Exploits on Organizations Worldwide Tripled after Microsoft's Revelation of Four Zero-days

By VARINDIA - 2021-03-15

Following the revelation of four zero-day vulnerabilities currently affecting Microsoft Exchange Server, Check Point Research (CPR) discloses its latest observations on exploitation attempts against organizations that it tracks worldwide.

Adi Ikan, Head of Network Research and Protection

Lotem Finkelsteen, Head of Threat Intelligence

Yaniv Balmas, Check Point's Head of Cyber Research

Sagi Tzadik, Security Researcher

· CPR has seen hundreds of exploit attempts against organizations worldwide

· In the past 72 hours alone, CPR has observed that the number of exploitation attempts has multiplied by more than 6 times

· The country most attacked has been the United States (21% of all exploit attempts), followed by the Netherlands (12%) and Turkey (12%).

· The most targeted industry sector has been Government/Military (27% of all exploit attempts), followed by Manufacturing (22%) and Software vendors (9%).

Since the recent disclosure of the vulnerabilities in Microsoft Exchange Server, a full race has started between hackers and security professionals. Global experts are mounting massive preventive efforts to counter attackers who are working day in and day out to produce an exploit that successfully leverages the remote code execution vulnerabilities in Microsoft Exchange.

CPR has outlined the disclosed vulnerabilities, the targeted organizations by country and industry, and recommendations to prevent the attacks that are still to come.

Current attack attempts in numbers

The country most attacked has been the United States (21% of all exploit attempts), followed by the Netherlands (12%) and Turkey (12%).

The most targeted industry sector has been Government/Military (27% of all exploit attempts), followed by Manufacturing (22%) and Software vendors (9%).

Behind-the-scenes of the Zero Days

On March 3, 2021 Microsoft released an emergency patch for its Exchange Server product, the most popular mail server worldwide. All incoming and outgoing emails, calendar invitations and virtually anything accessed within Outlook goes through the Exchange server.

Orange Tsai (Cheng-Da Tsai) from DEVCORE, a security firm based in Taiwan, reported two vulnerabilities in January. Unaware of the full magnitude of these findings, Microsoft was prompted to investigate its Exchange server further. The investigation uncovered five more critical vulnerabilities.

The vulnerabilities allow an attacker to read emails from an Exchange server without authenticating or accessing an individual's email account. Further vulnerability chaining enables attackers to completely take over the mail server itself.

Once an attacker takes over the Exchange server, they can open the network to the internet and access it remotely. As many Exchange servers have internet exposure (specifically the Outlook Web Access feature) and are integrated within the broader network, this poses a critical security risk for millions of organizations.

[Image: Orange Tsai (Cheng-Da Tsai) teaser for pre-authentication remote code execution chain on Twitter, Jan 05, 2021.]


What organizations are at risk?

If your organization's Microsoft Exchange server is exposed to the internet, and has not been updated with the latest patches or protected by third-party software such as Check Point, then you should assume the server is completely compromised. Compromised servers could enable an unauthorized attacker to extract your corporate emails and execute malicious code inside your organization with high privileges.


Technical Explanation

· CVE-2021-26855 - a server-side request forgery (SSRF) vulnerability in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

· CVE-2021-26857 - an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gives HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

· CVE-2021-26858 - a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

· CVE-2021-27065 - a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.


Since the disclosure, CPR has received questions regarding the identity of the attackers, their motivation and the wider context of recent major hacks.

According to Lotem Finkelsteen, Manager of Threat Intelligence, Check Point Software,

"If your organization's Microsoft Exchange server is exposed to the internet, and if it has not been updated with the latest patches, nor protected by third-party software, then you should assume the server is completely compromised. In this attack, as in Sunburst, a particularly common platform was used as a front door for covert entry and prolonged stay within the network. Right now, the purpose of the attack and what cybercriminals wanted within the network is still unknown. What we do know is that compromised servers could enable an unauthorized attacker to extract your corporate emails and execute malicious code inside your organization with high privileges. Organizations that are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets."


Prevent Future Attacks and Remain Protected

Here are Check Point's recommendations to prevent future attacks and remain protected:

· Patch – immediately update all Microsoft Exchange Servers to the latest patched versions available from Microsoft. This update is not automatic and you are expected to perform it manually.

· Threat Prevention protections - Check Point provides comprehensive security coverage for the vulnerabilities reported by Microsoft with the following Threat Prevention protections:

IPS

o CVE-2021-26855 - CPAI-2021-0099

o CVE-2021-26857 - CPAI-2021-0107

o CVE-2021-26858 - CPAI-2021-0107

o CVE-2021-27065 - CPAI-2021-0099

Threat Emulation

o Trojan.WinsCVE-2021-27065.A

Anti-Virus

o HAFNIUM.TC.XXX

o Trojan.Win32.Hafnium.TC.XXX

Check Point Harmony Endpoint (formerly known as SandBlast Agent)

o Behavioral.Win.SuspExchange.A

o Behavioral.Win.SuspExchange.B

o Behavioral.Win.SuspExchange.C

o Behavioral.Win.SuspExchange.D
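The "at risk" rule above (internet-exposed plus unpatched means assume compromise) and the manual-patch recommendation can be turned into a per-server triage check. The following PowerShell is an added example for Exchange administrators, not Check Point's or Microsoft's code; it assumes it runs in the Exchange Management Shell on each server, and the patched build numbers in $PatchedBuilds are placeholders to be filled in from Microsoft's March 2021 security update announcement for each Exchange version.

```powershell
# Added example: triage one Exchange server against the article's risk rule.
# Assumption: $PatchedBuilds holds placeholder values; replace them with the
# ExSetup.exe file versions published by Microsoft for the March 2021 update.
$PatchedBuilds = @{
    '15.0' = [version]'15.0.0.0'   # Exchange 2013 (placeholder)
    '15.1' = [version]'15.1.0.0'   # Exchange 2016 (placeholder)
    '15.2' = [version]'15.2.0.0'   # Exchange 2019 (placeholder)
}

function Get-ExchangeInstalledBuild {
    # Security updates do not change AdminDisplayVersion (that only tracks
    # the Cumulative Update), so read the ExSetup.exe file version instead.
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    [version](Get-Item $exsetup).VersionInfo.FileVersion
}

function Test-OwaExternallyPublished {
    # An OWA virtual directory with an ExternalUrl is treated as internet
    # facing; confirm this against the firewall/NAT rules for the server.
    $owa = Get-OwaVirtualDirectory -Server $env:COMPUTERNAME -ADPropertiesOnly
    [bool]($owa | Where-Object { $_.ExternalUrl })
}

$build   = Get-ExchangeInstalledBuild
$key     = '{0}.{1}' -f $build.Major, $build.Minor
$patched = $PatchedBuilds.ContainsKey($key) -and ($build -ge $PatchedBuilds[$key])
$exposed = Test-OwaExternallyPublished

# The article's rule: exposed and unpatched means assume compromise and move
# to hunting (scan the network for live threats, assess all assets).
if ($exposed -and -not $patched) {
    $verdict = 'ASSUME COMPROMISED - hunt for live threats before anything else'
} elseif (-not $patched) {
    $verdict = 'Unpatched - apply the March 2021 update now (it is not automatic)'
} else {
    $verdict = 'Patched - still review logs for activity before the patch date'
}

[pscustomobject]@{
    Server         = $env:COMPUTERNAME
    InstalledBuild = $build.ToString()
    Patched        = $patched
    OwaExternalUrl = $exposed
    Verdict        = $verdict
}
```

Run it on every Exchange server rather than once per organization, since the build check reads the local ExSetup.exe.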
