These vulnerabilities permits to access, without any authentication, to all Exchange mailboxes contents.
This is possible on all Exchange servers that are published, on internet, through OWA (attacker need onlty to know user account name)
Afterward attackers created several backdoors, through aspx webshell, creating AD credentials dump. (having horizontal attacks possibility)
There are two scenarios:
- Standalone: require single user (SID) (more difficult)
- Cluster (DAG) only end user email name is required.
Attack is possibile only if you know server FQDN (but this is easy to be knwon sending an http post call to Exchange Web Services)
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855
Patches are here available: (for Exchange 2010 too)
Other articles:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
[original articles]
https://www.windowserver.it/2021/03/exchange-server-sotto-attacco-cosa-sta-succedendo/
https://www.wired.it/internet/web/2021/03/05/microsoft-exchange-hacker-cina/
[update 2021.03.19]
Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus
[update 2021.03.24]
[update 2021.03.29]
How to Recover Exchange Server after Black KingDom Ransomware Attack?
https://www.stellarinfo.com/blog/recover-exchange-server-after-black-kingdom-ransomware-attack/
