Exchange hack: new patches and new findings

[German]Microsoft issued more out-of-band updates for older Microsoft Exchange Server CUs (which have already fallen out of support) last night. In addition, it is now clear, when the attack waves started and what could have protected against the hack, although four 0-day exploits existed for months. Let me summarize some new information in this post.


The mass hack by the suspected Chinese hacker group Hafnium does send shockwaves through the Microsoft universe. Many administrators and also Microsoft seem to have been caught on the wrong foot. The end of the line does not seem to have been reached yet.

New out-of-band updates

The night has arrived a mail from Microsoft, in which on newly released special updates for older cumulative Exchange Server updates, which have fallen out of support, provides. This affects Exchange Server 2016 CU 16, CU 15 and CU14, and Exchange Server 2019 CU 6, CU 5 and CU 4. Here's the text of the notification:

Title: Microsoft Security Update Releases
Issued: March 8, 2021


The following CVEs have undergone a major revision increment:


Critical CVEs
* CVE-2021-26855
* CVE-2021-27065
* CVE-2021-26857

Important CVEs

* CVE-2021-26858

Publication information

– Microsoft Exchange Server Remote Code Execution Vulnerability
– See preceding list for links
– Version 2.0
– Reason for Revision: Microsoft is releasing security updates for CVE-2021-27065,
   CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several Cumulative Updates
   that are out of support, including Exchange Server 2019 CU 6, CU 5, and CU 4 and
   Exchange Server 2016 CU 16, CU 15, and CU14. These updates address only those CVEs.
   Customers who want to be protected from these vulnerabilities can apply these
   updates if they are not on a supported cumulative update. Microsoft strongly
   recommends that customers update to the latest supported cumulative updates.
– Originally posted: March 2, 2021
– Updated: March 8, 2021

If my information is correct, these updates for the older CUs should also show up for distribution under WSUS. Can anyone confirm this? For administrators, another link to the Microsoft Exchange Server build numbers and release dates page with a listing of the patches.  

Questions and answers

Due to the coverage here in the blog and in my article at German news magazine heise, some additional information has come up and questions have arisen. Here are a few things I'll briefly summarize.

When did waves of attacks occurred?

Occasionally, comments on the web say that the administrators did not patch in time and that it was their own fault. According to my information, blaming administrators and their patch management falls a bit short in some places.

German blog reader Stefan points in this comment to the site, which contains the information about the vulnerabilities and attacks. Proxylogon is about theCVE-2021-26855 vulnerability in Exchange Server, which allows an attacker to bypass authentication and impersonate an administrator. DEVCORE security researchers have combined this flaw with another post-Auth vulnerability CVE-2021-27065, which allows arbitrary file writing, to achieve code execution. This allows an unauthenticated attacker to execute arbitrary commands on Microsoft Exchange Server through an open 443 port. 

  • As early as 2019, DEVCORE security researchers pointed out the risks – gave a lot of media attention, nothing happened with Exchange.
  • In October 2020, the security researchers took on Exchange Server and found the vulnerability CVE-2021-26855 on December 10, 2020.
  • Two vulnerabilities were reported to Microsoft on December 27 and December 30, 2020, and were confirmed by MSRC on January 6, 2021.
  • When security researchers followed up with Microsoft in February 2020 as to why no patch was coming on February 2, 2021, Microsoft say something about tests and will meet the 120-day dead line of release with patches.

As recently as mid-February 2021, Microsoft was planning to roll out Exchange updates on March 9, 2021 (patchday), but then brought the whole thing forward to March 2/3, 2021 in a swashbuckling action. Already on March 4, exploits became known that were used on a massive scale in the

  • In this German comment at heise, a reader states that targeted attacks began on January 6, 2021, and that large-scale Exchange servers were taken over and backdoored as early as February 26, 2021. 
  • Within this German comment at heise  a reader states that the majority of his Exchange servers, which were accessible from the Internet via port 443, were taken over on March 3, 2021, shortly after the updates were released. The remaining Exchange servers were hacked and taken over on March 4 and 5, 2021.

German blog reader Erlenmeyer also highlighted it again at heise in this comment. Krebs on Security has here a more detailed timeline, but some dates are differs from the figures above. The only salvation for many Exchange admins would have been if a patch or warning had come in mid-January 2021. 

The whole thing reminds me of the Shitrix issue, where I had something on the blog on December 20, 2019 and then again on January 3, 2020. Then just over a week later there were the hacks or ransomware infections in companies and municipalities that exploited this vulnerability.

And two more thoughts. I'm always told (off the record) that there are Thread Intelligence solutions running along with Microsoft Defender ATP that protect against unknown threats. I may be wrong, but I can't shake the feeling that these great solutions were blind to the attacks (reminiscent of SolariGate, where the US solution Einstein didn't notice anything either). Below is a tweet from March 3, 2021 that still talks about limited attacks – German reader Erlenmeyer dug this up again. And it crystallizes that the Microsoft monoculture not only creates fatal dependencies but also a space-consuming attack surface.  

Exchange 0-day-Exploits

Does a reverse proxy protect?

There was comments at heise in the forums and also in the German blog that using a reverse proxy would prevent the attack. I'm not into that, but the reverse proxy is often used for performance optimization – but could also be used for firewall features. If firewall filtering is done on specific IP addresses or pre-authentification against AD, that may have helped. But I refer to this German comment, where Christoph points out that 95% of customer systems were running behind reverse proxy servers and yet some were compromised. 

The only effective protection that probably existed prior to the release of the unscheduled Exchange security updates was to disable or filter communications over port 443.

Why is Exchange Online not affected?

Microsoft itself states in its support posts that Exchange Online is not affected by the vulnerabilities. I did not search specifically, but found a discussion and possible explanation in this heise comment. The short version: Exchange Online does not have a publicly accessible Exchange Control Panel (ECP).

Similar articles
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers
Cyber attack on Exchange server of the European Banking Authority

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *