There have been multiple cyberattacks on the Exchange Server since the beginning of 2021. Here’s a quick look at the timeline of the attacks on Microsoft Exchange Server and massive data breaches in 2021.
Microsoft Exchange is an enterprise email and calendaring server used by enterprises and government institutions worldwide. It stores highly confidential information and business data that, if breached, can cripple an organization. This makes Exchange Servers a prime target for cyberattacks by various state-sponsored and financially motivated threat actors.
Microsoft Exchange Server Data Breach 2021 Timeline
Cyberattacks on Microsoft Exchange Server began in early January 2021 when researcher Orange Tsai from DEVCORE, a security testing company, disclosed the Exchange Server vulnerabilities.
Orange Tsai reported a series of 4 zero-day vulnerabilities found on on-premises Exchange Servers 2013, 2016, and 2019, referred to as ProxyLogon.
In January 2021, Volexity, a cybersecurity organization, observed the first breach where attackers exploited the ProxyLogon vulnerability.
The ProxyLogon vulnerability is considered the most impactful and severe vulnerability found in the history of Exchange Server. It allowed the threat actors to bypass authentication and gain full access to the Exchange Server with administrative privileges. It also allowed the threat actors to compromise the network and access other devices connected to the same network.
Attackers installed web shells, such as China Chopper, and backdoors to access the servers later, even when the servers are fully patched and no longer vulnerable.
Although Microsoft had released the security updates on March 2, 2021 (for Exchange 2010 and later versions), the vulnerability had already led to multiple malicious attacks and massive data breaches on unpatched Exchange Servers by multiple threat actors, including an allegedly state-sponsored threat group called Hafnium.
The attackers compromised approximately 250,000 Exchange Servers (including 30,000 in the US and 7,000 in the UK) as of March 9, 2021, by exploiting the ProxyLogon vulnerabilities.
Later, researchers disclosed more ‘proxy’ (authentication bypass) vulnerabilities, such as ProxyOracle, ProxyShell, and ProxyToken, leading to multiple ransomware attacks and data breaches on the Exchange Servers.
Here’s how it went and still going on.
Volexity, a US-based security firm, on January 3, 2021,reported attacks on Exchange Server where threat actors were exploiting the Server-Side Request Forgery (SSRF) vulnerability CVE-2021–26855, which was later dubbed as ProxyLogon.
Orange Tsai at DEVCORE, Volexity, and Microsoft Threat Intelligence Center (MSTIC) notified Microsoft of ProxyShell vulnerability on January 5, 2021. Orange Tsai also tweeted about the Remote Code Execution (RCE) vulnerability publicly on January 5.
On January 17, 2021, Orange Tsai reported two more Common Vulnerabilities and Exposures — CVE-2021–31196 and CVE-2021–31195, referred to as ProxyOracle.
Dubex, a security firm based in Denmark, is believed to have noted the first active exploitation of Microsoft Exchange UMWorkerProcess vulnerability known as CVE-2021–26857 on January 18, 2021. Dubex reported the vulnerability and its findings to Microsoft 10 days later, on January 27, 2021.
On February 2, 2021, Volexity provided more information on attacks to Microsoft that started occurring on January 3, 2021.
DEVCORE, with Volexity and MSTIC, reached out to Microsoft on February 18, 2021, requesting the patch release timeline. On February 27, 2021, Microsoft informed DEVCORE that they are ready to release Exchange Server security updates to patch the ProxyLogon vulnerability.
It is also important to note that the cybersecurity firms and community started seeing spikes in exploitation activities by multiple threat actors and groups on the same day.
Microsoft had planned to release the security patches on March 9, 2021, to patch the four zero-day vulnerabilities (ProxyLogon). However, the updates were released a week earlier, as we know, on March 2, 2021.
They also warned users about the active exploitation of ProxyLogon vulnerability by a threat group named Hafnium, allegedly backed by China.
However, after the release of security updates and publication of four zero-day CVEs, there was a sudden surge of malicious attacks on vulnerable Exchange Servers. Multiple threat actors started exploiting the ProxyLogon vulnerability and compromising the unpatched servers before organizations could deploy the patches and update their servers.
On March 4, 2021, Microsoft released a script for checking the indicators of compromise (IOCs) and provided additional resources to aid organizations to investigate the attacks.
On March 15, 2021, Microsoft released Microsoft Exchange On-Premises Mitigation Tool(EOMT) for businesses and organizations with no dedicated IT or security team to mitigate the risks and apply security updates.
On April 2, 2021, Orange Tsai with Zero Day Initiative (ZDI) informed Microsoft about three more ‘proxy’ vulnerabilities — CVE-2021–34473, CVE-2021–34523, and CVE-2021–31207, dubbed as ProxyShell. These vulnerabilities lie in Microsoft Client Access Service (CAS).
These vulnerabilities, when chained together, allows threat actors to execute arbitrary code on compromised servers, similar to Hafnium, and gain access to the Exchange Server.
On April 13, 2021, Microsoft released updates to patch 114 CVEs, including the two ProxyShell vulnerabilities — CVE-2021–34473 and CVE-2021–34523 before attackers could exploit them.
On May 11, 2021, Microsoft released more patches for Exchange Server 2013, 2016, and 2019, to patch several vulnerabilities, including the partially patched ProxyShell vulnerability (CVE-2021–31207).
Microsoft released more patches in subsequent months, i.e., June, July, and August 2021, to patch several RCE vulnerabilities reported by various researchers and security firms.
However, threat actors are still exploiting the ‘proxy’ vulnerabilities, such as ProxyLogon, ProxyShell, and recently discovered ProxyToken, on unpatched servers. ProxyToken is a newly discovered bug found in Microsoft Exchange Server. The vulnerability was reported by researcher Le Xuan Tuyen at VNPT ISC to Microsoft in March 2021, represented with the CVE-2021–33766 identifier. However, it was patched with July 2021 updates.
To Wrap Up
Researchers have warned against more attacks on the unpatched Exchange Servers as Microsoft releases more patches and new vulnerabilities are being disclosed. To defend against malicious attacks and prevent a data breach, install the latest updates released by Microsoft for on-premises Exchange Server as soon as possible. The more you wait, the more you risk your data and organization.
After the attack, the updates and patches can only protect from future attackers. It cannot undo or remove web shells and backdoors installed by the threat actors that provide them with access to your server and data.
Also, take backup regularly and follow the 3–2–1 backup rule for added protection against data breaches due to ransomware attacks and other disasters. You may also keep an Exchange recovery tool, such as Stellar Repair for Exchange, that comes in handy when backups do not work or turn out obsolete. It can help you recover mailboxes from the databases (including corrupt and damaged databases) on an offline or compromised Exchange Server and export them to a new live Exchange Server or Office 365 directly.