{"id":1857,"date":"2021-03-07T18:12:53","date_gmt":"2021-03-07T16:12:53","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=1857"},"modified":"2026-06-08T22:00:52","modified_gmt":"2026-06-08T22:00:52","slug":"exchange-server-cyber-attack-handling","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/exchange-server-cyber-attack-handling\/","title":{"rendered":"Handling the Microsoft Exchange Server cyber attack \u2014 why it can be worse than WannaCry"},"content":{"rendered":"\n<p style=\"text-align: justify\">In recent days we have been observing <strong>massive cyber attacks<\/strong>, <strong>automated<\/strong> and on a <strong>global scale<\/strong>. These attacks exploit recent vulnerabilities in <strong>Microsoft Exchange Server<\/strong> mail systems. In Italy alone, vulnerable systems could number approximately <strong>8 000<\/strong>, while globally an estimated 200 000 systems are affected.<\/p>\n\n\n\n<p style=\"text-align: justify\">An attack of this type puts at risk the <strong>know-how<\/strong> of targeted organisations and, in certain cases, could prove fatal for those companies already severely impacted by the <strong>Covid-19<\/strong> pandemic.<\/p>\n\n\n\n<div class=\"wp-block-media-text alignwide is-stacked-on-mobile\" style=\"grid-template-columns:57% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" width=\"1024\" height=\"701\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/03\/Exchange_Vuln-1024x701-1.webp\" alt=\"\" class=\"wp-image-4293 size-full\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/03\/Exchange_Vuln-1024x701-1.webp 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/03\/Exchange_Vuln-1024x701-1-300x205.webp 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/03\/Exchange_Vuln-1024x701-1-768x526.webp 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" 
\/><\/figure><div class=\"wp-block-media-text__content\">\n<p><span>The vulnerabilities: <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26855\" class=\"ek-link\">CVE-2021-26855<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26857\" class=\"ek-link\">CVE-2021-26857<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26858\" class=\"ek-link\">CVE-2021-26858<\/a>, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-27065\" class=\"ek-link\">CVE-2021-27065<\/a>.<\/span><\/p>\n<p><span>Vulnerable products:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Microsoft Exchange Server 2019<\/strong><\/li><li><strong>Microsoft Exchange Server 2016<\/strong><\/li><li><strong>Microsoft Exchange Server 2013<\/strong><\/li><li><strong>Microsoft Exchange Server 2010<\/strong><\/li><\/ul>\n<\/div><\/div>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\" id=\"h-perche-preoccuparsi-di-quest-attacco\">Why this attack warrants concern<\/h2>\n\n\n\n<p style=\"text-align: justify\">Cyber security events of this impact are rarely observed. The current situation is considerably worse than the <strong>WannaCry Ransomware<\/strong> case. 
In that instance, the immediate impacts of the attack at least enabled an immediate response from affected organisations.<\/p>\n\n\n\n<p style=\"text-align: justify\">The <strong>silent nature<\/strong> of this case, however, may result in <strong>failure to identify the compromise<\/strong> by numerous organisations, which will register impacts exclusively <strong>during the coming weeks and months<\/strong>.<\/p>\n\n\n\n<p style=\"text-align: justify\">To address attacks of this nature, in which threat actors exploit <strong>zero-day vulnerabilities<\/strong> or remote control software, <strong>technology alone is insufficient<\/strong>.<br>The <strong>competencies<\/strong> and <strong>defensive model<\/strong> we have developed enable effective management of security incidents at this level, from identification through malware analysis to <strong>removal of threat actors from the corporate network<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\" id=\"h-fortgale-il-racconto-di-un-tentativo-di-exploitation\">Account of an <em>exploitation<\/em> attempt<\/h2>\n\n\n\n<p style=\"text-align: justify\">During delivery of our <strong>managed security services<\/strong> we have found evidence of what has been documented in recent <em><strong>cyber threat intelligence<\/strong><\/em> reports. Our team has identified and managed two distinct cyber attacks of this type.<br>The identification (<em><strong>detection<\/strong><\/em>) of this type of compromise is not straightforward. 
