The zero day
On 2 March 2021, Microsoft released a blog post that identified four new zero-day vulnerabilities affecting MS Exchange servers.
These were:
CVE-2021-26855: This vulnerability allows the attacker to steal the full content of several user mailboxes remotely, without authentication.
CVE-2021-26858 and CVE-2021-27065: These allowed the attacker to write an arbitrary file to any path on the server.
CVE-2021-26857: This vulnerability allows the attacker to execute remote code on the Exchange server.
These four zero days, chained together, give the attacker a toolkit for gaining complete control of Exchange servers.
The vulnerabilities identified by Microsoft allowed the attackers to reach Exchange servers remotely via SSRF and deploy web shells, thereby gaining access to the server. From there they could deploy additional malware to perform a range of malicious tasks. Once successful, the attacker could extract data from mailboxes by merely knowing the server name and an email address, deploy ransomware, and so on.
The timeline
The time window for organisations to remediate a zero day has shrunk to 2 days!
Incident Response and Remediation
Organisations have a limited time window for incident detection & response. Here is what you can do to make your response more cogent and faster:
Step 1: Monitor your OEM communications and your cybersecurity circles to identify the zero day as soon as possible. In this case, Microsoft communicated well and made the vulnerability public. Informal channels are key. We first heard of this when the information was shared on one of our Infosec Professionals groups on Signal by a senior Microsoft person.
Step 2: Find out if you are affected. Check the CVEs to identify affected systems.
Step 3: Evaluate your patching readiness along with any compensating controls provided by your other security tools (EDR, AV, WAF, IPS, etc.)
Step 4: Find out if there is a mechanism to check whether you are compromised. If public IoCs are available, this task goes faster. You can also use internal tools such as file integrity monitors to check for the IoC signatures on the vulnerable servers.
Step 5: If you find an IoC, initiate your full-blown incident response plan and start assessments and forensics immediately. Isolate the affected systems while continuing to patch the rest of the vulnerable systems.
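The file-integrity check mentioned in Step 4 can be as simple as a hash baseline taken before the patch window and a diff taken afterwards, with any new or changed script file under a web-served directory pulled out for the forensic triage in Step 5. The example below is added here and is not code from the original post or from any vendor tool; the directory names, file contents and the list of flagged extensions are constructed for illustration and are not published IoCs.

```python
"""Added example: a minimal file-integrity baseline and diff for a web root.

Sample tree, file names and SCRIPT_EXTENSIONS are constructed assumptions for
this demonstration, not Exchange-specific indicators of compromise.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions worth flagging when they appear or change unexpectedly in a
# web-served directory. Assumed for the example; tune to your own environment.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".php", ".jsp"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every file under root (as a POSIX path relative to root) to its digest."""
    baseline: Dict[str, str] = {}
    for entry in root.rglob("*"):
        if entry.is_file():
            baseline[entry.relative_to(root).as_posix()] = sha256_of(entry)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each path as added, modified or removed relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def suspicious_changes(diff: Dict[str, List[str]]) -> List[str]:
    """New or changed files with a script extension go to the top of the triage list."""
    return sorted(p for p in diff["added"] + diff["modified"]
                  if Path(p).suffix.lower() in SCRIPT_EXTENSIONS)


def demo() -> Dict[str, List[str]]:
    """Build a constructed web root, take a baseline, simulate changes, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wwwroot").mkdir()
        (root / "wwwroot" / "default.aspx").write_text("<%-- constructed page --%>")
        (root / "wwwroot" / "logo.png").write_bytes(b"\x89PNG constructed bytes")
        baseline = build_baseline(root)

        # Constructed post-baseline changes: one new script file, one edited page.
        (root / "wwwroot" / "new_page.aspx").write_text("<%-- constructed new file --%>")
        (root / "wwwroot" / "default.aspx").write_text("<%-- constructed edit --%>")
        diff = compare(baseline, build_baseline(root))
        diff["suspicious"] = suspicious_changes(diff)
        return diff


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline dictionary would be written to storage off the server (so an intruder with write access to the web root cannot also rewrite the baseline) and the comparison run against it after each maintenance window or on a schedule; the diff output then feeds the isolation and forensics decisions in Step 5.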
Handling an incident like this zero day requires coordinating multiple moving parts: the server team, network team, vulnerability management team, and so on. The role of infosec here is to look at the big picture and ensure that the whole response exercise is coordinated and runs according to a reasonable plan.
Read this well-written article by Peter Sullivan on incident response for zero days to improve your incident response mechanism.
Principles from the incident response article we mentioned above:
Principle 1. An organization can only protect itself against those cybersecurity threats that it already knows about.
Principle 2. For threats that are unknown, an organization must react to them quickly and effectively.
Principle 3. It is not possible to respond to any computer or information security incident until an organization can detect that an incident has occurred.
Quote of the week
We worried for decades about WMDs – Weapons of Mass Destruction. Now it is time to worry about a new kind of WMDs – Weapons of Mass Disruption - John Mariotti