March 2021 Microsoft Exchange 0-Day Reports

Microsoft has disclosed multiple zero-day vulnerabilities in on-premises versions of Microsoft Exchange Server that are being used in targeted attacks.

Microsoft Threat Intelligence Center stated that this campaign may be related to the tactics, techniques and procedures used by the group called HAFNIUM, which is considered to be supported by China.

In the observed attacks, the attackers reportedly used these vulnerabilities to access Exchange servers and then installed additional malware to maintain long-term, targeted access in their target environments.

Multiple security updates for the exploited vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) were released this week. Exchange servers in use should be updated urgently.

In addition, updates can be followed at the following links:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

Reported IoCs

Webshell Hashes


File Paths

  • C:\inetpub\wwwroot\aspnet_client\
  • C:\inetpub\wwwroot\aspnet_client\system_web\

In Microsoft Exchange Server installation paths:

  • %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
  • C:\Exchange\FrontEnd\HttpProxy\owa\auth\

Webshell File Names

  • web.aspx
  • help.aspx
  • document.aspx
  • errorEE.aspx
  • errorEEE.aspx
  • errorEW.aspx
  • errorFF.aspx
  • healthcheck.aspx
  • aspnet_www.aspx
  • aspnet_client.aspx
  • xx.aspx
  • shell.aspx
  • aspnet_iisstart.aspx
  • one.aspx
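
A sweep of the directories listed above for the listed web shell file names, as an added PowerShell example (not part of the original report or of any Microsoft tooling). The function name Find-ReportedWebshellName and its parameters are hypothetical, and PowerShell 4.0 or later is assumed for Get-FileHash.

```powershell
# Added example. Function and parameter names are hypothetical; the default
# directories and file names are the ones listed on this page.
function Find-ReportedWebshellName {
    [CmdletBinding()]
    param(
        [string[]]$Path = @(
            'C:\inetpub\wwwroot\aspnet_client\',
            'C:\inetpub\wwwroot\aspnet_client\system_web\',
            '%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\',
            'C:\Exchange\FrontEnd\HttpProxy\owa\auth\'
        ),
        [string[]]$Name = @(
            'web.aspx', 'help.aspx', 'document.aspx', 'errorEE.aspx', 'errorEEE.aspx',
            'errorEW.aspx', 'errorFF.aspx', 'healthcheck.aspx', 'aspnet_www.aspx',
            'aspnet_client.aspx', 'xx.aspx', 'shell.aspx', 'aspnet_iisstart.aspx', 'one.aspx'
        ),
        [switch]$Recurse   # also search subdirectories of each listed directory
    )

    # Expand %PROGRAMFILES% and keep only directories that exist on this host.
    $dirs = $Path |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Container }

    $hits = foreach ($dir in $dirs) {
        # -Force includes hidden/system files; -in compares names case-insensitively.
        Get-ChildItem -LiteralPath $dir -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in $Name } |
            ForEach-Object {
                [pscustomobject]@{
                    FullName         = $_.FullName
                    CreationTimeUtc  = $_.CreationTimeUtc
                    LastWriteTimeUtc = $_.LastWriteTimeUtc
                    Length           = $_.Length
                    # Hash for comparison with published web shell hashes.
                    SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
                }
            }
    }

    # Nested directories can yield the same file twice under -Recurse; report each once.
    $hits | Sort-Object -Property FullName -Unique
}

Find-ReportedWebshellName | Format-List
```

An empty result only means that none of the listed names is present in the listed directories.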