Several indicators of compromise (<strong>IOC<\/strong>) have been shared, but this information is closely tied to studied cases and not always applicable across all infrastructures.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"1440\" height=\"810\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/01\/UA_eschangeServer.gif\" alt=\"\" class=\"wp-image-4296\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\">Attack identification occurred exclusively through <em><strong>hunting<\/strong><\/em> activity by our team, which identified the <strong><em>upload<\/em><\/strong> of malicious code (China-Chopper-like WebShell) on several systems. The process that wrote the malicious file is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1024\" height=\"207\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/03\/evidenza-1024x207-1.webp\" alt=\"\" class=\"wp-image-4294\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/03\/evidenza-1024x207-1.webp 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/03\/evidenza-1024x207-1-300x61.webp 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/03\/evidenza-1024x207-1-768x155.webp 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" \/><figcaption>Exploitation of the vulnerability<\/figcaption><\/figure>\n\n\n\n<p style=\"text-align: justify\">The event, though not apparently malicious, is the result of exploitation of the vulnerabilities leading to the writing of malicious &#8220;.aspx&#8221; files to disk for remote access.<br>Two different webshells detected during this period:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>supp0rt.aspx<\/strong><\/li><li><strong>OutlookEN.aspx<\/strong><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img 
decoding=\"async\" width=\"1024\" height=\"91\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/03\/webshell_CC-1024x91-1.webp\" alt=\"\" class=\"wp-image-4295\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/03\/webshell_CC-1024x91-1.webp 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/03\/webshell_CC-1024x91-1-300x27.webp 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/03\/webshell_CC-1024x91-1-768x68.webp 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" \/><figcaption>WebShell &#8211; China Chopper<\/figcaption><\/figure>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\" id=\"h-prima-fase-accesso-iniziale-ta1190\"><strong><span style=\"color:#000000\" class=\"tadv-color\">First phase |<\/span><\/strong> Initial Access [<a href=\"https:\/\/attack.mitre.org\/techniques\/T1190\/\" class=\"ek-link\">T1190<\/a>]<\/h3>\n\n\n\n<p style=\"text-align: justify\">Exploiting <strong>Microsoft Exchange<\/strong> vulnerabilities (<a href=\"https:\/\/msrc-blog.microsoft.com\/2021\/03\/02\/multiple-security-updates-released-for-exchange-server\/\" class=\"ek-link\">link<\/a>), multiple threat actor groups are compromising vulnerable systems worldwide in a massive and non-targeted manner. The vulnerability enables them to perform <em>upload<\/em> of malicious files for remote system control (<strong>Web Shell<\/strong>).<\/p>\n<p style=\"text-align: justify\">Our analyst team has, at present, identified exclusively <strong><em>exploitation<\/em><\/strong> and <strong><em>upload<\/em><\/strong> activity of malicious <em>files<\/em>. 
No further malicious activity has been detected in recent days.<\/p>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\" id=\"h-seconda-fase-previsioni-e-speculazioni\"><strong>Second phase |<\/strong> Projections and analysis<\/h3>\n\n\n\n<p style=\"text-align: justify\">Given the type of access obtained by threat actors during the first phase, we assess that threat actors will execute more complex compromise activities only at a later stage.<br>Projected <strong>tactics<\/strong> that may be observed in coming weeks on compromised systems:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Exfiltration of information from corporate email [<a href=\"https:\/\/attack.mitre.org\/tactics\/TA0010\/\" class=\"ek-link\">TA0010<\/a>];<\/li><li><strong>Ransomware<\/strong> attack on the <em>Exchange Server<\/em> [<a href=\"https:\/\/attack.mitre.org\/tactics\/TA0040\/\" class=\"ek-link\">TA0040<\/a>];<\/li><li>Sale of obtained access in <em><strong>black markets<\/strong><\/em>;<\/li><li><em><strong>Lateral movement<\/strong><\/em> toward other corporate systems such as &#8220;Domain Controller&#8221; [<a href=\"https:\/\/attack.mitre.org\/tactics\/TA0008\/\" class=\"ek-link\">TA0008<\/a>, <a href=\"https:\/\/attack.mitre.org\/tactics\/TA0006\/\" class=\"ek-link\">TA0006<\/a>];<\/li><li><em><strong>Escalation<\/strong><\/em> to obtain privileged credentials [<a href=\"https:\/\/attack.mitre.org\/tactics\/TA0006\/\">TA0006<\/a>];<\/li><li>Launch of <strong><em>ransomware<\/em> attack across multiple infrastructure systems<\/strong> [<a href=\"https:\/\/attack.mitre.org\/tactics\/TA0040\/\">TA0040<\/a>].