As originally reported by ZDNet and Brian Krebs, exploitation of the four Microsoft Exchange Server vulnerabilities (CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858) has resulted in at least 30,000 compromised servers in the United States, and hundreds of thousands worldwide. Former CISA Director Chris Krebs stated that the real number of victims dwarfs the publicly reported number. Microsoft has attributed most of the early attacks using these vulnerabilities to a China-backed hacking group, Hafnium, but since proof-of-concept exploit code was publicly released, many unrelated APT and criminal groups have added to the number of attacks. CISA has issued a statement warning of “widespread domestic and international exploitation” of the Microsoft Exchange Server vulnerabilities, and urged agencies to apply the patch or take affected systems offline. According to Volexity, the attacks started as early as January 6th, 2021.
Following the Exchange vulnerability announcement, Binary Defense released some of our queries for detecting this activity, such as this one: https://pastebin.com/J4L3r2RS. Additionally, Microsoft has released a tool for detecting this activity called “Test-ProxyLogon” – https://github.com/microsoft/CSS-Exchange/tree/main/Security. Finally, Binary Defense recommends employing a 24/7 SOC solution, such as Binary Defense’s own Security Operations Task Force, to quickly detect early signs of compromise even when the initial attack vector is an unknown vulnerability.