CRITICAL REMOTE CODE EXECUTION FLAWS IN MICROSOFT EXCHANGE ARE BEING ACTIVELY EXPLOITED

The SonicWall Capture Labs Threat Research team has received reports that threat actors are actively exploiting the following Microsoft Exchange vulnerabilities:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

These vulnerabilities allow attackers to access email stored on the Exchange servers, which may include sensitive or personal data.

Affected Products:

Microsoft Exchange Server 2013, 2016 and 2019 are affected by these vulnerabilities. Users should apply the updates as soon as possible. Microsoft has also released a “Defense in Depth” update for Exchange Server 2010.

On March 2, 2021, the SonicWall Capture Labs Threat Research team released the following signatures to protect against such attacks:

  • IPS: 15418 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26857)
  • IPS: 15419 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26855) 1
  • IPS: 15420 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26855) 2
  • IPS: 15421 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution 1

It is also recommended that DPI-SSL be enabled. The following articles describe how to configure DPI-SSL:
https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-client-dpi-ssl/170505885674291/
https://www.sonicwall.com/support/knowledge-base/how-to-configure-server-dpi-ssl/170505900099021/
