Blog updated March 11: Case studies detailing post-compromise activity seen by Symantec added, along with additional IoCs. Blog updated March 9: IoCs, additional signatures, and pre-exploitation process diagram added.

Users of Microsoft Exchange Server are advised to update to the latest version immediately, as a growing number of attackers are attempting to exploit four recently patched zero-day vulnerabilities in the software.

Microsoft released emergency patches last week (March 2) for the four vulnerabilities, which were being exploited by attackers in the wild. At the time, Microsoft said these vulnerabilities were being exploited by an advanced persistent threat (APT) group it dubbed Hafnium (Symantec tracks this group as Ant) in targeted attacks. However, since then it has been reported that multiple threat actors have been rushing to exploit these vulnerabilities in Exchange Server.

Two of the vulnerabilities (CVE-2021-26855 and CVE-2021-27065) and the technique used to chain them together for exploitation have been given the name “ProxyLogon” by security company DevCore. Successful exploitation of ProxyLogon allows attackers to gain a foothold on a targeted network, potentially leading to further compromise and data exfiltration.

Symantec customers are protected from attacks exploiting these vulnerabilities.

When did we first find out about these attacks?

Microsoft released an out-of-band patch to address the vulnerabilities in Exchange Server on March 2, 2020. The versions impacted are Exchange Server 2013, 2016, and 2019. Security firm Volexity, which Microsoft credited in its security alert detailing the vulnerabilities, said it first saw attackers exploiting the bugs on January 6, 2021.

Why are these vulnerabilities so dangerous?