Huntress Labs has pushed out a blog detailing live attacks against Microsoft Exchange servers. It has reported that: “Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that were patched earlier this year.” Attackers are also deploying malware on affected servers including the LockFile ransomware.
The attacks are exploiting known Microsoft vulnerabilities for which THERE ARE PATCHES. That’s right. These attacks are exploiting unpatched servers where organisations have ignored patches for their infrastructure. Dave Kleinatland, researcher at Huntress Labs, did some analysis on approximately 1,900 Exchange servers that Huntress monitors. It shows when these servers were last patched. ALL 1,900 show that they have not had patches for at least two of the CVEs that are being exploited.
A tale of three CVEs and three updates
The three CVEs in question are CVE-2021-21207 (patch issued May 2021), CVE-2021-34473 (patch issued July 2021) and CVE-2021-34523 (patch issued July 2021). They affected Exchange Server 2013, 2016 and 2019.
According to the blog, the attackers are using the “three chained Exchange vulnerabilities to perform unauthenticated remote code execution.” So far, Huntress Labs has reported over 100 separate incidents. How many organisations have responded and remediated their systems is not yet known.
On Saturday, Huntress Labs provided three updates relating to these attacks.
- Exchange 2010 is not affected but is an end-of-life product and should not be used.
- Across August 2021, five different webshells were deployed to vulnerable Exchange servers. The most common of these is XSL Transform, with over 130 occurrences recorded.
- Huntress Labs published its analysis of 1,900 Exchange servers and when they were last patched. It also worked with industry security researchers Kevin Beaumont and Rich Warren to corroborate some attacks. That corroboration confirmed that a number of webshell and LockFile ransomware incidents may be related to this attack.
Enterprise Times: What does this mean?
It is hard to be surprised when another set of attacks is reported exploiting vulnerabilities for which there are patches. Organisations continue to be lazy and make poor risk assessments when deciding whether or not to patch. In this case, it seems that those who ignored the well-publicised Microsoft patches are beginning to pay the price.
However, as with many Exchange attacks, this is about more than just those companies. Once inside an Exchange server, attackers will look to exploit the trust between the compromised organisation, its customers and its suppliers. It can lead to phishing, business email compromise, credential theft and other attacks.