an Exchange environment through a vulnerability in Microsoft Exchange and set up persistence. After this they obtained the required credentials, were able to decrypt the system data and collect data. Basically, four vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) were used for this. The first vulnerability allows for authenticated access to the Exchange server. The other three made it possible to use this access to write files to the server and to execute code on it.

These CVEs were announced almost a month ago and the patches from Microsoft have also been available for several weeks. Still, not all companies have succeeded in patching their Exchange servers. So unfortunately it is very well possible that your own organization has become a victim of a ‘sneaky’ intruder without realizing it. Obviously, patches applied after the fact will do nothing to stop an attacker who has already penetrated the system. If you want to be sure you are safe, you will have to actively look for a possible breach, so that the necessary action can be taken.

Why does this matter?

A critical fact is that the persistence and credentials acquired earlier can also be used for a second phase, also called a ‘secondary breach’. Because of these vulnerabilities, it is now possible to move laterally through the infrastructure and reach sensitive data. The great danger in this case is that this sensitive data is either distributed or encrypted and then used to extort the organization.

From this situation we learn that patching servers should be a standard priority. But we also see that an attack is not routinely noticed by every company, which can cause enormous damage.

Would you like more insight into your threat landscape?

Contact us via or call +31 (0)33 4500 370 and we will gladly inform you about the possibilities of detecting and mitigating recent and new attacks.