<\/li><\/ul>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\" id=\"h-proteggere-e-difendere-i-sistemi\">Protecting and defending systems<\/h2>\n\n\n\n<p style=\"text-align: justify\"><strong>Microsoft<\/strong> has recently published a series of security updates to secure these systems (<a 
href=\"https:\/\/msrc-blog.microsoft.com\/2021\/03\/02\/multiple-security-updates-released-for-exchange-server\/\" class=\"ek-link\">link<\/a>).<br>List of vulnerabilities resolved by the update: <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26855\" class=\"ek-link\">CVE-2021-26855<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26857\" class=\"ek-link\">CVE-2021-26857<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26858\" class=\"ek-link\">CVE-2021-26858<\/a>, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-27065\" class=\"ek-link\">CVE-2021-27065<\/a>.<\/p>\n\n\n\n<p style=\"text-align: justify\"><strong>Particular attention must be paid<\/strong> to the fact that applying the security updates or mitigations proposed by Microsoft only protects the system against future attacks. <strong>To remove the threat from already compromised systems, specific <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> activity is required.<\/strong><\/p>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\" id=\"h-attribuzione-chi-sta-eseguendo-gli-attacchi-informatici\">Attribution &#8211; Who is executing the cyber attacks<\/h2>\n\n\n\n<p style=\"text-align: justify\">Information shared by Microsoft and other industry organisations references a cyber attack orchestrated by the <strong>HAFNIUM<\/strong> group, a known <strong>threat actor group<\/strong> that executes offensive activity against US organisations.<br>However, despite exploiting the same vulnerabilities, the attacks being observed on a global scale <strong>are not attributable to the HAFNIUM group<\/strong> but to activity by other <b><i>threat actor groups<\/i><\/b> replicating the same approach.<\/p>\n\n\n\n<p style=\"text-align: justify\">We have identified two distinct threat actor groups currently compromising 
<em>Exchange<\/em> systems on <strong>Italian territory<\/strong> during delivery of specialist <strong><em>cyber defence<\/em><\/strong> activities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Organisations must verify system integrity through forensic analysis and implement continuous monitoring to detect post-exploitation activity that may manifest weeks after initial compromise.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mass exploitation of ProxyLogon (CVE-2021-26855\/26857\/26858\/27065) on Microsoft Exchange Server: web shell hunting, two distinct intrusion sets observed in Italy, defensive guidance and post-compromise containment.<\/p>\n","protected":false},"author":1,"featured_media":1889,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[36,38,65,89,93,94,95,135,136,138,167,177,3123,227,232,234,259,277,316,339,3121,3122,341,342,343,353,385,386,388],"class_list":["post-1857","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-aspx","tag-attck","tag-china-chopper","tag-cve","tag-cve-2021-26855-cve-2021-26857","tag-cve-2021-26858","tag-cve-2021-27065","tag-exchange","tag-exchange-server","tag-exploit","tag-hafnium","tag-incident-response","tag-mass-exploitation","tag-microsoft","tag-mitre","tag-msexchangeecpapppool","tag-outlooken","tag-proxylogon","tag-shodan","tag-supp0rt","tag-t1190","tag-t1505-003","tag-ta0008","tag-ta0010","tag-ta0040","tag-threat-hunting","tag-w3wp-exe","tag-wannacry","tag-webshell"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1857","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=1857"}],"version-history":[{"count":4,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1857\/revisions"}],"predecessor-version":[{"id":9842,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1857\/revisions\/9842"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=1857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=1857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=1857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}