
Executive Summary
CVE-2021-26858 is a critical vulnerability in Microsoft Exchange Server that allows for remote code execution. This vulnerability is part of a series of vulnerabilities collectively known as ProxyLogon. It is a post-authentication arbitrary file write vulnerability, meaning that an attacker must first authenticate to the Exchange server before they can exploit this flaw. The HAFNIUM APT group, a state-sponsored group operating out of China, has been actively exploiting this vulnerability, targeting entities in the United States across various sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
Technical Information
As a post-authentication arbitrary file write flaw, CVE-2021-26858 requires the attacker to hold valid credentials before it can be exploited. It has a CVSS v3.1 Base Score of 7.8, indicating a high severity level. The attack vector is local, with low attack complexity, no privileges required, and no user interaction needed. The scope is unchanged, with high confidentiality, integrity, and availability impacts.
The affected products are Microsoft Exchange Server 2010 SP3, Exchange Server 2013 CU22 and CU23, Exchange Server 2016 CU10 and CU11, and Exchange Server 2019 CU7 and CU8. The vulnerability allows an authenticated attacker to write arbitrary files to the server; a written file can then be executed to achieve remote code execution.
The attack chain typically involves the attacker first authenticating to the Exchange server using stolen credentials or by exploiting another vulnerability, such as CVE-2021-26855. Once authenticated, the attacker uses CVE-2021-26858 to write a malicious file to the server. This file is then executed, allowing the attacker to run arbitrary code on the server.
Exploitation in the Wild
The HAFNIUM APT group has been actively exploiting CVE-2021-26858 in the wild. HAFNIUM is a state-sponsored group operating out of China, known for targeting entities in the United States across various sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. The group has been using this vulnerability to gain initial access to Exchange servers, write malicious files, and execute arbitrary code.
Indicators of Compromise (IOCs) for this vulnerability include unusual files in the Exchange Server directories, suspicious outbound network traffic from the Exchange server, and unexpected changes in the configuration of the Exchange server. Organizations should monitor their Exchange servers for these IOCs to detect potential exploitation.
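As an added example that is not part of this advisory, the following PowerShell script helps triage the first of those indicators: it lists files created or modified under the Exchange install tree after a cutoff date and records their SHA-256 hashes for review. It assumes the ExchangeInstallPath environment variable is set on the server (Exchange setup normally defines it); pass -Root explicitly otherwise.

```powershell
# Added example (not from the advisory): report files written to the Exchange
# install tree after a cutoff so unexpected new files can be reviewed.
# Assumption: $env:ExchangeInstallPath is set (Exchange setup normally sets it).
param(
    [string]$Root    = $env:ExchangeInstallPath,
    [datetime]$Since = (Get-Date).AddDays(-30),
    [string]$Report  = "$env:TEMP\exchange-recent-files.csv"
)

if (-not $Root -or -not (Test-Path $Root)) {
    throw "Exchange install path not found; pass -Root <path>."
}

# Keep files created OR modified after the cutoff: a dropped file may carry a
# back-dated LastWriteTime while CreationTime still shows when it appeared on
# disk, and an overwritten legitimate file shows the reverse.
$recent = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $Since -or $_.LastWriteTime -gt $Since } |
    ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Path          = $_.FullName
            CreationTime  = $_.CreationTime
            LastWriteTime = $_.LastWriteTime
            SizeBytes     = $_.Length
            SHA256        = if ($hash) { $hash.Hash } else { 'unreadable' }
        }
    } | Sort-Object CreationTime -Descending

# Persist the full list for the incident record and show a summary on screen.
$recent | Export-Csv -Path $Report -NoTypeInformation
$recent | Format-Table Path, CreationTime, LastWriteTime, SizeBytes -AutoSize
Write-Host ("{0} file(s) created or modified since {1}; report written to {2}" -f `
    @($recent).Count, $Since, $Report)
```

Compare the output against the last known patch or cumulative update date; files that appeared outside a maintenance window, or that do not match the vendor-supplied file set, warrant closer inspection.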
APT Groups using this vulnerability
The HAFNIUM APT group has been identified as the primary actor exploiting CVE-2021-26858. As described above, HAFNIUM is a state-sponsored group operating out of China whose targets in the United States span infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Its exploitation of this vulnerability has been well documented, and organizations in these sectors should be particularly vigilant.
Affected Product Versions
The affected product versions are Microsoft Exchange Server 2010 SP3, Exchange Server 2013 CU22 and CU23, Exchange Server 2016 CU10 and CU11, and Exchange Server 2019 CU7 and CU8. Organizations running these versions should prioritize patching and mitigation efforts to protect against this vulnerability.
Workaround and Mitigation
To mitigate the risk posed by CVE-2021-26858, organizations should apply the patches released by Microsoft immediately. The patches can be found in the Microsoft Security Advisory for CVE-2021-26858. In addition to applying patches, organizations should regularly monitor their Exchange servers for the indicators of compromise listed above. Network segmentation can also help limit the potential impact of a breach by isolating Exchange servers from the rest of the network.
References
For more information on CVE-2021-26858 and related vulnerabilities, please refer to the following sources:
- National Vulnerability Database (NVD) - CVE-2021-26858
- Microsoft Security Response Center (MSRC) - CVE-2021-26858
- CISA Known Exploited Vulnerabilities Catalog
- Rapid7 - CVE-2021-26858
- FortiGuard - CVE-2021-26858
- NopSec - Four Zero-day Vulnerabilities in Microsoft Exchange Server
- CISA - Mitigate Microsoft Exchange Server Vulnerabilities
- BI-Zone - Hunting Down MS Exchange Attacks. Part 1. ProxyLogon
Rescana is here for you
At Rescana, we understand the critical importance of protecting your organization from cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform helps you stay ahead of vulnerabilities like CVE-2021-26858 by providing real-time monitoring, threat intelligence, and automated remediation. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com. We are here to help you safeguard your digital assets and ensure the security of your operations.